AdminSys
/
MyPKI


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114
							import sys, getopt, os

def usage():
    print(' USAGE: ./myPKI.py [OPTIONS]')
    print(' OPTIONS:')
    print('\t-A --initall\t-i -g -d -s')
    print('\t-i --init\tInitialise directorys of PKI')
    print('\t-g --genca\tGenerate CA root')
    print('\t-d --gender\tGenerate DER cert for browser know my self-signed cert')
    print('\t-s --gensign\tGenerate and sign certificate for hosts')
    print('\t-n --genauth\tGenerate and sign certificate for client authenticationf in .pfx format')
    print('\t-h --help\tShows this help')

def generate_client_auth_cert():
    tld = input("=> TLD of your certificate :")
    client_name = input("=> Client Name :")

    # Changement du fichier de config
    os.system('sed -i "s/DNSCHANGEME/'+ tld +'/" ./config/ca.config')
    os.system('sed -i "s/Root Certificate/'+ tld +'/" ./config/ca.config')


    print("=> Création du certificat client")
    os.system("openssl genrsa -out ./certificats/" +client_name+ "_" +tld+ ".key 4096")
    print("[*] " +client_name+"_"+tld+".key is done")
    os.system('openssl req -new -config config/ca.config -key ./certificats/'+client_name+ '_'  +tld+  '.key  -out ./certificats/'+ client_name +'-remote.csr')
    print("[*] CSR Request completed  !")
    os.system('openssl x509 -req -days 3650 -in ./certificats/'+client_name+'-remote.csr -CA ./certificats/ca.crt -CAkey ./certificats/ca.key -set_serial 001 -out ./certificats/'+client_name+'-remote.pem')
    print("[*] Sign OK")
    os.system("openssl pkcs12 -export -out ./"+client_name+".full.pfx -inkey ./certificats/"+client_name+'_'+tld+".key -in ./certificats/"+client_name+"-remote.pem -certfile ./certificats/ca.crt")
    print("[*] Certificate OK")


def generate_sign():
    tld = input("=> TLD of your certificate :")
    ip_addr = input("=> IPv4 :")

    # Changement du fichier de config
    os.system('sed -i "s/DNSCHANGEME/'+ tld +'/" ./config/ca.config')
    os.system('sed -i "s/0.0.0.0/'+ ip_addr +'/" ./config/ca.config')
    os.system('sed -i "s/Root Certificate/'+ tld +'/" ./config/ca.config')

    # Création des certificats
    os.system("openssl genrsa -out ./certificats/"+tld+".key 4096")
    os.system("openssl req -days 3650 -new -config config/ca.config -key ./certificats/"+tld+".key -out certificats/"+tld+".csr")
    os.system("openssl ca -out "+tld+".crt -config config/ca.config -infiles certificats/"+tld+".csr ")

    # On restaure ca.config d'origine
    os.system('sed -i "s/'+ tld +'/DNSCHANGEME/" ./config/ca.config')
    os.system('sed -i "s/'+ ip_addr +'/0.0.0.0/" ./config/ca.config')
    os.system('sed -i "s/'+ tld +'/Root Certificate/" ./config/ca.config')

    print("[*] Certificate Signed !")


def generate_der():
    os.system("openssl x509 -in certificats/ca.crt -outform DER -out certificats/ca.der")
    print("[*] Put public CA ./certificats/ca.der on all browser you see !")

def generate_ca():
    if not os.path.isfile("./certificats/ca.key"):
        os.system("openssl genrsa -out ./certificats/ca.key 4096")
        os.system("openssl req -utf8 -new -x509 -days 3000 -config ./config/ca.config -key ./certificats/ca.key -out ./certificats/ca.crt")
        print("[*] CA Certificate done !")
    else:
        print("[x] CA Certificate already exist...")


def init_dir():
    if not os.path.exists("./db/ca.db.certs"):
        print("[*] Creating directories")
        os.makedirs("./db/ca.db.certs")
        os.makedirs("./config")
        os.makedirs("./certificats")
        os.system("echo '01'> ./db/ca.db.serial")
        os.system("cp /dev/null ./db/ca.db.index")
        os.system("cp ./ca.config.sample ./config/ca.config")
        os.system("touch ./db/ca.db.index.attr")
    else:
        print("[x] Directorys already exist")


def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], "Ahigdsn", ["initall", "help", "init", "genca", "gender", "gensign", "genauth"])

        for o, a in opts:
            if o in ("--help"):
                usage()
                sys.exit()
            elif o in ("--genca"):
                generate_ca()
            elif o in ("--init"):
                init_dir()
            elif o in ("--gender"):
                generate_der()
            elif o in ("--gensign"):
                generate_sign()
            elif o in ("--genauth"):
                generate_client_auth_cert()
            elif o in ("--initall"):
                init_dir()
                generate_ca()
                generate_der()
                generate_sign()
                sys.exit()

    except getopt.GetoptError as err:
        sys.stderr.write(str(err))
        usage()
        sys.exit(2)

if __name__ == "__main__":
    main()