#!/bin/sh
# Add new server certificates to tlsproxy (also see below).
#
# Requires certtool (from GnuTLS).
#
# Copyright (C) 2011-2014 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
set -e
if test "$#" -ne 1 && test "$#" -ne 2; then
echo "Usage: $0 []"
echo
echo "Add the server certificate (as .pem file) for "
echo " to tlsproxy. is not modified."
echo
echo "If is not given the certificate (PEM format) "
echo "is read from stdin."
echo
echo "The server certificate is NOT validated in any way, you must do "
echo "that before using this command or you risk using an insecure "
echo "certificate!"
echo
echo "Must be run in the tlsproxy directory where other configuration "
echo "files like proxy-ca.pem are stored."
exit 1
fi
tempfile=`mktemp`
trap 'rm -f "$tempfile"' EXIT
# Generate server certificate for given host.
echo 'organization = tlsproxy' > "$tempfile"
echo "cn = $1" >> "$tempfile"
echo tls_www_server >> "$tempfile"
echo encryption_key >> "$tempfile"
echo signing_key >> "$tempfile"
echo 'expiration_days = 3650' >> "$tempfile"
certtool --generate-certificate \
--load-privkey proxy-key.pem \
--load-ca-certificate proxy-ca.pem \
--load-ca-privkey proxy-ca-key.pem \
--template "$tempfile" \
--outfile "certificate-$1-proxy.pem"
rm "$tempfile"
if test "x$2" = x; then
echo 'Please enter server certificate (Ctrl-D to terminate input).'
cat > "certificate-$1-server.pem"
else
cp "$2" "certificate-$1-server.pem"
fi
echo done