#!perl -w use warnings; # Very basic script to create TLS certificates for qpsmtpd use File::Temp qw/ tempfile tempdir /; use Getopt::Long; my %opts = (); chomp (my $hostname = `hostname --fqdn`); if ($?) { chomp($hostname = `hostname`); } print "Using hostname: $hostname\n"; my %defaults = ( C => 'XY', ST => 'unknown', L => 'unknown', O => 'QSMTPD', OU => 'Server', CN => $hostname, ); GetOptions(\%opts, 'C|Country:s', 'ST|State:s', 'L|Locality|City:s', 'O|Organization:s', 'OU|OrganizationalUnit|U:s', 'CN|CommonName|N:s', 'emailAddress|email|E:s', 'help|H', ); usage() if $opts{help}; # initialize defaults foreach my $key ( keys %defaults ) { $opts{$key} = $defaults{$key} unless $opts{$key} } $opts{emailAddress} = 'postmaster@'.$opts{CN}; mkdir('ssl') unless -d 'ssl'; my $CA_key = 'ssl/qpsmtpd-ca.key'; my $CA_crt = 'ssl/qpsmtpd-ca.crt'; my $CA_serial = 'ssl/.cert.serial'; my ($CA, $CAfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1); print ${CA} return_cfg('CA'); close ${CA}; system('openssl', 'genrsa', '-out', $CA_key, 2048) == 0 or die "Cannot create CA key: $?"; system('openssl', 'req', '-config', $CAfilename, '-new', '-x509', '-days', (365*6), '-key', $CA_key, '-out', $CA_crt) == 0 or die "Cannot create CA cert: $?"; my $SERVER_key = 'ssl/qpsmtpd-server.key'; my $SERVER_csr = 'ssl/qpsmtpd-server.csr'; my $SERVER_crt = 'ssl/qpsmtpd-server.crt'; my ($SERVER, $SERVERfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1); print ${SERVER} return_cfg($opts{OU}); close ${SERVER}; system('openssl', 'genrsa', '-out', $SERVER_key, 1024) == 0 or die "Cannot create server key: $?"; system('openssl', 'req', '-config', $SERVERfilename, '-new', '-key', $SERVER_key, '-out', $SERVER_csr) == 0 or die "Cannot create server cert: $?"; my ($SIGN, $SIGNfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1); print ${SIGN} <<"EOT"; extensions = x509v3 [ x509v3 ] subjectAltName = email:copy nsComment = tls certificate nsCertType = server EOT close ${SIGN}; open my $SERIAL, '>', $CA_serial; print ${SERIAL} "01\n"; close ${SERIAL}; system('openssl', 'x509', '-extfile', $SIGNfilename, '-days', (365*2), '-CAserial', $CA_serial, '-CA', $CA_crt, '-CAkey', $CA_key, '-in', $SERVER_csr, '-req', '-out', $SERVER_crt) == 0 or die "Cannot sign cert: $?"; exit(0); sub return_cfg { my $OU = shift; my $RANDOM = int(rand(1000)).'RAN'.int(rand(1000)).'DOM'; my $cfg = <<"EOT"; [ req ] default_bits = 1024 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = mypass [ req_distinguished_name ] C = $opts{C} ST = $opts{ST} L = $opts{L} O = $opts{O} OU = $OU CN = $opts{CN} emailAddress = $opts{emailAddress} [ req_attributes ] challengePassword = $RANDOM challenge password EOT return $cfg; } sub usage { print STDERR <<"EOT"; $0 will generate a TLS certificate "the quick way", i.e. without interaction. You can change some defaults however. These options are recognized: Default: --C Country (two letters, e.g. DE) $defaults{C} --ST State (spelled out) $defaults{ST} --L City $defaults{L} --O Organization $defaults{O} --OU Organizational Unit $defaults{OU} --CN Common name $defaults{CN} --email Email address of postmaster postmaster\@CN --help Show usage EOT exit(1); }