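#!/bin/bash
#
# Encrypt RDP
# Generate and save cert/keys to be used by individual VM
#
# Creates /etc/vbox/tls holding a self-signed CA plus a server key/cert
# signed by it.  Server key/cert and the CA cert end up group-readable by
# vboxusers so VMs can load them; the CA private key is left root-only
# because nothing after this script needs it.  `openssl req` prompts for
# the subject fields interactively, as before.
#
set -euo pipefail

# Effective UID is what matters for writing under /etc.
if (( EUID != 0 )); then
  echo "This script should be run as root." >&2
  exit 1
fi
#
VM_VB_CONFIG_DIR=/etc/vbox
mkdir -p "$VM_VB_CONFIG_DIR"
# Set sticky bit
chmod 1775 "$VM_VB_CONFIG_DIR"
#
VM_VB_CERT_DIR=$VM_VB_CONFIG_DIR/tls
mkdir -p "$VM_VB_CERT_DIR"
# Set the Directory to the VirtualBox group
chgrp -R vboxusers "$VM_VB_CONFIG_DIR"

VM_VB_RDP_ENCRYPT_CA_KEY=$VM_VB_CERT_DIR/ca_key.pem
VM_VB_RDP_ENCRYPT_CA_CERT=$VM_VB_CERT_DIR/ca_crt.pem
VM_VB_RDP_SERVER_KEY=$VM_VB_CERT_DIR/sr_key.pem
VM_VB_RDP_SERVER_CERT=$VM_VB_CERT_DIR/sr_crt.pem
VM_VB_RDP_SERVER_SIGN_REQUEST=$VM_VB_CERT_DIR/sr_req.pem
VM_VB_RDP_CERT_VALID_DAYS=36524

# Passphrase protecting the CA key while it sits on disk.  It used to be
# derived from `date | md5sum`, which an attacker who knows roughly when
# the script ran can enumerate; use the CSPRNG instead.  It is deliberately
# not persisted (the CA key is only used once, below) and is handed to
# openssl through the environment rather than argv so it never appears in
# `ps` output.
VM_VB_RDP_PASS_PHRASE=$(openssl rand -hex 16)
export VM_VB_RDP_PASS_PHRASE

# Newly written files start out owner-only; group access is granted
# explicitly at the end, so keys are never world-readable even briefly.
umask 077
#
echo "Create a CA self signed certificate"
openssl req -new -x509 -days "$VM_VB_RDP_CERT_VALID_DAYS" \
  -newkey rsa:2048 -sha256 \
  -passout env:VM_VB_RDP_PASS_PHRASE \
  -extensions v3_ca \
  -keyout "$VM_VB_RDP_ENCRYPT_CA_KEY" \
  -out "$VM_VB_RDP_ENCRYPT_CA_CERT"
#
echo "Generate a server private key"
# Key size given explicitly: the genrsa default depends on the openssl
# version.  The server key is intentionally unencrypted so VRDE can load it.
openssl genrsa -out "$VM_VB_RDP_SERVER_KEY" 2048
#
echo "Generate request for signing the server private key"
openssl req -new -sha256 -key "$VM_VB_RDP_SERVER_KEY" \
  -out "$VM_VB_RDP_SERVER_SIGN_REQUEST"
#
echo "Generate the server certificate"
# -sha256 pins the signature digest; older openssl builds default to sha1.
openssl x509 -req -days "$VM_VB_RDP_CERT_VALID_DAYS" -sha256 \
  -passin env:VM_VB_RDP_PASS_PHRASE \
  -in "$VM_VB_RDP_SERVER_SIGN_REQUEST" \
  -CA "$VM_VB_RDP_ENCRYPT_CA_CERT" \
  -CAkey "$VM_VB_RDP_ENCRYPT_CA_KEY" \
  -set_serial 01 -out "$VM_VB_RDP_SERVER_CERT"
#
# Set permissions and group: owner keeps what it had, group gets read,
# others get nothing.
chmod o-rwx "$VM_VB_CERT_DIR"/*
chmod g+r "$VM_VB_CERT_DIR"/*
chgrp vboxusers "$VM_VB_CERT_DIR"/*
# The CA private key is not needed by VMs (they use the server key/cert
# and the CA cert), so keep it readable by root only.
chmod 0600 "$VM_VB_RDP_ENCRYPT_CA_KEY"
exit 0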