WIP: most of gen_ca-i.sh is working except for the docs, the docs need to be consolidated for easy CA-I generation
parent
dd6afcba9f
commit
0e94573945
@ -10,7 +10,7 @@
# source this file to include the functions
. pki_funcs.sh
|
$CA_CNF
#$CA_CNF
|
PARAM1=$1
PARAM2=$2
|
@ -35,17 +35,21 @@ usage() {
}
|
error_no_ca_file() {
echo_block "ERROR: missing ca.pem"
echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
usage
}
|
main() {
if [[ ! -f ca-i.pem ]]; then
CDD=`pwd`
FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem"
FQ_CA_CRT="${CDD}/cfg/ca.crt.pem"
if [[ ! -f $FQ_CA_KEYS ]] || [[ ! -f $FQ_CA_CRT ]]; then
error_no_ca_file
fi
|
if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then
generate_ca_i $PARAM1 $PARAM2
pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"
ca-i_gen_pki $PARAM1 $PARAM2 2
else
usage
fi
|
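Review bot: In the `@ -35,17 +35,21 @@` hunk of main(), the guard `if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]` lets the block run with only one of the two parameters set, and the unquoted calls `pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"` and `ca-i_gen_pki $PARAM1 $PARAM2 2` then shift the remaining arguments one position left, so the literal `2` can land in ca-i_gen_pki's second slot. Require both and quote: `if [[ -n "$PARAM1" && -n "$PARAM2" ]]; then` and `ca-i_gen_pki "$PARAM1" "$PARAM2" 2` (same for the pki_func_init arguments). The missing-CA-file branch only calls error_no_ca_file, which prints and calls usage; unless usage exits (its body is outside the hunk) execution continues into pki_func_init without ca.crt.pem/ca.keys.pem, so `error_no_ca_file; exit 1` or an explicit exit inside that helper is needed for the check to be effective. main() and the outer `if [[ ! -f ca-i.pem ]]` continue past the end of the hunk.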
@ -31,7 +31,7 @@ echo_block() {
# Grab the latest serial # from the file, auto-increment
#
get_serial() {
SERIAL=`head SERIAL`
SERIAL=`head "docs/SERIAL_LC"`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
|
@ -83,6 +83,7 @@ ca-i_gen_pki() {
LOOP_NUM=$3
|
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
mkdir -p "cfg"
mkdir -p "distribution/${UNIQ_DIR_CA}"
cd "distribution/${UNIQ_DIR_CA}"
|
|
@ -170,26 +171,26 @@ ca-i_gen_cert() {
#
ca-i_organize() {
# organize the client directory
mkdir -p clients/ca-i
mkdir -p clients/cfg
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
mv client*.pem clients/data/
mv client*.p12 clients/distro/
mv client*.info.txt clients/docs/
cp ca_i*.crt.pem clients/ca-i/
cp ca_i*.keys.pem clients/ca-i/
cp ca_i*.crt.pem clients/cfg/ca_i.crt.pem
cp ca_i*.keys.pem clients/cfg/ca_i.keys.pem
|
# organize the server directory
mkdir -p servers/ca-i
mkdir -p servers/cfg
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
mv server_*.pem servers/data/
mv server_*.p12 servers/distro/
mv server_*.info.txt servers/docs/
cp ca_i*.crt.pem servers/ca-i/
cp ca_i*.keys.pem servers/ca-i/
cp ca_i*.crt.pem servers/cfg/ca_i.crt.pem
cp ca_i*.keys.pem servers/cfg/ca_i.keys.pem
|
# organize the ca-i directory
# order matters: move these files last because they were copied above
|
@ -208,26 +209,31 @@ ca-i_organize() {
#
# Requires:
# UNIQ_DIR_LC : unique string for the Lifecycle directory
# UNIQ_ID_CA-I : unique string for the CA-I
# UNIQ_ID_CAI : unique string for the CA-I
#
ca-i_cp_docs() {
# CA-I
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $CD_ROOT/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
|
# client
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/
cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/
|
# server
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/
cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/
}
|
#
|
@ -236,7 +242,7 @@ ca-i_cp_docs() {
#
gen_server() {
ORG_URL=$1
UNIQ_ID_CA=$2
UNIQ_ID_CAI=$2
SERIAL=$3
|
UNIQ_ID="${SERIAL}.${ORG_URL}"
|
@ -250,12 +256,12 @@ gen_server() {
|
# CA Intermediate signs Server
openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
|
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
|
# verify certificate (output to text file for review)
|
@ -264,11 +270,11 @@ gen_server() {
|
#
# Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
# IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL
#
gen_client() {
ORG_URL=$1
UNIQ_ID_CA=$2
UNIQ_ID_CAI=$2
SERIAL=$3
|
UNIQ_ID="${SERIAL}.${ORG_URL}"
|
@ -282,12 +288,12 @@ gen_client() {
-out "client_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client
openssl x509 -req -days 365 \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
|
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
|
# verify certificate (output to text file for review)
|
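Review bot: In the `@ -31,7 +31,7 @@` hunk, get_serial() now reads `docs/SERIAL_LC`, but the warning on the following lines still says `no file 'SERIAL' found`, and the fallback `SERIAL=11111` means every run without that file issues certificates with the same serial number under the same CA, which breaks per-issuer serial uniqueness and makes serial-based revocation or tracking ambiguous. Read exactly one line and fail closed instead of defaulting: `SERIAL=$(head -n 1 docs/SERIAL_LC 2>/dev/null)` followed by `[[ -n "$SERIAL" ]] || { echo_block "ERROR: docs/SERIAL_LC missing or empty"; return 1; }`. Plain `head` also returns up to ten lines, so a multi-line file would feed a multi-line value into `-set_serial` later on. get_serial's body continues outside the hunk.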
@ -57,9 +57,12 @@ app_init() {
}
|
#
# Generate a new Certificate Authority
# Create a new LifeCycle package
#
# IN: UNIQ_ID_CA, SERIAL
#
one-time-ca() {
gen_lifecycle() {
# params
#SERIAL="101"
|
|
@ -96,7 +99,7 @@ main() {
LIB_PATH="${CD_ROOT}/libs"
|
app_init
one-time-ca
gen_lifecycle
ca-i_gen_pki $ORG_URL 1001 2
# ca-i_gen_pki $ORG_URL 2001 5
# ca-i_gen_pki $ORG_URL 3001 8
|
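Review bot: In the `@ -57,9 +57,12 @@` hunk the new header `# IN: UNIQ_ID_CA, SERIAL` reads as if gen_lifecycle() took arguments, but main() in the next hunk calls `gen_lifecycle` with none and the visible body only carries a commented-out `#SERIAL="101"`, so those inputs must arrive as globals set elsewhere — presumably by app_init, which runs just before it, though that is not visible here. Make the contract explicit, e.g. `# IN (globals, not arguments): UNIQ_ID_CA, SERIAL — must be set before this is called`, and consider failing early with `: "${UNIQ_ID_CA:?UNIQ_ID_CA must be set}"` at the top of the function. gen_lifecycle's body continues outside the hunk.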