From 0e94573945362adfe8ddee23c88f5a8e9b7bfcb0 Mon Sep 17 00:00:00 2001 From: JohnE Date: Thu, 23 Aug 2018 09:58:41 -0700 Subject: [PATCH] WIP: most of gen_ca-i.sh is working except for the docs, the docs need to be consolidated for easy CA-I generation --- src/pki_bootstrap/{SERIAL => docs/SERIAL_LC} | 0 src/pki_bootstrap/libs/gen_ca-i.sh | 12 ++++-- src/pki_bootstrap/libs/pki_funcs.sh | 42 +++++++++++--------- src/pki_bootstrap/pki_bootstrap.sh | 7 +++- 4 files changed, 37 insertions(+), 24 deletions(-) rename src/pki_bootstrap/{SERIAL => docs/SERIAL_LC} (100%) diff --git a/src/pki_bootstrap/SERIAL b/src/pki_bootstrap/docs/SERIAL_LC similarity index 100% rename from src/pki_bootstrap/SERIAL rename to src/pki_bootstrap/docs/SERIAL_LC diff --git a/src/pki_bootstrap/libs/gen_ca-i.sh b/src/pki_bootstrap/libs/gen_ca-i.sh index 37c148e..39b4dd9 100755 --- a/src/pki_bootstrap/libs/gen_ca-i.sh +++ b/src/pki_bootstrap/libs/gen_ca-i.sh @@ -10,7 +10,7 @@ # source this file to include the functions . pki_funcs.sh -$CA_CNF +#$CA_CNF PARAM1=$1 PARAM2=$2 @@ -35,17 +35,21 @@ usage() { } error_no_ca_file() { - echo_block "ERROR: missing ca.pem" + echo_block "ERROR: missing ca.crt.pem, ca.keys.pem" usage } main() { - if [[ ! -f ca-i.pem ]]; then + CDD=`pwd` + FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem" + FQ_CA_CRT="${CDD}/cfg/ca.crt.pem" + if [[ ! -f $FQ_CA_KEYS ]] || [[ ! -f $FQ_CA_CRT ]]; then error_no_ca_file fi if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then - generate_ca_i $PARAM1 $PARAM2 + pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg" + ca-i_gen_pki $PARAM1 $PARAM2 2 else usage fi diff --git a/src/pki_bootstrap/libs/pki_funcs.sh b/src/pki_bootstrap/libs/pki_funcs.sh index 1f27d4c..ec6ef05 100644 --- a/src/pki_bootstrap/libs/pki_funcs.sh +++ b/src/pki_bootstrap/libs/pki_funcs.sh 
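Review bot: The argument check in main() lets the call through when only one of PARAM1/PARAM2 is set (`-n $PARAM1 || -n $PARAM2`), and because both expansions are unquoted an empty one simply vanishes from the argument list, so ca-i_gen_pki sees the literal `2` as its second argument and an empty third one (its LOOP_NUM). Require both and quote them: `if [[ -n $PARAM1 && -n $PARAM2 ]]; then` / `pki_func_init "$FQ_CA_CRT" "$FQ_CA_KEYS" "${CDD}/cfg"` / `ca-i_gen_pki "$PARAM1" "$PARAM2" 2`. The `-f` tests only prove that the root CA key and certificate exist; since `cfg/ca.keys.pem` is the signing key, checking that it is readable (`-r`) and not group/world-readable before signing would be a sensible guard. Whether error_no_ca_file actually stops the script depends on usage(), whose body is outside the hunk; if it merely returns, the signing step still runs after a missing-key report. The commented-out `#$CA_CNF` in the first hunk is dead code and could be deleted rather than kept.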
@@ -31,7 +31,7 @@ echo_block() { # Grab the latest serial # from the file, auto-increment # get_serial() { - SERIAL=`head SERIAL` + SERIAL=`head "docs/SERIAL_LC"` if [[ -z $SERIAL ]]; then SERIAL=11111 echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" @@ -83,6 +83,7 @@ ca-i_gen_pki() { LOOP_NUM=$3 UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}" + mkdir -p "cfg" mkdir -p "distribution/${UNIQ_DIR_CA}" cd "distribution/${UNIQ_DIR_CA}" @@ -170,26 +171,26 @@ ca-i_gen_cert() { # ca-i_organize() { # organize the client directory - mkdir -p clients/ca-i + mkdir -p clients/cfg mkdir -p clients/data mkdir -p clients/distro mkdir -p clients/docs mv client*.pem clients/data/ mv client*.p12 clients/distro/ mv client*.info.txt clients/docs/ - cp ca_i*.crt.pem clients/ca-i/ - cp ca_i*.keys.pem clients/ca-i/ + cp ca_i*.crt.pem clients/cfg/ca_i.crt.pem + cp ca_i*.keys.pem clients/cfg/ca_i.keys.pem # organize the server directory - mkdir -p servers/ca-i + mkdir -p servers/cfg mkdir -p servers/data mkdir -p servers/distro mkdir -p servers/docs mv server_*.pem servers/data/ mv server_*.p12 servers/distro/ mv server_*.info.txt servers/docs/ - cp ca_i*.crt.pem servers/ca-i/ - cp ca_i*.keys.pem servers/ca-i/ + cp ca_i*.crt.pem servers/cfg/ca_i.crt.pem + cp ca_i*.keys.pem servers/cfg/ca_i.keys.pem # organize the ca-i directory # order matters: move these files last because they were copied above 
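Review bot: get_serial now reads `docs/SERIAL_LC` relative to the working directory, but the same patch installs that file into the generated lifecycle package as `cfg/SERIAL` (see ca-i_cp_docs), so a copy of pki_funcs.sh run from that package will not find it and will silently fall back to the constant 11111 — and the WARN text still names 'SERIAL'. Serial numbers must be unique per issuer, and every fallback reuses the same value, which yields duplicate serials across certificates and breaks revocation and strict validators; a missing serial file should be fatal, or the path should be configurable, e.g. `SERIAL=$(head -n1 -- "${SERIAL_FILE:-cfg/SERIAL}")`. `head` without `-n1` returns up to ten lines, so a stray second line would become part of the serial; a guard such as `[[ $SERIAL =~ ^[0-9]+$ ]] || { echo_block "ERROR: bad serial"; exit 1; }` would catch that. Whether the incremented value is written back is outside the hunk.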
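Review bot: The new `cp ca_i*.crt.pem clients/cfg/ca_i.crt.pem` lines (and the three like them) turn a copy-into-directory into a copy-to-file, which only works when the glob matches exactly one file; with two CA-I certificates or keys present cp fails with 'target is not a directory', and with none it fails on the literal pattern. Either assert a single match before copying or name the source explicitly from the values the function has in scope (something like `cp "ca_i_${SERIAL}.${ORG_URL}.keys.pem" clients/cfg/ca_i.keys.pem`, if that is the name ca-i_gen_pki writes — it is set outside this hunk). These copies also replicate the intermediate CA private key into both the client and the server package with umask-derived permissions; a `chmod 600` on each `*/cfg/ca_i.keys.pem` copy would be prudent. ca-i_organize continues past the end of the hunk.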
@@ -208,26 +209,31 @@ ca-i_organize() { # # Requires: # UNIQ_DIR_LC : unique string for the Lifecycle directory -# UNIQ_ID_CA-I : unique string for the CA-I +# UNIQ_ID_CAI : unique string for the CA-I # ca-i_cp_docs() { # CA-I cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/ cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/ + cp $CD_ROOT/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL + cp $CD_ROOT/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/ + cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem + cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem # client cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ + cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/ + cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/ # server cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ + cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/ + cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/ } # @@ -236,7 +242,7 @@ ca-i_cp_docs() { # gen_server() { ORG_URL=$1 - UNIQ_ID_CA=$2 + UNIQ_ID_CAI=$2 SERIAL=$3 UNIQ_ID="${SERIAL}.${ORG_URL}" 
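Review bot: The client and server branches of ca-i_cp_docs still copy `$CD_ROOT/docs/SERIAL`, but this patch renames that file to `docs/SERIAL_LC` (the CA-I branch already uses the new name), so both `cp` lines will fail with 'No such file'; they should become `cp $CD_ROOT/docs/SERIAL_LC .../clients/cfg/SERIAL` and the same for servers/cfg/SERIAL, matching the name the CA-I branch installs. The Requires comment was changed to list `UNIQ_ID_CAI`, yet nothing in the hunk reads that variable — the new lines build paths from `"ca_${UNIQ_ID_CA}"` and `$UNIQ_DIR_CA` — so the comment should name the variables the function actually depends on. The new copies place the root CA private key at `$UNIQ_DIR_LC/cfg/ca.keys.pem` next to the scripts and README with whatever mode the umask yields; add `chmod 600` on that copy and keep the lifecycle package on an offline host, since whoever holds it can mint new intermediates. Every `$CD_ROOT`/`$UNIQ_DIR_LC` expansion here is unquoted and will break on paths containing spaces.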
@@ -250,12 +256,12 @@ gen_server() { # CA Intermediate signs Server openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \ - -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ + -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \ -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem" # Package the Certificates openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \ - -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \ + -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \ -in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12" # verify certificate (output to text file for review) @@ -264,11 +270,11 @@ gen_server() { # # Generate a Client Certificate -# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL +# IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL # gen_client() { ORG_URL=$1 - UNIQ_ID_CA=$2 + UNIQ_ID_CAI=$2 SERIAL=$3 UNIQ_ID="${SERIAL}.${ORG_URL}" 
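Review bot: The PKCS#12 export on the new side of the `openssl pkcs12` line still uses the fixed `-password "pass:password"`, so every distributed server bundle's private key is protected by a well-known constant and the secret is visible to other local users via the process list while openssl runs. Since the rename touched this line anyway, take the password from the environment or a file instead, e.g. `-passout env:P12_PASSWORD` (or `-passout file:"$P12_PASS_FILE"`), and fail early when it is unset. `-set_serial ${SERIAL}` is also the only uniqueness source for the output filenames, so a serial collision silently overwrites a previous server's key and certificate rather than being reported. gen_server's body starts before this hunk and ends after it.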
@@ -282,12 +288,12 @@ gen_client() { -out "client_${UNIQ_ID}.csr.pem" # CA Intermediate signs Client openssl x509 -req -days 365 \ - -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ + -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \ -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem" # Package the Certificates openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \ - -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \ + -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \ -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12" # verify certificate (output to text file for review) diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh index 0154d93..adf7721 100755 --- a/src/pki_bootstrap/pki_bootstrap.sh +++ b/src/pki_bootstrap/pki_bootstrap.sh @@ -57,9 +57,12 @@ app_init() { } # +# Generate a new Certificate Authority +# Create a new LifeCycle package +# # IN: UNIQ_ID_CA, SERIAL # -one-time-ca() { +gen_lifecycle() { # params #SERIAL="101" @@ -96,7 +99,7 @@ main() { LIB_PATH="${CD_ROOT}/libs" app_init - one-time-ca + gen_lifecycle ca-i_gen_pki $ORG_URL 1001 2 # ca-i_gen_pki $ORG_URL 2001 5 # ca-i_gen_pki $ORG_URL 3001 8
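Review bot: The client signing command on the new side passes no `-extfile`/`-extensions`, unlike the server path which uses `-extensions v3_server`, so `openssl x509 -req` emits a certificate with no basicConstraints, keyUsage or extendedKeyUsage (typically a version 1 certificate); confirm that is intended, or add `-extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_client` (assuming such a section exists in the cnf, which is outside this patch) so client certificates are pinned to clientAuth. Both gen_client and gen_server sign with `-set_serial ${SERIAL}` under the same intermediate, while ca-i_cp_docs in this patch installs an independent copy of the serial file into clients/cfg/ and servers/cfg/; two counters for one issuer will eventually produce duplicate serials, so either share a single counter or partition the ranges. As in gen_server, the `.p12` is exported with the constant `-password "pass:password"` on the command line; prefer `-passout env:P12_PASSWORD`. gen_client's body starts before the hunk and continues after it.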