WIP: most of gen_ca-i.sh is working except for the docs, the docs need to be consolidated for easy CA-I generation

This commit is contained in:
JohnE 2018-08-23 09:58:41 -07:00
parent dd6afcba9f
commit 0e94573945
4 changed files with 37 additions and 24 deletions


@ -10,7 +10,7 @@
# source this file to include the functions # source this file to include the functions
. pki_funcs.sh . pki_funcs.sh
$CA_CNF #$CA_CNF
PARAM1=$1 PARAM1=$1
PARAM2=$2 PARAM2=$2
@ -35,17 +35,21 @@ usage() {
} }
error_no_ca_file() { error_no_ca_file() {
echo_block "ERROR: missing ca.pem" echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
usage usage
} }
main() { main() {
if [[ ! -f ca-i.pem ]]; then CDD=`pwd`
FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem"
FQ_CA_CRT="${CDD}/cfg/ca.crt.pem"
if [[ ! -f $FQ_CA_KEYS ]] || [[ ! -f $FQ_CA_CRT ]]; then
error_no_ca_file error_no_ca_file
fi fi
if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then
generate_ca_i $PARAM1 $PARAM2 pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"
ca-i_gen_pki $PARAM1 $PARAM2 2
else else
usage usage
fi fi
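Review bot: The new arguments in main are passed unquoted, `pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"` and `ca-i_gen_pki $PARAM1 $PARAM2 2`, so a working directory or parameter containing whitespace splits into extra arguments; quote them as `pki_func_init "$FQ_CA_CRT" "$FQ_CA_KEYS" "${CDD}/cfg"` and `ca-i_gen_pki "$PARAM1" "$PARAM2" 2`. The backtick substitution that sets CDD can simply be `CDD=$PWD`, which yields the same value without a subshell. As far as the hunk shows, error_no_ca_file only prints a message and calls usage, so unless usage exits the script, execution continues into pki_func_init without the CA certificate and key; a `return 1` or `exit 1` after the `error_no_ca_file` call in main would make the file check effective (usage's body is outside the hunk). main's body continues past the end of the hunk.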


@ -31,7 +31,7 @@ echo_block() {
# Grab the latest serial # from the file, auto-increment # Grab the latest serial # from the file, auto-increment
# #
get_serial() { get_serial() {
SERIAL=`head SERIAL` SERIAL=`head "docs/SERIAL_LC"`
if [[ -z $SERIAL ]]; then if [[ -z $SERIAL ]]; then
SERIAL=11111 SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
@ -83,6 +83,7 @@ ca-i_gen_pki() {
LOOP_NUM=$3 LOOP_NUM=$3
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}" UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
mkdir -p "cfg"
mkdir -p "distribution/${UNIQ_DIR_CA}" mkdir -p "distribution/${UNIQ_DIR_CA}"
cd "distribution/${UNIQ_DIR_CA}" cd "distribution/${UNIQ_DIR_CA}"
@ -170,26 +171,26 @@ ca-i_gen_cert() {
# #
ca-i_organize() { ca-i_organize() {
# organize the client directory # organize the client directory
mkdir -p clients/ca-i mkdir -p clients/cfg
mkdir -p clients/data mkdir -p clients/data
mkdir -p clients/distro mkdir -p clients/distro
mkdir -p clients/docs mkdir -p clients/docs
mv client*.pem clients/data/ mv client*.pem clients/data/
mv client*.p12 clients/distro/ mv client*.p12 clients/distro/
mv client*.info.txt clients/docs/ mv client*.info.txt clients/docs/
cp ca_i*.crt.pem clients/ca-i/ cp ca_i*.crt.pem clients/cfg/ca_i.crt.pem
cp ca_i*.keys.pem clients/ca-i/ cp ca_i*.keys.pem clients/cfg/ca_i.keys.pem
# organize the server directory # organize the server directory
mkdir -p servers/ca-i mkdir -p servers/cfg
mkdir -p servers/data mkdir -p servers/data
mkdir -p servers/distro mkdir -p servers/distro
mkdir -p servers/docs mkdir -p servers/docs
mv server_*.pem servers/data/ mv server_*.pem servers/data/
mv server_*.p12 servers/distro/ mv server_*.p12 servers/distro/
mv server_*.info.txt servers/docs/ mv server_*.info.txt servers/docs/
cp ca_i*.crt.pem servers/ca-i/ cp ca_i*.crt.pem servers/cfg/ca_i.crt.pem
cp ca_i*.keys.pem servers/ca-i/ cp ca_i*.keys.pem servers/cfg/ca_i.keys.pem
# organize the ca-i directory # organize the ca-i directory
# order matters: move these files last because they were copied above # order matters: move these files last because they were copied above
@ -208,26 +209,31 @@ ca-i_organize() {
# #
# Requires: # Requires:
# UNIQ_DIR_LC : unique string for the Lifecycle directory # UNIQ_DIR_LC : unique string for the Lifecycle directory
# UNIQ_ID_CA-I : unique string for the CA-I # UNIQ_ID_CAI : unique string for the CA-I
# #
ca-i_cp_docs() { ca-i_cp_docs() {
# CA-I # CA-I
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/ cp $CD_ROOT/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $CD_ROOT/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
# client # client
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/README cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/
cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/
# server # server
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/README cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/
cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/
} }
# #
@ -236,7 +242,7 @@ ca-i_cp_docs() {
# #
gen_server() { gen_server() {
ORG_URL=$1 ORG_URL=$1
UNIQ_ID_CA=$2 UNIQ_ID_CAI=$2
SERIAL=$3 SERIAL=$3
UNIQ_ID="${SERIAL}.${ORG_URL}" UNIQ_ID="${SERIAL}.${ORG_URL}"
@ -250,12 +256,12 @@ gen_server() {
# CA Intermediate signs Server # CA Intermediate signs Server
openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \ openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem" -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
# Package the Certificates # Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \ -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12" -in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
@ -264,11 +270,11 @@ gen_server() {
# #
# Generate a Client Certificate # Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL # IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL
# #
gen_client() { gen_client() {
ORG_URL=$1 ORG_URL=$1
UNIQ_ID_CA=$2 UNIQ_ID_CAI=$2
SERIAL=$3 SERIAL=$3
UNIQ_ID="${SERIAL}.${ORG_URL}" UNIQ_ID="${SERIAL}.${ORG_URL}"
@ -282,12 +288,12 @@ gen_client() {
-out "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client # CA Intermediate signs Client
openssl x509 -req -days 365 \ openssl x509 -req -days 365 \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem" -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
# Package the Certificates # Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \ -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12" -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
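Review bot: get_serial now reads the hard-coded relative path `docs/SERIAL_LC`, but the warning that follows still says `no file 'SERIAL' found` and the fallback silently uses the constant 11111 as the serial; if this library is also run from a lifecycle directory, where ca-i_cp_docs installs the file as `cfg/SERIAL` rather than `docs/SERIAL_LC`, every run there would hit the fallback and issue certificates sharing the same serial number under one issuer. Suggest failing instead of defaulting, e.g. `[[ -n $SERIAL ]] || { echo_block "ERROR: serial file 'docs/SERIAL_LC' missing or empty"; return 1; }`, with the caller checking the status, and naming the path actually read in the message. Separately, the Requires comment on ca-i_cp_docs was changed to `UNIQ_ID_CAI` while the added cp lines in that function expand `${UNIQ_ID_CA}`, so the documentation and the code disagree; those cp lines also leave `$CD_ROOT/$UNIQ_DIR_LC` unquoted. get_serial's body continues outside the hunk.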


@ -57,9 +57,12 @@ app_init() {
} }
# #
# Generate a new Certificate Authority
# Create a new LifeCycle package
#
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
one-time-ca() { gen_lifecycle() {
# params # params
#SERIAL="101" #SERIAL="101"
@ -96,7 +99,7 @@ main() {
LIB_PATH="${CD_ROOT}/libs" LIB_PATH="${CD_ROOT}/libs"
app_init app_init
one-time-ca gen_lifecycle
ca-i_gen_pki $ORG_URL 1001 2 ca-i_gen_pki $ORG_URL 1001 2
# ca-i_gen_pki $ORG_URL 2001 5 # ca-i_gen_pki $ORG_URL 2001 5
# ca-i_gen_pki $ORG_URL 3001 8 # ca-i_gen_pki $ORG_URL 3001 8