NEW: supports for distrobution of continued CA-I generation! I continue to modify the applications so that it is split into two different applications: PKI Bootstrap and PKI Lifecycle. The certificates are generated into neatly organized folders for distrobution as per each CA-I...now i'm adding the scripts to include in the distrobution.

2018-08-12 10:25:55 -07:00 · 2018-08-12 10:25:55 -07:00 · 1816ecc5a2
parent 22eae1703a
commit 1816ecc5a2
4 changed files with 79 additions and 30 deletions
--- a/src/pki_bootstrap/SERIAL
+++ b/src/pki_bootstrap/SERIAL
@ -0,0 +1 @@
+10000
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
@ -53,15 +53,6 @@ app_init() {
  else
    usage
  fi
-
-  # Organize
-  # 
-  # create a unique path for the server certificate
-  UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
-  UNIQ_DIR="cert-chain_${UNIQ_DIR}"
-  mkdir -p "${UNIQ_DIR}"
-  cd "${UNIQ_DIR}"
-  # FQ_DIR="${CD}/${UNIQ_DIR}"
 }

 #
@ -69,7 +60,20 @@ app_init() {
 #
 one-time-ca() {
  # params
-  SERIAL="101"
+  #SERIAL="101"
+
+  get_serial
+  echo_block "SERIAL == ${SERIAL}"
+  # Organize
+  # 
+  # create a unique path for the server certificate
+  UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
+  UNIQ_DIR="pki-chain_${UNIQ_DIR}"
+  mkdir -p "${UNIQ_DIR}"
+  cd "${UNIQ_DIR}"
+  # FQ_DIR="${CD}/${UNIQ_DIR}"
+
+
  UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
  CA_DIR="ca_${UNIQ_ID_CA}"
  mkdir $CA_DIR
@ -85,23 +89,41 @@ one-time-ca() {
 # Organize the files into logical folders based on serial #
 #
 organize() {
-  # cert info
-  mkdir docs
-  mv *.txt docs/
+  # organize the client directory
+  mkdir -p clients/ca-i
+  mkdir -p clients/data
+  mkdir -p clients/distro
+  mkdir -p clients/docs
+  mv client*.pem clients/data/
+  mv client*.p12 clients/distro/
+  mv client*.info.txt clients/docs/
+  cp ca_i*.crt.pem clients/ca-i/
+  cp ca_i*.keys.pem clients/ca-i/

-  # move all files to folders
-  mkdir ca-i
-  mv ca_i*.pem ca-i/
+  # organize the server directory
+  mkdir -p servers/ca-i
+  mkdir -p servers/data
+  mkdir -p servers/distro
+  mkdir -p servers/docs
+  mv server_*.pem servers/data/
+  mv server_*.p12 servers/distro/
+  mv server_*.info.txt servers/docs/
+  cp ca_i*.crt.pem servers/ca-i/
+  cp ca_i*.keys.pem servers/ca-i/

-  mkdir servers
-  mv server_*.pem servers/
-
-  mkdir clients
-  mv client*.pem clients/
+  # organize the ca-i directory
+  mkdir -p ca-i/data
+  mkdir -p ca-i/docs
+  mv ca_i*.pem ca-i/data/
+  mv ca_i*.info.txt ca-i/docs/
+  mv ca_i*.p12 ca-i/
+  mv ca_cert-chain*.pem ca-i/
+  cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
+  cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
 }

 cp_pki_lifecycle() {
-  
+  echo
 }

 #
@ -138,16 +160,19 @@ gen_pki_certs() {
 # INPUT:  SERIAL #, LOOP NUM
 # 
 gen_pki() {
-  SERIAL=$1
+  # organization
+  CDD=`pwd`

-  mkdir "ca_i_${SERIAL}.${ORG_URL}"
-  cd "ca_i_${SERIAL}.${ORG_URL}"
+  SERIAL=$1
+  UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
+  mkdir -p "distrobution/${UNIQ_DIR_CA}"
+  cd "distrobution/${UNIQ_DIR_CA}"

  gen_pki_certs $SERIAL $2
  organize
  cp_pki_lifecycle

-  cd ..
+  cd $CDD
 }


@ -158,7 +183,7 @@ main() {
  one-time-ca
  gen_pki 10001 2
  gen_pki 50001 5
-  gen_pki 80001 10
+#  gen_pki 80001 10
  
  cd "${CD}"
 }
--- a/src/pki_bootstrap/pki_funcs.sh
+++ b/src/pki_bootstrap/pki_funcs.sh
@ -3,6 +3,9 @@
 # all main functions to generate a PKI certificate chain
 # 

+#
+# print text wrapped in a block
+#
 echo_block() {
  echo
  echo "***** ***** ***** *****"
@ -10,6 +13,17 @@ echo_block() {
  echo "***** ***** ***** *****"
 }

+# 
+# Grab the latest serial # from the file, auto-increment
+# 
+get_serial() {
+  SERIAL=`head SERIAL`
+  if [[ -z $SERIAL ]]; then
+    SERIAL=11111
+    echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
+  fi
+}
+
 # ***** ***** ***** ***** *****
 # 
 # CERTIFICATE AUTHORITY (CA)
@ -70,7 +84,7 @@ generate_ca_i() {
                 -in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"

  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}_crt_info.txt"
+  openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"

  # create certifiate chain
  cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
@ -92,7 +106,7 @@ generate_server() {
              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
              -out "server_${UNIQ_ID}.csr.pem"

-  # Intermediate signs Server
+  # CA Intermediate signs Server
  openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
               -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
               -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
@ -121,7 +135,7 @@ generate_client() {
  openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
              -out "client_${UNIQ_ID}.csr.pem"
-  # Intermediate signs Client
+  # CA Intermediate signs Client
  openssl x509 -req -days 365 \
               -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
               -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
--- a/src/pki_lifecycle/README
+++ b/src/pki_lifecycle/README
@ -0,0 +1,9 @@
+***
+THIS was Generated by the CA generation application
+***
+
+Included in this package is a CA Intermediate generation application
+Running get_ca-i.sh  will create a new PKI certificate chain to be distributed to organizations.
+
+
+