From 1816ecc5a2d1a6091636e7f10f1a4ff2a00f5594 Mon Sep 17 00:00:00 2001
From: JohnE
Date: Sun, 12 Aug 2018 10:25:55 -0700
Subject: [PATCH] NEW: supports for distrobution of continued CA-I generation!
I continue to modify the applications so that it is split into two different applications: PKI Bootstrap and PKI Lifecycle. The certificates are generated into neatly organized folders for distrobution as per each CA-I...now i'm adding the scripts to include in the distrobution.
---
 src/pki_bootstrap/SERIAL | 1 +
 src/pki_bootstrap/pki_bootstrap.sh | 79 ++++++++++++++++++++----------
 src/pki_bootstrap/pki_funcs.sh | 20 ++++++--
 src/pki_lifecycle/README | 9 ++++
 4 files changed, 79 insertions(+), 30 deletions(-)
 create mode 100644 src/pki_bootstrap/SERIAL
 create mode 100644 src/pki_lifecycle/README
diff --git a/src/pki_bootstrap/SERIAL b/src/pki_bootstrap/SERIAL
new file mode 100644
index 0000000..1746da6
--- /dev/null
+++ b/src/pki_bootstrap/SERIAL
@@ -0,0 +1 @@
+10000
\ No newline at end of file
diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh
index ce7bb87..f91d666 100755
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
@@ -53,15 +53,6 @@ app_init() {
 else
 usage
 fi
-
- # Organize
- #
- # create a unique path for the server certificate
- UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
- UNIQ_DIR="cert-chain_${UNIQ_DIR}"
- mkdir -p "${UNIQ_DIR}"
- cd "${UNIQ_DIR}"
- # FQ_DIR="${CD}/${UNIQ_DIR}"
 }
 #
@@ -69,7 +60,20 @@ app_init() {
 #
 one-time-ca() {
 # params
- SERIAL="101"
+ #SERIAL="101"
+
+ get_serial
+ echo_block "SERIAL == ${SERIAL}"
+ # Organize
+ #
+ # create a unique path for the server certificate
+ UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
+ UNIQ_DIR="pki-chain_${UNIQ_DIR}"
+ mkdir -p "${UNIQ_DIR}"
+ cd "${UNIQ_DIR}"
+ # FQ_DIR="${CD}/${UNIQ_DIR}"
+
+
 UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
 CA_DIR="ca_${UNIQ_ID_CA}"
 mkdir $CA_DIR
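Review bot: `cd "${UNIQ_DIR}"` in one-time-ca is unchecked, so if the preceding `mkdir -p` or the cd fails, the root CA key and every certificate generated afterwards are written into whatever directory the caller happened to be in rather than the fresh pki-chain_… folder. Chain the two and abort on failure: `mkdir -p "${UNIQ_DIR}" && cd "${UNIQ_DIR}" || { echo "cannot enter ${UNIQ_DIR}" >&2; exit 1; }`. The value get_serial puts in SERIAL becomes part of UNIQ_ID_CA and the CA directory name, so a stale or empty SERIAL file silently reuses an identifier from an earlier run; a comment after `get_serial` such as `# SERIAL is the persisted counter in ./SERIAL; it names this CA and (presumably) seeds its certificate serial` would make that dependency visible. The body of one-time-ca continues past the end of the hunk.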
@@ -85,23 +89,41 @@ one-time-ca() {
 # Organize the files into logical folders based on serial
 #
 #
 organize() {
- # cert info
- mkdir docs
- mv *.txt docs/
+ # organize the client directory
+ mkdir -p clients/ca-i
+ mkdir -p clients/data
+ mkdir -p clients/distro
+ mkdir -p clients/docs
+ mv client*.pem clients/data/
+ mv client*.p12 clients/distro/
+ mv client*.info.txt clients/docs/
+ cp ca_i*.crt.pem clients/ca-i/
+ cp ca_i*.keys.pem clients/ca-i/
- # move all files to folders
- mkdir ca-i
- mv ca_i*.pem ca-i/
+ # organize the server directory
+ mkdir -p servers/ca-i
+ mkdir -p servers/data
+ mkdir -p servers/distro
+ mkdir -p servers/docs
+ mv server_*.pem servers/data/
+ mv server_*.p12 servers/distro/
+ mv server_*.info.txt servers/docs/
+ cp ca_i*.crt.pem servers/ca-i/
+ cp ca_i*.keys.pem servers/ca-i/
- mkdir servers
- mv server_*.pem servers/
-
- mkdir clients
- mv client*.pem clients/
+ # organize the ca-i directory
+ mkdir -p ca-i/data
+ mkdir -p ca-i/docs
+ mv ca_i*.pem ca-i/data/
+ mv ca_i*.info.txt ca-i/docs/
+ mv ca_i*.p12 ca-i/
+ mv ca_cert-chain*.pem ca-i/
+ cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
+ cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
 }
 cp_pki_lifecycle() {
-
+ echo
 }
 #
@@ -138,16 +160,19 @@ gen_pki_certs() {
 # INPUT: SERIAL #, LOOP NUM
 #
 gen_pki() {
- SERIAL=$1
+ # organization
+ CDD=`pwd`
- mkdir "ca_i_${SERIAL}.${ORG_URL}"
- cd "ca_i_${SERIAL}.${ORG_URL}"
+ SERIAL=$1
+ UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
+ mkdir -p "distrobution/${UNIQ_DIR_CA}"
+ cd "distrobution/${UNIQ_DIR_CA}"
 gen_pki_certs $SERIAL $2
 organize
 cp_pki_lifecycle
- cd ..
+ cd $CDD
 }
@@ -158,7 +183,7 @@ main() {
 one-time-ca
 gen_pki 10001 2
 gen_pki 50001 5
- gen_pki 80001 10
+# gen_pki 80001 10
 cd "${CD}"
 }
diff --git a/src/pki_bootstrap/pki_funcs.sh b/src/pki_bootstrap/pki_funcs.sh
index 9874230..433fd5b 100644
--- a/src/pki_bootstrap/pki_funcs.sh
+++ b/src/pki_bootstrap/pki_funcs.sh
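Review bot: `cp ca_i*.keys.pem clients/ca-i/` and `cp ca_i*.keys.pem servers/ca-i/` in organize() copy the intermediate CA's private key into the folders that are handed out with each client and server bundle; a relying party only needs the CA-I certificate (or the chain) to validate peers, and any recipient of the signing key can mint certificates the whole PKI trusts. Unless clients and servers are themselves meant to issue certificates, drop those two lines and ship the chain instead: `cp ca_cert-chain*.pem clients/ca-i/` and `cp ca_cert-chain*.pem servers/ca-i/`. The key also lands in ca-i/data/ through `mv ca_i*.pem ca-i/data/`, which appears to be the package meant for the organization that continues issuing, so that tree should be protected as secret material (e.g. `chmod -R go-rwx ca-i` before it is distributed). `$FQ_CA_DIR` in the last two cp lines is unquoted.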
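Review bot: `cd "distrobution/${UNIQ_DIR_CA}"` in gen_pki is unchecked and the return trip `cd $CDD` is unquoted, so a failed cd makes the next gen_pki call generate, move and copy files inside the previous CA-I's directory, and a working path containing spaces breaks the return. Write `CDD=$(pwd)`, `mkdir -p "distrobution/${UNIQ_DIR_CA}" && cd "distrobution/${UNIQ_DIR_CA}" || return 1`, and `cd "$CDD"`. The directory name `distrobution` is a misspelling of "distribution" that will be baked into the on-disk layout the lifecycle scripts depend on; fixing it now is cheap, later it is a migration. The `# organization` comment does not say what CDD is for; `# remember the caller's directory so each CA-I is generated in its own subtree` would.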
@@ -3,6 +3,9 @@
 # all main functions to generate a PKI certificate chain
 #
+ #
+ # print text wrapped in a block
+ #
 echo_block() {
 echo
 echo "***** ***** ***** *****"
@@ -10,6 +13,17 @@ echo_block() {
 echo "***** ***** ***** *****"
 }
+ #
+ # Grab the latest serial # from the file, auto-increment
+ #
+ get_serial() {
+ SERIAL=`head SERIAL`
+ if [[ -z $SERIAL ]]; then
+ SERIAL=11111
+ echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
+ fi
+ }
+
 # ***** ***** ***** ***** *****
 #
 # CERTIFICATE AUTHORITY (CA)
@@ -70,7 +84,7 @@ generate_ca_i() {
 -in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
 # verify certificate (output to text file for review)
- openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}_crt_info.txt"
+ openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
 # create certifiate chain
 cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
@@ -92,7 +106,7 @@ generate_server() {
 -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
 -out "server_${UNIQ_ID}.csr.pem"
- # Intermediate signs Server
+ # CA Intermediate signs Server
 openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
 -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
 -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
@@ -121,7 +135,7 @@ generate_client() {
 openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
 -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
 -out "client_${UNIQ_ID}.csr.pem"
- # Intermediate signs Client
+ # CA Intermediate signs Client
 openssl x509 -req -days 365 \
 -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
 -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
diff --git a/src/pki_lifecycle/README b/src/pki_lifecycle/README
new file mode 100644
index 0000000..b3a4c55
--- /dev/null
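Review bot: The header on get_serial promises "auto-increment", but nothing in the function increments or writes SERIAL back, so every run reads the same 10000 from the file; if that value is also fed to `-set_serial` for the CA certificate the way the leaf certificates below use `${SERIAL}`, the issuer re-emits the same serial each run, which RFC 5280 forbids and which breaks revocation by serial. `SERIAL=\`head SERIAL\`` also returns the first ten lines rather than one value, a non-numeric file is accepted silently, and the "no file" warning fires for an empty file too. The rewrite below reads one line, validates it, and persists the next value; the SERIAL path is still resolved against the current directory, so callers must cd to the bootstrap directory first (worth a comment if that is the intended contract).
```shell
get_serial() {
  # Read the persisted counter (first line only) and store the next value,
  # so a re-run never reuses a serial for the CA.
  SERIAL=""
  [[ -r SERIAL ]] && IFS= read -r SERIAL < SERIAL
  if [[ -z "${SERIAL}" ]]; then
    SERIAL=11111
    echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
  fi
  if [[ ! "${SERIAL}" =~ ^[0-9]+$ ]]; then
    echo_block "ERROR: SERIAL must be a decimal integer, got '${SERIAL}'"
    return 1
  fi
  printf '%s\n' "$((SERIAL + 1))" > SERIAL
}
```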
+++ b/src/pki_lifecycle/README
@@ -0,0 +1,9 @@
+***
+THIS was Generated by the CA generation application
+***
+
+Included in this package is a CA Intermediate generation application
+Running get_ca-i.sh will create a new PKI certificate chain to be distributed to organizations.
+
+
+