NEW: supports for distrobution of continued CA-I generation! I continue to modify the applications so that it is split into two different applications: PKI Bootstrap and PKI Lifecycle. The certificates are generated into neatly organized folders for distrobution as per each CA-I...now i'm adding the scripts to include in the distrobution.

src/pki_bootstrap/SERIAL

@@ -0,0 +1 @@
+10000

src/pki_bootstrap/pki_bootstrap.sh

@@ -53,15 +53,6 @@ app_init() {
   else
     usage
   fi
-
-  # Organize
-  # 
-  # create a unique path for the server certificate
-  UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
-  UNIQ_DIR="cert-chain_${UNIQ_DIR}"
-  mkdir -p "${UNIQ_DIR}"
-  cd "${UNIQ_DIR}"
-  # FQ_DIR="${CD}/${UNIQ_DIR}"
 }
 
 #
@@ -69,7 +60,20 @@ app_init() {
 #
 one-time-ca() {
   # params
-  SERIAL="101"
+  #SERIAL="101"
+
+  get_serial
+  echo_block "SERIAL == ${SERIAL}"
+  # Organize
+  # 
+  # create a unique path for the server certificate
+  UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
+  UNIQ_DIR="pki-chain_${UNIQ_DIR}"
+  mkdir -p "${UNIQ_DIR}"
+  cd "${UNIQ_DIR}"
+  # FQ_DIR="${CD}/${UNIQ_DIR}"
+
+
   UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
   CA_DIR="ca_${UNIQ_ID_CA}"
   mkdir $CA_DIR
@@ -85,23 +89,41 @@ one-time-ca() {
 # Organize the files into logical folders based on serial #
 #
 organize() {
-  # cert info
+  # organize the client directory
-  mkdir docs
+  mkdir -p clients/ca-i
-  mv *.txt docs/
+  mkdir -p clients/data
+  mkdir -p clients/distro
+  mkdir -p clients/docs
+  mv client*.pem clients/data/
+  mv client*.p12 clients/distro/
+  mv client*.info.txt clients/docs/
+  cp ca_i*.crt.pem clients/ca-i/
+  cp ca_i*.keys.pem clients/ca-i/
 
-  # move all files to folders
+  # organize the server directory
-  mkdir ca-i
+  mkdir -p servers/ca-i
-  mv ca_i*.pem ca-i/
+  mkdir -p servers/data
+  mkdir -p servers/distro
+  mkdir -p servers/docs
+  mv server_*.pem servers/data/
+  mv server_*.p12 servers/distro/
+  mv server_*.info.txt servers/docs/
+  cp ca_i*.crt.pem servers/ca-i/
+  cp ca_i*.keys.pem servers/ca-i/
 
-  mkdir servers
+  # organize the ca-i directory
-  mv server_*.pem servers/
+  mkdir -p ca-i/data
-
+  mkdir -p ca-i/docs
-  mkdir clients
+  mv ca_i*.pem ca-i/data/
-  mv client*.pem clients/
+  mv ca_i*.info.txt ca-i/docs/
+  mv ca_i*.p12 ca-i/
+  mv ca_cert-chain*.pem ca-i/
+  cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
+  cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
 }
 
 cp_pki_lifecycle() {
-  
+  echo
 }
 
 #
@@ -138,16 +160,19 @@ gen_pki_certs() {
 # INPUT:  SERIAL #, LOOP NUM
 # 
 gen_pki() {
-  SERIAL=$1
+  # organization
+  CDD=`pwd`
 
-  mkdir "ca_i_${SERIAL}.${ORG_URL}"
+  SERIAL=$1
-  cd "ca_i_${SERIAL}.${ORG_URL}"
+  UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
+  mkdir -p "distrobution/${UNIQ_DIR_CA}"
+  cd "distrobution/${UNIQ_DIR_CA}"
 
   gen_pki_certs $SERIAL $2
   organize
   cp_pki_lifecycle
 
-  cd ..
+  cd $CDD
 }
 
 
@@ -158,7 +183,7 @@ main() {
   one-time-ca
   gen_pki 10001 2
   gen_pki 50001 5
-  gen_pki 80001 10
+#  gen_pki 80001 10
   
   cd "${CD}"
 }

src/pki_bootstrap/pki_funcs.sh

@@ -3,6 +3,9 @@
 # all main functions to generate a PKI certificate chain
 # 
 
+#
+# print text wrapped in a block
+#
 echo_block() {
   echo
   echo "***** ***** ***** *****"
@@ -10,6 +13,17 @@ echo_block() {
   echo "***** ***** ***** *****"
 }
 
+# 
+# Grab the latest serial # from the file, auto-increment
+# 
+get_serial() {
+  SERIAL=`head SERIAL`
+  if [[ -z $SERIAL ]]; then
+    SERIAL=11111
+    echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
+  fi
+}
+
 # ***** ***** ***** ***** *****
 # 
 # CERTIFICATE AUTHORITY (CA)
@@ -70,7 +84,7 @@ generate_ca_i() {
                  -in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
 
   # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}_crt_info.txt"
+  openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
 
   # create certifiate chain
   cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
@@ -92,7 +106,7 @@ generate_server() {
               -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
               -out "server_${UNIQ_ID}.csr.pem"
 
-  # Intermediate signs Server
+  # CA Intermediate signs Server
   openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
                -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
                -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
@@ -121,7 +135,7 @@ generate_client() {
   openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
               -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
               -out "client_${UNIQ_ID}.csr.pem"
-  # Intermediate signs Client
+  # CA Intermediate signs Client
   openssl x509 -req -days 365 \
                -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
                -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"

src/pki_lifecycle/README

@@ -0,0 +1,9 @@
+***
+THIS was Generated by the CA generation application
+***
+
+Included in this package is a CA Intermediate generation application
+Running get_ca-i.sh  will create a new PKI certificate chain to be distributed to organizations.
+
+
+