diff --git a/README b/README index 9d7e24c..d01af26 100644 --- a/README +++ b/README @@ -1,8 +1,10 @@ - ============================ - Certificate Generation + =============================================== + Certificate Authority (CA) Generation + CA Intermediate Generation and Distribution + Project ReadMe Version 3.x - ============================ + =============================================== ------------- diff --git a/src/pki_bootstrap/README b/src/pki_bootstrap/README new file mode 100644 index 0000000..1622550 --- /dev/null +++ b/src/pki_bootstrap/README @@ -0,0 +1,24 @@ + =============================================== + Certificate Authority (CA) Generation + CA Intermediate Generation and Distribution + Version 3.x + =============================================== + + +------------- + INTRO +------------- + + + +------------- + USAGE +------------- + + + +------------- + FEATURES +------------- + + diff --git a/src/pki_bootstrap/libs/gen_client.sh b/src/pki_bootstrap/libs/gen_client.sh deleted file mode 100755 index a18aba1..0000000 --- a/src/pki_bootstrap/libs/gen_client.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash -# -# Create CA Intermediate -# -# -# This function will generate a CA Intermediate -# IN: UNIQ_ID_CA, SERIAL -# -PARAM1=$1 -PARAM2=$2 - -usage() { - echo - echo "Generate a new certificate" - echo - echo "This program will generate a new certificate authority intermediate" - echo "Requires the file ca-i.pem that is used to sign the certificates" - echo "The script requires a CA Intermediate certificate used to sign the client" - echo "" - echo "" - echo "" - echo - echo "Generate a new certificate" - echo " usage: gen_server.sh " - echo - echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\" - echo " skunkworks.acme.xyz \\" - echo " 10052 \\" - echo - exit 1 -} - -error_no_ca_file() { - echo_block "ERROR: missing ca-i.pem" - usage -} - -error_no_serial() { - echo_block "ERROR: missing SERIAL file" - usage -} - -get_serial() { - filename="SERIAL" - read -r line - SERIAL=$line - SERIAL=$((SERIAL+1)) -} - - -main() { - if [[ ! -f ca-i.pem ]]; then - error_no_ca_file - fi - if [[ ! -f SERIAL ]]; then - error_no_serial - fi - - if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then - generate_client $PARAM1 $PARAM2 - else - usage - fi -} - -main diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh index adf7721..e33709a 100755 --- a/src/pki_bootstrap/pki_bootstrap.sh +++ b/src/pki_bootstrap/pki_bootstrap.sh @@ -8,7 +8,7 @@ # # source this file to include the functions -. libs/pki_funcs.sh +. res/libs/pki_funcs.sh PARAM1=$1 @@ -25,6 +25,17 @@ usage() { exit 1 } +# +# Grab the latest serial # from the file, auto-increment +# +get_serial_ca() { + SERIAL=`head "res/cfg/SERIAL"` + if [[ -z $SERIAL ]]; then + SERIAL=11111 + echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" + fi +} + # # CA generation requires .cnf files # create CA directory 
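Review bot: get_serial_ca accepts whatever `head` returns from res/cfg/SERIAL without checking that it is a single integer, and when the file is missing or empty it silently substitutes the fixed value 11111, so every run in that state mints a CA with the same serial and the same UNIQ_ID_CA (which gen_lifecycle builds from SERIAL). The header comment says "auto-increment", but nothing in the function increments or writes the value back, so either the comment is wrong or the write-back is missing. I would replace the backtick line with `SERIAL=$(head -n 1 res/cfg/SERIAL 2>/dev/null)` and follow it with `[[ $SERIAL =~ ^[0-9]+$ ]] || { echo_block "ERROR: res/cfg/SERIAL is missing or not an integer"; exit 1; }` instead of falling through with a default. The `get_serial` in pki_funcs.sh (the @@ -31 hunk further down) has the same shape and the same default and should get the same treatment.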
@@ -34,7 +45,7 @@ usage() { app_init() { if [[ -n $PARAM1 ]]; then # need to know the location of the configuration file (expected to be in same dir path as this script) - CA_CNF="$CD_ROOT/cnf/ca.cnf" + CA_CNF="$CD_ROOT/res/cnf/ca.cnf" # handle the case of having the ".cnf" extension or not if [[ ${PARAM1: -4} == .cnf ]]; then @@ -47,7 +58,7 @@ app_init() { echo "ZXCV: ${ORG_URL}, ${S_CNF}" fi - FQ_S_CNF="${CD_ROOT}/cnf/${S_CNF}" + FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}" if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then usage fi @@ -63,10 +74,7 @@ app_init() { # IN: UNIQ_ID_CA, SERIAL # gen_lifecycle() { - # params - #SERIAL="101" - - get_serial + get_serial_ca echo_block "SERIAL == ${SERIAL}" # Organize # @@ -75,8 +83,9 @@ gen_lifecycle() { UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}" mkdir -p "${UNIQ_DIR_LC}" cd "${UNIQ_DIR_LC}" + FQ_DIR_LC=`pwd` - # create certificate + # create CA unique dir UNIQ_ID_CA="${SERIAL}.${ORG_URL}" CA_DIR="ca_${UNIQ_ID_CA}" mkdir $CA_DIR 
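Review bot: the new FQ_DIR_LC assignment records whichever directory the shell is in after the unguarded `cd "${UNIQ_DIR_LC}"` on the line above; if that cd fails, FQ_DIR_LC silently captures the parent directory and gen_lc_ca_i later runs the CA-I generation there. Guard the cd and drop the backticks: `cd "${UNIQ_DIR_LC}" || exit 1` followed by `FQ_DIR_LC=$(pwd)`. The `mkdir $CA_DIR` context line should also be quoted as `mkdir -- "$CA_DIR"`, since CA_DIR embeds ORG_URL, whose origin lies outside this hunk. gen_lifecycle starts and ends outside this hunk.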
@@ -86,23 +95,56 @@ gen_lifecycle() { FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem" # initialize the functions lib - pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/cnf/" - + pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf" # generate a new CA gen_ca $UNIQ_ID_CA $SERIAL + + # go back to original dir cd .. + cd .. +} + +# +# +# +cp_lifecycle_docs() { + RES="${CD_ROOT}/res" + + mkdir -p "${UNIQ_DIR_LC}/cfg" + cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/ + cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ + cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README + cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL + cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/ + cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ + cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ + cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem + cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem +} + +# +# Generate Lifecycle CA Intermediates +# +gen_lc_ca_i() { + cd $FQ_DIR_LC + # generate new CA-I + ca-i_gen_pki $ORG_URL 1001 2 + ca-i_gen_pki $ORG_URL 2001 5 +# ca-i_gen_pki $ORG_URL 3001 8 } main() { CD_ROOT=`pwd` - LIB_PATH="${CD_ROOT}/libs" + # generate new CA + # create new PKI Lifecycle Package app_init gen_lifecycle - ca-i_gen_pki $ORG_URL 1001 2 -# ca-i_gen_pki $ORG_URL 2001 5 -# ca-i_gen_pki $ORG_URL 3001 8 + cp_lifecycle_docs + + # gen some CAs + gen_lc_ca_i # make sure we return to root execution path cd "${CD_ROOT}" diff --git a/src/pki_bootstrap/docs/SERIAL_LC b/src/pki_bootstrap/res/cfg/SERIAL similarity index 100% rename from src/pki_bootstrap/docs/SERIAL_LC rename to src/pki_bootstrap/res/cfg/SERIAL diff --git a/src/pki_bootstrap/cnf/192.168.1.3.cnf b/src/pki_bootstrap/res/cnf/192.168.1.3.cnf similarity index 100% rename from src/pki_bootstrap/cnf/192.168.1.3.cnf rename to src/pki_bootstrap/res/cnf/192.168.1.3.cnf 
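Review bot: cp_lifecycle_docs copies the freshly generated CA signing key (`ca_*.keys.pem`) to a second location, `cfg/ca.keys.pem`, with no permission tightening, and also recursively copies the whole `res` tree into the package, so the lifecycle directory ends up holding two copies of the private key plus every configuration file. Every path in the function is an unquoted expansion of CD_ROOT, UNIQ_DIR_LC and UNIQ_ID_CA, and a `ca_*.keys.pem` glob into a single destination file misbehaves if it matches zero or several files, so I would use the exact name the hunk already builds into FQ_CA_KEYS and restrict the copy to owner-only. In gen_lc_ca_i, `cd $FQ_DIR_LC` is unquoted and unchecked; `cd "$FQ_DIR_LC" || exit 1` keeps the CA-I generation from running in CD_ROOT when the package directory is missing. The added second `cd ..` at the end of gen_lifecycle presumably undoes a cd into CA_DIR that lies outside this hunk; worth confirming, since the earlier lines of gen_lifecycle are not shown here.
```shell
cp_lifecycle_docs() {
  local res="${CD_ROOT}/res"
  local dest="${CD_ROOT}/${UNIQ_DIR_LC}"
  local ca_dir="${dest}/ca_${UNIQ_ID_CA}"

  mkdir -p "${dest}/cfg"
  cp -r "${res}" "${dest}/"
  # … unchanged: script, README, SERIAL, pki_funcs.sh and cnf copies, each expansion quoted …
  cp "${ca_dir}"/ca_*.crt.pem "${dest}/cfg/ca.crt.pem"
  # exact key name (same as FQ_CA_KEYS) instead of a glob; keep the copy owner-only
  cp "${ca_dir}/ca_${UNIQ_ID_CA}.keys.pem" "${dest}/cfg/ca.keys.pem"
  chmod 600 "${dest}/cfg/ca.keys.pem"
}
```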
diff --git a/src/pki_bootstrap/cnf/ca.cnf b/src/pki_bootstrap/res/cnf/ca.cnf similarity index 100% rename from src/pki_bootstrap/cnf/ca.cnf rename to src/pki_bootstrap/res/cnf/ca.cnf diff --git a/src/pki_bootstrap/cnf/skunkworks.acme.xyz.cnf b/src/pki_bootstrap/res/cnf/skunkworks.acme.xyz.cnf similarity index 100% rename from src/pki_bootstrap/cnf/skunkworks.acme.xyz.cnf rename to src/pki_bootstrap/res/cnf/skunkworks.acme.xyz.cnf diff --git a/src/pki_bootstrap/docs/README_C b/src/pki_bootstrap/res/docs/README_C similarity index 100% rename from src/pki_bootstrap/docs/README_C rename to src/pki_bootstrap/res/docs/README_C diff --git a/src/pki_bootstrap/res/docs/README_CAI b/src/pki_bootstrap/res/docs/README_CAI new file mode 100644 index 0000000..2950c05 --- /dev/null +++ b/src/pki_bootstrap/res/docs/README_CAI @@ -0,0 +1,21 @@ + + ============================ + CA Intermediate README + Version 3.1 + ============================ + + +------------- + INTRO +------------- + +This application will generate new client certificates. The certificates can be used with any +VPN client service. The certificate chain is also included (CA certificate & CA-I certificate). + + +------------- + USAGE +------------- + + + diff --git a/src/pki_bootstrap/docs/README_LC b/src/pki_bootstrap/res/docs/README_LC similarity index 100% rename from src/pki_bootstrap/docs/README_LC rename to src/pki_bootstrap/res/docs/README_LC diff --git a/src/pki_bootstrap/docs/README_S b/src/pki_bootstrap/res/docs/README_S similarity index 100% rename from src/pki_bootstrap/docs/README_S rename to src/pki_bootstrap/res/docs/README_S diff --git a/src/pki_bootstrap/docs/SERIAL b/src/pki_bootstrap/res/docs/SERIAL similarity index 100% rename from src/pki_bootstrap/docs/SERIAL rename to src/pki_bootstrap/res/docs/SERIAL diff --git a/src/pki_bootstrap/res/docs/SERIAL_LC b/src/pki_bootstrap/res/docs/SERIAL_LC new file mode 100644 index 0000000..97a55e1 --- /dev/null +++ b/src/pki_bootstrap/res/docs/SERIAL_LC 
@@ -0,0 +1 @@ +101 \ No newline at end of file diff --git a/src/pki_bootstrap/libs/gen_ca-i.sh b/src/pki_bootstrap/res/libs/gen_ca-i.sh similarity index 84% rename from src/pki_bootstrap/libs/gen_ca-i.sh rename to src/pki_bootstrap/res/libs/gen_ca-i.sh index 39b4dd9..ff1d198 100755 --- a/src/pki_bootstrap/libs/gen_ca-i.sh +++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh @@ -8,12 +8,12 @@ # # source this file to include the functions -. pki_funcs.sh - -#$CA_CNF +. cfg/pki_funcs.sh PARAM1=$1 PARAM2=$2 +PARAM3=$3 + usage() { echo @@ -22,10 +22,7 @@ usage() { echo "This program will generate a new certificate authority (CA) intermediate" echo "It requires a CA certificate used to sign CA Intermediate" echo "Requires the file \"ca.pem\" that is used to sign the certificates" - echo "" - echo "" - echo "" - echo + echo echo " usage: gen_ca-i.sh " echo echo " example: gen_ca-i.sh skunkworks.acme.xyz" @@ -39,6 +36,7 @@ error_no_ca_file() { usage } + main() { CDD=`pwd` FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem" @@ -47,9 +45,14 @@ main() { error_no_ca_file fi - if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then + if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg" - ca-i_gen_pki $PARAM1 $PARAM2 2 + + if [[ -z $PARAM3 ]]; then + PARAM3=5 + fi + + ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3 else usage fi diff --git a/src/pki_bootstrap/res/libs/gen_client.sh b/src/pki_bootstrap/res/libs/gen_client.sh new file mode 100755 index 0000000..69939ec --- /dev/null +++ b/src/pki_bootstrap/res/libs/gen_client.sh 
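Review bot: the new PARAM3 default and the `&&` guard in gen_ca-i.sh still hand `$PARAM2` (apparently the starting serial, given that pki_bootstrap.sh passes 1001 in that position) and `$PARAM3` (LOOP_NUM in ca-i_gen_pki) to ca-i_gen_pki unquoted and without checking they are integers, so a non-numeric argument reaches certificate generation instead of usage. I would add `[[ $PARAM2 =~ ^[0-9]+$ && $PARAM3 =~ ^[0-9]+$ ]] || usage` right after the default is applied and quote the call as `ca-i_gen_pki "$PARAM1" "$PARAM2" "$PARAM3"`. The closing brace of main lies outside this hunk.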
@@ -0,0 +1,53 @@ +#!/bin/bash +# +# Create Client Certificates +# +# +# This function will generate a Client cert +# IN: UNIQ_ID_CA, SERIAL +# + +# source this file to include the functions +. cfg/pki_funcs.sh + +PARAM1=$1 +PARAM2=$2 +PARAM3=$3 + + +usage() { + echo + echo "Generate a new Client certificate" + echo + echo + echo "Generate a new certificate" + echo " usage: gen_client.sh " + echo + echo " example: gen_client.sh skunkworks.acme.xyz \\" + echo " 10052 \\" + echo + exit 1 +} + +error_no_ca_file() { + echo_block "ERROR: missing ca-i.pem" + usage +} + + +main() { + if [[ ! -f ca-i.pem ]]; then + error_no_ca_file + fi + if [[ ! -f SERIAL ]]; then + error_no_serial + fi + + if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then + gen_client $PARAM1 $PARAM2 + else + usage + fi +} + +main diff --git a/src/pki_bootstrap/libs/gen_server.sh b/src/pki_bootstrap/res/libs/gen_server.sh similarity index 100% rename from src/pki_bootstrap/libs/gen_server.sh rename to src/pki_bootstrap/res/libs/gen_server.sh diff --git a/src/pki_bootstrap/libs/pki_funcs.sh b/src/pki_bootstrap/res/libs/pki_funcs.sh similarity index 83% rename from src/pki_bootstrap/libs/pki_funcs.sh rename to src/pki_bootstrap/res/libs/pki_funcs.sh index ec6ef05..02784f2 100644 --- a/src/pki_bootstrap/libs/pki_funcs.sh +++ b/src/pki_bootstrap/res/libs/pki_funcs.sh @@ -31,7 +31,7 @@ echo_block() { # Grab the latest serial # from the file, auto-increment # get_serial() { - SERIAL=`head "docs/SERIAL_LC"` + SERIAL=`head "cfg/SERIAL"` if [[ -z $SERIAL ]]; then SERIAL=11111 echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" @@ -83,7 +83,6 @@ ca-i_gen_pki() { LOOP_NUM=$3 UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}" - mkdir -p "cfg" mkdir -p "distribution/${UNIQ_DIR_CA}" cd "distribution/${UNIQ_DIR_CA}" 
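Review bot: main in the new gen_client.sh calls `error_no_serial` when SERIAL is absent, but the file defines only `usage` and `error_no_ca_file` (the deleted libs/gen_client.sh had an `error_no_serial`), and none of the pki_funcs.sh hunks on this page show one; without `set -e` that path prints "command not found" and falls through into gen_client with no serial file. Either restore `error_no_serial() { echo_block "ERROR: missing SERIAL file"; usage; }` or call usage directly. The argument guard is still `||` although the same commit changes gen_ca-i.sh to `&&`, so a run with only one argument proceeds; `[[ -n $PARAM1 && -n $PARAM2 ]]` matches the sibling script. PARAM3 is read but never used, and `gen_client` itself is assumed to come from cfg/pki_funcs.sh, which this page does not show.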
@@ -167,7 +166,7 @@ ca-i_gen_cert() { } # -# Organize the files into logical folders based on serial # +# Organize the generated crypto files into logical folders # ca-i_organize() { # organize the client directory @@ -196,12 +195,11 @@ ca-i_organize() { # order matters: move these files last because they were copied above mkdir -p ca-i/data mkdir -p ca-i/docs + mkdir -p ca-i/distro mv ca_i*.pem ca-i/data/ mv ca_i*.info.txt ca-i/docs/ - mv ca_i*.p12 ca-i/ - mv ca_cert-chain*.pem ca-i/ - cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/ - cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/ + mv ca_i*.p12 ca-i/distro + mv ca_cert-chain*.pem ca-i/distro } # 
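Review bot: the new `mv ca_i*.p12 ca-i/distro` and `mv ca_cert-chain*.pem ca-i/distro` lines, like the existing moves above them, run with no error check and without nullglob, so an unmatched pattern is passed literally and a failed move is silent while the script continues to the documentation copy. `mv -- ca_i*.p12 ca-i/distro/ || exit 1` (and the same for the chain) makes a missing artifact fatal. Since ca-i/distro is now the hand-off set, it is worth confirming that the PKCS#12 bundle placed there contains only what is meant to leave the machine; the generation step that decides its contents is outside this hunk, while the `ca_i*.pem` files stay in ca-i/data/ as before. ca-i_organize starts outside this hunk.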
@@ -212,28 +210,26 @@ ca-i_organize() { # UNIQ_ID_CAI : unique string for the CA-I # ca-i_cp_docs() { + DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}" + # CA-I - cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ - cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/ - cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README - cp $CD_ROOT/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL - cp $CD_ROOT/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/ - cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem - cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem + cp $CDD/res/docs/README_CAI $DEST_DIR/README + cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/ + cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/ # client - cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ - cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ - cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/ - cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/ + cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/ + cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg + cp $CDD/res/docs/README_C $DEST_DIR/clients/README + cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/ + cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/ # server - cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ - cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ - cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/ - cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/ + cp 
$CDD/res/libs/gen_server.sh $DEST_DIR/servers/ + cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/ + cp $CDD/res/docs/README_S $DEST_DIR/servers/README + cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/ + cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/ } #
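Review bot: the client kit and the server kit receive the same seed file, `cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/` and `cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/`; if gen_client.sh and gen_server.sh each count up from their own copy while issuing under the same CA-I, client and server certificates will carry colliding serial numbers, which must be unique per issuer. One shared counter per CA-I, or disjoint starting ranges per kit along the lines of the 1001/2001 split pki_bootstrap.sh uses per CA-I, avoids that. DEST_DIR is built from CDD, which on this page is assigned only in gen_ca-i.sh's main; when pki_funcs.sh is driven from pki_bootstrap.sh, confirm that pki_func_init (not shown) sets it, otherwise DEST_DIR begins with `/distribution`. Every path in the function is unquoted, and `$DEST_DIR/clients/cfg` lacks the trailing slash its server counterpart has, so if that directory does not exist yet pki_funcs.sh is written as a file named cfg.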