FIN: completed the gen_ca-i.sh refactoring, CA-Is are generated from the Lifecycle package now! :)

This commit is contained in:
JohnE 2018-08-23 20:14:13 -07:00
parent 0e94573945
commit 1c10bd4b55
18 changed files with 192 additions and 116 deletions

8
README

@ -1,8 +1,10 @@
============================ ===============================================
Certificate Generation Certificate Authority (CA) Generation
CA Intermediate Generation and Distribution
Project ReadMe
Version 3.x Version 3.x
============================ ===============================================
------------- -------------

24
src/pki_bootstrap/README Normal file

@ -0,0 +1,24 @@
===============================================
Certificate Authority (CA) Generation
CA Intermediate Generation and Distribution
Version 3.x
===============================================
-------------
INTRO
-------------
-------------
USAGE
-------------
-------------
FEATURES
-------------


@ -1,66 +0,0 @@
#!/bin/bash
#
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
PARAM1=$1
PARAM2=$2
usage() {
echo
echo "Generate a new certificate"
echo
echo "This program will generate a new certificate authority intermediate"
echo "Requires the file ca-i.pem that is used to sign the certificates"
echo "The script requires a CA Intermediate certificate used to sign the client"
echo ""
echo ""
echo ""
echo
echo "Generate a new certificate"
echo " usage: gen_server.sh <CA Intermediate> <Org URL> <Serial>"
echo
echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\"
echo " skunkworks.acme.xyz \\"
echo " 10052 \\"
echo
exit 1
}
error_no_ca_file() {
echo_block "ERROR: missing ca-i.pem"
usage
}
error_no_serial() {
echo_block "ERROR: missing SERIAL file"
usage
}
get_serial() {
filename="SERIAL"
read -r line
SERIAL=$line
SERIAL=$((SERIAL+1))
}
main() {
if [[ ! -f ca-i.pem ]]; then
error_no_ca_file
fi
if [[ ! -f SERIAL ]]; then
error_no_serial
fi
if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then
generate_client $PARAM1 $PARAM2
else
usage
fi
}
main


@ -8,7 +8,7 @@
# #
# source this file to include the functions # source this file to include the functions
. libs/pki_funcs.sh . res/libs/pki_funcs.sh
PARAM1=$1 PARAM1=$1
@ -25,6 +25,17 @@ usage() {
exit 1 exit 1
} }
#
# Grab the latest serial # from the file, auto-increment
#
get_serial_ca() {
SERIAL=`head "res/cfg/SERIAL"`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
fi
}
# #
# CA generation requires .cnf files # CA generation requires .cnf files
# create CA directory # create CA directory
@ -34,7 +45,7 @@ usage() {
app_init() { app_init() {
if [[ -n $PARAM1 ]]; then if [[ -n $PARAM1 ]]; then
# need to know the location of the configuration file (expected to be in same dir path as this script) # need to know the location of the configuration file (expected to be in same dir path as this script)
CA_CNF="$CD_ROOT/cnf/ca.cnf" CA_CNF="$CD_ROOT/res/cnf/ca.cnf"
# handle the case of having the ".cnf" extension or not # handle the case of having the ".cnf" extension or not
if [[ ${PARAM1: -4} == .cnf ]]; then if [[ ${PARAM1: -4} == .cnf ]]; then
@ -47,7 +58,7 @@ app_init() {
echo "ZXCV: ${ORG_URL}, ${S_CNF}" echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi fi
FQ_S_CNF="${CD_ROOT}/cnf/${S_CNF}" FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"
if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
usage usage
fi fi
@ -63,10 +74,7 @@ app_init() {
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
gen_lifecycle() { gen_lifecycle() {
# params get_serial_ca
#SERIAL="101"
get_serial
echo_block "SERIAL == ${SERIAL}" echo_block "SERIAL == ${SERIAL}"
# Organize # Organize
# #
@ -75,8 +83,9 @@ gen_lifecycle() {
UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}" UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
mkdir -p "${UNIQ_DIR_LC}" mkdir -p "${UNIQ_DIR_LC}"
cd "${UNIQ_DIR_LC}" cd "${UNIQ_DIR_LC}"
FQ_DIR_LC=`pwd`
# create certificate # create CA unique dir
UNIQ_ID_CA="${SERIAL}.${ORG_URL}" UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
CA_DIR="ca_${UNIQ_ID_CA}" CA_DIR="ca_${UNIQ_ID_CA}"
mkdir $CA_DIR mkdir $CA_DIR
@ -86,23 +95,56 @@ gen_lifecycle() {
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem" FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
# initialize the functions lib # initialize the functions lib
pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/cnf/" pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
# generate a new CA # generate a new CA
gen_ca $UNIQ_ID_CA $SERIAL gen_ca $UNIQ_ID_CA $SERIAL
# go back to original dir
cd .. cd ..
cd ..
}
#
#
#
cp_lifecycle_docs() {
RES="${CD_ROOT}/res"
mkdir -p "${UNIQ_DIR_LC}/cfg"
cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
}
#
# Generate Lifecycle CA Intermediates
#
gen_lc_ca_i() {
cd $FQ_DIR_LC
# generate new CA-I
ca-i_gen_pki $ORG_URL 1001 2
ca-i_gen_pki $ORG_URL 2001 5
# ca-i_gen_pki $ORG_URL 3001 8
} }
main() { main() {
CD_ROOT=`pwd` CD_ROOT=`pwd`
LIB_PATH="${CD_ROOT}/libs"
# generate new CA
# create new PKI Lifecycle Package
app_init app_init
gen_lifecycle gen_lifecycle
ca-i_gen_pki $ORG_URL 1001 2 cp_lifecycle_docs
# ca-i_gen_pki $ORG_URL 2001 5
# ca-i_gen_pki $ORG_URL 3001 8 # gen some CAs
gen_lc_ca_i
# make sure we return to root execution path # make sure we return to root execution path
cd "${CD_ROOT}" cd "${CD_ROOT}"
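Review bot: `gen_lc_ca_i` enters the lifecycle package with `cd $FQ_DIR_LC` unquoted and unchecked, and nothing in the hunk shows `set -e`, so if that `cd` fails the two `ca-i_gen_pki` calls create and sign intermediates in whatever directory the shell is currently in, looking for `cfg/ca.keys.pem` in the wrong place; `FQ_DIR_LC` is also only set as a side effect of `gen_lifecycle` via `pwd`, which the function name does not suggest. Use `cd "${FQ_DIR_LC}" || { echo_block "ERROR: cannot cd to ${FQ_DIR_LC}"; exit 1; }` and quote the other expansions in this function. Separately, `cp_lifecycle_docs` copies the CA private key to `cfg/ca.keys.pem` with plain `cp`, so the copy's mode is whatever the umask yields; add `chmod 600 "${CD_ROOT}/${UNIQ_DIR_LC}/cfg/ca.keys.pem"` after that copy, and note that the `ca_*.keys.pem` glob is unquoted and would misbehave if more than one CA directory ever matched. The body of `main` continues past the end of the hunk.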


@ -0,0 +1,21 @@
============================
CA Intermediate README
Version 3.1
============================
-------------
INTRO
-------------
This application will generate new client certificates. The certificates can be used with any
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
-------------
USAGE
-------------


@ -0,0 +1 @@
101


@ -8,12 +8,12 @@
# #
# source this file to include the functions # source this file to include the functions
. pki_funcs.sh . cfg/pki_funcs.sh
#$CA_CNF
PARAM1=$1 PARAM1=$1
PARAM2=$2 PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
@ -22,10 +22,7 @@ usage() {
echo "This program will generate a new certificate authority (CA) intermediate" echo "This program will generate a new certificate authority (CA) intermediate"
echo "It requires a CA certificate used to sign CA Intermediate" echo "It requires a CA certificate used to sign CA Intermediate"
echo "Requires the file \"ca.pem\" that is used to sign the certificates" echo "Requires the file \"ca.pem\" that is used to sign the certificates"
echo "" echo
echo ""
echo ""
echo
echo " usage: gen_ca-i.sh <Org URL> <Serial>" echo " usage: gen_ca-i.sh <Org URL> <Serial>"
echo echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz" echo " example: gen_ca-i.sh skunkworks.acme.xyz"
@ -39,6 +36,7 @@ error_no_ca_file() {
usage usage
} }
main() { main() {
CDD=`pwd` CDD=`pwd`
FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem" FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem"
@ -47,9 +45,14 @@ main() {
error_no_ca_file error_no_ca_file
fi fi
if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg" pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"
ca-i_gen_pki $PARAM1 $PARAM2 2
if [[ -z $PARAM3 ]]; then
PARAM3=5
fi
ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
else else
usage usage
fi fi
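Review bot: The new optional third argument `PARAM3` (defaulted to 5 and passed to `ca-i_gen_pki` as its loop count) is neither documented in `usage()` nor validated, so a stray non-numeric value is handed to the generator unchecked; the usage hunk earlier in this file still reads `usage: gen_ca-i.sh <Org URL> <Serial>`. Change that line to `echo " usage: gen_ca-i.sh <Org URL> <Serial> [<CA-I count, default 5>]"` and guard the value before the call with `[[ $PARAM3 =~ ^[0-9]+$ ]] || usage`. Quoting the three expansions in the `ca-i_gen_pki "$PARAM1" "$PARAM2" "$PARAM3"` call would also keep a serial or org URL containing whitespace from being split into extra arguments. The `main` function's closing brace is outside the hunk.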


@ -0,0 +1,53 @@
#!/bin/bash
#
# Create Client Certificates
#
#
# This function will generate a Client cert
# IN: UNIQ_ID_CA, SERIAL
#
# source this file to include the functions
. cfg/pki_funcs.sh
PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() {
echo
echo "Generate a new Client certificate"
echo
echo
echo "Generate a new certificate"
echo " usage: gen_client.sh <CA Intermediate> <Org URL> <Serial>"
echo
echo " example: gen_client.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo
exit 1
}
error_no_ca_file() {
echo_block "ERROR: missing ca-i.pem"
usage
}
main() {
if [[ ! -f ca-i.pem ]]; then
error_no_ca_file
fi
if [[ ! -f SERIAL ]]; then
error_no_serial
fi
if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then
gen_client $PARAM1 $PARAM2
else
usage
fi
}
main
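Review bot: `main` in the new `gen_client.sh` tests `[[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]`, the same defect this commit fixes in `gen_ca-i.sh`; with one parameter missing, `gen_client` is still called with a single argument instead of showing usage. Change it to `if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then` and quote the expansions in the `gen_client "$PARAM1" "$PARAM2"` call. `error_no_serial` is called but only `error_no_ca_file` is defined here; unless `cfg/pki_funcs.sh` provides it (not visible in this diff), a missing `SERIAL` file will produce a "command not found" rather than the intended message. `PARAM3` is assigned but never used, and the `usage` text still references `<CA Intermediate>` as the first argument while the example passes only the org URL and serial.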


@ -31,7 +31,7 @@ echo_block() {
# Grab the latest serial # from the file, auto-increment # Grab the latest serial # from the file, auto-increment
# #
get_serial() { get_serial() {
SERIAL=`head "docs/SERIAL_LC"` SERIAL=`head "cfg/SERIAL"`
if [[ -z $SERIAL ]]; then if [[ -z $SERIAL ]]; then
SERIAL=11111 SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
@ -83,7 +83,6 @@ ca-i_gen_pki() {
LOOP_NUM=$3 LOOP_NUM=$3
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}" UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
mkdir -p "cfg"
mkdir -p "distribution/${UNIQ_DIR_CA}" mkdir -p "distribution/${UNIQ_DIR_CA}"
cd "distribution/${UNIQ_DIR_CA}" cd "distribution/${UNIQ_DIR_CA}"
@ -167,7 +166,7 @@ ca-i_gen_cert() {
} }
# #
# Organize the files into logical folders based on serial # # Organize the generated crypto files into logical folders
# #
ca-i_organize() { ca-i_organize() {
# organize the client directory # organize the client directory
@ -196,12 +195,11 @@ ca-i_organize() {
# order matters: move these files last because they were copied above # order matters: move these files last because they were copied above
mkdir -p ca-i/data mkdir -p ca-i/data
mkdir -p ca-i/docs mkdir -p ca-i/docs
mkdir -p ca-i/distro
mv ca_i*.pem ca-i/data/ mv ca_i*.pem ca-i/data/
mv ca_i*.info.txt ca-i/docs/ mv ca_i*.info.txt ca-i/docs/
mv ca_i*.p12 ca-i/ mv ca_i*.p12 ca-i/distro
mv ca_cert-chain*.pem ca-i/ mv ca_cert-chain*.pem ca-i/distro
cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
} }
# #
@ -212,28 +210,26 @@ ca-i_organize() {
# UNIQ_ID_CAI : unique string for the CA-I # UNIQ_ID_CAI : unique string for the CA-I
# #
ca-i_cp_docs() { ca-i_cp_docs() {
DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}"
# CA-I # CA-I
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ cp $CDD/res/docs/README_CAI $DEST_DIR/README
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/ cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/
cp $CD_ROOT/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $CD_ROOT/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
# client # client
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/README cp $CDD/res/docs/README_C $DEST_DIR/clients/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/ cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/
cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/clients/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/
# server # server
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/README cp $CDD/res/docs/README_S $DEST_DIR/servers/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/ cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/
cp "${CD_ROOT}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/distribution/$UNIQ_DIR_CA/servers/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/
} }
# #
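Review bot: In `ca-i_cp_docs`, the new line `cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg` has no trailing slash, unlike its server counterpart `$DEST_DIR/servers/cfg/` a few lines below; if `clients/cfg` does not exist when this runs (its creation is not visible in this diff), the library is written as a regular file named `cfg` and the following `cp ... SERIAL $DEST_DIR/clients/cfg/` fails. Use `cp "${CDD}/res/libs/pki_funcs.sh" "${DEST_DIR}/clients/cfg/"` and consider a `mkdir -p "${DEST_DIR}/clients/cfg" "${DEST_DIR}/servers/cfg"` at the top of the function so the copies do not depend on directory-creation order elsewhere. The `$CDD/ca_*/ca_*.crt.pem` and `.info.txt` copies also rely on exactly one `ca_*` directory existing under `$CDD`; a second match would make `cp` error on the non-directory destination. Every path in this function is unquoted, so a `CDD` or `DEST_DIR` containing spaces breaks each copy.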