MOD: refactoring to allow for auto-gen of serial #s and fixing unique id

2018-08-28 16:25:19 -07:00 · 2018-08-28 16:25:19 -07:00 · 23ea416acf
parent fc21e150e5
commit 23ea416acf
9 changed files with 253 additions and 167 deletions
--- a/docs/pki_agile
+++ b/docs/pki_agile
@ -11,6 +11,7 @@
 [[ BACKLOG ]]

 [ current ]
+* add CA password
 * auto-increment SERIAL
 * create certificate installation guide
  -copy file to sd, select .p12 file, password="password"
--- a/src/pki_bootstrap/README
+++ b/src/pki_bootstrap/README
@ -8,6 +8,10 @@
 -------------
  INTRO
 -------------
+The PKI Bootstrap application will generate a new "PKI Lifecycle" package. The PKI Lifecycle 
+package holds a new Certificate Authority (CA) and a complete certificate chain-of-trust. The
+PKI Lifecycle package has a life of 5-10 years. Each package has embedded programs to generate new
+certificate authority intermediates, client, and server certificates.



@ -15,10 +19,60 @@
  USAGE
 -------------

+This application will generate all the files necessary to build a certificate chain of trust
+using a CA, CA Intermediate, Server, and Client certificates. All the files are put into
+pki lifecyle package
+  -put the .cnf config files into the ./cnf directory
+
+Usage: pki_bootstrap  <.cnf file (minus the .cnf)>
+
+Example: pki_bootstrap  org.acme.xyz
+
+
+[ .cnf files ]
+A .cnf file is required for the domain name. The .cnf file is found in the  ./res/cnf  directory
+
+└── res
+    ├── cnf
+    │   ├── 192.168.1.3.cnf
+    │   ├── ca.cnf
+    │   ├── skunkworks.acme.xyz.cnf
+    │   └── vpn.backchannel.es.cnf
+
+


 -------------
  FEATURES
 -------------
+The PKI Bootstrap application will generate an 


+
+
+-------------
+  TREE
+-------------
+├── README
+├── pki_bootstrap.sh
+
+└── res
+    ├── cfg
+    │   └── SERIAL
+    ├── cnf
+    │   ├── 192.168.1.3.cnf
+    │   ├── ca.cnf
+    │   ├── skunkworks.acme.xyz.cnf
+    │   └── vpn.backchannel.es.cnf
+    ├── docs
+    │   ├── README_C
+    │   ├── README_CAI
+    │   ├── README_LC
+    │   ├── README_S
+    │   ├── SERIAL
+    │   └── SERIAL_LC
+    └── libs
+        ├── gen_ca-i.sh
+        ├── gen_client.sh
+        ├── gen_server.sh
+        └── pki_funcs.sh
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
@ -128,7 +128,7 @@ cp_lifecycle_docs() {
 gen_lc_ca_i() {
  cd $FQ_DIR_LC
  # generate new CA-I
-  ca-i_gen_pki $ORG_URL 1001 2
+  ca-i_gen_pki $ORG_URL 4321 2
  # ca-i_gen_pki $ORG_URL 2001 5
  # ca-i_gen_pki $ORG_URL 3001 8
 }
--- a/src/pki_bootstrap/res/libs/gen_ca-i.sh
+++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh
@ -3,9 +3,6 @@
 # Create CA Intermediate
 # 
 # 
-# This function will generate a CA Intermediate
-# IN: UNIQ_ID_CA, SERIAL
-#

 # source this file to include the functions
 . cfg/pki_funcs.sh
@ -23,39 +20,19 @@ usage() {
  echo "It requires a CA certificate used to sign CA Intermediate"
  echo "Requires the file \"ca.pem\" that is used to sign the certificates"
  echo 
-  echo "  usage:   gen_ca-i.sh  <Org URL> <Serial>"
+  echo "  usage:   gen_ca-i.sh  <Org URL>   [Serial #]"
  echo
-  echo "  example: gen_ca-i.sh  skunkworks.acme.xyz"
-  echo "                        10052"
+  echo "  example: gen_ca-i.sh  skunkworks.acme.xyz \\"
+  echo "                        10052  (optional) \\"
  echo
  exit 1
 }

-error_no_ca_file() {
-  echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
-  usage
-}
-

 main() {
-  CDD=`pwd`
-  FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem"
-  FQ_CA_CRT="${CDD}/cfg/ca.crt.pem"
-  if [[ ! -f $FQ_CA_KEYS ]] || [[ ! -f $FQ_CA_CRT ]]; then
-    error_no_ca_file
-  fi
-
-  if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
-    pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"
-
-    if [[ -z $PARAM3 ]]; then
-      PARAM3=5
-    fi
-
-    ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
-  else
-    usage
-  fi
+  # uses global variables: $PARAM1 $PARAM2 $PARAM3
+  check_params
+  ca-i_gen_pki 
 }

 main
--- a/src/pki_bootstrap/res/libs/gen_client.sh
+++ b/src/pki_bootstrap/res/libs/gen_client.sh
@ -3,9 +3,6 @@
 # Create Client Certificates
 # 
 # 
-# This function will generate a Client cert
-# IN: UNIQ_ID, SERIAL
-#

 # source this file to include the functions
 . cfg/pki_funcs.sh
@ -21,36 +18,19 @@ usage() {
  echo
  echo
  echo "Generate a new certificate"
-  echo "  usage:   gen_client.sh  <Org URL> <Serial #>"
+  echo "  usage:   gen_client.sh  <Org URL>   [Serial #]"
  echo
  echo "  example: gen_client.sh  skunkworks.acme.xyz \\"
-  echo "                          10052 \\"
+  echo "                          10052 (optional) \\"
  echo
  exit 1
 }


 main() {
-  if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
-    echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
-    usage
-  fi
-  if [[ ! -f cfg/SERIAL ]]; then
-    echo_block "ERROR: file cfg/SERIAL is missing"
-    usage
-  fi
-
-  if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
-    UNIQ_ID="${PARAM2}.${PARAM1}"
-    if [[ -f "distro/client_${UNIQ_ID}.p12" ]]; then
-      echo_block "ERROR: certifate  <<distro/client_${UNIQ_ID}.p12>>  already exists"
-      usage
-    fi
-
-    gen_client $PARAM1 $PARAM2
-  else
-    usage
-  fi
+  # uses global variables: $PARAM1 $PARAM2
+  check_params
+  gen_client_cert $PARAM1 $PARAM2
 }

 main
--- a/src/pki_bootstrap/res/libs/gen_server.sh
+++ b/src/pki_bootstrap/res/libs/gen_server.sh
@ -3,9 +3,6 @@
 # Create Server Certificates
 # 
 # 
-# This function will generate a Server cert
-# IN: UNIQ_ID, SERIAL
-#

 # source this file to include the functions
 . cfg/pki_funcs.sh
@ -21,40 +18,19 @@ usage() {
  echo
  echo
  echo "Generate a new certificate"
-  echo "  usage:   gen_server.sh  <Org URL> <Serial #>"
+  echo "  usage:   gen_server.sh  <Org URL>   [Serial #]"
  echo
  echo "  example: gen_server.sh  skunkworks.acme.xyz \\"
-  echo "                          10052 \\"
+  echo "                          10052  (optional) \\"
  echo
  exit 1
 }


 main() {
-  if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
-    echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
-    usage
-  fi
-  if [[ ! -f cfg/SERIAL ]]; then
-    echo_block "ERROR: file cfg/SERIAL is missing"
-    usage
-  fi
-
-  if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
-    UNIQ_ID="${PARAM2}.${PARAM1}"
-    if [[ -f "distro/server_${UNIQ_ID}.p12" ]]; then
-      echo_block "ERROR: certifate  <<distro/server_${UNIQ_ID}.p12>>  already exists"
-      usage
-    fi
-    if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
-      echo_block "ERROR: configuration file  <<cfg/${PARAM1}.cnf>>  is missing"
-      usage
-    fi
-
+  # uses global variables: $PARAM1 $PARAM2
+  check_params
  gen_server $PARAM1 $PARAM2
-  else
-    usage
-  fi
 }

 main
--- a/src/pki_bootstrap/res/libs/pki_funcs.sh
+++ b/src/pki_bootstrap/res/libs/pki_funcs.sh
@ -6,16 +6,16 @@
 #
 # Set the CA variables
 #
-pki_func_init() {
-  if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
-    FQ_CA_CERT=$1
-    FQ_CA_KEYS=$2
-    CNF_PATH=$3
-    APP_INIT=1
-  else
-    APP_INIT=0
-  fi
-}
+# pki_func_init() {
+#   if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
+#     FQ_CA_CERT=$1
+#     FQ_CA_KEYS=$2
+#     CNF_PATH=$3
+#     APP_INIT=1
+#   else
+#     APP_INIT=0
+#   fi
+# }

 #
 # print text wrapped in a block
@ -27,14 +27,70 @@ echo_block() {
  echo "***** ***** ***** *****"
 }

+error_no_ca_file() {
+  echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
+  usage
+}
+
 # 
 # Grab the latest serial # from the file, auto-increment
 # 
 get_serial() {
-  SERIAL=`head "cfg/SERIAL"`
+  SERIAL=`head cfg/SERIAL`
  if [[ -z $SERIAL ]]; then
    SERIAL=11111
    echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
+  else
+    PLUS1=$((SERIAL+1))
+    echo $PLUS1 > cfg/SERIAL 
+  fi
+}
+
+#
+# check the three parameters: $PARAM1, $PARAM2, $PARAM3
+# the parameters are expected to be global
+# 
+check_params() {
+  if [[ ! -f cfg/ca.keys.pem ]] || [[ ! -f cfg/ca.crt.pem ]]; then
+    if [[ ! -f cfg/ca-i.keys.pem ]] || [[ ! -f cfg/ca-i.crt.pem ]]; then
+      echo_block "ERROR: missing ca certificat: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem"
+      usage
+    fi
+  fi
+
+  # the parameter must be the URL (not the filename, .cnf)
+  if [[ -n $PARAM1 ]]; then
+    if [[ ${PARAM1: -4} == .cnf ]]; then
+      if [[ ! -f "cfg/${PARAM1}" ]]; then
+        echo_block "ERROR: file cfg/${PARAM1} is missing"
+        usage
+      else
+        PARAM1=${PARAM1%.*}
+      fi
+    else 
+      if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
+        echo_block "ERROR: file cfg/${PARAM1}.cnf is missing"
+        usage
+      fi
+    fi
+  else
+    usage
+  fi
+
+  if [[ -z $PARAM2 ]]; then
+    if [[ ! -f cfg/SERIAL ]]; then
+      echo_block "ERROR: file cfg/SERIAL is missing"
+      usage
+    else
+      get_serial
+      PARAM2=$SERIAL
+    fi
+  else
+    SERIAL=$PARAM2
+  fi
+
+  if [[ -z $PARAM3 ]]; then
+    PARAM3=2
  fi
 }

@ -82,28 +138,27 @@ gen_ca() {
 #
 # INPUT:  BASE SERIAL #, LOOP NUM
 # 
-# Requires: FQ_CA_CERT, FQ_CA_KEYS
-# 
 ca-i_gen_pki() {
  CDD=`pwd`
-  ORG_URL=$1
-  SERIAL_O=$2
-  NUM_CERTS=$(($3-1))
+  ORG_URL=$PARAM1
+  NUM_CERTS=$(($PARAM3-1))

  # create unique directory
-  UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}" 
-  mkdir -p "distribution/ca_i_${UNIQ_ID_CAI}"
-  cd "distribution/ca_i_${UNIQ_ID_CAI}"
+  UNIQ_ID="${SERIAL}.${ORG_URL}" 
+  mkdir -p "distribution/ca_i_${UNIQ_ID}"

  # Create CA Intermediate
-  ca-i_gen_cert $ORG_URL $SERIAL_O
+  # 
+  ca-i_gen_cert $ORG_URL $SERIAL

  # create directories, copy files, before generating client/server
  ca-i_create_shell

-  __ca-i_gen_client

-  __ca-i_gen_server
+  # the client & server applications need to execute in their perspective directories
+  cd "distribution/ca_i_${UNIQ_ID}"
+  __ca-i_gen_client
+#  __ca-i_gen_server

  # return to last path
  cd $CDD
@ -120,7 +175,8 @@ __ca-i_gen_client() {
  cd clients
  for NUM in $(seq 0 $NUM_CERTS)
  do
-    gen_client $ORG_URL $((SERIAL_O+NUM))
+    get_serial
+    gen_client_cert $ORG_URL $SERIAL
  done
  cd ..
 }
@ -136,11 +192,73 @@ __ca-i_gen_server() {
  cd servers
  for NUM in $(seq 0 $NUM_CERTS)
  do
-    gen_server $ORG_URL $((SERIAL_O+NUM))
+    get_serial
+    gen_server_cert $ORG_URL $SERIAL
  done
  cd ..
 }

+#
+# Copies all applcations to the Lifecycle package
+#   organize the ca-i directory
+#   order matters:  move these files last because they were copied above
+#
+ca-i_create_shell() {
+
+  DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID}"
+
+  echo $UNIQ_ID > UNIQ_ID
+
+  # client
+  mkdir -p $DEST_DIR/clients/cfg
+  cp $CDD/res/libs/gen_client.sh  $DEST_DIR/clients/
+  cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/clients/cfg
+  cp $CDD/res/docs/README_C       $DEST_DIR/clients/README
+  cp $CDD/res/docs/SERIAL         $DEST_DIR/clients/cfg/
+  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/clients/cfg/
+  # generated files
+  cp ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
+  cp ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
+  cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
+  cp UNIQ_ID            $DEST_DIR/clients/cfg/
+  # cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
+  # cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
+  # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
+
+  # server
+  mkdir -p $DEST_DIR/servers/cfg
+  cp $CDD/res/libs/gen_server.sh  $DEST_DIR/servers/
+  cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/servers/cfg/
+  cp $CDD/res/docs/README_S       $DEST_DIR/servers/README
+  cp $CDD/res/docs/SERIAL         $DEST_DIR/servers/cfg/
+  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/servers/cfg/
+  # generated files
+  cp ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
+  cp ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
+  cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
+  cp UNIQ_ID            $DEST_DIR/servers/cfg/
+  # cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
+  # cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
+  # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
+
+  # CA-I
+  mkdir -p $DEST_DIR/ca-i/data
+  mkdir -p $DEST_DIR/ca-i/docs
+  mkdir -p $DEST_DIR/ca-i/distro
+  cp $CDD/res/docs/README_CAI       $DEST_DIR/README
+  cp $CDD/ca_*/ca_*.crt.pem         $DEST_DIR/ca-i/data/
+  cp $CDD/ca_*/ca_*.info.txt        $DEST_DIR/ca-i/docs/
+  # generated files
+  mv ca_i*.pem            $DEST_DIR/ca-i/data/
+  mv ca_i*.info.txt       $DEST_DIR/ca-i/docs/
+  mv ca_i*.p12            $DEST_DIR/ca-i/distro
+  mv ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
+  # mv $DEST_DIR/ca_i*.pem            $DEST_DIR/ca-i/data/
+  # mv $DEST_DIR/ca_i*.info.txt       $DEST_DIR/ca-i/docs/
+  # mv $DEST_DIR/ca_i*.p12            $DEST_DIR/ca-i/distro
+  # mv $DEST_DIR/ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
+}
+
 # This function will generate a CA Intermediate
 # 
 # Requires:  CNF file, CA cert, CA key
@ -150,88 +268,56 @@ __ca-i_gen_server() {
 ca-i_gen_cert() {
  ORG_URL=$1 
  SERIAL=$2
+  DEST_DIR="."
+  # DEST_DIR=$3

  UNIQ_ID="${SERIAL}.${ORG_URL}"

  echo_block "Create CA Intermediate  (${UNIQ_ID})"

-  openssl genrsa -out "ca_i_${UNIQ_ID}.keys.pem" 4096
+  openssl genrsa -out "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" 4096

  # Create Cert Signing Request (CSR)
-  openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
+  openssl req -config "cfg/ca.cnf" -new -sha256 \
              -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-              -key "ca_i_${UNIQ_ID}.keys.pem" -out "ca_i_${UNIQ_ID}.csr.pem"
+              -key "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem"

  # Create Certificate   (valid for ~2 years, after the entire chain of trust expires)
  # CA signs Intermediate
-  openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
-               -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-               -in "ca_i_${UNIQ_ID}.csr.pem" -out "ca_i_${UNIQ_ID}.crt.pem"
+  openssl x509 -req -days 750 -extfile "cfg/ca.cnf" -extensions v3_ca_i \
+               -CA cfg/ca.crt.pem -CAkey cfg/ca.keys.pem -set_serial ${SERIAL} \
+               -in "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem"

  # Package the Certificate Authority Certificates for distro  (windoze needs this)
-  openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID}.keys.pem" \
-                 -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-                 -in "ca_i_${UNIQ_ID}.crt.pem" -out "ca_i_${UNIQ_ID}.p12"
+  openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" \
+                 -name "CA Intermediate Mobile Provision" -certfile cfg/ca.crt.pem \
+                 -in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.p12"

  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "ca_i_${UNIQ_ID}.crt.pem" > "ca_i_${UNIQ_ID}.crt.info.txt"
+  openssl x509 -noout -text -in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.info.txt"

  # create certifiate chain
-  cat $FQ_CA_CERT "ca_i_${UNIQ_ID}.crt.pem" > "ca_cert-chain_${UNIQ_ID}.crts.pem"
+  cat cfg/ca.crt.pem "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
 }

-#
-# Copies all applcations to the Lifecycle package
-#   organize the ca-i directory
-#   order matters:  move these files last because they were copied above
-#
-ca-i_create_shell() {
+get_org_url() {
+  ORG_URL=`head cfg/UNIQ_ID`
+  if [[ -z $ORG_URL ]]; then
+    echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA"
+    exit 1
+  fi  
+}

-  DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}"
-
-  # client
-  mkdir -p clients/cfg
-  cp $CDD/res/libs/gen_client.sh  $DEST_DIR/clients/
-  cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/clients/cfg
-  cp $CDD/res/docs/README_C       $DEST_DIR/clients/README
-  cp $CDD/res/docs/SERIAL         $DEST_DIR/clients/cfg/
-  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/clients/cfg/
-  # generated files
-  cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
-  cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
-  cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
-
-  # server
-  mkdir -p servers/cfg
-  cp $CDD/res/libs/gen_server.sh  $DEST_DIR/servers/
-  cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/servers/cfg/
-  cp $CDD/res/docs/README_S       $DEST_DIR/servers/README
-  cp $CDD/res/docs/SERIAL         $DEST_DIR/servers/cfg/
-  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/servers/cfg/
-  # generated files
-  cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
-  cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
-  cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
-
-  # CA-I
-  mkdir -p ca-i/data
-  mkdir -p ca-i/docs
-  mkdir -p ca-i/distro
-  cp $CDD/res/docs/README_CAI       $DEST_DIR/README
-  cp $CDD/ca_*/ca_*.crt.pem         $DEST_DIR/ca-i/data/
-  cp $CDD/ca_*/ca_*.info.txt        $DEST_DIR/ca-i/docs/
-  # generated files
-  mv $DEST_DIR/ca_i*.pem            $DEST_DIR/ca-i/data/
-  mv $DEST_DIR/ca_i*.info.txt       $DEST_DIR/ca-i/docs/
-  mv $DEST_DIR/ca_i*.p12            $DEST_DIR/ca-i/distro
-  mv $DEST_DIR/ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
+gen_client() {
+  get_org_url
+  get_client_cert $ORG_URL $SERIAL
 }

 #
 # Generate a Client Certificate
-# IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL
+# IN: UNIQ_ID, SERIAL
 #
-gen_client() {
+gen_client_cert() {
  ORG_URL=$1 
  SERIAL=$2

@ -261,9 +347,9 @@ gen_client() {

 #
 # Generate a Server Certificate
-# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+# IN: UNIQ_ID, SERIAL
 #
-gen_server() {
+gen_server_cert() {
  ORG_URL=$1 
  SERIAL=$2

--- a/src/sandbox/SERIAL
+++ b/src/sandbox/SERIAL
@ -0,0 +1 @@
+2010
--- a/src/sandbox/serial.sh
+++ b/src/sandbox/serial.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+
+SERIAL=`head SERIAL`
+if [[ -z $SERIAL ]]; then
+  SERIAL=11111
+  echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
+else
+  PLUS1=$((SERIAL+1))
+  echo $PLUS1 > SERIAL 
+fi
+