diff --git a/src/pki_bootstrap/README b/src/pki_bootstrap/README index a86f70b..7e2ccb8 100644 --- a/src/pki_bootstrap/README +++ b/src/pki_bootstrap/README @@ -12,17 +12,16 @@ The PKI Bootstrap application will generate a new "PKI Lifecycle" package. The PKI Lifecycle package holds a new Certificate Authority (CA) and a complete certificate chain-of-trust. The PKI Lifecycle package has a life of 5-10 years. Each package has embedded programs to generate new -certificate authority intermediates, client, and server certificates. +certificate authority intermediate (CA I), client, and server certificates. ------------- USAGE ------------- - This application will generate all the files necessary to build a certificate chain of trust -using a CA, CA Intermediate, Server, and Client certificates. All the files are put into -pki lifecyle package +using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a +PKI Lifecycle package -put the .cnf config files into the ./cnf directory Usage: pki_bootstrap <.cnf file (minus the .cnf)> @@ -31,7 +30,7 @@ Example: pki_bootstrap org.acme.xyz [ .cnf files ] -A .cnf file is required for the domain name. The .cnf file is found in the ./res/cnf directory +.cnf file is required for the domain name. The .cnf file is found in the ./res/cnf directory └── res ├── cnf @@ -42,18 +41,13 @@ A .cnf file is required for the domain name. The .cnf file is found in the ./re +----------------------- + APPLICATION DESIGN +----------------------- +The ./res directory contains all the resources for the application. The resources include: +readme files, configuration files, and application files. -------------- - FEATURES -------------- -The PKI Bootstrap application will generate an - - - - -------------- - TREE -------------- +The PKI Bootstrap application directory structure is the following: ├── README ├── pki_bootstrap.sh 
@@ -76,4 +70,111 @@ The PKI Bootstrap application will generate an ├── gen_ca-i.sh ├── gen_client.sh ├── gen_server.sh - └── pki_funcs.sh \ No newline at end of file + └── pki_funcs.sh + + + +------------------------- + PKI Lifecycle Package +------------------------- +The PKI Lifecycle packagee is a complete certificate chain of trust with a root self-signed +certificate. The package contains all the configuration and data inforomation to generate +Certificate Authority Intermediate packages. + +The PKI Lifecycle packge is NOT to be removed from the generation system. It should be +protected as it contains the root CA. The package contains the root CA, configuration files, +and the a copy of the resources directory. + + +The PKI Lifecycle package structure is the following: +├── README +├── ca +│   ├── 101.ca.skunkworks.acme.xyz.crt.pem +│   ├── 101.ca.skunkworks.acme.xyz.keys.pem +│   └── 101.ca.skunkworks.acme.xyz_cert.info.txt +├── cfg +│   ├── SERIAL +│   ├── UNIQ_ID_CA +│   ├── UNIQ_ID_CA-I +│   ├── ca.cnf +│   ├── ca.crt.pem +│   ├── ca.keys.pem +│   ├── pki_funcs.sh +│   └── skunkworks.acme.xyz.cnf +├── distribution +│   └── 101.cai.skunkworks.acme.xyz +├── gen_ca-i.sh +└── res + ├── cfg + ├── cnf + ├── docs + └── libs + + + +---------------- + CA-I Package +---------------- +The CA-I package contains a complete certifate chain of trust using a certificate authority +intermediate. The CA intermediate has permission to sign certificates. Included in the packages +is a client and server certificate generation applications that run on Bash linux. The CA intermediate +can be used with 3rd party applications to generate certificates. 
+ +The CA-I package structure is the following: +├── distribution +│   └── 101.cai.skunkworks.acme.xyz +│   ├── README +│   ├── ca-i +│   │   ├── data +│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem +│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem +│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem +│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem +│   │   ├── distro +│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12 +│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem +│   │   └── docs +│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt +│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt +│   ├── clients +│   │   ├── README +│   │   ├── cfg +│   │   │   ├── SERIAL +│   │   │   ├── UNIQ_ID_CA +│   │   │   ├── UNIQ_ID_CA-I +│   │   │   ├── ca-i.crt.pem +│   │   │   ├── ca-i.keys.pem +│   │   │   ├── ca_cert-chain.crts.pem +│   │   │   ├── cert.cnf +│   │   │   └── pki_funcs.sh +│   │   ├── data +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem +│   │   ├── distro +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12 +│   │   ├── docs +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt +│   │   └── gen_client.sh +│   └── servers +│   ├── README +│   ├── cfg +│   │   ├── SERIAL +│   │   ├── UNIQ_ID_CA +│   │   ├── UNIQ_ID_CA-I +│   │   ├── ca-i.crt.pem +│   │   ├── ca-i.keys.pem +│   │   ├── ca_cert-chain.crts.pem +│   │   ├── cert.cnf +│   │   └── pki_funcs.sh +│   ├── data +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem +│   ├── distro +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12 +│   ├── docs +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt +│   └── gen_server.sh + + 
diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh index 70f688d..78e8d33 100755 --- a/src/pki_bootstrap/pki_bootstrap.sh +++ b/src/pki_bootstrap/pki_bootstrap.sh @@ -16,9 +16,9 @@ PARAM2=$2 usage() { echo echo "This application will generate all the files necessary to build a certificate chain of trust" - echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into" - echo "pki lifecyle package" - echo " * put the .cnf config files into the .res/cnf/ directory" + echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a" + echo "PKI Lifecycle package. A .cnf file is required for the domain. The domain url should match" + echo "the .cnf file name. Put the .cnf config file into the .res/cnf/ directory" echo echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]" echo diff --git a/src/pki_bootstrap/res/docs/README_C b/src/pki_bootstrap/res/docs/README_C index 8afda20..5090c25 100644 --- a/src/pki_bootstrap/res/docs/README_C +++ b/src/pki_bootstrap/res/docs/README_C 
@@ -8,15 +8,49 @@ ------------- INTRO ------------- +This application will generate new client certificates. The certificate chain is also included +(CA certificate & CA-I certificate). -This application will generate new client certificates. The certificates can be used with any -VPN client service. The certificate chain is also included (CA certificate & CA-I certificate). ------------- USAGE ------------- +Generate a new client certificate -./ gen_client.sh + usage: gen_client.sh <# to generate> + + example: gen_client.sh 2 + +----------------------- + APPLICATION DESIGN +----------------------- +The ./clients directory contains the files needed to generate client certificates. The directory +is portable and will operate properly if moved to another linux system. The ./client/cfg contains +configuration files that are used by the client generation application. The configuation files +do not need to be edited and they provide information congruent with the CA and server. The +./clients/data directory contains the raw data (in .pem) of the certificates generated. The +./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs +directory contains certificate information in plain text format. + +├── README +├── cfg +│   ├── SERIAL +│   ├── UNIQ_ID_CA +│   ├── UNIQ_ID_CA-I +│   ├── ca-i.crt.pem +│   ├── ca-i.keys.pem +│   ├── ca_cert-chain.crts.pem +│   ├── cert.cnf +│   └── pki_funcs.sh +├── data +│   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem +│   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem +│   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem +├── distro +│   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12 +├── docs +│   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt +└── gen_client.sh diff --git a/src/pki_bootstrap/res/docs/README_CAI b/src/pki_bootstrap/res/docs/README_CAI index 2950c05..d1f5d6e 100644 --- a/src/pki_bootstrap/res/docs/README_CAI +++ b/src/pki_bootstrap/res/docs/README_CAI 
@@ -1,21 +1,123 @@ - ============================ - CA Intermediate README + =================== + CA Intermediate Version 3.1 - ============================ + =================== ------------- INTRO ------------- -This application will generate new client certificates. The certificates can be used with any -VPN client service. The certificate chain is also included (CA certificate & CA-I certificate). +This application will generate new Certificate Authority Intermediate packages to be distributed +to organizations for external usage. + +The CA-I package contains a complete certifate chain of trust using a certificate authority +intermediate. The CA intermediate has permission to sign certificates. Included in the package +is client and server certificate generation applications that run on Bash linux. The CA intermediate +can be used with 3rd party applications to generate certificates. + ------------- USAGE ------------- +Generate a new CA Intermediate certificate + +This program will generate a new certificate authority (CA) intermediate +It requires a CA certificate to sign a CA Intermediate +Requires the file "ca.pem" that is used to sign the certificates + + usage: gen_ca-i.sh [# of client/server certs] + + example: gen_ca-i.sh skunkworks.acme.xyz \ + 10 (optional) \ +----------------------- + APPLICATION DESIGN +----------------------- +The CA-I package contains all the files needed to generate certificates. The ./ca-i directory +contains the certificate authority files. The ./ca-i/data directory contains all the raw ca +files. The ./ca-i/distro directory contains the files to be distributed and installed on clients. +The .p12 files contins the CA certificate, and client certificates. The ./ca-i/docs directory +contains certificate information in plain text format. + +The ./clients directory contains the files needed to generate client certificates. The directory +is portable and will operate properly if moved to another linux system. 
The ./client/cfg contains +configuration files that are used by the client generation application. The configuation files +do not need to be edited and they provide information congruent with the CA and server. The +./clients/data directory contains the raw data (in .pem) of the certificates generated. The +./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs +directory contains certificate information in plain text format. + +The ./servers directory contains the files needed to generate server certificates. The directory +is portable and will operate properly if moved to another linux system. The ./server/cfg contains +configuration files that are used by the server generation application. The configuation files +do not need to be edited and they provide information congruent with the CA and server. The +./servers/data directory contains the raw data (in .pem) of the certificates generated. The +./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs +directory contains certificate information in plain text format. 
+ + +---------------- + CA-I Package +---------------- + +The CA-I package structure is the following: +├── distribution +│   └── 101.cai.skunkworks.acme.xyz +│   ├── README +│   ├── ca-i +│   │   ├── data +│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem +│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem +│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem +│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem +│   │   ├── distro +│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12 +│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem +│   │   └── docs +│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt +│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt +│   ├── clients +│   │   ├── README +│   │   ├── cfg +│   │   │   ├── SERIAL +│   │   │   ├── UNIQ_ID_CA +│   │   │   ├── UNIQ_ID_CA-I +│   │   │   ├── ca-i.crt.pem +│   │   │   ├── ca-i.keys.pem +│   │   │   ├── ca_cert-chain.crts.pem +│   │   │   ├── cert.cnf +│   │   │   └── pki_funcs.sh +│   │   ├── data +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem +│   │   ├── distro +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12 +│   │   ├── docs +│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt +│   │   └── gen_client.sh +│   └── servers +│   ├── README +│   ├── cfg +│   │   ├── SERIAL +│   │   ├── UNIQ_ID_CA +│   │   ├── UNIQ_ID_CA-I +│   │   ├── ca-i.crt.pem +│   │   ├── ca-i.keys.pem +│   │   ├── ca_cert-chain.crts.pem +│   │   ├── cert.cnf +│   │   └── pki_funcs.sh +│   ├── data +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem +│   ├── distro +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12 +│   ├── docs +│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt +│   └── 
gen_server.sh diff --git a/src/pki_bootstrap/res/docs/README_S b/src/pki_bootstrap/res/docs/README_S index 8ae544e..8ba9d11 100644 --- a/src/pki_bootstrap/res/docs/README_S +++ b/src/pki_bootstrap/res/docs/README_S @@ -8,14 +8,49 @@ ------------- INTRO ------------- +This application will generate new server certificates. The certificate chain is also included +(CA certificate & CA-I certificate). -This application will generate new server certificates to be used with a VPN service. ------------- USAGE ------------- +Generate a new server certificate -./ gen_server.sh + usage: gen_server.sh <# to generate> + + example: gen_server.sh 2 + +----------------------- + APPLICATION DESIGN +----------------------- +The ./servers directory contains the files needed to generate server certificates. The directory +is portable and will operate properly if moved to another linux system. The ./server/cfg contains +configuration files that are used by the server generation application. The configuation files +do not need to be edited and they provide information congruent with the CA and server. The +./servers/data directory contains the raw data (in .pem) of the certificates generated. The +./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs +directory contains certificate information in plain text format. + +├── README +├── cfg +│   ├── SERIAL +│   ├── UNIQ_ID_CA +│   ├── UNIQ_ID_CA-I +│   ├── ca-i.crt.pem +│   ├── ca-i.keys.pem +│   ├── ca_cert-chain.crts.pem +│   ├── cert.cnf +│   └── pki_funcs.sh +├── data +│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem +│   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem +│   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem +├── distro +│   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12 +├── docs +│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt +└── gen_server.sh 
diff --git a/src/pki_bootstrap/res/libs/gen_ca-i.sh b/src/pki_bootstrap/res/libs/gen_ca-i.sh index f1b8d16..ad99ca1 100755 --- a/src/pki_bootstrap/res/libs/gen_ca-i.sh +++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh @@ -21,7 +21,7 @@ usage() { echo " usage: gen_ca-i.sh [# of client/server certs]" echo echo " example: gen_ca-i.sh skunkworks.acme.xyz \\" - echo " 10 (optional) \\" + echo " 10 (optional)" echo exit 1 } diff --git a/src/pki_bootstrap/res/libs/gen_client.sh b/src/pki_bootstrap/res/libs/gen_client.sh index d6ccd24..e319e05 100755 --- a/src/pki_bootstrap/res/libs/gen_client.sh +++ b/src/pki_bootstrap/res/libs/gen_client.sh @@ -11,11 +11,9 @@ PARAM1=$1 usage() { echo - echo "Generate a new Client certificate" + echo "Generate a new client certificate" echo - echo - echo "Generate a new certificate" - echo " usage: gen_client.sh " + echo " usage: gen_client.sh <# to generate>" echo echo " example: gen_client.sh 2" echo diff --git a/src/pki_bootstrap/res/libs/gen_server.sh b/src/pki_bootstrap/res/libs/gen_server.sh index 0a88abe..0a73089 100755 --- a/src/pki_bootstrap/res/libs/gen_server.sh +++ b/src/pki_bootstrap/res/libs/gen_server.sh @@ -11,13 +11,11 @@ PARAM1=$1 usage() { echo - echo "Generate a new Server certificate" + echo "Generate a new server certificate" echo + echo " usage: gen_server.sh <# to generate>" echo - echo "Generate a new certificate" - echo " usage: gen_client.sh " - echo - echo " example: gen_client.sh 2" + echo " example: gen_server.sh 2" echo exit 1 }
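Review bot: in README hunk @@ -12,17 +12,16 the new abbreviation on the line "+certificate authority intermediate (CA I), client, and server certificates." is spelled "CA I", while everywhere else in this patch the form is hyphenated (gen_ca-i.sh, UNIQ_ID_CA-I, the "CA-I Package" heading, "[# of CA-I to generate]" in pki_bootstrap.sh usage); write "(CA-I)" so there is one spelling to search for. Dropping the line "put the .cnf config files into the ./cnf directory" is fine, since its path did not match the tree (the .cnf files sit under res/cnf) and the next hunk keeps "The .cnf file is found in the ./res/cnf directory".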
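Review bot: in README hunk @@ -31,7 +30,7 the replacement line "+.cnf file is required for the domain name." loses the article "A" that the removed line had, so the sentence now starts with ".cnf" and reads like a dropped word rather than an intended edit; restore "A .cnf file is required for the domain name." The pki_bootstrap.sh hunk in this same patch adds the rule that the domain must match the .cnf file name, and this is the place to say it in the README as well, e.g. "A .cnf file named after the domain (org.acme.xyz.cnf for the example pki_bootstrap org.acme.xyz) is required; it is read from the ./res/cnf directory."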
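Review bot: in README hunk @@ -42,18 +41,13 the new APPLICATION DESIGN paragraph says ./res holds "readme files, configuration files, and application files", but the trees added later in this patch show ./res with two similarly named directories, cfg and cnf (plus docs and libs). The USAGE section sends users to ./res/cnf for the domain .cnf, while the package trees put SERIAL, UNIQ_ID_CA, UNIQ_ID_CA-I and ca.cnf under cfg, so the paragraph should say which directory holds which kind of file. Removing the FEATURES section is right; its only line, "The PKI Bootstrap application will generate an", was cut off and said nothing.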
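Review bot: in README hunk @@ -76,4 +70,111 the PKI Lifecycle Package section says the package "should be protected as it contains the root CA", but the tree it adds shows the root private key stored twice (ca/101.ca.skunkworks.acme.xyz.keys.pem and cfg/ca.keys.pem), and the CA-I Package tree shows the intermediate private key three times (ca-i/data/101.cai.skunkworks.acme.xyz.keys.pem, clients/cfg/ca-i.keys.pem, servers/cfg/ca-i.keys.pem). Name the *.keys.pem files as the secrets, state that the root key never leaves the generation system, and add to the CA-I section that the package under distribution/ hands its recipient a signing key that chains to the root, so the recipient is a certificate authority, not merely a certificate holder. "The CA intermediate has permission to sign certificates" should also say where that permission comes from (the extension set in ca.cnf, listed under cfg) rather than assert it. Spelling in the same hunk: "packagee", "inforomation", "packge", "and the a copy", "certifate"; and "Included in the packages is a client and server certificate generation applications" should read "Included in the package are client and server certificate generation applications".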
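Review bot: in pki_bootstrap.sh hunk @@ -16,9 +16,9 the new usage text says "Put the .cnf config file into the .res/cnf/ directory", where ".res/cnf/" is missing the slash after the dot (the README hunk in this patch gives ./res/cnf), and "The domain url should match the .cnf file name" should say domain name, since the argument is a bare domain (README example: pki_bootstrap org.acme.xyz), not a URL. The unchanged context line "echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]"" documents an optional second argument (PARAM2=$2 appears in the hunk context) that the README's "Usage: pki_bootstrap <.cnf file (minus the .cnf)>" omits; carry the same usage line into the README.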
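Review bot: in README_C hunk @@ -8,15 +8,49 the APPLICATION DESIGN text says the directory "is portable and will operate properly if moved to another linux system", and the tree it adds shows why: cfg/ca-i.keys.pem, the intermediate's private key, sits inside ./clients. Say this plainly, and that copying ./clients anywhere copies a key that can issue certificates trusted by the whole chain. Two copy-paste slips in the same paragraph: "./client/cfg" should be "./clients/cfg" to match the tree, and "congruent with the CA and server" in a client README should read "congruent with the CA and CA-I" (the files listed are ca-i.crt.pem and ca_cert-chain.crts.pem). "configuation" -> "configuration". The usage example "gen_client.sh 2" matches the gen_client.sh hunk, good.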
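Review bot: in README_CAI hunk @@ -1,21 +1,123 the USAGE section disagrees with the rest of the patch in three places. (1) "+Requires the file "ca.pem" that is used to sign the certificates" names a file that appears in none of the trees; the PKI Lifecycle package lists cfg/ca.crt.pem and cfg/ca.keys.pem. (2) "+ usage: gen_ca-i.sh [# of client/server certs]" shows no domain argument, yet the example passes skunkworks.acme.xyz before the optional 10; add a <domain> placeholder (the gen_ca-i.sh hunk has the same omission). (3) The example keeps the trailing backslash on "10 (optional) \", which the gen_ca-i.sh hunk removes from the script's output; update the README to match. In APPLICATION DESIGN, "The .p12 files contins the CA certificate, and client certificates" contradicts the ca-i/distro tree, which holds only 101.cai.skunkworks.acme.xyz.p12 and the chain file; client .p12 files live under clients/distro. Because this package is "distributed to organizations for external usage", the section should also state that ca-i/data and both cfg directories carry the CA-I private key (ca-i.keys.pem). Spelling: "certifate", "contins", "configuation"; "Included in the package is client and server certificate generation applications" -> "are". The heading rule was shortened from "============================" to "===================", which is now narrower than the new title "CA Intermediate Version 3.1".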
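Review bot: in README_S hunk @@ -8,14 +8,49 the same copy-paste issues as README_C appear: "./server/cfg" should be "./servers/cfg" to match the tree, "congruent with the CA and server" in a server README should read "congruent with the CA and CA-I", and "configuation" -> "configuration". The tree confirms cfg/ca_cert-chain.crts.pem for the "(CA certificate & CA-I certificate)" claim in the intro, but it also lists cfg/ca-i.keys.pem, so the "portable ... moved to another linux system" sentence needs the same caveat: moving ./servers moves the CA-I private key.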
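Review bot: in gen_ca-i.sh hunk @@ -21,7 +21,7 removing the trailing backslash from the last echo line fixes a dangling continuation in the printed example, but the context line "echo " usage: gen_ca-i.sh [# of client/server certs]"" still omits the domain argument that the example supplies (skunkworks.acme.xyz); change it to something like "usage: gen_ca-i.sh <domain> [# of client/server certs]" and carry the same text into README_CAI, which quotes this usage block.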
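Review bot: in gen_client.sh hunk @@ -11,11 +11,9 the usage line "echo " usage: gen_client.sh <# to generate>"" now names the argument and matches README_C, but it does not say whether the count is required or what happens when it is omitted (PARAM1=$1 is in the hunk context); if the script defaults to one certificate, say so in usage(), otherwise mark the argument as required.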
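Review bot: in gen_server.sh hunk @@ -11,13 +11,11 the usage text no longer prints gen_client.sh's name and example, and "gen_server.sh <# to generate>" / "example: gen_server.sh 2" now match README_S; since README_C, README_S and both scripts carry the same usage wording by hand, keep them in step in future changes (this patch had to fix the server copy precisely because it drifted), and apply the same required/optional wording decision for the count argument as in gen_client.sh.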