j3g
/
pki-bootstrap_pub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

MOD: documentation updates

This commit is contained in:
JohnE 2018-09-17 21:40:34 -07:00
parent da07fd1845
commit 2ec57697cb
8 changed files with 308 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
src/pki_bootstrap/README
View File

@ -12,17 +12,16 @@
The PKI Bootstrap application will generate a new "PKI Lifecycle" package. The PKI Lifecycle
package holds a new Certificate Authority (CA) and a complete certificate chain-of-trust. The
PKI Lifecycle package has a life of 5-10 years. Each package has embedded programs to generate new
certificate authority intermediates, client, and server certificates.
certificate authority intermediate (CA I), client, and server certificates.
-------------
USAGE
-------------
This application will generate all the files necessary to build a certificate chain of trust
using a CA, CA Intermediate, Server, and Client certificates. All the files are put into
pki lifecyle package
using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a
PKI Lifecycle package
-put the .cnf config files into the ./cnf directory
Usage: pki_bootstrap <.cnf file (minus the .cnf)>
@ -31,7 +30,7 @@ Example: pki_bootstrap org.acme.xyz
[ .cnf files ]
A .cnf file is required for the domain name. The .cnf file is found in the ./res/cnf directory
.cnf file is required for the domain name. The .cnf file is found in the ./res/cnf directory
└── res
├── cnf
@ -42,18 +41,13 @@ A .cnf file is required for the domain name. The .cnf file is found in the ./re
-----------------------
APPLICATION DESIGN
-----------------------
The ./res directory contains all the resources for the application. The resources include:
readme files, configuration files, and application files.
-------------
FEATURES
-------------
The PKI Bootstrap application will generate an
-------------
TREE
-------------
The PKI Bootstrap application directory structure is the following:
├── README
├── pki_bootstrap.sh
@ -77,3 +71,110 @@ The PKI Bootstrap application will generate an
├── gen_client.sh
├── gen_server.sh
└── pki_funcs.sh
-------------------------
PKI Lifecycle Package
-------------------------
The PKI Lifecycle packagee is a complete certificate chain of trust with a root self-signed
certificate. The package contains all the configuration and data inforomation to generate
Certificate Authority Intermediate packages.
The PKI Lifecycle packge is NOT to be removed from the generation system. It should be
protected as it contains the root CA. The package contains the root CA, configuration files,
and the a copy of the resources directory.
The PKI Lifecycle package structure is the following:
├── README
├── ca
│   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   ├── 101.ca.skunkworks.acme.xyz.keys.pem
│   └── 101.ca.skunkworks.acme.xyz_cert.info.txt
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca.cnf
│   ├── ca.crt.pem
│   ├── ca.keys.pem
│   ├── pki_funcs.sh
│   └── skunkworks.acme.xyz.cnf
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
├── gen_ca-i.sh
└── res
├── cfg
├── cnf
├── docs
└── libs
----------------
CA-I Package
----------------
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the packages
is a client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh

6
src/pki_bootstrap/pki_bootstrap.sh
View File

@ -16,9 +16,9 @@ PARAM2=$2
usage() {
echo
echo "This application will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
echo "pki lifecyle package"
echo " * put the .cnf config files into the .res/cnf/ directory"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a"
echo "PKI Lifecycle package. A .cnf file is required for the domain. The domain url should match"
echo "the .cnf file name. Put the .cnf config file into the .res/cnf/ directory"
echo
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]"
echo

40
src/pki_bootstrap/res/docs/README_C
View File

@ -8,15 +8,49 @@
-------------
INTRO
-------------
This application will generate new client certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new client certificates. The certificates can be used with any
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
-------------
USAGE
-------------
Generate a new client certificate
./ gen_client.sh
usage: gen_client.sh <# to generate>
example: gen_client.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
└── gen_client.sh

112
src/pki_bootstrap/res/docs/README_CAI
View File

@ -1,21 +1,123 @@
============================
CA Intermediate README
===================
CA Intermediate
Version 3.1
============================
===================
-------------
INTRO
-------------
This application will generate new client certificates. The certificates can be used with any
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
This application will generate new Certificate Authority Intermediate packages to be distributed
to organizations for external usage.
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the package
is client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
-------------
USAGE
-------------
Generate a new CA Intermediate certificate
This program will generate a new certificate authority (CA) intermediate
It requires a CA certificate to sign a CA Intermediate
Requires the file "ca.pem" that is used to sign the certificates
usage: gen_ca-i.sh <Org URL> [# of client/server certs]
example: gen_ca-i.sh skunkworks.acme.xyz \
10 (optional) \
-----------------------
APPLICATION DESIGN
-----------------------
The CA-I package contains all the files needed to generate certificates. The ./ca-i directory
contains the certificate authority files. The ./ca-i/data directory contains all the raw ca
files. The ./ca-i/distro directory contains the files to be distributed and installed on clients.
The .p12 files contins the CA certificate, and client certificates. The ./ca-i/docs directory
contains certificate information in plain text format.
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
----------------
CA-I Package
----------------
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh

39
src/pki_bootstrap/res/docs/README_S
View File

@ -8,14 +8,49 @@
-------------
INTRO
-------------
This application will generate new server certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new server certificates to be used with a VPN service.
-------------
USAGE
-------------
Generate a new server certificate
./ gen_server.sh
usage: gen_server.sh <# to generate>
example: gen_server.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
└── gen_server.sh

2
src/pki_bootstrap/res/libs/gen_ca-i.sh
View File

@ -21,7 +21,7 @@ usage() {
echo " usage: gen_ca-i.sh <Org URL> [# of client/server certs]"
echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
echo " 10 (optional) \\"
echo " 10 (optional)"
echo
exit 1
}

6
src/pki_bootstrap/res/libs/gen_client.sh
View File

@ -11,11 +11,9 @@ PARAM1=$1
usage() {
echo
echo "Generate a new Client certificate"
echo "Generate a new client certificate"
echo
echo
echo "Generate a new certificate"
echo " usage: gen_client.sh <number to generate>"
echo " usage: gen_client.sh <# to generate>"
echo
echo " example: gen_client.sh 2"
echo

8
src/pki_bootstrap/res/libs/gen_server.sh
View File

@ -11,13 +11,11 @@ PARAM1=$1
usage() {
echo
echo "Generate a new Server certificate"
echo "Generate a new server certificate"
echo
echo " usage: gen_server.sh <# to generate>"
echo
echo "Generate a new certificate"
echo " usage: gen_client.sh <number to generate>"
echo
echo " example: gen_client.sh 2"
echo " example: gen_server.sh 2"
echo
exit 1
}