diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh index e33709a..1ec1741 100755 --- a/src/pki_bootstrap/pki_bootstrap.sh +++ b/src/pki_bootstrap/pki_bootstrap.sh @@ -129,8 +129,8 @@ gen_lc_ca_i() { cd $FQ_DIR_LC # generate new CA-I ca-i_gen_pki $ORG_URL 1001 2 - ca-i_gen_pki $ORG_URL 2001 5 -# ca-i_gen_pki $ORG_URL 3001 8 + # ca-i_gen_pki $ORG_URL 2001 5 + # ca-i_gen_pki $ORG_URL 3001 8 } diff --git a/src/pki_bootstrap/res/cnf/vpn.backchannel.es.cnf b/src/pki_bootstrap/res/cnf/vpn.backchannel.es.cnf new file mode 100644 index 0000000..a0a750e --- /dev/null +++ b/src/pki_bootstrap/res/cnf/vpn.backchannel.es.cnf @@ -0,0 +1,55 @@ +# +# +# IMPORTANT INFO +# +# +[ v3_server ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "ACME Corp" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +#subjectAltName = IP:192.168.123.129 + +[ alt_names ] +DNS.1 = "vpn.backchannel.es" + +# +# +# FORCED TO INCLUDE THIS JUNK +# +# +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +#x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = US +stateOrProvinceName_default = State51 +localityName_default = +0.organizationName_default = ACME R&D +organizationalUnitName_default = +emailAddress_default = + 
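Review bot: The two `ca-i_gen_pki` calls in `gen_lc_ca_i` are kept as commented-out code with no reason given, so a reader cannot tell whether the 2001/5 and 3001/8 chains are retired or only parked; either delete them or put the reason above them, e.g. `# only the 1001 chain is bootstrapped for now; 2001/3001 kept for reference`. The third argument is the number of certificates per chain (`ca-i_gen_pki` in pki_funcs.sh derives `NUM_CERTS=$(($3-1))` from it), which nothing at the call site says; `# args: ORG_URL, base serial, certificates per chain` would help. `gen_lc_ca_i` starts before the hunk.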
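Review bot: `subjectAltName` is fixed to `DNS.1 = "vpn.backchannel.es"` while gen_server.sh sets the subject CN to `${SERIAL}.${ORG_URL}`, so every server certificate issued from this file carries the same SAN and, since clients match the SAN rather than the CN, the per-serial CN plays no part in hostname verification; if all servers really answer as `vpn.backchannel.es` that is fine, but a comment next to `[ alt_names ]` saying so would save the next reader the check. The `# See .` line in `[ req_distinguished_name ]` has lost its reference; restore the link or drop the line. `nsCertType` and `nsComment` are legacy Netscape extensions that current clients ignore and can go. gen_server.sh reads the config as `cfg/${ORG_URL}.cnf`, so this file is only picked up once it is placed under that name; if a bootstrap step does that, a top-of-file comment naming the step would replace the `IMPORTANT INFO` placeholder usefully.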
diff --git a/src/pki_bootstrap/res/libs/gen_client.sh b/src/pki_bootstrap/res/libs/gen_client.sh index 69939ec..9b03551 100755 --- a/src/pki_bootstrap/res/libs/gen_client.sh +++ b/src/pki_bootstrap/res/libs/gen_client.sh @@ -4,7 +4,7 @@ # # # This function will generate a Client cert -# IN: UNIQ_ID_CA, SERIAL +# IN: UNIQ_ID, SERIAL # # source this file to include the functions @@ -21,7 +21,7 @@ usage() { echo echo echo "Generate a new certificate" - echo " usage: gen_client.sh " + echo " usage: gen_client.sh " echo echo " example: gen_client.sh skunkworks.acme.xyz \\" echo " 10052 \\" @@ -29,21 +29,18 @@ usage() { exit 1 } -error_no_ca_file() { - echo_block "ERROR: missing ca-i.pem" - usage -} - main() { - if [[ ! -f ca-i.pem ]]; then - error_no_ca_file + if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then + echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing" + usage fi - if [[ ! -f SERIAL ]]; then - error_no_serial + if [[ ! -f cfg/SERIAL ]]; then + echo_block "ERROR: file cfg/SERIAL is missing" + usage fi - if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then + if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then gen_client $PARAM1 $PARAM2 else usage diff --git a/src/pki_bootstrap/res/libs/gen_server.sh b/src/pki_bootstrap/res/libs/gen_server.sh index ad7e320..156cb73 100755 --- a/src/pki_bootstrap/res/libs/gen_server.sh +++ b/src/pki_bootstrap/res/libs/gen_server.sh 
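Review bot: `main()` checks that `cfg/SERIAL` exists but never reads it; the serial that reaches `openssl x509 -set_serial` in `gen_client` is `$PARAM2` straight from the command line, unvalidated. Either read the serial from `cfg/SERIAL` or validate the argument before the call, e.g. `[[ $PARAM2 =~ ^[0-9]+$ ]] || usage`; the new `main()` in gen_server.sh has the same shape. The argument test comes after the file tests, so running the script with no arguments reports a missing file before it shows usage; checking `-n $PARAM1` first reads better. Quote the expansions in the call as well: `gen_client "$PARAM1" "$PARAM2"`.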
@@ -1,62 +1,54 @@ #!/bin/bash # -# Create CA Intermediate +# Create Server Certificates # # -# This function will generate a CA Intermediate -# IN: UNIQ_ID_CA, SERIAL +# This function will generate a Server cert +# IN: UNIQ_ID, SERIAL # + +# source this file to include the functions +. cfg/pki_funcs.sh + PARAM1=$1 PARAM2=$2 +PARAM3=$3 + usage() { echo - echo "Generate a new certificate" + echo "Generate a new Server certificate" echo - echo "This program will generate a new certificate authority intermediate" - echo "Requires the file ca-i.pem that is used to sign the certificates" - echo "The script requires a CA Intermediate certificate used to sign the client" - echo "" - echo "" - echo "" echo echo "Generate a new certificate" - echo " usage: gen_server.sh " + echo " usage: gen_server.sh " echo - echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\" - echo " skunkworks.acme.xyz \\" + echo " example: gen_server.sh skunkworks.acme.xyz \\" echo " 10052 \\" echo exit 1 } -# -# Generate a Server Certificate -# IN: ${SERIAL}, ${UNIQ_ID} -# -generate_server() { - openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096 - openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \ - -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ - -out "server_${UNIQ_ID}.csr.pem" +main() { + if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then + echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing" + usage + fi + if [[ ! -f cfg/SERIAL ]]; then + echo_block "ERROR: file cfg/SERIAL is missing" + usage + fi + if [[ ! 
-f "cfg/$PARAM1.cnf" ]]; then + echo_block "ERROR: file cfg/$PARAM1.cnf is missing" + usage + fi - # Intermediate signs Server - openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \ - -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ - -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem" - - # verify certificate (output to text file for review) - openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" + if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then + gen_server $PARAM1 $PARAM2 + else + usage + fi } -# if all argument strings are empty, then continue execution -if [[ -n $1 ]] && [[ -n $2 ]] && [[ -n $3 ]]; then - UNIQ_ID_CA=$1 - ORG_URL=$2 - SERIAL=$3 - UNIQ_ID="${ORG_URL}_${SERIAL}" - generate_server -else - usage -fi +main diff --git a/src/pki_bootstrap/res/libs/pki_funcs.sh b/src/pki_bootstrap/res/libs/pki_funcs.sh index 02784f2..ba901bd 100644 --- a/src/pki_bootstrap/res/libs/pki_funcs.sh +++ b/src/pki_bootstrap/res/libs/pki_funcs.sh 
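Review bot: `PARAM3=$3` is assigned but nothing in the new file uses it (`gen_server` is called with `$PARAM1 $PARAM2` and the usage example shows two arguments); drop it or document the intended third argument. The `cfg/$PARAM1.cnf` test runs before the `-n $PARAM1` check, so with no arguments the script reports `ERROR: file cfg/.cnf is missing` instead of usage; move the argument check ahead of the file checks. `. cfg/pki_funcs.sh` and every `cfg/` path are relative to the current directory, so the script presumably only works when run from the `servers/` directory the bootstrap creates; the usage text could say so. `usage` still prints `Generate a new certificate` a second time after `Generate a new Server certificate`; one of the two can go.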
@@ -72,60 +72,73 @@ gen_ca() { # Create CA Intermediate PKI # # -# -# INPUT: SERIAL #, LOOP NUM -# -ca-i_gen_pki() { - # organization - CDD=`pwd` - ORG_URL=$1 - SERIAL=$2 - LOOP_NUM=$3 - - UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}" - mkdir -p "distribution/${UNIQ_DIR_CA}" - cd "distribution/${UNIQ_DIR_CA}" - - # geneate certificates, organize the files - ca-i_gen_pki_certs $ORG_URL $SERIAL $LOOP_NUM - ca-i_organize - ca-i_cp_docs - - # return to last path - cd $CDD -} # # Generate a PKI chain # - the certificate chain is unique based on the serial # # - generate a new CA I -# - generate two server certificates -# - generate two client certificates +# - generate server certificates +# - generate client certificates # # INPUT: BASE SERIAL #, LOOP NUM # # Requires: FQ_CA_CERT, FQ_CA_KEYS # -ca-i_gen_pki_certs() { +ca-i_gen_pki() { + CDD=`pwd` ORG_URL=$1 SERIAL_O=$2 NUM_CERTS=$(($3-1)) - # Create CA Intermediate + # create unique directory UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}" - ca-i_gen_cert $UNIQ_ID_CAI $SERIAL_O + mkdir -p "distribution/ca_i_${UNIQ_ID_CAI}" + cd "distribution/ca_i_${UNIQ_ID_CAI}" - # Server Certificates + # Create CA Intermediate + ca-i_gen_cert $ORG_URL $SERIAL_O + + # create directories, copy files, before generating client/server + ca-i_create_shell + + __ca-i_gen_client + + __ca-i_gen_server + + # return to last path + cd $CDD +} + +# +# Client Certificates +# +__ca-i_gen_client() { + # create directories + mkdir -p clients/data + mkdir -p clients/distro + mkdir -p clients/docs + cd clients for NUM in $(seq 0 $NUM_CERTS) do - gen_server $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM)) + gen_client $ORG_URL $((SERIAL_O+NUM)) done + cd .. 
+} - # Client Certificates +# +# Server Certificates +# +__ca-i_gen_server() { + # create directories + mkdir -p servers/data + mkdir -p servers/distro + mkdir -p servers/docs + cd servers for NUM in $(seq 0 $NUM_CERTS) do - gen_client $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM)) + gen_server $ORG_URL $((SERIAL_O+NUM)) done + cd .. } # This function will generate a CA Intermediate 
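Review bot: `__ca-i_gen_client` and `__ca-i_gen_server` both pass `$((SERIAL_O+NUM))`, so for every NUM a client certificate and a server certificate are issued by the same CA-I with the same serial number; RFC 5280 requires serials to be unique per issuer, and revocation identifies a certificate by issuer and serial, so neither of the pair could be revoked without the other. Give the loops disjoint ranges, e.g. keep servers at `$((SERIAL_O+NUM))` and use `$((SERIAL_O+NUM_CERTS+1+NUM))` for clients, or draw both from a single counter. The `cd clients`/`cd servers` calls and the trailing `cd ..` are unchecked; if a `cd` fails the loop writes into the CA-I directory, so `cd clients || return 1` is worth adding. The `pwd` capture on the first line of `ca-i_gen_pki` uses backticks; `CDD=$(pwd)` matches the `$(seq …)` form used in the loops.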
@@ -135,133 +148,83 @@ ca-i_gen_pki_certs() { # IN: UNIQ_ID_CA, SERIAL # ca-i_gen_cert() { - UNIQ_ID_CAI=$1 + ORG_URL=$1 SERIAL=$2 - echo_block "Create CA Intermediate (${UNIQ_ID_CAI})" + UNIQ_ID="${SERIAL}.${ORG_URL}" - openssl genrsa -out "ca_i_${UNIQ_ID_CAI}.keys.pem" 4096 + echo_block "Create CA Intermediate (${UNIQ_ID})" + + openssl genrsa -out "ca_i_${UNIQ_ID}.keys.pem" 4096 # Create Cert Signing Request (CSR) openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \ - -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CAI}" \ - -key "ca_i_${UNIQ_ID_CAI}.keys.pem" -out "ca_i_${UNIQ_ID_CAI}.csr.pem" + -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \ + -key "ca_i_${UNIQ_ID}.keys.pem" -out "ca_i_${UNIQ_ID}.csr.pem" # Create Certificate (valid for ~2 years, after the entire chain of trust expires) # CA signs Intermediate openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \ -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \ - -in "ca_i_${UNIQ_ID_CAI}.csr.pem" -out "ca_i_${UNIQ_ID_CAI}.crt.pem" + -in "ca_i_${UNIQ_ID}.csr.pem" -out "ca_i_${UNIQ_ID}.crt.pem" # Package the Certificate Authority Certificates for distro (windoze needs this) - openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CAI}.keys.pem" \ + openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID}.keys.pem" \ -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \ - -in "ca_i_${UNIQ_ID_CAI}.crt.pem" -out "ca_i_${UNIQ_ID_CAI}.p12" + -in "ca_i_${UNIQ_ID}.crt.pem" -out "ca_i_${UNIQ_ID}.p12" # verify certificate (output to text file for review) - openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_i_${UNIQ_ID_CAI}.crt.info.txt" + openssl x509 -noout -text -in "ca_i_${UNIQ_ID}.crt.pem" > "ca_i_${UNIQ_ID}.crt.info.txt" # create certifiate chain - cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -} - -# -# Organize the generated crypto files into logical folders -# 
-ca-i_organize() { - # organize the client directory - mkdir -p clients/cfg - mkdir -p clients/data - mkdir -p clients/distro - mkdir -p clients/docs - mv client*.pem clients/data/ - mv client*.p12 clients/distro/ - mv client*.info.txt clients/docs/ - cp ca_i*.crt.pem clients/cfg/ca_i.crt.pem - cp ca_i*.keys.pem clients/cfg/ca_i.keys.pem - - # organize the server directory - mkdir -p servers/cfg - mkdir -p servers/data - mkdir -p servers/distro - mkdir -p servers/docs - mv server_*.pem servers/data/ - mv server_*.p12 servers/distro/ - mv server_*.info.txt servers/docs/ - cp ca_i*.crt.pem servers/cfg/ca_i.crt.pem - cp ca_i*.keys.pem servers/cfg/ca_i.keys.pem - - # organize the ca-i directory - # order matters: move these files last because they were copied above - mkdir -p ca-i/data - mkdir -p ca-i/docs - mkdir -p ca-i/distro - mv ca_i*.pem ca-i/data/ - mv ca_i*.info.txt ca-i/docs/ - mv ca_i*.p12 ca-i/distro - mv ca_cert-chain*.pem ca-i/distro + cat $FQ_CA_CERT "ca_i_${UNIQ_ID}.crt.pem" > "ca_cert-chain_${UNIQ_ID}.crts.pem" } # # Copies all applcations to the Lifecycle package -# -# Requires: -# UNIQ_DIR_LC : unique string for the Lifecycle directory -# UNIQ_ID_CAI : unique string for the CA-I +# organize the ca-i directory +# order matters: move these files last because they were copied above # -ca-i_cp_docs() { +ca-i_create_shell() { + DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}" - # CA-I - cp $CDD/res/docs/README_CAI $DEST_DIR/README - cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/ - cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/ - # client + mkdir -p clients/cfg cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg cp $CDD/res/docs/README_C $DEST_DIR/clients/README cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/ + # generated files + cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem + cp $DEST_DIR/ca_i*.keys.pem 
$DEST_DIR/clients/cfg/ca-i.keys.pem + cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem # server + mkdir -p servers/cfg cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/ cp $CDD/res/docs/README_S $DEST_DIR/servers/README cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/ -} + # generated files + cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem + cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem + cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem -# -# Generate a Server Certificate -# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL -# -gen_server() { - ORG_URL=$1 - UNIQ_ID_CAI=$2 - SERIAL=$3 - - UNIQ_ID="${SERIAL}.${ORG_URL}" - echo_block "Generate Server Certificates (${UNIQ_ID})" - - openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096 - - openssl req -new -config $CNF_PATH/${ORG_URL}.cnf -key "server_${UNIQ_ID}.keys.pem" \ - -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ - -out "server_${UNIQ_ID}.csr.pem" - - # CA Intermediate signs Server - openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \ - -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \ - -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem" - - # Package the Certificates - openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \ - -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \ - -in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12" - - # verify certificate (output to text file for review) - openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" + # CA-I + mkdir -p ca-i/data + mkdir -p ca-i/docs + mkdir -p ca-i/distro + cp $CDD/res/docs/README_CAI $DEST_DIR/README + cp 
$CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/ + cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/ + # generated files + mv $DEST_DIR/ca_i*.pem $DEST_DIR/ca-i/data/ + mv $DEST_DIR/ca_i*.info.txt $DEST_DIR/ca-i/docs/ + mv $DEST_DIR/ca_i*.p12 $DEST_DIR/ca-i/distro + mv $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/ca-i/distro } # 
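Review bot: `ca-i_create_shell` copies the intermediate's private key to `clients/cfg/ca-i.keys.pem` and `servers/cfg/ca-i.keys.pem`, so the key that signs every end-entity certificate lives in three places, two of them inside trees that also hold the `distro/` bundles meant to leave the machine; an archive of `clients/` or `servers/` ships the issuing key with it. Keep the key under `ca-i/data` only, `chmod 600` it, and let `gen_client`/`gen_server` take the key path as an argument; failing that, `chmod 600` the copies and say in README_C/README_S that these directories must never be distributed whole. The PKCS#12 export in `ca-i_gen_cert` (and in `gen_client`/`gen_server` in the next hunk) uses `-password "pass:password"`, a fixed, well-known password on a bundle that contains the private key; take it from the environment or a file instead, e.g. `-passout env:PKCS12_PASS`. The `# IN: UNIQ_ID_CA, SERIAL` header above `ca-i_gen_cert` is now stale; the function reads `ORG_URL=$1` and `SERIAL=$2`.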
@@ -270,33 +233,62 @@ gen_server() { # gen_client() { ORG_URL=$1 - UNIQ_ID_CAI=$2 - SERIAL=$3 + SERIAL=$2 UNIQ_ID="${SERIAL}.${ORG_URL}" + CERT_CHAIN="cfg/ca_cert-chain.crts.pem" echo_block "Generate Client Certificates (${UNIQ_ID})" - openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096 + openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096 - openssl req -new -key "client_${UNIQ_ID}.keys.pem" \ + openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \ - -out "client_${UNIQ_ID}.csr.pem" + -out "data/client_${UNIQ_ID}.csr.pem" # CA Intermediate signs Client openssl x509 -req -days 365 \ - -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \ - -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem" + -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ + -in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem" # Package the Certificates - openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \ - -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \ - -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12" + openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \ + -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \ + -in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12" # verify certificate (output to text file for review) - openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt" + openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt" } # -# give some info if someone tries to execute this -# echo_block "this script file has only helper functions" +# Generate a Server Certificate +# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL +# 
+gen_server() {
+ ORG_URL=$1
+ SERIAL=$2
+
+ UNIQ_ID="${SERIAL}.${ORG_URL}"
+ CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
+
+ echo_block "Generate Server Certificates (${UNIQ_ID})"
+
+ openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096
+
+ openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \
+ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
+ -out "data/server_${UNIQ_ID}.csr.pem"
+
+ # CA Intermediate signs Server
+ openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \
+ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
+ -in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem"
+
+ # Package the Certificates
+ openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \
+ -name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \
+ -in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt"
+}
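Review bot: `gen_client` signs the CSR with `openssl x509 -req` and no `-extfile`/`-extensions`, unlike `gen_server`, so client certificates carry no extensions at all: no `basicConstraints = CA:FALSE`, no `keyUsage` and no `extendedKeyUsage = clientAuth`, which leaves them unconstrained to client use and gives relying parties nothing to enforce. Add a `v3_client` section to the per-org cnf and sign with `-extfile "cfg/${ORG_URL}.cnf" -extensions v3_client`. The `# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL` header above `gen_server` does not match the function, which reads `ORG_URL=$1` and `SERIAL=$2`; `# IN: ORG_URL, SERIAL` is accurate. The `echo_block "this script file has only helper functions"` line just above the new header reads as live, unchanged code in this hunk; if it is, every `. cfg/pki_funcs.sh` in gen_client.sh and gen_server.sh prints it, and it should be removed or guarded.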