j3g
/
pki-bootstrap_pub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

FIN: backwards compatibility with client/server changes

This commit is contained in:
JohnE 2018-08-25 10:08:24 -07:00
parent 1c10bd4b55
commit 3e28da6ac3
5 changed files with 221 additions and 185 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/pki_bootstrap/pki_bootstrap.sh
View File

@ -129,8 +129,8 @@ gen_lc_ca_i() {
cd $FQ_DIR_LC cd $FQ_DIR_LC
# generate new CA-I # generate new CA-I
ca-i_gen_pki $ORG_URL 1001 2 ca-i_gen_pki $ORG_URL 1001 2
ca-i_gen_pki $ORG_URL 2001 5 # ca-i_gen_pki $ORG_URL 2001 5
# ca-i_gen_pki $ORG_URL 3001 8 # ca-i_gen_pki $ORG_URL 3001 8
} }

55
src/pki_bootstrap/res/cnf/vpn.backchannel.es.cnf Normal file
View File

@ -0,0 +1,55 @@
#
#
# IMPORTANT INFO
#
#
[ v3_server ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Corp"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
#subjectAltName = IP:192.168.123.129
[ alt_names ]
DNS.1 = "vpn.backchannel.es"
#
#
# FORCED TO INCLUDE THIS JUNK
#
#
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
#x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =

21
src/pki_bootstrap/res/libs/gen_client.sh
View File

@ -4,7 +4,7 @@
# #
# #
# This function will generate a Client cert # This function will generate a Client cert
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID, SERIAL
# #
# source this file to include the functions # source this file to include the functions
@ -21,7 +21,7 @@ usage() {
echo echo
echo echo
echo "Generate a new certificate" echo "Generate a new certificate"
echo " usage: gen_client.sh <CA Intermediate> <Org URL> <Serial>" echo " usage: gen_client.sh <Org URL> <Serial #>"
echo echo
echo " example: gen_client.sh skunkworks.acme.xyz \\" echo " example: gen_client.sh skunkworks.acme.xyz \\"
echo " 10052 \\" echo " 10052 \\"
@ -29,21 +29,18 @@ usage() {
exit 1 exit 1
} }
error_no_ca_file() {
echo_block "ERROR: missing ca-i.pem"
usage
}
main() { main() {
if [[ ! -f ca-i.pem ]]; then if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
error_no_ca_file echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi fi
if [[ ! -f SERIAL ]]; then if [[ ! -f cfg/SERIAL ]]; then
error_no_serial echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi fi
if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
gen_client $PARAM1 $PARAM2 gen_client $PARAM1 $PARAM2
else else
usage usage

70
src/pki_bootstrap/res/libs/gen_server.sh
View File

@ -1,62 +1,54 @@
#!/bin/bash #!/bin/bash
# #
# Create CA Intermediate # Create Server Certificates
# #
# #
# This function will generate a CA Intermediate # This function will generate a Server cert
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID, SERIAL
# #
# source this file to include the functions
. cfg/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2 PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
echo "Generate a new certificate" echo "Generate a new Server certificate"
echo echo
echo "This program will generate a new certificate authority intermediate"
echo "Requires the file ca-i.pem that is used to sign the certificates"
echo "The script requires a CA Intermediate certificate used to sign the client"
echo ""
echo ""
echo ""
echo echo
echo "Generate a new certificate" echo "Generate a new certificate"
echo " usage: gen_server.sh <CA Intermediate> <Org URL> <Serial>" echo " usage: gen_server.sh <Org URL> <Serial #>"
echo echo
echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\" echo " example: gen_server.sh skunkworks.acme.xyz \\"
echo " skunkworks.acme.xyz \\"
echo " 10052 \\" echo " 10052 \\"
echo echo
exit 1 exit 1
} }
#
# Generate a Server Certificate
# IN: ${SERIAL}, ${UNIQ_ID}
#
generate_server() {
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \ main() {
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
-out "server_${UNIQ_ID}.csr.pem" echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
if [[ ! -f "cfg/$PARAM1.cnf" ]]; then
echo_block "ERROR: file cfg/$PARAM1.cnf is missing"
usage
fi
# Intermediate signs Server if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \ gen_server $PARAM1 $PARAM2
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ else
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem" usage
fi
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
} }
# if all argument strings are empty, then continue execution main
if [[ -n $1 ]] && [[ -n $2 ]] && [[ -n $3 ]]; then
UNIQ_ID_CA=$1
ORG_URL=$2
SERIAL=$3
UNIQ_ID="${ORG_URL}_${SERIAL}"
generate_server
else
usage
fi

256
src/pki_bootstrap/res/libs/pki_funcs.sh
View File

@ -72,60 +72,73 @@ gen_ca() {
# Create CA Intermediate PKI # Create CA Intermediate PKI
# #
# #
#
# INPUT: SERIAL #, LOOP NUM
#
ca-i_gen_pki() {
# organization
CDD=`pwd`
ORG_URL=$1
SERIAL=$2
LOOP_NUM=$3
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
mkdir -p "distribution/${UNIQ_DIR_CA}"
cd "distribution/${UNIQ_DIR_CA}"
# geneate certificates, organize the files
ca-i_gen_pki_certs $ORG_URL $SERIAL $LOOP_NUM
ca-i_organize
ca-i_cp_docs
# return to last path
cd $CDD
}
# #
# Generate a PKI chain # Generate a PKI chain
# - the certificate chain is unique based on the serial # # - the certificate chain is unique based on the serial #
# - generate a new CA I # - generate a new CA I
# - generate two server certificates # - generate server certificates
# - generate two client certificates # - generate client certificates
# #
# INPUT: BASE SERIAL #, LOOP NUM # INPUT: BASE SERIAL #, LOOP NUM
# #
# Requires: FQ_CA_CERT, FQ_CA_KEYS # Requires: FQ_CA_CERT, FQ_CA_KEYS
# #
ca-i_gen_pki_certs() { ca-i_gen_pki() {
CDD=`pwd`
ORG_URL=$1 ORG_URL=$1
SERIAL_O=$2 SERIAL_O=$2
NUM_CERTS=$(($3-1)) NUM_CERTS=$(($3-1))
# Create CA Intermediate # create unique directory
UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}" UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}"
ca-i_gen_cert $UNIQ_ID_CAI $SERIAL_O mkdir -p "distribution/ca_i_${UNIQ_ID_CAI}"
cd "distribution/ca_i_${UNIQ_ID_CAI}"
# Server Certificates # Create CA Intermediate
ca-i_gen_cert $ORG_URL $SERIAL_O
# create directories, copy files, before generating client/server
ca-i_create_shell
__ca-i_gen_client
__ca-i_gen_server
# return to last path
cd $CDD
}
#
# Client Certificates
#
__ca-i_gen_client() {
# create directories
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
cd clients
for NUM in $(seq 0 $NUM_CERTS) for NUM in $(seq 0 $NUM_CERTS)
do do
gen_server $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM)) gen_client $ORG_URL $((SERIAL_O+NUM))
done done
cd ..
}
# Client Certificates #
# Server Certificates
#
__ca-i_gen_server() {
# create directories
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
cd servers
for NUM in $(seq 0 $NUM_CERTS) for NUM in $(seq 0 $NUM_CERTS)
do do
gen_client $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM)) gen_server $ORG_URL $((SERIAL_O+NUM))
done done
cd ..
} }
# This function will generate a CA Intermediate # This function will generate a CA Intermediate
@ -135,133 +148,83 @@ ca-i_gen_pki_certs() {
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
ca-i_gen_cert() { ca-i_gen_cert() {
UNIQ_ID_CAI=$1 ORG_URL=$1
SERIAL=$2 SERIAL=$2
echo_block "Create CA Intermediate (${UNIQ_ID_CAI})" UNIQ_ID="${SERIAL}.${ORG_URL}"
openssl genrsa -out "ca_i_${UNIQ_ID_CAI}.keys.pem" 4096 echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "ca_i_${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR) # Create Cert Signing Request (CSR)
openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \ openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CAI}" \ -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "ca_i_${UNIQ_ID_CAI}.keys.pem" -out "ca_i_${UNIQ_ID_CAI}.csr.pem" -key "ca_i_${UNIQ_ID}.keys.pem" -out "ca_i_${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires) # Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate # CA signs Intermediate
openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \ openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \ -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID_CAI}.csr.pem" -out "ca_i_${UNIQ_ID_CAI}.crt.pem" -in "ca_i_${UNIQ_ID}.csr.pem" -out "ca_i_${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this) # Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CAI}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \ -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID_CAI}.crt.pem" -out "ca_i_${UNIQ_ID_CAI}.p12" -in "ca_i_${UNIQ_ID}.crt.pem" -out "ca_i_${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_i_${UNIQ_ID_CAI}.crt.info.txt" openssl x509 -noout -text -in "ca_i_${UNIQ_ID}.crt.pem" > "ca_i_${UNIQ_ID}.crt.info.txt"
# create certifiate chain # create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" cat $FQ_CA_CERT "ca_i_${UNIQ_ID}.crt.pem" > "ca_cert-chain_${UNIQ_ID}.crts.pem"
}
#
# Organize the generated crypto files into logical folders
#
ca-i_organize() {
# organize the client directory
mkdir -p clients/cfg
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
mv client*.pem clients/data/
mv client*.p12 clients/distro/
mv client*.info.txt clients/docs/
cp ca_i*.crt.pem clients/cfg/ca_i.crt.pem
cp ca_i*.keys.pem clients/cfg/ca_i.keys.pem
# organize the server directory
mkdir -p servers/cfg
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
mv server_*.pem servers/data/
mv server_*.p12 servers/distro/
mv server_*.info.txt servers/docs/
cp ca_i*.crt.pem servers/cfg/ca_i.crt.pem
cp ca_i*.keys.pem servers/cfg/ca_i.keys.pem
# organize the ca-i directory
# order matters: move these files last because they were copied above
mkdir -p ca-i/data
mkdir -p ca-i/docs
mkdir -p ca-i/distro
mv ca_i*.pem ca-i/data/
mv ca_i*.info.txt ca-i/docs/
mv ca_i*.p12 ca-i/distro
mv ca_cert-chain*.pem ca-i/distro
} }
# #
# Copies all applcations to the Lifecycle package # Copies all applcations to the Lifecycle package
# # organize the ca-i directory
# Requires: # order matters: move these files last because they were copied above
# UNIQ_DIR_LC : unique string for the Lifecycle directory
# UNIQ_ID_CAI : unique string for the CA-I
# #
ca-i_cp_docs() { ca-i_create_shell() {
DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}" DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}"
# CA-I
cp $CDD/res/docs/README_CAI $DEST_DIR/README
cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/
cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/
# client # client
mkdir -p clients/cfg
cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/ cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg
cp $CDD/res/docs/README_C $DEST_DIR/clients/README cp $CDD/res/docs/README_C $DEST_DIR/clients/README
cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/ cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/
# generated files
cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem
cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem
cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
# server # server
mkdir -p servers/cfg
cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/ cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/
cp $CDD/res/docs/README_S $DEST_DIR/servers/README cp $CDD/res/docs/README_S $DEST_DIR/servers/README
cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/ cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/
} # generated files
cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem
cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem
cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
# # CA-I
# Generate a Server Certificate mkdir -p ca-i/data
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL mkdir -p ca-i/docs
# mkdir -p ca-i/distro
gen_server() { cp $CDD/res/docs/README_CAI $DEST_DIR/README
ORG_URL=$1 cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/
UNIQ_ID_CAI=$2 cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/
SERIAL=$3 # generated files
mv $DEST_DIR/ca_i*.pem $DEST_DIR/ca-i/data/
UNIQ_ID="${SERIAL}.${ORG_URL}" mv $DEST_DIR/ca_i*.info.txt $DEST_DIR/ca-i/docs/
echo_block "Generate Server Certificates (${UNIQ_ID})" mv $DEST_DIR/ca_i*.p12 $DEST_DIR/ca-i/distro
mv $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/ca-i/distro
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config $CNF_PATH/${ORG_URL}.cnf -key "server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "server_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server
openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
} }
# #
@ -270,33 +233,62 @@ gen_server() {
# #
gen_client() { gen_client() {
ORG_URL=$1 ORG_URL=$1
UNIQ_ID_CAI=$2 SERIAL=$2
SERIAL=$3
UNIQ_ID="${SERIAL}.${ORG_URL}" UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
echo_block "Generate Client Certificates (${UNIQ_ID})" echo_block "Generate Client Certificates (${UNIQ_ID})"
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096 openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "client_${UNIQ_ID}.keys.pem" \ openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-out "client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client # CA Intermediate signs Client
openssl x509 -req -days 365 \ openssl x509 -req -days 365 \
-CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem" -in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem"
# Package the Certificates # Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \ -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12" -in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt" openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt"
} }
# #
# give some info if someone tries to execute this # Generate a Server Certificate
# echo_block "this script file has only helper functions" # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
#
gen_server() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
echo_block "Generate Server Certificates (${UNIQ_ID})"
openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/server_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server
openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \
-in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt"
}