From 5366ef101d6c2657c62c59ae5241ee99a656d62e Mon Sep 17 00:00:00 2001 From: JohnE Date: Mon, 10 Sep 2018 19:09:48 -0700 Subject: [PATCH] FIN: refactoring complete, serial #s are all coherent, distinguished names (DN) is strong with both CA-I serial #s and client/server serial #s --- .gitignore | 5 +- docs/pki_agile | 3 + src/pki_bootstrap/pki_bootstrap.sh | 74 +++-- .../res/docs/{SERIAL => SERIAL_C} | 0 src/pki_bootstrap/res/docs/SERIAL_S | 1 + src/pki_bootstrap/res/libs/gen_ca-i.sh | 34 +- src/pki_bootstrap/res/libs/gen_client.sh | 18 +- src/pki_bootstrap/res/libs/gen_server.sh | 18 +- src/pki_bootstrap/res/libs/pki_funcs.sh | 293 +++++++----------- 9 files changed, 200 insertions(+), 246 deletions(-) rename src/pki_bootstrap/res/docs/{SERIAL => SERIAL_C} (100%) create mode 100644 src/pki_bootstrap/res/docs/SERIAL_S diff --git a/.gitignore b/.gitignore index 8abb9f2..3f8f9be 100644 --- a/.gitignore +++ b/.gitignore @@ -1,12 +1,9 @@ -# -pki-lifecycle_* - # Project specific files sftp-config.json .DS_Store **/var/ **/cert_gen/acme.xyz_fl/ - +pki-lifecycle_* # Byte-compiled / optimized / DLL files __pycache__/ diff --git a/docs/pki_agile b/docs/pki_agile index 8f0b999..c84c243 100644 --- a/docs/pki_agile +++ b/docs/pki_agile @@ -40,9 +40,12 @@ [[ COMPLETED ]] [ ver 3.3 ] +* SERIOUS refactoring to focus on local execution with default configs and SERIAL # incrementation * configuration defaults generated so that the CA-I package is all automated * gen_client.sh modified run with config defaults * gen_server.sh modified to run with config defaults +* gen_client.sh will generate # of certs +* gen_server.sh will generate # of certs * auto-increment SERIAL * CA FQDN saved to config file * CA-I FQDN saved to config file diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh index 374bccd..770e055 100755 --- a/src/pki_bootstrap/pki_bootstrap.sh +++ b/src/pki_bootstrap/pki_bootstrap.sh 
@@ -17,11 +17,13 @@ usage() { echo "This application will generate all the files necessary to build a certificate chain of trust" echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into" echo "pki lifecyle package" - echo " -put the .cnf config files into the ./cnf directory" + echo " * put the .cnf config files into the .res/cnf/ directory" echo - echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>" + echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]" echo echo "Example: pki_bootstrap org.acme.xyz" + echo " pki_bootstrap org.acme.xyz 5" + echo exit 1 } @@ -41,9 +43,6 @@ get_serial_ca() { # # CA generation requires .cnf files -# create CA directory -# create bash variables to CA -# restore script back to original path # app_init() { if [[ -n $PARAM1 ]]; then @@ -54,11 +53,9 @@ app_init() { if [[ ${PARAM1: -4} == .cnf ]]; then ORG_URL=${PARAM1%.*} S_CNF=${PARAM1} - echo "ASDF: ${ORG_URL}, ${S_CNF}" else ORG_URL=$PARAM1 S_CNF="${PARAM1}.cnf" - echo "ZXCV: ${ORG_URL}, ${S_CNF}" fi FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}" @@ -78,7 +75,7 @@ app_init() { # gen_lifecycle() { get_serial_ca - echo_block "SERIAL == ${SERIAL}" + # Organize # # create a unique path for the server certificate 
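Review bot: The new help line `echo "  * put the .cnf config files into the .res/cnf/ directory"` names a path that does not exist; `app_init` a few lines below resolves the file as `FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"`, so the text should read `./res/cnf/`. The `[# of CA-I to generate]` argument added to the usage string is consumed by arithmetic expansion in `gen_lc_ca_i` without any numeric check; saying here that it must be a positive integer, and enforcing it next to the existing `PARAM1` handling in `app_init` with `[[ -z $PARAM2 || $PARAM2 =~ ^[0-9]+$ ]] || usage`, keeps the help text and the validation in step. The `@@ -78,7` hunk in this file swaps the `echo_block "SERIAL == ${SERIAL}"` call for a whitespace-only line; deleting the line outright avoids trailing-whitespace noise in `gen_lifecycle`.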
@@ -88,44 +85,36 @@ gen_lifecycle() { FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}" # create CA unique dir - UNIQ_ID_CA="${SERIAL}.${ORG_URL}" - CA_DIR="ca_${UNIQ_ID_CA}" - # cd $CA_DIR - # FQ_CA_DIR=`pwd` - # FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem" - # FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem" - - # mkdir -p "${UNIQ_DIR_LC}/${CA_DIR}" + UNIQ_ID_CA="${SERIAL}.ca.${ORG_URL}" mkdir -p "${UNIQ_DIR_LC}/ca" cd "${UNIQ_DIR_LC}" - # initialize the functions lib - # pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf" # generate a new CA gen_ca $UNIQ_ID_CA $SERIAL # go back to original dir cd .. - # cd .. } # # # cp_lifecycle_docs() { + # resource files to be copied to the PKI Lifecycle Package RES="${CD_ROOT}/res" - mkdir -p "${UNIQ_DIR_LC}/cfg" - echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA - cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/ - cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ - cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README - cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL - cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/ - cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ - cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ - cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem - cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem + echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA + cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/ + cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ + cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README + cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL + cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/ + cp $RES/cnf/$ORG_URL.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/ + cp $RES/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/ + + # CA certs + cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem + cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem } # 
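Review bot: The rewritten `cp_lifecycle_docs` drops the `mkdir -p "${UNIQ_DIR_LC}/cfg"` that preceded the redirect, so `echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA` and the `cp ... cfg/` lines after it now target a directory nothing in this hunk creates (`gen_lifecycle` only makes `${UNIQ_DIR_LC}/ca`); unless one of the unseen lines between this hunk and the previous one creates it, the first write fails. Restoring `mkdir -p "${CD_ROOT}/${UNIQ_DIR_LC}/cfg"` as the first statement after `RES="${CD_ROOT}/res"` fixes that. The new `cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem` copies the unencrypted root CA private key into the package with whatever mode the default umask produced, and a glob that matches more than one file makes `cp` fail because the target is not a directory; a `chmod 600` on the destination (and on the original under `ca/`) is the minimum hardening for that file. The unquoted `$CD_ROOT/$UNIQ_DIR_LC` expansions throughout the function also break on paths containing spaces.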
@@ -133,10 +122,18 @@ cp_lifecycle_docs() { # gen_lc_ca_i() { cd $FQ_DIR_LC - # generate new CA-I - ca-i_gen_pki $ORG_URL 4321 2 - # ca-i_gen_pki $ORG_URL 2001 5 - # ca-i_gen_pki $ORG_URL 3001 8 + + if [[ -n $PARAM2 ]]; then + COUNT=$(($PARAM2-1)) + else + COUNT=2 + fi + + for NUM in $(seq 0 $COUNT) + do + ca-i_gen_pki $ORG_URL 5 + done + } # ***** ***** ***** ***** ***** @@ -154,19 +151,18 @@ gen_ca() { echo_block "Create CA (${UNIQ_ID_CA})" # encrypt the key - #openssl genrsa -aes256 -out ca.keys.pem 4096 #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 # key un-protected - openssl genrsa -out "ca/ca_${UNIQ_ID_CA}.keys.pem" 4096 + openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096 # # Create Certificate (valid for 10 years, after the entire chain of trust expires) openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \ - -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \ - -key ca/ca_${UNIQ_ID_CA}.keys.pem -out ca/ca_${UNIQ_ID_CA}.crt.pem + -subj "/C=OO/O=ACME/CN=${UNIQ_ID_CA}" -set_serial ${SERIAL} \ + -key ca/${UNIQ_ID_CA}.keys.pem -out ca/${UNIQ_ID_CA}.crt.pem # verify certificate (output to text file for review) - openssl x509 -noout -text -in ca/ca_${UNIQ_ID_CA}.crt.pem > ca/ca_${UNIQ_ID_CA}_cert.info.txt + openssl x509 -noout -text -in ca/${UNIQ_ID_CA}.crt.pem > ca/${UNIQ_ID_CA}_cert.info.txt } diff --git a/src/pki_bootstrap/res/docs/SERIAL b/src/pki_bootstrap/res/docs/SERIAL_C similarity index 100% rename from src/pki_bootstrap/res/docs/SERIAL rename to src/pki_bootstrap/res/docs/SERIAL_C diff --git a/src/pki_bootstrap/res/docs/SERIAL_S b/src/pki_bootstrap/res/docs/SERIAL_S new file mode 100644 index 0000000..b30c5d8 --- /dev/null +++ b/src/pki_bootstrap/res/docs/SERIAL_S @@ -0,0 +1 @@ +5001 \ No newline at end of file diff --git a/src/pki_bootstrap/res/libs/gen_ca-i.sh b/src/pki_bootstrap/res/libs/gen_ca-i.sh index cd37826..af46bd3 100755 
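Review bot: `COUNT=$(($PARAM2-1))` in `gen_lc_ca_i` performs arithmetic expansion on an unvalidated command-line argument; bash evaluates whatever expression it is handed, so a non-numeric value either aborts the script with an arithmetic error or yields something other than a count. A guard such as `[[ $PARAM2 =~ ^[0-9]+$ ]] || usage` immediately before the expansion keeps the input to a plain integer. The fallback `COUNT=2` combined with `seq 0 $COUNT` produces three CA-I packages by default, which the new usage text does not say; a comment like `# default: 3 CA-I packages (seq is inclusive)` would save the next reader a recount, and `seq` on an empty `COUNT` would otherwise loop forever if the guard is ever bypassed.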
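Review bot: `openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096` in `gen_ca` writes the root CA private key unencrypted (the `-aes256` variant stays commented out) under the caller's default umask, so the most sensitive key in the chain is usually created group- and world-readable and is then copied into the lifecycle package by `cp_lifecycle_docs`. Wrapping the call as `(umask 077; openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096)` restricts the file from the moment it is created; if the key is meant to stay unencrypted for automation, a comment stating that decision and where the package is expected to live documents the trade-off. If `gen_ca` does not assign `$1`/`$2` to `UNIQ_ID_CA` and `SERIAL` (its opening lines are outside the hunk), its header comment should say that both are read as globals even though `gen_lifecycle` passes them as arguments.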
--- a/src/pki_bootstrap/res/libs/gen_ca-i.sh +++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh @@ -9,8 +9,6 @@ PARAM1=$1 PARAM2=$2 -PARAM3=$3 - usage() { echo @@ -20,19 +18,43 @@ usage() { echo "It requires a CA certificate used to sign CA Intermediate" echo "Requires the file \"ca.pem\" that is used to sign the certificates" echo - echo " usage: gen_ca-i.sh [Serial #]" + echo " usage: gen_ca-i.sh [# of client/server certs]" echo echo " example: gen_ca-i.sh skunkworks.acme.xyz \\" - echo " 10052 (optional) \\" - echo + echo " 10 (optional) \\" exit 1 } +check_params() { + # the parameter must be the URL (not the filename, .cnf) + if [[ -n $PARAM1 ]]; then + if [[ ${PARAM1: -4} == .cnf ]]; then + if [[ ! -f "cfg/${PARAM1}" ]]; then + echo_block "ERROR: file cfg/${PARAM1} is missing" + usage + else + PARAM1=${PARAM1%.*} + fi + else + if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then + echo_block "ERROR: file cfg/${PARAM1}.cnf is missing" + usage + fi + fi + else + usage + fi + + if [[ -z $PARAM2 ]]; then + PARAM2=5 + fi +} main() { # uses global variables: $PARAM1 $PARAM2 $PARAM3 + check_cai_pkg check_params - ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3 + ca-i_gen_pki $PARAM1 $PARAM2 } main diff --git a/src/pki_bootstrap/res/libs/gen_client.sh b/src/pki_bootstrap/res/libs/gen_client.sh index 094e111..d6ccd24 100755 --- a/src/pki_bootstrap/res/libs/gen_client.sh +++ b/src/pki_bootstrap/res/libs/gen_client.sh @@ -8,9 +8,6 @@ . cfg/pki_funcs.sh PARAM1=$1 -PARAM2=$2 -PARAM3=$3 - usage() { echo 
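Review bot: The rewritten usage string `echo "   usage: gen_ca-i.sh [# of client/server certs]"` no longer names the required first argument, yet the new `check_params` exits through `usage` when `$PARAM1` is absent, so the user who sees that error gets no hint that the org URL (or its `.cnf` name) comes first; `echo "   usage: gen_ca-i.sh <org url | org.cnf> [# of client/server certs]"` would match the check. The example now ends with `"   10 (optional) \\"`, a trailing continuation backslash with nothing following it since the next `echo` was removed. `PARAM2=5` is the only handling of the count, and the value flows through `ca-i_gen_pki` into `COUNT=$(($1-1))` in `gen_client`/`gen_server`, so a numeric check (`[[ $PARAM2 =~ ^[0-9]+$ ]] || usage`) belongs here as well. The context comment `# uses global variables: $PARAM1 $PARAM2 $PARAM3` in `main` is stale now that `PARAM3` is gone.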
@@ -18,19 +15,24 @@ usage() { echo echo echo "Generate a new certificate" - echo " usage: gen_client.sh [Serial #]" + echo " usage: gen_client.sh " echo - echo " example: gen_client.sh skunkworks.acme.xyz \\" - echo " 10052 (optional) \\" + echo " example: gen_client.sh 2" echo exit 1 } +check_params() { + if [[ -z $PARAM1 ]]; then + usage + fi +} main() { - # uses global variables: $PARAM1 $PARAM2 + # uses global variables: $PARAM1 + check_cai_pkg check_params - gen_client_cert $PARAM1 $PARAM2 + gen_client $PARAM1 } main diff --git a/src/pki_bootstrap/res/libs/gen_server.sh b/src/pki_bootstrap/res/libs/gen_server.sh index 90e7e03..0a88abe 100755 --- a/src/pki_bootstrap/res/libs/gen_server.sh +++ b/src/pki_bootstrap/res/libs/gen_server.sh @@ -8,9 +8,6 @@ . cfg/pki_funcs.sh PARAM1=$1 -PARAM2=$2 -PARAM3=$3 - usage() { echo @@ -18,19 +15,24 @@ usage() { echo echo echo "Generate a new certificate" - echo " usage: gen_server.sh [Serial #]" + echo " usage: gen_client.sh " echo - echo " example: gen_server.sh skunkworks.acme.xyz \\" - echo " 10052 (optional) \\" + echo " example: gen_client.sh 2" echo exit 1 } +check_params() { + if [[ -z $PARAM1 ]]; then + usage + fi +} main() { - # uses global variables: $PARAM1 $PARAM2 + # uses global variables: $PARAM1 + check_cai_pkg check_params - gen_server $PARAM1 $PARAM2 + gen_server $PARAM1 } main diff --git a/src/pki_bootstrap/res/libs/pki_funcs.sh b/src/pki_bootstrap/res/libs/pki_funcs.sh index ac8954c..59c012c 100644 --- a/src/pki_bootstrap/res/libs/pki_funcs.sh +++ b/src/pki_bootstrap/res/libs/pki_funcs.sh @@ -3,20 +3,6 @@ # all main functions to generate a PKI certificate chain # -# -# Set the CA variables -# -# pki_func_init() { -# if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then -# FQ_CA_CERT=$1 -# FQ_CA_KEYS=$2 -# CNF_PATH=$3 -# APP_INIT=1 -# else -# APP_INIT=0 -# fi -# } - # # print text wrapped in a block # 
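Review bot: The new usage line `echo "   usage: gen_client.sh "` in gen_client.sh has lost its argument placeholder, and the new `check_params` only tests that `$PARAM1` is non-empty although the value goes straight into `COUNT=$(($1-1))` in `gen_client`; `echo "   usage: gen_client.sh <# of certs>"` together with `[[ $PARAM1 =~ ^[0-9]+$ ]] || usage` in `check_params` would both document and enforce the contract. A one-line comment above `check_params`, `# PARAM1: number of client certificates to issue (positive integer)`, would make the script self-describing without reading pki_funcs.sh.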
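Review bot: In gen_server.sh the rewritten help text names the wrong script: `echo "   usage: gen_client.sh "` and `echo "   example: gen_client.sh 2"` were pasted from gen_client.sh and should read `gen_server.sh`. As in gen_client.sh, the placeholder after `usage:` is missing and `check_params` accepts any non-empty string even though `gen_server` feeds it to `COUNT=$(($1-1))`; `[[ $PARAM1 =~ ^[0-9]+$ ]] || usage` closes that. The two `check_params` bodies are identical and could live in pki_funcs.sh beside `check_cai_pkg` instead of being duplicated per script.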
@@ -27,11 +13,6 @@ echo_block() { echo "***** ***** ***** *****" } -error_no_ca_file() { - echo_block "ERROR: missing ca.crt.pem, ca.keys.pem" - usage -} - # # Grab the latest serial # from the file, auto-increment # @@ -47,57 +28,21 @@ get_serial() { } # -# check the three parameters: $PARAM1, $PARAM2, $PARAM3 -# PARAM1 : ORG_URL -# PARAM2 : SERIAL -# PARAM3 : Num Certs -# the parameters are expected to be global +# check the integrity of the CA-I package # -check_params() { +check_cai_pkg() { if [[ ! -f cfg/ca.keys.pem ]] || [[ ! -f cfg/ca.crt.pem ]]; then if [[ ! -f cfg/ca-i.keys.pem ]] || [[ ! -f cfg/ca-i.crt.pem ]]; then - echo_block "ERROR: missing ca certificat: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem" + echo_block "ERROR: missing a config file: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem" usage fi fi - - # the parameter must be the URL (not the filename, .cnf) - if [[ -n $PARAM1 ]]; then - if [[ ${PARAM1: -4} == .cnf ]]; then - if [[ ! -f "cfg/${PARAM1}" ]]; then - echo_block "ERROR: file cfg/${PARAM1} is missing" - usage - else - PARAM1=${PARAM1%.*} - fi - else - if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then - echo_block "ERROR: file cfg/${PARAM1}.cnf is missing" - usage - fi - fi - else + if [[ ! -f cfg/SERIAL ]]; then + echo_block "ERROR: file cfg/SERIAL is missing" usage fi - - if [[ -z $PARAM2 ]]; then - if [[ ! -f cfg/SERIAL ]]; then - echo_block "ERROR: file cfg/SERIAL is missing" - usage - else - get_serial - PARAM2=$SERIAL - fi - else - SERIAL=$PARAM2 - fi - - if [[ -z $PARAM3 ]]; then - PARAM3=2 - fi } - # # Create CA Intermediate PKI # 
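Review bot: `check_cai_pkg` still reports an error only when both the CA pair and the CA-I pair are incomplete (the inner `if` is nested inside the outer one), so a clients/ or servers/ package that carries `cfg/ca.crt.pem` and `cfg/ca.keys.pem` but no `cfg/ca-i.*` passes the check and fails later inside `openssl x509 -req`; renaming the function and rewording the message does not change that. Since every caller signs with exactly one of the two pairs (gen_ca-i.sh with the CA, gen_client.sh/gen_server.sh with the CA-I), a parameter naming the expected issuer would make the check exact: `[[ -f cfg/$1.crt.pem && -f cfg/$1.keys.pem ]] || { echo_block "ERROR: missing cfg/$1.crt.pem or cfg/$1.keys.pem"; usage; }`. The added `cfg/SERIAL` check is a good addition; `cfg/ca_cert-chain.crts.pem`, which `gen_client_cert` and `gen_server_cert` hand to `openssl pkcs12 -certfile`, deserves the same treatment. The function also calls `usage`, which it relies on the sourcing script to define; a header comment stating that contract would help anyone sourcing pki_funcs.sh from a new script.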
@@ -110,175 +55,159 @@ check_params() { # - generate server certificates # - generate client certificates # -# INPUT: BASE SERIAL #, LOOP NUM +# INPUT: ORG URL, SERIAL #, LOOP NUM # ca-i_gen_pki() { CDD=`pwd` ORG_URL=$1 - SERIAL=$2 - NUM_CERTS=$(($3-1)) + NUM_CERTS=$2 # create unique directory - UNIQ_ID="${SERIAL}.${ORG_URL}" - mkdir -p "distribution/ca_i_${UNIQ_ID}" + get_serial + UNIQ_ID_CAI="${SERIAL}.cai.${ORG_URL}" + mkdir -p "distribution/${UNIQ_ID_CAI}" - # Create CA Intermediate - # - ca-i_gen_cert $ORG_URL $SERIAL + # generate CA Intermediate + ca-i_gen_cert $UNIQ_ID_CAI # create directories, copy files, before generating client/server - ca-i_create_shell - + __ca-i_create_pkg # the client & server applications need to execute in their perspective directories - cd "distribution/ca_i_${UNIQ_ID}" - __ca-i_gen_client -# __ca-i_gen_server + cd $CDD/distribution/$UNIQ_ID_CAI/clients + gen_client $NUM_CERTS + + cd $CDD/distribution/$UNIQ_ID_CAI/servers + gen_server $NUM_CERTS # return to last path cd $CDD } -# -# Client Certificates -# -__ca-i_gen_client() { - # create directories - mkdir -p clients/data - mkdir -p clients/distro - mkdir -p clients/docs - cd clients - for NUM in $(seq 0 $NUM_CERTS) - do - get_serial - gen_client_cert $ORG_URL $SERIAL - done - cd .. -} - -# -# Server Certificates -# -__ca-i_gen_server() { - # create directories - mkdir -p servers/data - mkdir -p servers/distro - mkdir -p servers/docs - cd servers - for NUM in $(seq 0 $NUM_CERTS) - do - get_serial - gen_server_cert $ORG_URL $SERIAL - done - cd .. 
-} - # # Copies all applcations to the Lifecycle package # organize the ca-i directory # order matters: move these files last because they were copied above # -ca-i_create_shell() { - - DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID}" +__ca-i_create_pkg() { + DEST_DIR="${CDD}/distribution/${UNIQ_ID}" echo $UNIQ_ID > cfg/UNIQ_ID_CA-I - # client + # + # Client + # + # create directories + mkdir -p $DEST_DIR/clients/data + mkdir -p $DEST_DIR/clients/distro + mkdir -p $DEST_DIR/clients/docs mkdir -p $DEST_DIR/clients/cfg + # copy resource files cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg cp $CDD/res/docs/README_C $DEST_DIR/clients/README - cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/ - cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/ + cp $CDD/res/docs/SERIAL_C $DEST_DIR/clients/cfg/SERIAL + cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/cert.cnf # generated files - cp ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem - cp ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem - cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem - cp cfg/UNIQ_ID_CA-I $DEST_DIR/clients/cfg/ - cp cfg/UNIQ_ID_CA $DEST_DIR/clients/cfg/ + cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem + cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem + cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem + cp cfg/UNIQ_ID_CA-I $DEST_DIR/clients/cfg/ + cp cfg/UNIQ_ID_CA $DEST_DIR/clients/cfg/ - # server + # + # Server + # + # create directories + mkdir -p $DEST_DIR/servers/data + mkdir -p $DEST_DIR/servers/distro + mkdir -p $DEST_DIR/servers/docs mkdir -p $DEST_DIR/servers/cfg + # copy resource files cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/ cp $CDD/res/docs/README_S $DEST_DIR/servers/README - cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/ - cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/ + cp $CDD/res/docs/SERIAL_S 
$DEST_DIR/servers/cfg/SERIAL + cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/cert.cnf # generated files - cp ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem - cp ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem - cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem - cp cfg/UNIQ_ID_CA-I $DEST_DIR/servers/cfg/ - cp cfg/UNIQ_ID_CA $DEST_DIR/servers/cfg/ + cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem + cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem + cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem + cp cfg/UNIQ_ID_CA-I $DEST_DIR/servers/cfg/ + cp cfg/UNIQ_ID_CA $DEST_DIR/servers/cfg/ + # # CA-I + # + # create directories mkdir -p $DEST_DIR/ca-i/data mkdir -p $DEST_DIR/ca-i/docs mkdir -p $DEST_DIR/ca-i/distro - cp $CDD/res/docs/README_CAI $DEST_DIR/README - cp $CDD/ca/ca_*.crt.pem $DEST_DIR/ca-i/data/ - cp $CDD/ca/ca_*.info.txt $DEST_DIR/ca-i/docs/ + # copy resource files + cp $CDD/res/docs/README_CAI $DEST_DIR/README + cp $CDD/ca/*.crt.pem $DEST_DIR/ca-i/data/ + cp $CDD/ca/*.info.txt $DEST_DIR/ca-i/docs/ # generated files - mv ca_i*.pem $DEST_DIR/ca-i/data/ - mv ca_i*.info.txt $DEST_DIR/ca-i/docs/ - mv ca_i*.p12 $DEST_DIR/ca-i/distro - mv ca_cert-chain*.pem $DEST_DIR/ca-i/distro + mv $UNIQ_ID_CAI*.pem $DEST_DIR/ca-i/data/ + mv $UNIQ_ID_CAI.crt.info.txt $DEST_DIR/ca-i/docs/ + mv $UNIQ_ID_CAI.p12 $DEST_DIR/ca-i/distro + mv ca_cert-chain*.pem $DEST_DIR/ca-i/distro } # This function will generate a CA Intermediate # # Requires: CNF file, CA cert, CA key # -# IN: UNIQ_ID_CA, SERIAL +# IN: UNIQ_ID_CA # ca-i_gen_cert() { - ORG_URL=$1 - SERIAL=$2 + UNIQ_ID=$1 DEST_DIR="." 
- # DEST_DIR=$3 - UNIQ_ID="${SERIAL}.${ORG_URL}" + UNIQ_ID="${SERIAL}.cai.${ORG_URL}" echo_block "Create CA Intermediate (${UNIQ_ID})" - openssl genrsa -out "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" 4096 + openssl genrsa -out "${DEST_DIR}/${UNIQ_ID}.keys.pem" 4096 # Create Cert Signing Request (CSR) openssl req -config "cfg/ca.cnf" -new -sha256 \ -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \ - -key "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem" + -key "${DEST_DIR}/${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/${UNIQ_ID}.csr.pem" # Create Certificate (valid for ~2 years, after the entire chain of trust expires) # CA signs Intermediate openssl x509 -req -days 750 -extfile "cfg/ca.cnf" -extensions v3_ca_i \ -CA cfg/ca.crt.pem -CAkey cfg/ca.keys.pem -set_serial ${SERIAL} \ - -in "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" + -in "${DEST_DIR}/${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/${UNIQ_ID}.crt.pem" # Package the Certificate Authority Certificates for distro (windoze needs this) - openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" \ + openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/${UNIQ_ID}.keys.pem" \ -name "CA Intermediate Mobile Provision" -certfile cfg/ca.crt.pem \ - -in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.p12" + -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/${UNIQ_ID}.p12" # verify certificate (output to text file for review) - openssl x509 -noout -text -in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.info.txt" + openssl x509 -noout -text -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/${UNIQ_ID}.crt.info.txt" # create certifiate chain - cat cfg/ca.crt.pem "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem" + cat cfg/ca.crt.pem "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem" } 
get_uniq_ids() { UNIQ_ID_CA=`head cfg/UNIQ_ID_CA` UNIQ_ID_CAI=`head cfg/UNIQ_ID_CA-I` - # if [[ -z $ORG_URL ]]; then - # echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA" - # exit 1 - # fi } gen_client() { - get_org_url - get_client_cert $ORG_URL $SERIAL + COUNT=$(($1-1)) + + get_uniq_ids + for NUM in $(seq 0 $COUNT) + do + get_serial + UNIQ_ID="${SERIAL}.client.${UNIQ_ID_CAI}" + gen_client_cert $UNIQ_ID + done } # 
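Review bot: `ca-i_gen_cert` assigns `UNIQ_ID=$1` and then immediately overwrites it with `UNIQ_ID="${SERIAL}.cai.${ORG_URL}"`, so the argument `ca-i_gen_pki` passes is ignored and the function silently depends on the `SERIAL` and `ORG_URL` globals; `__ca-i_create_pkg` in turn builds `DEST_DIR="${CDD}/distribution/${UNIQ_ID}"` and writes `echo $UNIQ_ID > cfg/UNIQ_ID_CA-I` from that leaked global, while the directory `ca-i_gen_pki` actually created is `distribution/${UNIQ_ID_CAI}`. The two strings only coincide because both are composed the same way; dropping the override line in `ca-i_gen_cert`, using `DEST_DIR="${CDD}/distribution/${UNIQ_ID_CAI}"` and `echo $UNIQ_ID_CAI > cfg/UNIQ_ID_CA-I`, and correcting the header comment `# IN: UNIQ_ID_CA` to `# IN: UNIQ_ID_CAI (serial.cai.org-url)` would make the coupling explicit. On serials: every CA-I package receives fresh copies of `SERIAL_C` and `SERIAL_S`, so client and server certificates issued by the same CA-I draw from two independent counters, and if their ranges ever overlap (the `SERIAL_C` seed is not shown here; `SERIAL_S` starts at 5001) one issuer emits the same serial twice, which RFC 5280 forbids. A single counter per CA-I, or at least a comment above `get_serial` stating that the two seed ranges must stay disjoint, would close that. `cd $CDD/distribution/$UNIQ_ID_CAI/clients` (and the servers/ twin) is unquoted and unchecked; `cd "$CDD/distribution/$UNIQ_ID_CAI/clients" || return 1` stops `gen_client` from issuing certificates in whatever directory the shell was left in.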
@@ -286,33 +215,39 @@ gen_client() { # IN: UNIQ_ID, SERIAL # gen_client_cert() { - ORG_URL=$1 - SERIAL=$2 - - get_uniq_ids - - UNIQ_ID="${SERIAL}_${ORG_URL}" - CERT_CHAIN="cfg/ca_cert-chain.crts.pem" + UNIQ_ID=$1 echo_block "Generate Client Certificates (${UNIQ_ID})" - openssl genrsa -out "data/client-${UNIQ_ID}.keys.pem" 4096 + openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096 - openssl req -new -key "data/client-${UNIQ_ID}.keys.pem" \ - -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client-${UNIQ_ID}" \ - -out "data/client-${UNIQ_ID}.csr.pem" + openssl req -new -key "data/${UNIQ_ID}.keys.pem" \ + -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ + -out "data/${UNIQ_ID}.csr.pem" # CA Intermediate signs Client openssl x509 -req -days 365 \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ - -in "data/client-${UNIQ_ID}.csr.pem" -out "data/client-${UNIQ_ID}.crt.pem" + -in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem" # Package the Certificates - openssl pkcs12 -export -password "pass:password" -inkey "data/client-${UNIQ_ID}.keys.pem" \ - -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client-${UNIQ_ID}@acme.xyz" \ - -in "data/client-${UNIQ_ID}.crt.pem" -out "distro/client-${UNIQ_ID}.p12" + openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \ + -name "Client ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \ + -in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12" # verify certificate (output to text file for review) - openssl x509 -noout -text -in "data/client-${UNIQ_ID}.crt.pem" > "docs/client-${UNIQ_ID}.info.txt" + openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.info.txt" +} + +gen_server() { + COUNT=$(($1-1)) + + get_uniq_ids + for NUM in $(seq 0 $COUNT) + do + get_serial + UNIQ_ID="${SERIAL}.server.${UNIQ_ID_CAI}" + gen_server_cert $UNIQ_ID + done } # 
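Review bot: The rewritten `openssl pkcs12 -export -password "pass:password" ...` in `gen_client_cert` bundles the client's private key into `distro/${UNIQ_ID}.p12` under a literal, well-known password, and the identical line in `gen_server_cert` (next hunk) and in `ca-i_gen_cert` (which exports the intermediate CA key) does the same; since the `.p12` files are the artefacts that leave the machine, that password protects nothing. Reading it from the environment, e.g. `-password "env:PKCS12_PASS"` with `: "${PKCS12_PASS:?set PKCS12_PASS before generating bundles}"` near the top of the script, keeps the secret out of the source and out of shell history. `gen_client_cert` now takes only `UNIQ_ID` but still signs with `-set_serial ${SERIAL}` from the global that the caller's `get_serial` happened to set, while its header comment `# IN: UNIQ_ID, SERIAL` (just outside the hunk) implies two inputs; passing it explicitly as `gen_client_cert $UNIQ_ID $SERIAL` and reading `SERIAL=$2`, or documenting the global dependency in that comment, stops the two from drifting apart. The new `gen_server` is a line-for-line copy of `gen_client` differing only in the `.server.` infix and the callee; a shared `_gen_certs <kind> <count>` helper would keep them from diverging.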
@@ -320,31 +255,27 @@ gen_client_cert() { # IN: UNIQ_ID, SERIAL # gen_server_cert() { - ORG_URL=$1 - SERIAL=$2 - - UNIQ_ID="${SERIAL}.${ORG_URL}" - CERT_CHAIN="cfg/ca_cert-chain.crts.pem" + UNIQ_ID=$1 echo_block "Generate Server Certificates (${UNIQ_ID})" - openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096 + openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096 - openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \ + openssl req -new -config "cfg/cert.cnf" -key "data/${UNIQ_ID}.keys.pem" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ - -out "data/server_${UNIQ_ID}.csr.pem" + -out "data/${UNIQ_ID}.csr.pem" # CA Intermediate signs Server - openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \ + openssl x509 -req -days 365 -extfile "cfg/cert.cnf" -extensions v3_server \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ - -in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem" + -in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem" # Package the Certificates - openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \ - -name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \ - -in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12" + openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \ + -name "Server ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \ + -in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12" # verify certificate (output to text file for review) - openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt" + openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.crt.info.txt" }