FIN: refactoring complete, serial #s are all coherent, distinguished names (DN) is strong with both CA-I serial #s and client/server serial #s

2018-09-10 19:09:48 -07:00 · 2018-09-10 19:09:48 -07:00 · 5366ef101d
parent 03d003b151
commit 5366ef101d
9 changed files with 200 additions and 246 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,12 +1,9 @@
 #
 pki-lifecycle_*
 # Project specific files
 sftp-config.json
 .DS_Store
 **/var/
 **/cert_gen/acme.xyz_fl/
-
+pki-lifecycle_*
 # Byte-compiled / optimized / DLL files
 __pycache__/
--- a/docs/pki_agile
+++ b/docs/pki_agile
@ -40,9 +40,12 @@
 [[ COMPLETED ]]
 [ ver 3.3 ]
 * SERIOUS refactoring to focus on local execution with default configs and SERIAL # incrementation
 * configuration defaults generated so that the CA-I package is all automated
 * gen_client.sh modified run with config defaults
 * gen_server.sh modified to run with config defaults
 * gen_client.sh will generate # of certs
 * gen_server.sh will generate # of certs
 * auto-increment SERIAL
 * CA FQDN saved to config file
 * CA-I FQDN saved to config file
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
@ -17,11 +17,13 @@ usage() {
  echo "This application will generate all the files necessary to build a certificate chain of trust"
  echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
  echo "pki lifecyle package"
-  echo "  -put the .cnf config files into the ./cnf directory"
+  echo "  * put the .cnf config files into the .res/cnf/ directory"
  echo 
-  echo "Usage: pki_bootstrap  <.cnf file (minus the .cnf)>"
+  echo "Usage: pki_bootstrap  <.cnf file (minus the .cnf)>  [# of CA-I to generate]"
  echo
  echo "Example: pki_bootstrap  org.acme.xyz"
  echo "         pki_bootstrap  org.acme.xyz  5"
  echo
  exit 1
 }
@ -41,9 +43,6 @@ get_serial_ca() {
 #
 # CA generation requires .cnf files
 # create CA directory
 # create bash variables to CA
 # restore script back to original path
 #
 app_init() {
  if [[ -n $PARAM1 ]]; then
@ -54,11 +53,9 @@ app_init() {
    if [[ ${PARAM1: -4} == .cnf ]]; then
      ORG_URL=${PARAM1%.*}
      S_CNF=${PARAM1}
      echo "ASDF: ${ORG_URL},  ${S_CNF}"
    else
      ORG_URL=$PARAM1
      S_CNF="${PARAM1}.cnf"
      echo "ZXCV: ${ORG_URL},  ${S_CNF}"
    fi
    FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"
@ -78,7 +75,7 @@ app_init() {
 #
 gen_lifecycle() {
  get_serial_ca
-  echo_block "SERIAL == ${SERIAL}"
+
  # Organize
  # 
  # create a unique path for the server certificate
@ -88,44 +85,36 @@ gen_lifecycle() {
  FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}"
  # create CA unique dir
-  UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
+  UNIQ_ID_CA="${SERIAL}.ca.${ORG_URL}"
  CA_DIR="ca_${UNIQ_ID_CA}"
  # cd $CA_DIR
  # FQ_CA_DIR=`pwd`
  # FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
  # FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
  # mkdir -p "${UNIQ_DIR_LC}/${CA_DIR}"
  mkdir -p "${UNIQ_DIR_LC}/ca"
  cd "${UNIQ_DIR_LC}"
  # initialize the functions lib
  # pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
  # generate a new CA
  gen_ca $UNIQ_ID_CA $SERIAL
  # go back to original dir
  cd ..
  # cd ..
 }
 #
 #
 #
 cp_lifecycle_docs() {
  # resource files to be copied to the PKI Lifecycle Package
  RES="${CD_ROOT}/res"
  mkdir -p "${UNIQ_DIR_LC}/cfg"
-  echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
+  echo $UNIQ_ID_CA >         $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
-  cp -r $CD_ROOT/res        $CD_ROOT/$UNIQ_DIR_LC/
+  cp -r $CD_ROOT/res         $CD_ROOT/$UNIQ_DIR_LC/
-  cp $RES/libs/gen_ca-i.sh  $CD_ROOT/$UNIQ_DIR_LC/
+  cp $RES/libs/gen_ca-i.sh   $CD_ROOT/$UNIQ_DIR_LC/
-  cp $RES/docs/README_LC    $CD_ROOT/$UNIQ_DIR_LC/README
+  cp $RES/docs/README_LC     $CD_ROOT/$UNIQ_DIR_LC/README
-  cp $RES/docs/SERIAL_LC    $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
+  cp $RES/docs/SERIAL_LC     $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
-  cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
+  cp $RES/libs/pki_funcs.sh  $CD_ROOT/$UNIQ_DIR_LC/cfg/
-  cp "${RES}/cnf/${ORG_URL}.cnf"  $CD_ROOT/$UNIQ_DIR_LC/cfg/
+  cp $RES/cnf/$ORG_URL.cnf   $CD_ROOT/$UNIQ_DIR_LC/cfg/
-  cp "${RES}/cnf/ca.cnf"          $CD_ROOT/$UNIQ_DIR_LC/cfg/
+  cp $RES/cnf/ca.cnf         $CD_ROOT/$UNIQ_DIR_LC/cfg/
-  cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.crt.pem    $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
+
-  cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.keys.pem   $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
+  # CA certs
  cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.crt.pem   $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
  cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.keys.pem  $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
 }
 #
@ -133,10 +122,18 @@ cp_lifecycle_docs() {
 #
 gen_lc_ca_i() {
  cd $FQ_DIR_LC
-  # generate new CA-I
+
-  ca-i_gen_pki $ORG_URL 4321 2
+  if [[ -n $PARAM2 ]]; then
-  # ca-i_gen_pki $ORG_URL 2001 5
+    COUNT=$(($PARAM2-1))
-  # ca-i_gen_pki $ORG_URL 3001 8
+  else
    COUNT=2
  fi
  for NUM in $(seq 0 $COUNT)
  do
    ca-i_gen_pki $ORG_URL 5
  done
 }
 # ***** ***** ***** ***** *****
@ -154,19 +151,18 @@ gen_ca() {
  echo_block "Create CA (${UNIQ_ID_CA})"
  # encrypt the key
  #openssl genrsa -aes256 -out ca.keys.pem 4096
  #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 
  # key un-protected
-  openssl genrsa -out "ca/ca_${UNIQ_ID_CA}.keys.pem" 4096
+  openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096
  # 
  # Create Certificate   (valid for 10 years, after the entire chain of trust expires)
  openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-              -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
+              -subj "/C=OO/O=ACME/CN=${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-              -key ca/ca_${UNIQ_ID_CA}.keys.pem -out ca/ca_${UNIQ_ID_CA}.crt.pem
+              -key ca/${UNIQ_ID_CA}.keys.pem -out ca/${UNIQ_ID_CA}.crt.pem
  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in ca/ca_${UNIQ_ID_CA}.crt.pem > ca/ca_${UNIQ_ID_CA}_cert.info.txt
+  openssl x509 -noout -text -in ca/${UNIQ_ID_CA}.crt.pem > ca/${UNIQ_ID_CA}_cert.info.txt
 }
--- a/src/pki_bootstrap/res/docs/SERIAL_C
+++ b/src/pki_bootstrap/res/docs/SERIAL_C
--- a/src/pki_bootstrap/res/docs/SERIAL_S
+++ b/src/pki_bootstrap/res/docs/SERIAL_S
@ -0,0 +1 @@
 5001
--- a/src/pki_bootstrap/res/libs/gen_ca-i.sh
+++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh
@ -9,8 +9,6 @@
 PARAM1=$1
 PARAM2=$2
 PARAM3=$3
 usage() {
  echo
@ -20,19 +18,43 @@ usage() {
  echo "It requires a CA certificate used to sign CA Intermediate"
  echo "Requires the file \"ca.pem\" that is used to sign the certificates"
  echo 
-  echo "  usage:   gen_ca-i.sh  <Org URL>   [Serial #]"
+  echo "  usage:   gen_ca-i.sh  <Org URL>   [# of client/server certs]"
  echo
  echo "  example: gen_ca-i.sh  skunkworks.acme.xyz \\"
-  echo "                        10052  (optional) \\"
+  echo "                        10  (optional) \\"
  echo
  exit 1
 }
 check_params() {
  # the parameter must be the URL (not the filename, .cnf)
  if [[ -n $PARAM1 ]]; then
    if [[ ${PARAM1: -4} == .cnf ]]; then
      if [[ ! -f "cfg/${PARAM1}" ]]; then
        echo_block "ERROR: file cfg/${PARAM1} is missing"
        usage
      else
        PARAM1=${PARAM1%.*}
      fi
    else 
      if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
        echo_block "ERROR: file cfg/${PARAM1}.cnf is missing"
        usage
      fi
    fi
  else
    usage
  fi
  if [[ -z $PARAM2 ]]; then
    PARAM2=5
  fi
 }
 main() {
  # uses global variables: $PARAM1 $PARAM2 $PARAM3
  check_cai_pkg
  check_params
-  ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
+  ca-i_gen_pki $PARAM1 $PARAM2
 }
 main
--- a/src/pki_bootstrap/res/libs/gen_client.sh
+++ b/src/pki_bootstrap/res/libs/gen_client.sh
@ -8,9 +8,6 @@
 . cfg/pki_funcs.sh
 PARAM1=$1
 PARAM2=$2
 PARAM3=$3
 usage() {
  echo
@ -18,19 +15,24 @@ usage() {
  echo
  echo
  echo "Generate a new certificate"
-  echo "  usage:   gen_client.sh  <Org URL>   [Serial #]"
+  echo "  usage:   gen_client.sh  <number to generate>"
  echo
-  echo "  example: gen_client.sh  skunkworks.acme.xyz \\"
+  echo "  example: gen_client.sh  2"
  echo "                          10052 (optional) \\"
  echo
  exit 1
 }
 check_params() {
  if [[ -z $PARAM1 ]]; then
    usage
  fi
 }
 main() {
-  # uses global variables: $PARAM1 $PARAM2
+  # uses global variables: $PARAM1
  check_cai_pkg
  check_params
-  gen_client_cert $PARAM1 $PARAM2
+  gen_client $PARAM1
 }
 main
--- a/src/pki_bootstrap/res/libs/gen_server.sh
+++ b/src/pki_bootstrap/res/libs/gen_server.sh
@ -8,9 +8,6 @@
 . cfg/pki_funcs.sh
 PARAM1=$1
 PARAM2=$2
 PARAM3=$3
 usage() {
  echo
@ -18,19 +15,24 @@ usage() {
  echo
  echo
  echo "Generate a new certificate"
-  echo "  usage:   gen_server.sh  <Org URL>   [Serial #]"
+  echo "  usage:   gen_client.sh  <number to generate>"
  echo
-  echo "  example: gen_server.sh  skunkworks.acme.xyz \\"
+  echo "  example: gen_client.sh  2"
  echo "                          10052  (optional) \\"
  echo
  exit 1
 }
 check_params() {
  if [[ -z $PARAM1 ]]; then
    usage
  fi
 }
 main() {
-  # uses global variables: $PARAM1 $PARAM2
+  # uses global variables: $PARAM1
  check_cai_pkg
  check_params
-  gen_server $PARAM1 $PARAM2
+  gen_server $PARAM1
 }
 main
--- a/src/pki_bootstrap/res/libs/pki_funcs.sh
+++ b/src/pki_bootstrap/res/libs/pki_funcs.sh
@ -3,20 +3,6 @@
 # all main functions to generate a PKI certificate chain
 # 
 #
 # Set the CA variables
 #
 # pki_func_init() {
 #   if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
 #     FQ_CA_CERT=$1
 #     FQ_CA_KEYS=$2
 #     CNF_PATH=$3
 #     APP_INIT=1
 #   else
 #     APP_INIT=0
 #   fi
 # }
 #
 # print text wrapped in a block
 #
@ -27,11 +13,6 @@ echo_block() {
  echo "***** ***** ***** *****"
 }
 error_no_ca_file() {
  echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
  usage
 }
 # 
 # Grab the latest serial # from the file, auto-increment
 # 
@ -47,57 +28,21 @@ get_serial() {
 }
 #
-# check the three parameters: $PARAM1, $PARAM2, $PARAM3
+# check the integrity of the CA-I package
 # PARAM1 : ORG_URL
 # PARAM2 : SERIAL
 # PARAM3 : Num Certs
 # the parameters are expected to be global
 # 
-check_params() {
+check_cai_pkg() {
  if [[ ! -f cfg/ca.keys.pem ]] || [[ ! -f cfg/ca.crt.pem ]]; then
    if [[ ! -f cfg/ca-i.keys.pem ]] || [[ ! -f cfg/ca-i.crt.pem ]]; then
-      echo_block "ERROR: missing ca certificat: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem"
+      echo_block "ERROR: missing a config file: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem"
      usage
    fi
  fi
-
+  if [[ ! -f cfg/SERIAL ]]; then
-  # the parameter must be the URL (not the filename, .cnf)
+    echo_block "ERROR: file cfg/SERIAL is missing"
  if [[ -n $PARAM1 ]]; then
    if [[ ${PARAM1: -4} == .cnf ]]; then
      if [[ ! -f "cfg/${PARAM1}" ]]; then
        echo_block "ERROR: file cfg/${PARAM1} is missing"
        usage
      else
        PARAM1=${PARAM1%.*}
      fi
    else 
      if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
        echo_block "ERROR: file cfg/${PARAM1}.cnf is missing"
        usage
      fi
    fi
  else
    usage
  fi
  if [[ -z $PARAM2 ]]; then
    if [[ ! -f cfg/SERIAL ]]; then
      echo_block "ERROR: file cfg/SERIAL is missing"
      usage
    else
      get_serial
      PARAM2=$SERIAL
    fi
  else
    SERIAL=$PARAM2
  fi
  if [[ -z $PARAM3 ]]; then
    PARAM3=2
  fi
 }
 #
 # Create CA Intermediate PKI
 # 
@ -110,175 +55,159 @@ check_params() {
 #   - generate server certificates
 #   - generate client certificates
 #
-# INPUT:  BASE SERIAL #, LOOP NUM
+# INPUT:  ORG URL, SERIAL #, LOOP NUM
 # 
 ca-i_gen_pki() {
  CDD=`pwd`
  ORG_URL=$1
-  SERIAL=$2
+  NUM_CERTS=$2
  NUM_CERTS=$(($3-1))
  # create unique directory
-  UNIQ_ID="${SERIAL}.${ORG_URL}" 
+  get_serial
-  mkdir -p "distribution/ca_i_${UNIQ_ID}"
+  UNIQ_ID_CAI="${SERIAL}.cai.${ORG_URL}"
  mkdir -p "distribution/${UNIQ_ID_CAI}"
-  # Create CA Intermediate
+  # generate CA Intermediate
-  # 
+  ca-i_gen_cert $UNIQ_ID_CAI
  ca-i_gen_cert $ORG_URL $SERIAL
  # create directories, copy files, before generating client/server
-  ca-i_create_shell
+  __ca-i_create_pkg
  # the client & server applications need to execute in their perspective directories
-  cd "distribution/ca_i_${UNIQ_ID}"
+  cd $CDD/distribution/$UNIQ_ID_CAI/clients
-  __ca-i_gen_client
+  gen_client $NUM_CERTS
-#  __ca-i_gen_server
+
  cd $CDD/distribution/$UNIQ_ID_CAI/servers
  gen_server $NUM_CERTS
  # return to last path
  cd $CDD
 }
 # 
 # Client Certificates
 # 
 __ca-i_gen_client() {
  # create directories
  mkdir -p clients/data
  mkdir -p clients/distro
  mkdir -p clients/docs
  cd clients
  for NUM in $(seq 0 $NUM_CERTS)
  do
    get_serial
    gen_client_cert $ORG_URL $SERIAL
  done
  cd ..
 }
 # 
 # Server Certificates
 # 
 __ca-i_gen_server() {
  # create directories
  mkdir -p servers/data
  mkdir -p servers/distro
  mkdir -p servers/docs
  cd servers
  for NUM in $(seq 0 $NUM_CERTS)
  do
    get_serial
    gen_server_cert $ORG_URL $SERIAL
  done
  cd ..
 }
 #
 # Copies all applcations to the Lifecycle package
 #   organize the ca-i directory
 #   order matters:  move these files last because they were copied above
 #
-ca-i_create_shell() {
+__ca-i_create_pkg() {
-
+  DEST_DIR="${CDD}/distribution/${UNIQ_ID}"
  DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID}"
  echo $UNIQ_ID > cfg/UNIQ_ID_CA-I
-  # client
+  # 
  # Client
  # 
  # create directories
  mkdir -p $DEST_DIR/clients/data
  mkdir -p $DEST_DIR/clients/distro
  mkdir -p $DEST_DIR/clients/docs
  mkdir -p $DEST_DIR/clients/cfg
  # copy resource files
  cp $CDD/res/libs/gen_client.sh  $DEST_DIR/clients/
  cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/clients/cfg
  cp $CDD/res/docs/README_C       $DEST_DIR/clients/README
-  cp $CDD/res/docs/SERIAL         $DEST_DIR/clients/cfg/
+  cp $CDD/res/docs/SERIAL_C       $DEST_DIR/clients/cfg/SERIAL
-  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/clients/cfg/
+  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/clients/cfg/cert.cnf
  # generated files
-  cp ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
+  cp $UNIQ_ID_CAI.crt.pem     $DEST_DIR/clients/cfg/ca-i.crt.pem
-  cp ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
+  cp $UNIQ_ID_CAI.keys.pem    $DEST_DIR/clients/cfg/ca-i.keys.pem
-  cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
+  cp ca_cert-chain*.pem       $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
-  cp cfg/UNIQ_ID_CA-I   $DEST_DIR/clients/cfg/
+  cp cfg/UNIQ_ID_CA-I         $DEST_DIR/clients/cfg/
-  cp cfg/UNIQ_ID_CA     $DEST_DIR/clients/cfg/
+  cp cfg/UNIQ_ID_CA           $DEST_DIR/clients/cfg/
-  # server
+  # 
  # Server
  # 
  # create directories
  mkdir -p $DEST_DIR/servers/data
  mkdir -p $DEST_DIR/servers/distro
  mkdir -p $DEST_DIR/servers/docs
  mkdir -p $DEST_DIR/servers/cfg
  # copy resource files
  cp $CDD/res/libs/gen_server.sh  $DEST_DIR/servers/
  cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/servers/cfg/
  cp $CDD/res/docs/README_S       $DEST_DIR/servers/README
-  cp $CDD/res/docs/SERIAL         $DEST_DIR/servers/cfg/
+  cp $CDD/res/docs/SERIAL_S       $DEST_DIR/servers/cfg/SERIAL
-  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/servers/cfg/
+  cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/servers/cfg/cert.cnf
  # generated files
-  cp ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
+  cp $UNIQ_ID_CAI.crt.pem   $DEST_DIR/servers/cfg/ca-i.crt.pem
-  cp ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
+  cp $UNIQ_ID_CAI.keys.pem  $DEST_DIR/servers/cfg/ca-i.keys.pem
-  cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
+  cp ca_cert-chain*.pem     $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
-  cp cfg/UNIQ_ID_CA-I   $DEST_DIR/servers/cfg/
+  cp cfg/UNIQ_ID_CA-I       $DEST_DIR/servers/cfg/
-  cp cfg/UNIQ_ID_CA     $DEST_DIR/servers/cfg/
+  cp cfg/UNIQ_ID_CA         $DEST_DIR/servers/cfg/
  # 
  # CA-I
  #
  # create directories
  mkdir -p $DEST_DIR/ca-i/data
  mkdir -p $DEST_DIR/ca-i/docs
  mkdir -p $DEST_DIR/ca-i/distro
-  cp $CDD/res/docs/README_CAI       $DEST_DIR/README
+  # copy resource files
-  cp $CDD/ca/ca_*.crt.pem         $DEST_DIR/ca-i/data/
+  cp $CDD/res/docs/README_CAI   $DEST_DIR/README
-  cp $CDD/ca/ca_*.info.txt        $DEST_DIR/ca-i/docs/
+  cp $CDD/ca/*.crt.pem          $DEST_DIR/ca-i/data/
  cp $CDD/ca/*.info.txt         $DEST_DIR/ca-i/docs/
  # generated files
-  mv ca_i*.pem            $DEST_DIR/ca-i/data/
+  mv $UNIQ_ID_CAI*.pem          $DEST_DIR/ca-i/data/
-  mv ca_i*.info.txt       $DEST_DIR/ca-i/docs/
+  mv $UNIQ_ID_CAI.crt.info.txt  $DEST_DIR/ca-i/docs/
-  mv ca_i*.p12            $DEST_DIR/ca-i/distro
+  mv $UNIQ_ID_CAI.p12           $DEST_DIR/ca-i/distro
-  mv ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
+  mv ca_cert-chain*.pem         $DEST_DIR/ca-i/distro
 }
 # This function will generate a CA Intermediate
 # 
 # Requires:  CNF file, CA cert, CA key
 # 
-# IN: UNIQ_ID_CA, SERIAL
+# IN: UNIQ_ID_CA
 #
 ca-i_gen_cert() {
-  ORG_URL=$1 
+  UNIQ_ID=$1
  SERIAL=$2
  DEST_DIR="."
  # DEST_DIR=$3
-  UNIQ_ID="${SERIAL}.${ORG_URL}"
+  UNIQ_ID="${SERIAL}.cai.${ORG_URL}"
  echo_block "Create CA Intermediate  (${UNIQ_ID})"
-  openssl genrsa -out "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" 4096
+  openssl genrsa -out "${DEST_DIR}/${UNIQ_ID}.keys.pem" 4096
  # Create Cert Signing Request (CSR)
  openssl req -config "cfg/ca.cnf" -new -sha256 \
              -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-              -key "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem"
+              -key "${DEST_DIR}/${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/${UNIQ_ID}.csr.pem"
  # Create Certificate   (valid for ~2 years, after the entire chain of trust expires)
  # CA signs Intermediate
  openssl x509 -req -days 750 -extfile "cfg/ca.cnf" -extensions v3_ca_i \
               -CA cfg/ca.crt.pem -CAkey cfg/ca.keys.pem -set_serial ${SERIAL} \
-               -in "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem"
+               -in "${DEST_DIR}/${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/${UNIQ_ID}.crt.pem"
  # Package the Certificate Authority Certificates for distro  (windoze needs this)
-  openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" \
+  openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/${UNIQ_ID}.keys.pem" \
                 -name "CA Intermediate Mobile Provision" -certfile cfg/ca.crt.pem \
-                 -in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.p12"
+                 -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/${UNIQ_ID}.p12"
  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.info.txt"
+  openssl x509 -noout -text -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/${UNIQ_ID}.crt.info.txt"
  # create certifiate chain
-  cat cfg/ca.crt.pem "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
+  cat cfg/ca.crt.pem "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
 }
 get_uniq_ids() {
  UNIQ_ID_CA=`head cfg/UNIQ_ID_CA`
  UNIQ_ID_CAI=`head cfg/UNIQ_ID_CA-I`
  # if [[ -z $ORG_URL ]]; then
  #   echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA"
  #   exit 1
  # fi  
 }
 gen_client() {
-  get_org_url
+  COUNT=$(($1-1))
-  get_client_cert $ORG_URL $SERIAL
+
  get_uniq_ids
  for NUM in $(seq 0 $COUNT)
  do
    get_serial
    UNIQ_ID="${SERIAL}.client.${UNIQ_ID_CAI}"
    gen_client_cert $UNIQ_ID
  done
 }
 #
@ -286,33 +215,39 @@ gen_client() {
 # IN: UNIQ_ID, SERIAL
 #
 gen_client_cert() {
-  ORG_URL=$1 
+  UNIQ_ID=$1
  SERIAL=$2
  get_uniq_ids
  UNIQ_ID="${SERIAL}_${ORG_URL}"
  CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
  echo_block "Generate Client Certificates  (${UNIQ_ID})"
-  openssl genrsa -out "data/client-${UNIQ_ID}.keys.pem" 4096
+  openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
-  openssl req -new -key "data/client-${UNIQ_ID}.keys.pem" \
+  openssl req -new -key "data/${UNIQ_ID}.keys.pem" \
-              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client-${UNIQ_ID}" \
+              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-              -out "data/client-${UNIQ_ID}.csr.pem"
+              -out "data/${UNIQ_ID}.csr.pem"
  # CA Intermediate signs Client
  openssl x509 -req -days 365 \
               -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-               -in "data/client-${UNIQ_ID}.csr.pem" -out "data/client-${UNIQ_ID}.crt.pem"
+               -in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
  # Package the Certificates
-  openssl pkcs12 -export -password "pass:password" -inkey "data/client-${UNIQ_ID}.keys.pem" \
+  openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client-${UNIQ_ID}@acme.xyz" \
+                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-                 -in "data/client-${UNIQ_ID}.crt.pem" -out "distro/client-${UNIQ_ID}.p12"
+                 -in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "data/client-${UNIQ_ID}.crt.pem" > "docs/client-${UNIQ_ID}.info.txt"
+  openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.info.txt"
 }
 gen_server() {
  COUNT=$(($1-1))
  get_uniq_ids
  for NUM in $(seq 0 $COUNT)
  do
    get_serial
    UNIQ_ID="${SERIAL}.server.${UNIQ_ID_CAI}"
    gen_server_cert $UNIQ_ID
  done
 }
 #
@ -320,31 +255,27 @@ gen_client_cert() {
 # IN: UNIQ_ID, SERIAL
 #
 gen_server_cert() {
-  ORG_URL=$1 
+  UNIQ_ID=$1
  SERIAL=$2
  UNIQ_ID="${SERIAL}.${ORG_URL}"
  CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
  echo_block "Generate Server Certificates  (${UNIQ_ID})"
-  openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096
+  openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
-  openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \
+  openssl req -new -config "cfg/cert.cnf" -key "data/${UNIQ_ID}.keys.pem" \
              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-              -out "data/server_${UNIQ_ID}.csr.pem"
+              -out "data/${UNIQ_ID}.csr.pem"
  # CA Intermediate signs Server
-  openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \
+  openssl x509 -req -days 365 -extfile "cfg/cert.cnf" -extensions v3_server \
               -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-               -in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem"
+               -in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
  # Package the Certificates
-  openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \
+  openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-                 -name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \
+                 -name "Server ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-                 -in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12"
+                 -in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt" 
+  openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.crt.info.txt" 
 }