j3g
/
pki-bootstrap_pub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

FIN: refactoring complete, serial #s are all coherent, distinguished names (DN) is strong with both CA-I serial #s and client/server serial #s

This commit is contained in:
JohnE 2018-09-10 19:09:48 -07:00
parent 03d003b151
commit 5366ef101d
9 changed files with 200 additions and 246 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1,12 +1,9 @@
#
pki-lifecycle_*
# Project specific files
sftp-config.json
.DS_Store
**/var/
**/cert_gen/acme.xyz_fl/
pki-lifecycle_*
# Byte-compiled / optimized / DLL files
__pycache__/

3
docs/pki_agile
View File

@ -40,9 +40,12 @@
[[ COMPLETED ]]
[ ver 3.3 ]
* SERIOUS refactoring to focus on local execution with default configs and SERIAL # incrementation
* configuration defaults generated so that the CA-I package is all automated
* gen_client.sh modified run with config defaults
* gen_server.sh modified to run with config defaults
* gen_client.sh will generate # of certs
* gen_server.sh will generate # of certs
* auto-increment SERIAL
* CA FQDN saved to config file
* CA-I FQDN saved to config file

62
src/pki_bootstrap/pki_bootstrap.sh
View File

@ -17,11 +17,13 @@ usage() {
echo "This application will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
echo "pki lifecyle package"
echo " -put the .cnf config files into the ./cnf directory"
echo " * put the .cnf config files into the .res/cnf/ directory"
echo
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]"
echo
echo "Example: pki_bootstrap org.acme.xyz"
echo " pki_bootstrap org.acme.xyz 5"
echo
exit 1
}
@ -41,9 +43,6 @@ get_serial_ca() {
#
# CA generation requires .cnf files
# create CA directory
# create bash variables to CA
# restore script back to original path
#
app_init() {
if [[ -n $PARAM1 ]]; then
@ -54,11 +53,9 @@ app_init() {
if [[ ${PARAM1: -4} == .cnf ]]; then
ORG_URL=${PARAM1%.*}
S_CNF=${PARAM1}
echo "ASDF: ${ORG_URL}, ${S_CNF}"
else
ORG_URL=$PARAM1
S_CNF="${PARAM1}.cnf"
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi
FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"
@ -78,7 +75,7 @@ app_init() {
#
gen_lifecycle() {
get_serial_ca
echo_block "SERIAL == ${SERIAL}"
# Organize
#
# create a unique path for the server certificate
@ -88,33 +85,23 @@ gen_lifecycle() {
FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}"
# create CA unique dir
UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
CA_DIR="ca_${UNIQ_ID_CA}"
# cd $CA_DIR
# FQ_CA_DIR=`pwd`
# FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
# FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
# mkdir -p "${UNIQ_DIR_LC}/${CA_DIR}"
UNIQ_ID_CA="${SERIAL}.ca.${ORG_URL}"
mkdir -p "${UNIQ_DIR_LC}/ca"
cd "${UNIQ_DIR_LC}"
# initialize the functions lib
# pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
# generate a new CA
gen_ca $UNIQ_ID_CA $SERIAL
# go back to original dir
cd ..
# cd ..
}
#
#
#
cp_lifecycle_docs() {
# resource files to be copied to the PKI Lifecycle Package
RES="${CD_ROOT}/res"
mkdir -p "${UNIQ_DIR_LC}/cfg"
echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/
@ -122,10 +109,12 @@ cp_lifecycle_docs() {
cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
cp $RES/cnf/$ORG_URL.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $RES/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
# CA certs
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
}
#
@ -133,10 +122,18 @@ cp_lifecycle_docs() {
#
gen_lc_ca_i() {
cd $FQ_DIR_LC
# generate new CA-I
ca-i_gen_pki $ORG_URL 4321 2
# ca-i_gen_pki $ORG_URL 2001 5
# ca-i_gen_pki $ORG_URL 3001 8
if [[ -n $PARAM2 ]]; then
COUNT=$(($PARAM2-1))
else
COUNT=2
fi
for NUM in $(seq 0 $COUNT)
do
ca-i_gen_pki $ORG_URL 5
done
}
# ***** ***** ***** ***** *****
@ -154,19 +151,18 @@ gen_ca() {
echo_block "Create CA (${UNIQ_ID_CA})"
# encrypt the key
#openssl genrsa -aes256 -out ca.keys.pem 4096
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca/ca_${UNIQ_ID_CA}.keys.pem" 4096
openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca/ca_${UNIQ_ID_CA}.keys.pem -out ca/ca_${UNIQ_ID_CA}.crt.pem
-subj "/C=OO/O=ACME/CN=${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca/${UNIQ_ID_CA}.keys.pem -out ca/${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca/ca_${UNIQ_ID_CA}.crt.pem > ca/ca_${UNIQ_ID_CA}_cert.info.txt
openssl x509 -noout -text -in ca/${UNIQ_ID_CA}.crt.pem > ca/${UNIQ_ID_CA}_cert.info.txt
}

0
src/pki_bootstrap/res/docs/SERIAL → src/pki_bootstrap/res/docs/SERIAL_C
View File

1
src/pki_bootstrap/res/docs/SERIAL_S Normal file
View File

@ -0,0 +1 @@
5001

34
src/pki_bootstrap/res/libs/gen_ca-i.sh
View File

@ -9,8 +9,6 @@
PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() {
echo
@ -20,19 +18,43 @@ usage() {
echo "It requires a CA certificate used to sign CA Intermediate"
echo "Requires the file \"ca.pem\" that is used to sign the certificates"
echo
echo " usage: gen_ca-i.sh <Org URL> [Serial #]"
echo " usage: gen_ca-i.sh <Org URL> [# of client/server certs]"
echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
echo " 10052 (optional) \\"
echo
echo " 10 (optional) \\"
exit 1
}
check_params() {
# the parameter must be the URL (not the filename, .cnf)
if [[ -n $PARAM1 ]]; then
if [[ ${PARAM1: -4} == .cnf ]]; then
if [[ ! -f "cfg/${PARAM1}" ]]; then
echo_block "ERROR: file cfg/${PARAM1} is missing"
usage
else
PARAM1=${PARAM1%.*}
fi
else
if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
echo_block "ERROR: file cfg/${PARAM1}.cnf is missing"
usage
fi
fi
else
usage
fi
if [[ -z $PARAM2 ]]; then
PARAM2=5
fi
}
main() {
# uses global variables: $PARAM1 $PARAM2 $PARAM3
check_cai_pkg
check_params
ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
ca-i_gen_pki $PARAM1 $PARAM2
}
main

18
src/pki_bootstrap/res/libs/gen_client.sh
View File

@ -8,9 +8,6 @@
. cfg/pki_funcs.sh
PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() {
echo
@ -18,19 +15,24 @@ usage() {
echo
echo
echo "Generate a new certificate"
echo " usage: gen_client.sh <Org URL> [Serial #]"
echo " usage: gen_client.sh <number to generate>"
echo
echo " example: gen_client.sh skunkworks.acme.xyz \\"
echo " 10052 (optional) \\"
echo " example: gen_client.sh 2"
echo
exit 1
}
check_params() {
if [[ -z $PARAM1 ]]; then
usage
fi
}
main() {
# uses global variables: $PARAM1 $PARAM2
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_client_cert $PARAM1 $PARAM2
gen_client $PARAM1
}
main

18
src/pki_bootstrap/res/libs/gen_server.sh
View File

@ -8,9 +8,6 @@
. cfg/pki_funcs.sh
PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() {
echo
@ -18,19 +15,24 @@ usage() {
echo
echo
echo "Generate a new certificate"
echo " usage: gen_server.sh <Org URL> [Serial #]"
echo " usage: gen_client.sh <number to generate>"
echo
echo " example: gen_server.sh skunkworks.acme.xyz \\"
echo " 10052 (optional) \\"
echo " example: gen_client.sh 2"
echo
exit 1
}
check_params() {
if [[ -z $PARAM1 ]]; then
usage
fi
}
main() {
# uses global variables: $PARAM1 $PARAM2
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_server $PARAM1 $PARAM2
gen_server $PARAM1
}
main

273
src/pki_bootstrap/res/libs/pki_funcs.sh
View File

@ -3,20 +3,6 @@
# all main functions to generate a PKI certificate chain
#
#
# Set the CA variables
#
# pki_func_init() {
# if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
# FQ_CA_CERT=$1
# FQ_CA_KEYS=$2
# CNF_PATH=$3
# APP_INIT=1
# else
# APP_INIT=0
# fi
# }
#
# print text wrapped in a block
#
@ -27,11 +13,6 @@ echo_block() {
echo "***** ***** ***** *****"
}
error_no_ca_file() {
echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
usage
}
#
# Grab the latest serial # from the file, auto-increment
#
@ -47,57 +28,21 @@ get_serial() {
}
#
# check the three parameters: $PARAM1, $PARAM2, $PARAM3
# PARAM1 : ORG_URL
# PARAM2 : SERIAL
# PARAM3 : Num Certs
# the parameters are expected to be global
# check the integrity of the CA-I package
#
check_params() {
check_cai_pkg() {
if [[ ! -f cfg/ca.keys.pem ]] || [[ ! -f cfg/ca.crt.pem ]]; then
if [[ ! -f cfg/ca-i.keys.pem ]] || [[ ! -f cfg/ca-i.crt.pem ]]; then
echo_block "ERROR: missing ca certificat: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem"
echo_block "ERROR: missing a config file: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem"
usage
fi
fi
# the parameter must be the URL (not the filename, .cnf)
if [[ -n $PARAM1 ]]; then
if [[ ${PARAM1: -4} == .cnf ]]; then
if [[ ! -f "cfg/${PARAM1}" ]]; then
echo_block "ERROR: file cfg/${PARAM1} is missing"
usage
else
PARAM1=${PARAM1%.*}
fi
else
if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
echo_block "ERROR: file cfg/${PARAM1}.cnf is missing"
usage
fi
fi
else
usage
fi
if [[ -z $PARAM2 ]]; then
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
else
get_serial
PARAM2=$SERIAL
fi
else
SERIAL=$PARAM2
fi
if [[ -z $PARAM3 ]]; then
PARAM3=2
fi
}
#
# Create CA Intermediate PKI
#
@ -110,119 +55,102 @@ check_params() {
# - generate server certificates
# - generate client certificates
#
# INPUT: BASE SERIAL #, LOOP NUM
# INPUT: ORG URL, SERIAL #, LOOP NUM
#
ca-i_gen_pki() {
CDD=`pwd`
ORG_URL=$1
SERIAL=$2
NUM_CERTS=$(($3-1))
NUM_CERTS=$2
# create unique directory
UNIQ_ID="${SERIAL}.${ORG_URL}"
mkdir -p "distribution/ca_i_${UNIQ_ID}"
get_serial
UNIQ_ID_CAI="${SERIAL}.cai.${ORG_URL}"
mkdir -p "distribution/${UNIQ_ID_CAI}"
# Create CA Intermediate
#
ca-i_gen_cert $ORG_URL $SERIAL
# generate CA Intermediate
ca-i_gen_cert $UNIQ_ID_CAI
# create directories, copy files, before generating client/server
ca-i_create_shell
__ca-i_create_pkg
# the client & server applications need to execute in their perspective directories
cd "distribution/ca_i_${UNIQ_ID}"
__ca-i_gen_client
# __ca-i_gen_server
cd $CDD/distribution/$UNIQ_ID_CAI/clients
gen_client $NUM_CERTS
cd $CDD/distribution/$UNIQ_ID_CAI/servers
gen_server $NUM_CERTS
# return to last path
cd $CDD
}
#
# Client Certificates
#
__ca-i_gen_client() {
# create directories
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
cd clients
for NUM in $(seq 0 $NUM_CERTS)
do
get_serial
gen_client_cert $ORG_URL $SERIAL
done
cd ..
}
#
# Server Certificates
#
__ca-i_gen_server() {
# create directories
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
cd servers
for NUM in $(seq 0 $NUM_CERTS)
do
get_serial
gen_server_cert $ORG_URL $SERIAL
done
cd ..
}
#
# Copies all applcations to the Lifecycle package
# organize the ca-i directory
# order matters: move these files last because they were copied above
#
ca-i_create_shell() {
DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID}"
__ca-i_create_pkg() {
DEST_DIR="${CDD}/distribution/${UNIQ_ID}"
echo $UNIQ_ID > cfg/UNIQ_ID_CA-I
# client
#
# Client
#
# create directories
mkdir -p $DEST_DIR/clients/data
mkdir -p $DEST_DIR/clients/distro
mkdir -p $DEST_DIR/clients/docs
mkdir -p $DEST_DIR/clients/cfg
# copy resource files
cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg
cp $CDD/res/docs/README_C $DEST_DIR/clients/README
cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/
cp $CDD/res/docs/SERIAL_C $DEST_DIR/clients/cfg/SERIAL
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/cert.cnf
# generated files
cp ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem
cp ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem
cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem
cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem
cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/clients/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/clients/cfg/
# server
#
# Server
#
# create directories
mkdir -p $DEST_DIR/servers/data
mkdir -p $DEST_DIR/servers/distro
mkdir -p $DEST_DIR/servers/docs
mkdir -p $DEST_DIR/servers/cfg
# copy resource files
cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/
cp $CDD/res/docs/README_S $DEST_DIR/servers/README
cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/
cp $CDD/res/docs/SERIAL_S $DEST_DIR/servers/cfg/SERIAL
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/cert.cnf
# generated files
cp ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem
cp ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem
cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem
cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem
cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/servers/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/servers/cfg/
#
# CA-I
#
# create directories
mkdir -p $DEST_DIR/ca-i/data
mkdir -p $DEST_DIR/ca-i/docs
mkdir -p $DEST_DIR/ca-i/distro
# copy resource files
cp $CDD/res/docs/README_CAI $DEST_DIR/README
cp $CDD/ca/ca_*.crt.pem $DEST_DIR/ca-i/data/
cp $CDD/ca/ca_*.info.txt $DEST_DIR/ca-i/docs/
cp $CDD/ca/*.crt.pem $DEST_DIR/ca-i/data/
cp $CDD/ca/*.info.txt $DEST_DIR/ca-i/docs/
# generated files
mv ca_i*.pem $DEST_DIR/ca-i/data/
mv ca_i*.info.txt $DEST_DIR/ca-i/docs/
mv ca_i*.p12 $DEST_DIR/ca-i/distro
mv $UNIQ_ID_CAI*.pem $DEST_DIR/ca-i/data/
mv $UNIQ_ID_CAI.crt.info.txt $DEST_DIR/ca-i/docs/
mv $UNIQ_ID_CAI.p12 $DEST_DIR/ca-i/distro
mv ca_cert-chain*.pem $DEST_DIR/ca-i/distro
}
@ -230,55 +158,56 @@ ca-i_create_shell() {
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA, SERIAL
# IN: UNIQ_ID_CA
#
ca-i_gen_cert() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID=$1
DEST_DIR="."
# DEST_DIR=$3
UNIQ_ID="${SERIAL}.${ORG_URL}"
UNIQ_ID="${SERIAL}.cai.${ORG_URL}"
echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" 4096
openssl genrsa -out "${DEST_DIR}/${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config "cfg/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem"
-key "${DEST_DIR}/${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile "cfg/ca.cnf" -extensions v3_ca_i \
-CA cfg/ca.crt.pem -CAkey cfg/ca.keys.pem -set_serial ${SERIAL} \
-in "${DEST_DIR}/ca_i_${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem"
-in "${DEST_DIR}/${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/ca_i_${UNIQ_ID}.keys.pem" \
openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile cfg/ca.crt.pem \
-in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/ca_i_${UNIQ_ID}.p12"
-in "${DEST_DIR}/${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.info.txt"
openssl x509 -noout -text -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/${UNIQ_ID}.crt.info.txt"
# create certifiate chain
cat cfg/ca.crt.pem "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
cat cfg/ca.crt.pem "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
}
get_uniq_ids() {
UNIQ_ID_CA=`head cfg/UNIQ_ID_CA`
UNIQ_ID_CAI=`head cfg/UNIQ_ID_CA-I`
# if [[ -z $ORG_URL ]]; then
# echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA"
# exit 1
# fi
}
gen_client() {
get_org_url
get_client_cert $ORG_URL $SERIAL
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.client.${UNIQ_ID_CAI}"
gen_client_cert $UNIQ_ID
done
}
#
@ -286,33 +215,39 @@ gen_client() {
# IN: UNIQ_ID, SERIAL
#
gen_client_cert() {
ORG_URL=$1
SERIAL=$2
get_uniq_ids
UNIQ_ID="${SERIAL}_${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
UNIQ_ID=$1
echo_block "Generate Client Certificates (${UNIQ_ID})"
openssl genrsa -out "data/client-${UNIQ_ID}.keys.pem" 4096
openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "data/client-${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client-${UNIQ_ID}" \
-out "data/client-${UNIQ_ID}.csr.pem"
openssl req -new -key "data/${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client
openssl x509 -req -days 365 \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/client-${UNIQ_ID}.csr.pem" -out "data/client-${UNIQ_ID}.crt.pem"
-in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/client-${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client-${UNIQ_ID}@acme.xyz" \
-in "data/client-${UNIQ_ID}.crt.pem" -out "distro/client-${UNIQ_ID}.p12"
openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/client-${UNIQ_ID}.crt.pem" > "docs/client-${UNIQ_ID}.info.txt"
openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.info.txt"
}
gen_server() {
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.server.${UNIQ_ID_CAI}"
gen_server_cert $UNIQ_ID
done
}
#
@ -320,31 +255,27 @@ gen_client_cert() {
# IN: UNIQ_ID, SERIAL
#
gen_server_cert() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
UNIQ_ID=$1
echo_block "Generate Server Certificates (${UNIQ_ID})"
openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096
openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \
openssl req -new -config "cfg/cert.cnf" -key "data/${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/server_${UNIQ_ID}.csr.pem"
-out "data/${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server
openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \
openssl x509 -req -days 365 -extfile "cfg/cert.cnf" -extensions v3_server \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem"
-in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \
-in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12"
openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt"
openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.crt.info.txt"
}