From 7e075560feca93d06a2f3d69ab1e38a6cc4e14e4 Mon Sep 17 00:00:00 2001 From: JohnE Date: Wed, 22 Aug 2018 08:31:55 -0700 Subject: [PATCH] WIP: re-org the code to support the lifecycle applications. working on the variables passed and the paths to the .cnf, CA-I files --- src/pki_bootstrap/libs/pki_funcs.sh | 163 +++++++++++- src/pki_bootstrap/libs/pki_funcs_old.sh | 155 ++++++++++++ src/pki_bootstrap/pki_bootstrap.sh | 125 +--------- src/pki_bootstrap/pki_bootstrap2.sh | 232 ++++++++++++++++++ .../clients/{ => cfg}/SERIAL | 0 .../clients/{ca-i => cfg}/ca-i.crt.pem | 0 .../servers/{ => cfg}/SERIAL | 0 .../servers/{ca-i => cfg}/ca-i.crt.pem | 0 .../servers/cfg/skunkworks.acme.xyz.cnf | 55 +++++ 9 files changed, 599 insertions(+), 131 deletions(-) create mode 100644 src/pki_bootstrap/libs/pki_funcs_old.sh create mode 100755 src/pki_bootstrap/pki_bootstrap2.sh rename src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/{ => cfg}/SERIAL (100%) rename src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/{ca-i => cfg}/ca-i.crt.pem (100%) rename src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/{ => cfg}/SERIAL (100%) rename src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/{ca-i => cfg}/ca-i.crt.pem (100%) create mode 100644 src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/skunkworks.acme.xyz.cnf diff --git a/src/pki_bootstrap/libs/pki_funcs.sh b/src/pki_bootstrap/libs/pki_funcs.sh index 8b1db9d..0ca99b0 100644 --- a/src/pki_bootstrap/libs/pki_funcs.sh +++ b/src/pki_bootstrap/libs/pki_funcs.sh 
@@ -3,6 +3,20 @@ # all main functions to generate a PKI certificate chain # +# +# Set the CA variables +# +pki_func_init() { + if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then + FQ_CA_CERT=$1 + FQ_CA_KEYS=$2 + CNF_PATH=$3 + APP_INIT=1 + else + APP_INIT=0 + fi +} + # # print text wrapped in a block # @@ -32,7 +46,7 @@ get_serial() { # This function will generate a CA Intermediate # IN: UNIQ_ID_CA, SERIAL # -generate_ca() { +gen_ca() { # params UNIQ_ID_CA=$1 SERIAL=$2 @@ -44,7 +58,7 @@ generate_ca() { openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096 # # Create Certificate (valid for 10 years, after the entire chain of trust expires) - openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \ + openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \ -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \ -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem 
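Review bot: `pki_func_init` reports success (`APP_INIT=1`) when any one of its three arguments is non-empty, because the condition chains `||`; `gen_ca` in the @@ -44 hunk dereferences `CNF_PATH` and `ca-i_gen_cert` dereferences `FQ_CA_CERT`/`FQ_CA_KEYS`, so a partial call would be treated as initialised and only fail later inside openssl. Change the test to `if [[ -n $1 && -n $2 && -n $3 ]]; then`. Nothing visible in this patch reads `APP_INIT`, so either check it at the top of the generator functions or drop it. A header in the style of the other functions, `# IN: FQ_CA_CERT, FQ_CA_KEYS, CNF_PATH`, would document what the three positionals are.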
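Review bot: `-config $CNF_PATH/ca.cnf` in `gen_ca` is unquoted, while the same patch writes `"${CNF_PATH}/ca.cnf"` in `ca-i_gen_cert`; quote it the same way so a config directory containing spaces does not word-split. pki_bootstrap.sh passes `"${CD_ROOT}/cnf/"` with a trailing slash, so the path openssl sees is `cnf//ca.cnf` — harmless, but worth normalising on one side. gen_ca's body continues outside the hunk.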
@@ -53,28 +67,84 @@ generate_ca() { } # -# Create CA Intermediate +# Create CA Intermediate PKI # # +# +# INPUT: SERIAL #, LOOP NUM +# +ca-i_gen_pki() { + # organization + CDD=`pwd` + SERIAL=$1 + LOOP_NUM=$2 + UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}" + mkdir -p "distrobution/${UNIQ_DIR_CA}" + cd "distrobution/${UNIQ_DIR_CA}" + + # geneate certificates, organize the files + ca-i_gen_pki_certs $SERIAL $LOOP_NUM + organize + cp_pki_lifecycle + + # return to last path + cd $CDD +} + +# +# Generate a PKI chain +# - the certificate chain is unique based on the serial # +# - generate a new CA I +# - generate two server certificates +# - generate two client certificates +# +# INPUT: BASE SERIAL #, LOOP NUM +# +# Requires: FQ_CA_CERT, FQ_CA_KEYS +# +ca-i_gen_pki_certs() { + SERIAL=$1 + NUM_CERTS=$(($2-1)) + + # Create CA Intermediate + UNIQ_ID_CAI="${SERIAL}.${ORG_URL}" + ca-i_gen_cert $UNIQ_ID_CAI $SERIAL + + # Server Certificates + for NUM in $(seq 0 $NUM_CERTS) + do + gen_server "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM)) + done + + # Client Certificates + for NUM in $(seq 0 $NUM_CERTS) + do + gen_client "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM)) + done +} + # This function will generate a CA Intermediate +# +# Requires: CNF file, CA cert, CA key +# # IN: UNIQ_ID_CA, SERIAL # -generate_ca_i() { +ca-i_gen_cert() { echo_block "Create CA Intermediate (${UNIQ_ID_CA})" # params - UNIQ_ID_CA=$1 - SERIAL=$2 + UNIQ_ID_CA=$3 + SERIAL=$4 openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096 # Create Cert Signing Request (CSR) - openssl req -config $CA_CNF -new -sha256 \ + openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \ -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \ -key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem" # Create Certificate (valid for ~2 years, after the entire chain of trust expires) # CA signs Intermediate - openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \ + openssl x509 -req -days 
750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \ -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \ -in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem" 
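Review bot: `ca-i_gen_cert` now reads `UNIQ_ID_CA=$3` and `SERIAL=$4`, but its only caller in this hunk, `ca-i_gen_pki_certs`, passes two arguments (`ca-i_gen_cert $UNIQ_ID_CAI $SERIAL`), so both variables end up empty: the key and CSR are written as `ca_i_.keys.pem`/`ca_i_.csr.pem`, `-set_serial` gets an empty value, and because `SERIAL` is a global it is also cleared for the `$((SERIAL+NUM))` loops that run afterwards. Restore `UNIQ_ID_CA=$1` and `SERIAL=$2`, and consider declaring them `local` so the helpers stop clobbering each other. `ca-i_gen_pki` still calls `organize` and `cp_pki_lifecycle`, which the @@ -89 hunk renames to `ca-i_organize` and `ca-i_cp_docs` and which pki_bootstrap.sh deletes in this same commit, so the call path ends in "command not found". Neither `cd` is checked; if `cd "distrobution/${UNIQ_DIR_CA}"` fails, the intermediate key and every certificate are generated in the parent directory instead.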
@@ -89,11 +159,77 @@ generate_ca_i() { # create certifiate chain cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" } + +# +# Organize the files into logical folders based on serial # +# +ca-i_organize() { + # organize the client directory + mkdir -p clients/ca-i + mkdir -p clients/data + mkdir -p clients/distro + mkdir -p clients/docs + mv client*.pem clients/data/ + mv client*.p12 clients/distro/ + mv client*.info.txt clients/docs/ + cp ca_i*.crt.pem clients/ca-i/ + cp ca_i*.keys.pem clients/ca-i/ + + # organize the server directory + mkdir -p servers/ca-i + mkdir -p servers/data + mkdir -p servers/distro + mkdir -p servers/docs + mv server_*.pem servers/data/ + mv server_*.p12 servers/distro/ + mv server_*.info.txt servers/docs/ + cp ca_i*.crt.pem servers/ca-i/ + cp ca_i*.keys.pem servers/ca-i/ + + # organize the ca-i directory + # order matters: move these files last because they were copied above + mkdir -p ca-i/data + mkdir -p ca-i/docs + mv ca_i*.pem ca-i/data/ + mv ca_i*.info.txt ca-i/docs/ + mv ca_i*.p12 ca-i/ + mv ca_cert-chain*.pem ca-i/ + cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/ + cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/ +} + +# +# Copies all applcations to the Lifecycle package +# +# Requires: +# UNIQ_DIR_LC : unique string for the Lifecycle directory +# UNIQ_ID_CA-I : unique string for the CA-I +# +ca-i_cp_docs() { + # CA-I + cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ + cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/ + cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README + cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/ + + # client + cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/ + cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/ + cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README + cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/ + + # server + cp 
$CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/ + cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/ + cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README + cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/ +} + # # Generate a Server Certificate # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL # -generate_server() { +gen_server() { echo_block "Generate Server Certificates (${UNIQ_ID})" # params UNIQ_ID=$1 @@ -102,12 +238,12 @@ generate_server() { openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096 - openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \ + openssl req -new -config $CNF_PATH/${UNIQ_ID}.cnf -key "server_${UNIQ_ID}.keys.pem" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ -out "server_${UNIQ_ID}.csr.pem" # CA Intermediate signs Server - openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \ + openssl x509 -req -days 365 -extfile $CNF_PATH/cfg.cnf -extensions v3_server \ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem" @@ -119,11 +255,12 @@ generate_server() { # verify certificate (output to text file for review) openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" } + # # Generate a Client Certificate # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL # -generate_client() { +gen_client() { echo_block "Generate Client Certificates (${UNIQ_ID})" # params UNIQ_ID=$1 @@ -151,5 +288,5 @@ generate_client() { # # give some info if someone tries to execute this -echo_block "this script file has only helper functions" +# echo_block "this script file has only helper functions" diff --git a/src/pki_bootstrap/libs/pki_funcs_old.sh b/src/pki_bootstrap/libs/pki_funcs_old.sh new file mode 100644 index 0000000..8b1db9d --- /dev/null 
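Review bot: `ca-i_organize` copies `ca_i*.keys.pem` into `clients/ca-i/` and `servers/ca-i/`, so the intermediate CA's private signing key is shipped inside every client and server package that `ca-i_cp_docs` assembles. If the packaged `gen_client.sh`/`gen_server.sh` are meant to sign further certificates with it, say so in the header and restrict the copies (`chmod 600`); if they only need to verify, copy the `.crt.pem` alone. The `Requires:` header of `ca-i_cp_docs` lists `UNIQ_DIR_LC` and `UNIQ_ID_CA-I`, but the body reads `CD_ROOT` and `UNIQ_DIR_CA`, and `ca-i_organize` reads `FQ_CA_DIR` with no header at all; list the globals each function actually uses. Every `cp`/`mv` here is unquoted and without `--`, e.g. `cp -- "$CD_ROOT/docs/SERIAL" "$CD_ROOT/$UNIQ_DIR_LC/"`.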
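Review bot: `gen_server` now reads the CSR config from `$CNF_PATH/${UNIQ_ID}.cnf` but signs with `-extfile $CNF_PATH/cfg.cnf`; with `UNIQ_ID` built as `<serial>.${ORG_URL}` in `ca-i_gen_pki_certs`, the first path needs one file per serial number and the second is a fixed name, and neither is the `FQ_S_CNF` that `app_init` checks for existence. Use a single variable for both calls — e.g. `-config "${CNF_PATH}/${ORG_URL}.cnf"` and `-extfile "${CNF_PATH}/${ORG_URL}.cnf"` if the per-organisation file is the intent (the commit message says these paths are still in progress). gen_server's body continues outside the hunk.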
+++ b/src/pki_bootstrap/libs/pki_funcs_old.sh 
@@ -0,0 +1,155 @@
+#!/bin/bash
+#
+# all main functions to generate a PKI certificate chain
+#
+
+#
+# print text wrapped in a block
+#
+echo_block() {
+ echo
+ echo "***** ***** ***** *****"
+ echo $1
+ echo "***** ***** ***** *****"
+}
+
+#
+# Grab the latest serial # from the file, auto-increment
+#
+get_serial() {
+ SERIAL=`head SERIAL`
+ if [[ -z $SERIAL ]]; then
+ SERIAL=11111
+ echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
+ fi
+}
+
+# ***** ***** ***** ***** *****
+#
+# CERTIFICATE AUTHORITY (CA)
+#
+# ***** ***** ***** ***** *****
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+generate_ca() {
+ # params
+ UNIQ_ID_CA=$1
+ SERIAL=$2
+ # encrypt the key
+ #openssl genrsa -aes256 -out ca.keys.pem 4096
+ #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
+
+ # key un-protected
+ openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
+ #
+ # Create Certificate (valid for 10 years, after the entire chain of trust expires)
+ openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
+ -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
+ -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
+}
+
+#
+# Create CA Intermediate
+#
+#
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+generate_ca_i() {
+ echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
+ # params
+ UNIQ_ID_CA=$1
+ SERIAL=$2
+
+ openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
+
+ # Create Cert Signing Request (CSR)
+ openssl req -config $CA_CNF -new -sha256 \
+ -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
+ -key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
+
+ # Create Certificate (valid for ~2 years, after the entire chain of trust expires)
+ # CA signs Intermediate
+ openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
+ -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
+ -in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
+
+ # Package the Certificate Authority Certificates for distro (windoze needs this)
+ openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
+ -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
+ -in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
+
+ # create certifiate chain
+ cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
+}
+#
+# Generate a Server Certificate
+# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+#
+generate_server() {
+ echo_block "Generate Server Certificates (${UNIQ_ID})"
+ # params
+ UNIQ_ID=$1
+ UNIQ_ID_CA=$2
+ SERIAL=$3
+
+ openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
+
+ openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
+ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
+ -out "server_${UNIQ_ID}.csr.pem"
+
+ # CA Intermediate signs Server
+ openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
+ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+ -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
+
+ # Package the Certificates
+ openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
+ -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
+ -in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
+}
+#
+# Generate a Client Certificate
+# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+#
+generate_client() {
+ echo_block "Generate Client Certificates (${UNIQ_ID})"
+ # params
+ UNIQ_ID=$1
+ UNIQ_ID_CA=$2
+ SERIAL=$3
+
+ openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
+
+ openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
+ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
+ -out "client_${UNIQ_ID}.csr.pem"
+ # CA Intermediate signs Client
+ openssl x509 -req -days 365 \
+ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+ -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
+
+ # Package the Certificates
+ openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
+ -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
+ -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
+}
+
+#
+# give some info if someone tries to execute this
+echo_block "this script file has only helper functions"
+
diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh
index 3e23d39..98d90ed 100755
--- a/src/pki_bootstrap/pki_bootstrap.sh
+++ b/src/pki_bootstrap/pki_bootstrap.sh
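Review bot: The PKCS#12 exports in `generate_ca_i`, `generate_server` and `generate_client` all use a hard-coded `-password "pass:password"`, and this file is what pki_bootstrap2.sh sources, so every distributed `.p12` — including the bundle holding the intermediate CA's private key — is protected by the same known value. Read it from the environment or a file instead, e.g. `-passout env:PKI_P12_PASS` (the `env:`/`file:` sources are accepted by openssl's passphrase options), and mention the requirement in the file header. The `# encrypt the key` alternatives in `generate_ca` remain commented out, so the root CA key is written unencrypted; that is pre-existing behaviour, but copying the code into a new file is a good moment to record it in the function header.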
@@ -81,126 +81,15 @@ one-time-ca() { FQ_CA_DIR=`pwd` FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem" FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem" - generate_ca $UNIQ_ID_CA $SERIAL + + # initialize the functions lib + pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/cnf/" + + # generate a new CA + gen_ca $UNIQ_ID_CA $SERIAL cd .. } -# -# Organize the files into logical folders based on serial # -# -organize() { - # organize the client directory - mkdir -p clients/ca-i - mkdir -p clients/data - mkdir -p clients/distro - mkdir -p clients/docs - mv client*.pem clients/data/ - mv client*.p12 clients/distro/ - mv client*.info.txt clients/docs/ - cp ca_i*.crt.pem clients/ca-i/ - cp ca_i*.keys.pem clients/ca-i/ - - # organize the server directory - mkdir -p servers/ca-i - mkdir -p servers/data - mkdir -p servers/distro - mkdir -p servers/docs - mv server_*.pem servers/data/ - mv server_*.p12 servers/distro/ - mv server_*.info.txt servers/docs/ - cp ca_i*.crt.pem servers/ca-i/ - cp ca_i*.keys.pem servers/ca-i/ - - # organize the ca-i directory - # order matters: move these files last because they were copied above - mkdir -p ca-i/data - mkdir -p ca-i/docs - mv ca_i*.pem ca-i/data/ - mv ca_i*.info.txt ca-i/docs/ - mv ca_i*.p12 ca-i/ - mv ca_cert-chain*.pem ca-i/ - cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/ - cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/ -} - -# -# Copies all applcations to the Lifecycle package -# -# Requires: -# UNIQ_DIR_LC : unique string for the Lifecycle directory -# UNIQ_ID_CA-I : unique string for the CA-I -# -cp_pki_lifecycle() { - # CA-I - cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ - cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/ - cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/ - - # client - cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/ - cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/ - cp 
$CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/ - - # server - cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/ - cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/ - cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README - cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/ -} - -# -# Generate a PKI chain -# - the certificate chain is unique based on the serial # -# - generate a new CA I -# - generate two server certificates -# - generate two client certificates -# -# INPUT: BASE SERIAL #, LOOP NUM -# -gen_pki_certs() { - B_SERIAL=$1 - NUM_CERTS=$(($2-1)) - - # Create CA Intermediate - UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}" - generate_ca_i $UNIQ_ID_CAI $B_SERIAL - - # Server Certificates - for NUM in $(seq 0 $NUM_CERTS) - do - generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM)) - done - - # Client Certificates - for NUM in $(seq 0 $NUM_CERTS) - do - generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM)) - done -} - -# -# INPUT: SERIAL #, LOOP NUM -# -gen_pki() { - # organization - CDD=`pwd` - - SERIAL=$1 - UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}" - mkdir -p "distrobution/${UNIQ_DIR_CA}" - cd "distrobution/${UNIQ_DIR_CA}" - - # geneate certificates, organize the files - gen_pki_certs $SERIAL $2 - organize - cp_pki_lifecycle - - # return to last path - cd $CDD -} - main() { CD_ROOT=`pwd` @@ -208,7 +97,7 @@ main() { app_init one-time-ca - gen_pki 1001 2 + ca-i_gen_pki 1001 2 # gen_pki 50001 5 # gen_pki 80001 10 diff --git a/src/pki_bootstrap/pki_bootstrap2.sh b/src/pki_bootstrap/pki_bootstrap2.sh new file mode 100755 index 0000000..ef9226f --- /dev/null +++ b/src/pki_bootstrap/pki_bootstrap2.sh 
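Review bot: `pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/cnf/"` hands the library only the CA cert, key and config directory, yet the functions this commit moves into it (`ca-i_gen_pki`, `ca-i_organize`, `ca-i_cp_docs`) still read `CD_ROOT`, `UNIQ_DIR_LC`, `ORG_URL` and `FQ_CA_DIR` straight from this script's globals; either pass them through `pki_func_init` or state in its header that the library must be sourced into a shell where those are already set. Quote the two path arguments and drop the trailing slash: `pki_func_init "$FQ_CA_CERT" "$FQ_CA_KEYS" "${CD_ROOT}/cnf"`. In `main`, the commented alternatives still read `# gen_pki 50001 5` and `# gen_pki 80001 10` after the live call was renamed to `ca-i_gen_pki`. Both `one-time-ca` and `main` start outside the hunk.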
@@ -0,0 +1,232 @@
+#!/bin/bash
+#
+# ACME PKI (Certificate) Bootstrap v1.3
+#
+# This script will generate all the files necessary to build a certificate chain of trust
+# using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other
+# helper scripts will generate new client/server certificates
+#
+
+# source this file to include the functions
+. libs/pki_funcs_old.sh
+
+PARAM1=$1
+
+usage() {
+ echo
+ echo "This application will generate all the files necessary to build a certificate chain of trust"
+ echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
+ echo "pki lifecyle package"
+ echo " -put the .cnf config files into the ./cnf directory"
+ echo
+ echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
+ echo
+ echo "Example: pki_bootstrap org.acme.xyz"
+ exit 1
+}
+
+#
+# CA generation requires .cnf files
+# create CA directory
+# create bash variables to CA
+# restore script back to original path
+#
+app_init() {
+ if [[ -n $PARAM1 ]]; then
+ # need to know the location of the configuration file (expected to be in same dir path as this script)
+ CA_CNF="$CD_ROOT/cnf/ca.cnf"
+
+ # handle the case of having the ".cnf" extension or not
+ if [[ ${PARAM1: -4} == .cnf ]]; then
+ ORG_URL=${PARAM1%.*}
+ S_CNF=${PARAM1}
+ echo "ASDF: ${ORG_URL}, ${S_CNF}"
+ else
+ ORG_URL=$PARAM1
+ S_CNF="${PARAM1}.cnf"
+ echo "ZXCV: ${ORG_URL}, ${S_CNF}"
+ fi
+
+ FQ_S_CNF="${CD_ROOT}/cnf/${S_CNF}"
+ if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
+ usage
+ fi
+ else
+ usage
+ fi
+}
+
+#
+# IN: UNIQ_ID_CA, SERIAL
+#
+one-time-ca() {
+ # params
+ #SERIAL="101"
+
+ get_serial
+ echo_block "SERIAL == ${SERIAL}"
+ # Organize
+ #
+ # create a unique path for the server certificate
+ UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
+ UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
+ mkdir -p "${UNIQ_DIR_LC}"
+ cd "${UNIQ_DIR_LC}"
+
+ # create certificate
+ UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
+ CA_DIR="ca_${UNIQ_ID_CA}"
+ mkdir $CA_DIR
+ cd $CA_DIR
+ FQ_CA_DIR=`pwd`
+ FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
+ FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
+ generate_ca $UNIQ_ID_CA $SERIAL
+ cd ..
+}
+
+#
+# Organize the files into logical folders based on serial #
+#
+organize() {
+ # organize the client directory
+ mkdir -p clients/ca-i
+ mkdir -p clients/data
+ mkdir -p clients/distro
+ mkdir -p clients/docs
+ mv client*.pem clients/data/
+ mv client*.p12 clients/distro/
+ mv client*.info.txt clients/docs/
+ cp ca_i*.crt.pem clients/ca-i/
+ cp ca_i*.keys.pem clients/ca-i/
+
+ # organize the server directory
+ mkdir -p servers/ca-i
+ mkdir -p servers/data
+ mkdir -p servers/distro
+ mkdir -p servers/docs
+ mv server_*.pem servers/data/
+ mv server_*.p12 servers/distro/
+ mv server_*.info.txt servers/docs/
+ cp ca_i*.crt.pem servers/ca-i/
+ cp ca_i*.keys.pem servers/ca-i/
+
+ # organize the ca-i directory
+ # order matters: move these files last because they were copied above
+ mkdir -p ca-i/data
+ mkdir -p ca-i/docs
+ mv ca_i*.pem ca-i/data/
+ mv ca_i*.info.txt ca-i/docs/
+ mv ca_i*.p12 ca-i/
+ mv ca_cert-chain*.pem ca-i/
+ cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
+ cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
+}
+
+#
+# Copies all applcations to the Lifecycle package
+#
+# Requires:
+# UNIQ_DIR_LC : unique string for the Lifecycle directory
+# UNIQ_ID_CA-I : unique string for the CA-I
+#
+cp_pki_lifecycle() {
+ # CA-I
+ cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
+ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
+ cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
+ cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
+
+ # client
+ cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+ cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
+ cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+
+ # server
+ cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+ cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+ cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
+ cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+}
+
+#
+# Generate a PKI chain
+# - the certificate chain is unique based on the serial #
+# - generate a new CA I
+# - generate two server certificates
+# - generate two client certificates
+#
+# INPUT: BASE SERIAL #, LOOP NUM
+#
+gen_pki_certs() {
+ B_SERIAL=$1
+ NUM_CERTS=$(($2-1))
+
+ # Create CA Intermediate
+ UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}"
+ generate_ca_i $UNIQ_ID_CAI $B_SERIAL
+
+ # Server Certificates
+ for NUM in $(seq 0 $NUM_CERTS)
+ do
+ generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
+ done
+
+ # Client Certificates
+ for NUM in $(seq 0 $NUM_CERTS)
+ do
+ generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
+ done
+}
+
+#
+# INPUT: SERIAL #, LOOP NUM
+#
+gen_pki() {
+ # organization
+ CDD=`pwd`
+
+ SERIAL=$1
+ UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
+ mkdir -p "distrobution/${UNIQ_DIR_CA}"
+ cd "distrobution/${UNIQ_DIR_CA}"
+
+ # geneate certificates, organize the files
+ gen_pki_certs $SERIAL $2
+ organize
+ cp_pki_lifecycle
+
+ # return to last path
+ cd $CDD
+}
+
+
+main() {
+ CD_ROOT=`pwd`
+ LIB_PATH="${CD_ROOT}/libs"
+
+ app_init
+ one-time-ca
+ gen_pki 1001 2
+# gen_pki 50001 5
+# gen_pki 80001 10
+
+ # make sure we return to root execution path
+ cd "${CD_ROOT}"
+}
+
+
+# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
+#
+# main execution begins here (because all the functions have to be defined)
+#
+# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
+
+main
+
+# ***** ***** ***** *****
+#
+#
+#
+# ***** ***** ***** *****
diff --git a/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/SERIAL b/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/cfg/SERIAL
similarity index 100%
rename from src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/SERIAL
rename to src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/cfg/SERIAL
diff --git a/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/ca-i/ca-i.crt.pem b/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/cfg/ca-i.crt.pem
similarity index 100%
rename from src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/ca-i/ca-i.crt.pem
rename to src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/cfg/ca-i.crt.pem
diff --git a/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/SERIAL b/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/SERIAL
similarity index 100%
rename from src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/SERIAL
rename to src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/SERIAL
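Review bot: `. libs/pki_funcs_old.sh` and the `pwd`-based `CD_ROOT` in `main` both resolve against the caller's working directory, so the script only works when started from `src/pki_bootstrap`; anchor them to the script's own location with `CD_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)` and `. "${CD_ROOT}/libs/pki_funcs_old.sh"`. The `echo "ASDF: …"` / `echo "ZXCV: …"` lines in `app_init` look like leftover debugging output. There is no `set -e` and none of the `cd` calls in `one-time-ca` or `gen_pki` are checked, so a failed `mkdir`/`cd` would leave the CA key and certificates wherever the shell happens to be; `cd "${UNIQ_DIR_LC}" || exit 1` on each is enough. `usage` exits 1 on every path, so a deliberate help request is reported as a failure.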
diff --git a/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/ca-i/ca-i.crt.pem b/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/ca-i.crt.pem
similarity index 100%
rename from src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/ca-i/ca-i.crt.pem
rename to src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/ca-i.crt.pem
diff --git a/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/skunkworks.acme.xyz.cnf b/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/skunkworks.acme.xyz.cnf
new file mode 100644
index 0000000..9bf9706
--- /dev/null
+++ b/src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/skunkworks.acme.xyz.cnf
@@ -0,0 +1,55 @@
+#
+#
+# IMPORTANT INFO
+#
+#
+[ v3_server ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "ACME Corp"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+#subjectAltName = IP:192.168.123.129
+
+[ alt_names ]
+DNS.1 = "skunkworks.acme.xyz"
+
+#
+#
+# FORCED TO INCLUDE THIS JUNK
+#
+#
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+#x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = State51
+localityName_default =
+0.organizationName_default = ACME R&D
+organizationalUnitName_default =
+emailAddress_default =
+
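Review bot: `[ alt_names ]` fixes `DNS.1 = "skunkworks.acme.xyz"` for every certificate signed with this `v3_server` section, so a server certificate issued for `1002.skunkworks.acme.xyz` (the CN that `gen_server` builds) would also be accepted by TLS clients for `skunkworks.acme.xyz`, because clients match the SAN rather than the CN. If one config per server is the plan, the SAN should carry that server's own name; otherwise populate `alt_names` per call (OpenSSL's `$ENV::NAME` config expansion, or a temporary extfile written by `gen_server`). `gen_server` currently signs with `-extfile $CNF_PATH/cfg.cnf`, so it is not obvious this per-organisation file is the one actually read at signing time — worth confirming before relying on its extensions. The commented `#subjectAltName = IP:…` line and the dangling `# See .` reference should be cleaned up, and `nsCertType`/`nsComment` are legacy Netscape extensions that current verifiers ignore. This file sits under `src/sandbox/…/distrobution/`, a timestamped output tree, so it probably belongs in `cnf/` beside the scripts rather than in a generated artifact.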