j3g
/
pki-bootstrap_pub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

WIP: re-org the code to support the lifecycle applications. working on the variables passed and the paths to the .cnf, CA-I files

This commit is contained in:
JohnE 2018-08-22 08:31:55 -07:00
parent 593d231271
commit 7e075560fe
9 changed files with 599 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

163
src/pki_bootstrap/libs/pki_funcs.sh
View File

@ -3,6 +3,20 @@
# all main functions to generate a PKI certificate chain # all main functions to generate a PKI certificate chain
# #
#
# Set the CA variables
#
pki_func_init() {
if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
FQ_CA_CERT=$1
FQ_CA_KEYS=$2
CNF_PATH=$3
APP_INIT=1
else
APP_INIT=0
fi
}
# #
# print text wrapped in a block # print text wrapped in a block
# #
@ -32,7 +46,7 @@ get_serial() {
# This function will generate a CA Intermediate # This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
generate_ca() { gen_ca() {
# params # params
UNIQ_ID_CA=$1 UNIQ_ID_CA=$1
SERIAL=$2 SERIAL=$2
@ -44,7 +58,7 @@ generate_ca() {
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096 openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
# #
# Create Certificate (valid for 10 years, after the entire chain of trust expires) # Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \ openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \ -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
@ -53,28 +67,84 @@ generate_ca() {
} }
# #
# Create CA Intermediate # Create CA Intermediate PKI
# #
# #
#
# INPUT: SERIAL #, LOOP NUM
#
ca-i_gen_pki() {
# organization
CDD=`pwd`
SERIAL=$1
LOOP_NUM=$2
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
mkdir -p "distrobution/${UNIQ_DIR_CA}"
cd "distrobution/${UNIQ_DIR_CA}"
# geneate certificates, organize the files
ca-i_gen_pki_certs $SERIAL $LOOP_NUM
organize
cp_pki_lifecycle
# return to last path
cd $CDD
}
#
# Generate a PKI chain
# - the certificate chain is unique based on the serial #
# - generate a new CA I
# - generate two server certificates
# - generate two client certificates
#
# INPUT: BASE SERIAL #, LOOP NUM
#
# Requires: FQ_CA_CERT, FQ_CA_KEYS
#
ca-i_gen_pki_certs() {
SERIAL=$1
NUM_CERTS=$(($2-1))
# Create CA Intermediate
UNIQ_ID_CAI="${SERIAL}.${ORG_URL}"
ca-i_gen_cert $UNIQ_ID_CAI $SERIAL
# Server Certificates
for NUM in $(seq 0 $NUM_CERTS)
do
gen_server "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
done
# Client Certificates
for NUM in $(seq 0 $NUM_CERTS)
do
gen_client "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
done
}
# This function will generate a CA Intermediate # This function will generate a CA Intermediate
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
generate_ca_i() { ca-i_gen_cert() {
echo_block "Create CA Intermediate (${UNIQ_ID_CA})" echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
# params # params
UNIQ_ID_CA=$1 UNIQ_ID_CA=$3
SERIAL=$2 SERIAL=$4
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096 openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
# Create Cert Signing Request (CSR) # Create Cert Signing Request (CSR)
openssl req -config $CA_CNF -new -sha256 \ openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \ -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem" -key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires) # Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate # CA signs Intermediate
openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \ openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \ -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem" -in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
@ -89,11 +159,77 @@ generate_ca_i() {
# create certifiate chain # create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
} }
#
# Organize the files into logical folders based on serial #
#
ca-i_organize() {
# organize the client directory
mkdir -p clients/ca-i
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
mv client*.pem clients/data/
mv client*.p12 clients/distro/
mv client*.info.txt clients/docs/
cp ca_i*.crt.pem clients/ca-i/
cp ca_i*.keys.pem clients/ca-i/
# organize the server directory
mkdir -p servers/ca-i
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
mv server_*.pem servers/data/
mv server_*.p12 servers/distro/
mv server_*.info.txt servers/docs/
cp ca_i*.crt.pem servers/ca-i/
cp ca_i*.keys.pem servers/ca-i/
# organize the ca-i directory
# order matters: move these files last because they were copied above
mkdir -p ca-i/data
mkdir -p ca-i/docs
mv ca_i*.pem ca-i/data/
mv ca_i*.info.txt ca-i/docs/
mv ca_i*.p12 ca-i/
mv ca_cert-chain*.pem ca-i/
cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
}
#
# Copies all applcations to the Lifecycle package
#
# Requires:
# UNIQ_DIR_LC : unique string for the Lifecycle directory
# UNIQ_ID_CA-I : unique string for the CA-I
#
ca-i_cp_docs() {
# CA-I
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
# client
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
# server
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
}
# #
# Generate a Server Certificate # Generate a Server Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
# #
generate_server() { gen_server() {
echo_block "Generate Server Certificates (${UNIQ_ID})" echo_block "Generate Server Certificates (${UNIQ_ID})"
# params # params
UNIQ_ID=$1 UNIQ_ID=$1
@ -102,12 +238,12 @@ generate_server() {
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096 openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \ openssl req -new -config $CNF_PATH/${UNIQ_ID}.cnf -key "server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server # CA Intermediate signs Server
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \ openssl x509 -req -days 365 -extfile $CNF_PATH/cfg.cnf -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem" -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
@ -119,11 +255,12 @@ generate_server() {
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
} }
# #
# Generate a Client Certificate # Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
# #
generate_client() { gen_client() {
echo_block "Generate Client Certificates (${UNIQ_ID})" echo_block "Generate Client Certificates (${UNIQ_ID})"
# params # params
UNIQ_ID=$1 UNIQ_ID=$1
@ -151,5 +288,5 @@ generate_client() {
# #
# give some info if someone tries to execute this # give some info if someone tries to execute this
echo_block "this script file has only helper functions" # echo_block "this script file has only helper functions"

155
src/pki_bootstrap/libs/pki_funcs_old.sh Normal file
View File

@ -0,0 +1,155 @@
#!/bin/bash
#
# all main functions to generate a PKI certificate chain
#
#
# print text wrapped in a block
#
echo_block() {
echo
echo "***** ***** ***** *****"
echo $1
echo "***** ***** ***** *****"
}
#
# Grab the latest serial # from the file, auto-increment
#
get_serial() {
SERIAL=`head SERIAL`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
fi
}
# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
#
# ***** ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
generate_ca() {
# params
UNIQ_ID_CA=$1
SERIAL=$2
# encrypt the key
#openssl genrsa -aes256 -out ca.keys.pem 4096
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
}
#
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
generate_ca_i() {
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
# params
UNIQ_ID_CA=$1
SERIAL=$2
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config $CA_CNF -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
# create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
}
#
# Generate a Server Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
#
generate_server() {
echo_block "Generate Server Certificates (${UNIQ_ID})"
# params
UNIQ_ID=$1
UNIQ_ID_CA=$2
SERIAL=$3
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "server_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
}
#
# Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
#
generate_client() {
echo_block "Generate Client Certificates (${UNIQ_ID})"
# params
UNIQ_ID=$1
UNIQ_ID_CA=$2
SERIAL=$3
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-out "client_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client
openssl x509 -req -days 365 \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
}
#
# give some info if someone tries to execute this
echo_block "this script file has only helper functions"

125
src/pki_bootstrap/pki_bootstrap.sh
View File

@ -81,126 +81,15 @@ one-time-ca() {
FQ_CA_DIR=`pwd` FQ_CA_DIR=`pwd`
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem" FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem" FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
generate_ca $UNIQ_ID_CA $SERIAL
# initialize the functions lib
pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/cnf/"
# generate a new CA
gen_ca $UNIQ_ID_CA $SERIAL
cd .. cd ..
} }
#
# Organize the files into logical folders based on serial #
#
organize() {
# organize the client directory
mkdir -p clients/ca-i
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
mv client*.pem clients/data/
mv client*.p12 clients/distro/
mv client*.info.txt clients/docs/
cp ca_i*.crt.pem clients/ca-i/
cp ca_i*.keys.pem clients/ca-i/
# organize the server directory
mkdir -p servers/ca-i
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
mv server_*.pem servers/data/
mv server_*.p12 servers/distro/
mv server_*.info.txt servers/docs/
cp ca_i*.crt.pem servers/ca-i/
cp ca_i*.keys.pem servers/ca-i/
# organize the ca-i directory
# order matters: move these files last because they were copied above
mkdir -p ca-i/data
mkdir -p ca-i/docs
mv ca_i*.pem ca-i/data/
mv ca_i*.info.txt ca-i/docs/
mv ca_i*.p12 ca-i/
mv ca_cert-chain*.pem ca-i/
cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
}
#
# Copies all applcations to the Lifecycle package
#
# Requires:
# UNIQ_DIR_LC : unique string for the Lifecycle directory
# UNIQ_ID_CA-I : unique string for the CA-I
#
cp_pki_lifecycle() {
# CA-I
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
# client
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
# server
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
}
#
# Generate a PKI chain
# - the certificate chain is unique based on the serial #
# - generate a new CA I
# - generate two server certificates
# - generate two client certificates
#
# INPUT: BASE SERIAL #, LOOP NUM
#
gen_pki_certs() {
B_SERIAL=$1
NUM_CERTS=$(($2-1))
# Create CA Intermediate
UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}"
generate_ca_i $UNIQ_ID_CAI $B_SERIAL
# Server Certificates
for NUM in $(seq 0 $NUM_CERTS)
do
generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
done
# Client Certificates
for NUM in $(seq 0 $NUM_CERTS)
do
generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
done
}
#
# INPUT: SERIAL #, LOOP NUM
#
gen_pki() {
# organization
CDD=`pwd`
SERIAL=$1
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
mkdir -p "distrobution/${UNIQ_DIR_CA}"
cd "distrobution/${UNIQ_DIR_CA}"
# geneate certificates, organize the files
gen_pki_certs $SERIAL $2
organize
cp_pki_lifecycle
# return to last path
cd $CDD
}
main() { main() {
CD_ROOT=`pwd` CD_ROOT=`pwd`
@ -208,7 +97,7 @@ main() {
app_init app_init
one-time-ca one-time-ca
gen_pki 1001 2 ca-i_gen_pki 1001 2
# gen_pki 50001 5 # gen_pki 50001 5
# gen_pki 80001 10 # gen_pki 80001 10

232
src/pki_bootstrap/pki_bootstrap2.sh Executable file
View File

@ -0,0 +1,232 @@
#!/bin/bash
#
# ACME PKI (Certificate) Bootstrap v1.3
#
# This script will generate all the files necessary to build a certificate chain of trust
# using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other
# helper scripts will generate new client/server certificates
#
# source this file to include the functions
. libs/pki_funcs_old.sh
PARAM1=$1
usage() {
echo
echo "This application will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
echo "pki lifecyle package"
echo " -put the .cnf config files into the ./cnf directory"
echo
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
echo
echo "Example: pki_bootstrap org.acme.xyz"
exit 1
}
#
# CA generation requires .cnf files
# create CA directory
# create bash variables to CA
# restore script back to original path
#
app_init() {
if [[ -n $PARAM1 ]]; then
# need to know the location of the configuration file (expected to be in same dir path as this script)
CA_CNF="$CD_ROOT/cnf/ca.cnf"
# handle the case of having the ".cnf" extension or not
if [[ ${PARAM1: -4} == .cnf ]]; then
ORG_URL=${PARAM1%.*}
S_CNF=${PARAM1}
echo "ASDF: ${ORG_URL}, ${S_CNF}"
else
ORG_URL=$PARAM1
S_CNF="${PARAM1}.cnf"
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi
FQ_S_CNF="${CD_ROOT}/cnf/${S_CNF}"
if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
usage
fi
else
usage
fi
}
#
# IN: UNIQ_ID_CA, SERIAL
#
one-time-ca() {
# params
#SERIAL="101"
get_serial
echo_block "SERIAL == ${SERIAL}"
# Organize
#
# create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
mkdir -p "${UNIQ_DIR_LC}"
cd "${UNIQ_DIR_LC}"
# create certificate
UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
CA_DIR="ca_${UNIQ_ID_CA}"
mkdir $CA_DIR
cd $CA_DIR
FQ_CA_DIR=`pwd`
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
generate_ca $UNIQ_ID_CA $SERIAL
cd ..
}
#
# Organize the files into logical folders based on serial #
#
organize() {
# organize the client directory
mkdir -p clients/ca-i
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
mv client*.pem clients/data/
mv client*.p12 clients/distro/
mv client*.info.txt clients/docs/
cp ca_i*.crt.pem clients/ca-i/
cp ca_i*.keys.pem clients/ca-i/
# organize the server directory
mkdir -p servers/ca-i
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
mv server_*.pem servers/data/
mv server_*.p12 servers/distro/
mv server_*.info.txt servers/docs/
cp ca_i*.crt.pem servers/ca-i/
cp ca_i*.keys.pem servers/ca-i/
# organize the ca-i directory
# order matters: move these files last because they were copied above
mkdir -p ca-i/data
mkdir -p ca-i/docs
mv ca_i*.pem ca-i/data/
mv ca_i*.info.txt ca-i/docs/
mv ca_i*.p12 ca-i/
mv ca_cert-chain*.pem ca-i/
cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
}
#
# Copies all applcations to the Lifecycle package
#
# Requires:
# UNIQ_DIR_LC : unique string for the Lifecycle directory
# UNIQ_ID_CA-I : unique string for the CA-I
#
cp_pki_lifecycle() {
# CA-I
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
# client
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
# server
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
}
#
# Generate a PKI chain
# - the certificate chain is unique based on the serial #
# - generate a new CA I
# - generate two server certificates
# - generate two client certificates
#
# INPUT: BASE SERIAL #, LOOP NUM
#
gen_pki_certs() {
B_SERIAL=$1
NUM_CERTS=$(($2-1))
# Create CA Intermediate
UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}"
generate_ca_i $UNIQ_ID_CAI $B_SERIAL
# Server Certificates
for NUM in $(seq 0 $NUM_CERTS)
do
generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
done
# Client Certificates
for NUM in $(seq 0 $NUM_CERTS)
do
generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
done
}
#
# INPUT: SERIAL #, LOOP NUM
#
gen_pki() {
# organization
CDD=`pwd`
SERIAL=$1
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
mkdir -p "distrobution/${UNIQ_DIR_CA}"
cd "distrobution/${UNIQ_DIR_CA}"
# geneate certificates, organize the files
gen_pki_certs $SERIAL $2
organize
cp_pki_lifecycle
# return to last path
cd $CDD
}
main() {
CD_ROOT=`pwd`
LIB_PATH="${CD_ROOT}/libs"
app_init
one-time-ca
gen_pki 1001 2
# gen_pki 50001 5
# gen_pki 80001 10
# make sure we return to root execution path
cd "${CD_ROOT}"
}
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
#
# main execution begins here (because all the functions have to be defined)
#
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
main
# ***** ***** ***** *****
#
#
#
# ***** ***** ***** *****

0
src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/SERIAL → src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/cfg/SERIAL
View File

0
src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/ca-i/ca-i.crt.pem → src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/clients/cfg/ca-i.crt.pem
View File

0
src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/SERIAL → src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/SERIAL
View File

0
src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/ca-i/ca-i.crt.pem → src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/ca-i.crt.pem
View File

55
src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/skunkworks.acme.xyz.cnf Normal file
View File

@ -0,0 +1,55 @@
#
#
# IMPORTANT INFO
#
#
[ v3_server ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Corp"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
#subjectAltName = IP:192.168.123.129
[ alt_names ]
DNS.1 = "skunkworks.acme.xyz"
#
#
# FORCED TO INCLUDE THIS JUNK
#
#
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
#x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =