WIP: re-org the code to support the lifecycle applications. working on the variables passed and the paths to the .cnf, CA-I files

src/pki_bootstrap/libs/pki_funcs.sh

@@ -3,6 +3,20 @@
 # all main functions to generate a PKI certificate chain
 # 
 
+#
+# Set the CA variables
+#
+pki_func_init() {
+  if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
+    FQ_CA_CERT=$1
+    FQ_CA_KEYS=$2
+    CNF_PATH=$3
+    APP_INIT=1
+  else
+    APP_INIT=0
+  fi
+}
+
 #
 # print text wrapped in a block
 #
@@ -32,7 +46,7 @@ get_serial() {
 # This function will generate a CA Intermediate
 # IN: UNIQ_ID_CA, SERIAL
 #
-generate_ca() {
+gen_ca() {
   # params
   UNIQ_ID_CA=$1
   SERIAL=$2
@@ -44,7 +58,7 @@ generate_ca() {
   openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
   # 
   # Create Certificate   (valid for 10 years, after the entire chain of trust expires)
-  openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
+  openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
               -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
               -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
 
@@ -53,28 +67,84 @@ generate_ca() {
 }
 
 #
+# Create CA Intermediate PKI
+# 
+# 
+#
+# INPUT:  SERIAL #, LOOP NUM
+# 
+ca-i_gen_pki() {
+  # organization
+  CDD=`pwd`
+  SERIAL=$1
+  LOOP_NUM=$2
+  UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
+  mkdir -p "distrobution/${UNIQ_DIR_CA}"
+  cd "distrobution/${UNIQ_DIR_CA}"
+
+  # geneate certificates, organize the files
+  ca-i_gen_pki_certs $SERIAL $LOOP_NUM
+  organize
+  cp_pki_lifecycle
+
+  # return to last path
+  cd $CDD
+}
+
+#
+# Generate a PKI chain
+#   - the certificate chain is unique based on the serial #
+#   - generate a new CA I
+#   - generate two server certificates
+#   - generate two client certificates
+#
+# INPUT:  BASE SERIAL #, LOOP NUM
+# 
+# Requires: FQ_CA_CERT, FQ_CA_KEYS
+# 
+ca-i_gen_pki_certs() {
+  SERIAL=$1
+  NUM_CERTS=$(($2-1))
+
   # Create CA Intermediate
-# 
-# 
+  UNIQ_ID_CAI="${SERIAL}.${ORG_URL}" 
+  ca-i_gen_cert $UNIQ_ID_CAI $SERIAL
+
+  # Server Certificates
+  for NUM in $(seq 0 $NUM_CERTS)
+  do
+    gen_server "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
+  done
+
+  # Client Certificates
+  for NUM in $(seq 0 $NUM_CERTS)
+  do
+    gen_client "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
+  done
+}
+
 # This function will generate a CA Intermediate
+# 
+# Requires:  CNF file, CA cert, CA key
+# 
 # IN: UNIQ_ID_CA, SERIAL
 #
-generate_ca_i() {
+ca-i_gen_cert() {
   echo_block "Create CA Intermediate  (${UNIQ_ID_CA})"
   # params
-  UNIQ_ID_CA=$1
-  SERIAL=$2
+  UNIQ_ID_CA=$3
+  SERIAL=$4
 
   openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
 
   # Create Cert Signing Request (CSR)
-  openssl req -config $CA_CNF -new -sha256 \
+  openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
               -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
               -key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
 
   # Create Certificate   (valid for ~2 years, after the entire chain of trust expires)
   # CA signs Intermediate
-  openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
+  openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
                -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
                -in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
 
@@ -89,11 +159,77 @@ generate_ca_i() {
   # create certifiate chain
   cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
 }
+
+#
+# Organize the files into logical folders based on serial #
+#
+ca-i_organize() {
+  # organize the client directory
+  mkdir -p clients/ca-i
+  mkdir -p clients/data
+  mkdir -p clients/distro
+  mkdir -p clients/docs
+  mv client*.pem clients/data/
+  mv client*.p12 clients/distro/
+  mv client*.info.txt clients/docs/
+  cp ca_i*.crt.pem clients/ca-i/
+  cp ca_i*.keys.pem clients/ca-i/
+
+  # organize the server directory
+  mkdir -p servers/ca-i
+  mkdir -p servers/data
+  mkdir -p servers/distro
+  mkdir -p servers/docs
+  mv server_*.pem servers/data/
+  mv server_*.p12 servers/distro/
+  mv server_*.info.txt servers/docs/
+  cp ca_i*.crt.pem servers/ca-i/
+  cp ca_i*.keys.pem servers/ca-i/
+
+  # organize the ca-i directory
+  # order matters:  move these files last because they were copied above
+  mkdir -p ca-i/data
+  mkdir -p ca-i/docs
+  mv ca_i*.pem ca-i/data/
+  mv ca_i*.info.txt ca-i/docs/
+  mv ca_i*.p12 ca-i/
+  mv ca_cert-chain*.pem ca-i/
+  cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
+  cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
+}
+
+#
+# Copies all applcations to the Lifecycle package
+# 
+# Requires: 
+#   UNIQ_DIR_LC  : unique string for the Lifecycle directory
+#   UNIQ_ID_CA-I : unique string for the CA-I
+#
+ca-i_cp_docs() {
+  # CA-I
+  cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
+  cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
+
+  # client
+  cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+  cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+
+  # server
+  cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+  cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+}
+
 #
 # Generate a Server Certificate
 # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
 #
-generate_server() {
+gen_server() {
   echo_block "Generate Server Certificates  (${UNIQ_ID})"
   # params
   UNIQ_ID=$1
@@ -102,12 +238,12 @@ generate_server() {
 
   openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
 
-  openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
+  openssl req -new -config $CNF_PATH/${UNIQ_ID}.cnf -key "server_${UNIQ_ID}.keys.pem" \
               -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
               -out "server_${UNIQ_ID}.csr.pem"
 
   # CA Intermediate signs Server
-  openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
+  openssl x509 -req -days 365 -extfile $CNF_PATH/cfg.cnf -extensions v3_server \
                -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
                -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
 
@@ -119,11 +255,12 @@ generate_server() {
   # verify certificate (output to text file for review)
   openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" 
 }
+
 #
 # Generate a Client Certificate
 # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
 #
-generate_client() {
+gen_client() {
   echo_block "Generate Client Certificates  (${UNIQ_ID})"
   # params
   UNIQ_ID=$1
@@ -151,5 +288,5 @@ generate_client() {
 
 #
 # give some info if someone tries to execute this
-echo_block "this script file has only helper functions"
+# echo_block "this script file has only helper functions"
 

src/pki_bootstrap/libs/pki_funcs_old.sh

@@ -0,0 +1,155 @@
+#!/bin/bash
+#
+# all main functions to generate a PKI certificate chain
+# 
+
+#
+# print text wrapped in a block
+#
+echo_block() {
+  echo
+  echo "***** ***** ***** *****"
+  echo $1
+  echo "***** ***** ***** *****"
+}
+
+# 
+# Grab the latest serial # from the file, auto-increment
+# 
+get_serial() {
+  SERIAL=`head SERIAL`
+  if [[ -z $SERIAL ]]; then
+    SERIAL=11111
+    echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
+  fi
+}
+
+# ***** ***** ***** ***** *****
+# 
+# CERTIFICATE AUTHORITY (CA)
+# 
+# ***** ***** ***** ***** *****
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+generate_ca() {
+  # params
+  UNIQ_ID_CA=$1
+  SERIAL=$2
+  # encrypt the key
+  #openssl genrsa -aes256 -out ca.keys.pem 4096
+  #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 
+
+  # key un-protected
+  openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
+  # 
+  # Create Certificate   (valid for 10 years, after the entire chain of trust expires)
+  openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
+              -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
+              -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
+
+  # verify certificate (output to text file for review)
+  openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
+}
+
+#
+# Create CA Intermediate
+# 
+# 
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+generate_ca_i() {
+  echo_block "Create CA Intermediate  (${UNIQ_ID_CA})"
+  # params
+  UNIQ_ID_CA=$1
+  SERIAL=$2
+
+  openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
+
+  # Create Cert Signing Request (CSR)
+  openssl req -config $CA_CNF -new -sha256 \
+              -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
+              -key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
+
+  # Create Certificate   (valid for ~2 years, after the entire chain of trust expires)
+  # CA signs Intermediate
+  openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
+               -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
+               -in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
+
+  # Package the Certificate Authority Certificates for distro  (windoze needs this)
+  openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
+                 -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
+                 -in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
+
+  # verify certificate (output to text file for review)
+  openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
+
+  # create certifiate chain
+  cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
+}
+#
+# Generate a Server Certificate
+# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+#
+generate_server() {
+  echo_block "Generate Server Certificates  (${UNIQ_ID})"
+  # params
+  UNIQ_ID=$1
+  UNIQ_ID_CA=$2
+  SERIAL=$3
+
+  openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
+
+  openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
+              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
+              -out "server_${UNIQ_ID}.csr.pem"
+
+  # CA Intermediate signs Server
+  openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
+               -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+               -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
+
+  # Package the Certificates
+  openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
+                 -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
+                 -in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
+
+  # verify certificate (output to text file for review)
+  openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" 
+}
+#
+# Generate a Client Certificate
+# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+#
+generate_client() {
+  echo_block "Generate Client Certificates  (${UNIQ_ID})"
+  # params
+  UNIQ_ID=$1
+  UNIQ_ID_CA=$2
+  SERIAL=$3
+
+  openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
+
+  openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
+              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
+              -out "client_${UNIQ_ID}.csr.pem"
+  # CA Intermediate signs Client
+  openssl x509 -req -days 365 \
+               -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+               -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
+
+  # Package the Certificates
+  openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
+                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
+                 -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
+
+  # verify certificate (output to text file for review)
+  openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
+}
+
+#
+# give some info if someone tries to execute this
+echo_block "this script file has only helper functions"
+

src/pki_bootstrap/pki_bootstrap.sh

@@ -81,126 +81,15 @@ one-time-ca() {
   FQ_CA_DIR=`pwd`
   FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
   FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
-  generate_ca $UNIQ_ID_CA $SERIAL
+
+  # initialize the functions lib
+  pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/cnf/"
+
+  # generate a new CA
+  gen_ca $UNIQ_ID_CA $SERIAL
   cd ..
 }
 
-#
-# Organize the files into logical folders based on serial #
-#
-organize() {
-  # organize the client directory
-  mkdir -p clients/ca-i
-  mkdir -p clients/data
-  mkdir -p clients/distro
-  mkdir -p clients/docs
-  mv client*.pem clients/data/
-  mv client*.p12 clients/distro/
-  mv client*.info.txt clients/docs/
-  cp ca_i*.crt.pem clients/ca-i/
-  cp ca_i*.keys.pem clients/ca-i/
-
-  # organize the server directory
-  mkdir -p servers/ca-i
-  mkdir -p servers/data
-  mkdir -p servers/distro
-  mkdir -p servers/docs
-  mv server_*.pem servers/data/
-  mv server_*.p12 servers/distro/
-  mv server_*.info.txt servers/docs/
-  cp ca_i*.crt.pem servers/ca-i/
-  cp ca_i*.keys.pem servers/ca-i/
-
-  # organize the ca-i directory
-  # order matters:  move these files last because they were copied above
-  mkdir -p ca-i/data
-  mkdir -p ca-i/docs
-  mv ca_i*.pem ca-i/data/
-  mv ca_i*.info.txt ca-i/docs/
-  mv ca_i*.p12 ca-i/
-  mv ca_cert-chain*.pem ca-i/
-  cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
-  cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
-}
-
-#
-# Copies all applcations to the Lifecycle package
-# 
-# Requires: 
-#   UNIQ_DIR_LC  : unique string for the Lifecycle directory
-#   UNIQ_ID_CA-I : unique string for the CA-I
-#
-cp_pki_lifecycle() {
-  # CA-I
-  cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
-  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
-  cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
-  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
-
-  # client
-  cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
-  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
-  cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
-  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
-
-  # server
-  cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
-  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
-  cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
-  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
-}
-
-#
-# Generate a PKI chain
-#   - the certificate chain is unique based on the serial #
-#   - generate a new CA I
-#   - generate two server certificates
-#   - generate two client certificates
-#
-# INPUT:  BASE SERIAL #, LOOP NUM
-# 
-gen_pki_certs() {
-  B_SERIAL=$1
-  NUM_CERTS=$(($2-1))
-
-  # Create CA Intermediate
-  UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}" 
-  generate_ca_i $UNIQ_ID_CAI $B_SERIAL
-
-  # Server Certificates
-  for NUM in $(seq 0 $NUM_CERTS)
-  do
-    generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
-  done
-
-  # Client Certificates
-  for NUM in $(seq 0 $NUM_CERTS)
-  do
-    generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
-  done
-}
-
-#
-# INPUT:  SERIAL #, LOOP NUM
-# 
-gen_pki() {
-  # organization
-  CDD=`pwd`
-
-  SERIAL=$1
-  UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
-  mkdir -p "distrobution/${UNIQ_DIR_CA}"
-  cd "distrobution/${UNIQ_DIR_CA}"
-
-  # geneate certificates, organize the files
-  gen_pki_certs $SERIAL $2
-  organize
-  cp_pki_lifecycle
-
-  # return to last path
-  cd $CDD
-}
-
 
 main() {
   CD_ROOT=`pwd`
@@ -208,7 +97,7 @@ main() {
 
   app_init
   one-time-ca
-  gen_pki 1001 2
+  ca-i_gen_pki 1001 2
 #  gen_pki 50001 5
 #  gen_pki 80001 10
   

src/pki_bootstrap/pki_bootstrap2.sh

@@ -0,0 +1,232 @@
+#!/bin/bash
+#
+# ACME PKI (Certificate) Bootstrap v1.3
+# 
+# This script will generate all the files necessary to build a certificate chain of trust
+# using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other
+# helper scripts will generate new client/server certificates
+# 
+
+# source this file to include the functions
+. libs/pki_funcs_old.sh
+
+PARAM1=$1
+
+usage() {
+  echo
+  echo "This application will generate all the files necessary to build a certificate chain of trust"
+  echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
+  echo "pki lifecyle package"
+  echo "  -put the .cnf config files into the ./cnf directory"
+  echo 
+  echo "Usage: pki_bootstrap  <.cnf file (minus the .cnf)>"
+  echo
+  echo "Example: pki_bootstrap  org.acme.xyz"
+  exit 1
+}
+
+#
+# CA generation requires .cnf files
+# create CA directory
+# create bash variables to CA
+# restore script back to original path
+#
+app_init() {
+  if [[ -n $PARAM1 ]]; then
+    # need to know the location of the configuration file  (expected to be in same dir path as this script)
+    CA_CNF="$CD_ROOT/cnf/ca.cnf"
+
+    # handle the case of having the ".cnf" extension or not
+    if [[ ${PARAM1: -4} == .cnf ]]; then
+      ORG_URL=${PARAM1%.*}
+      S_CNF=${PARAM1}
+      echo "ASDF: ${ORG_URL},  ${S_CNF}"
+    else
+      ORG_URL=$PARAM1
+      S_CNF="${PARAM1}.cnf"
+      echo "ZXCV: ${ORG_URL},  ${S_CNF}"
+    fi
+
+    FQ_S_CNF="${CD_ROOT}/cnf/${S_CNF}"
+    if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
+      usage
+    fi
+  else
+    usage
+  fi
+}
+
+#
+# IN: UNIQ_ID_CA, SERIAL
+#
+one-time-ca() {
+  # params
+  #SERIAL="101"
+
+  get_serial
+  echo_block "SERIAL == ${SERIAL}"
+  # Organize
+  # 
+  # create a unique path for the server certificate
+  UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
+  UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
+  mkdir -p "${UNIQ_DIR_LC}"
+  cd "${UNIQ_DIR_LC}"
+
+  # create certificate
+  UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
+  CA_DIR="ca_${UNIQ_ID_CA}"
+  mkdir $CA_DIR
+  cd $CA_DIR
+  FQ_CA_DIR=`pwd`
+  FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
+  FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
+  generate_ca $UNIQ_ID_CA $SERIAL
+  cd ..
+}
+
+#
+# Organize the files into logical folders based on serial #
+#
+organize() {
+  # organize the client directory
+  mkdir -p clients/ca-i
+  mkdir -p clients/data
+  mkdir -p clients/distro
+  mkdir -p clients/docs
+  mv client*.pem clients/data/
+  mv client*.p12 clients/distro/
+  mv client*.info.txt clients/docs/
+  cp ca_i*.crt.pem clients/ca-i/
+  cp ca_i*.keys.pem clients/ca-i/
+
+  # organize the server directory
+  mkdir -p servers/ca-i
+  mkdir -p servers/data
+  mkdir -p servers/distro
+  mkdir -p servers/docs
+  mv server_*.pem servers/data/
+  mv server_*.p12 servers/distro/
+  mv server_*.info.txt servers/docs/
+  cp ca_i*.crt.pem servers/ca-i/
+  cp ca_i*.keys.pem servers/ca-i/
+
+  # organize the ca-i directory
+  # order matters:  move these files last because they were copied above
+  mkdir -p ca-i/data
+  mkdir -p ca-i/docs
+  mv ca_i*.pem ca-i/data/
+  mv ca_i*.info.txt ca-i/docs/
+  mv ca_i*.p12 ca-i/
+  mv ca_cert-chain*.pem ca-i/
+  cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
+  cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
+}
+
+#
+# Copies all applcations to the Lifecycle package
+# 
+# Requires: 
+#   UNIQ_DIR_LC  : unique string for the Lifecycle directory
+#   UNIQ_ID_CA-I : unique string for the CA-I
+#
+cp_pki_lifecycle() {
+  # CA-I
+  cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
+  cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
+
+  # client
+  cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+  cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
+
+  # server
+  cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+  cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+  cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
+  cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
+}
+
+#
+# Generate a PKI chain
+#   - the certificate chain is unique based on the serial #
+#   - generate a new CA I
+#   - generate two server certificates
+#   - generate two client certificates
+#
+# INPUT:  BASE SERIAL #, LOOP NUM
+# 
+gen_pki_certs() {
+  B_SERIAL=$1
+  NUM_CERTS=$(($2-1))
+
+  # Create CA Intermediate
+  UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}" 
+  generate_ca_i $UNIQ_ID_CAI $B_SERIAL
+
+  # Server Certificates
+  for NUM in $(seq 0 $NUM_CERTS)
+  do
+    generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
+  done
+
+  # Client Certificates
+  for NUM in $(seq 0 $NUM_CERTS)
+  do
+    generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
+  done
+}
+
+#
+# INPUT:  SERIAL #, LOOP NUM
+# 
+gen_pki() {
+  # organization
+  CDD=`pwd`
+
+  SERIAL=$1
+  UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
+  mkdir -p "distrobution/${UNIQ_DIR_CA}"
+  cd "distrobution/${UNIQ_DIR_CA}"
+
+  # geneate certificates, organize the files
+  gen_pki_certs $SERIAL $2
+  organize
+  cp_pki_lifecycle
+
+  # return to last path
+  cd $CDD
+}
+
+
+main() {
+  CD_ROOT=`pwd`
+  LIB_PATH="${CD_ROOT}/libs"
+
+  app_init
+  one-time-ca
+  gen_pki 1001 2
+#  gen_pki 50001 5
+#  gen_pki 80001 10
+  
+  # make sure we return to root execution path
+  cd "${CD_ROOT}"
+}
+
+
+# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
+# 
+# main execution begins here  (because all the functions have to be defined)
+# 
+# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
+
+main
+
+# ***** ***** ***** *****
+# 
+#
+# 
+# ***** ***** ***** *****

src/sandbox/pki-chain_2018-08-06.11_53_11/distrobution/ca_i_10001.skunkworks.acme.xyz/servers/cfg/skunkworks.acme.xyz.cnf

@@ -0,0 +1,55 @@
+#
+#
+#  IMPORTANT INFO
+#
+#
+[ v3_server ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "ACME Corp"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+#subjectAltName = IP:192.168.123.129
+
+[ alt_names ]
+DNS.1 = "skunkworks.acme.xyz"
+
+#
+#
+# FORCED TO INCLUDE THIS JUNK
+#
+#
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+#x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = State51
+localityName_default            =
+0.organizationName_default      = ACME R&D
+organizationalUnitName_default  =
+emailAddress_default            =
+