MOD: initial commit

This commit is contained in:
JohnE 2018-08-02 11:09:21 -07:00
commit 8510375d68
30 changed files with 2087 additions and 0 deletions

31
.gitignore vendored Normal file

@ -0,0 +1,31 @@
# Project specific files
sftp-config.json
.DS_Store
**/var/
**/cert_gen/acme.xyz_fl/
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
*.egg-info/
.installed.cfg
*.egg
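Review bot: The ignore list misses the directories the bootstrap script actually writes to. `cert_bootstrap` creates `cert-chain_<timestamp>/` next to the script and fills it with unencrypted `*.keys.pem` files and `*.p12` bundles, while only `**/var/` and `**/cert_gen/acme.xyz_fl/` are excluded here; add patterns such as `cert-chain_*/`, `*.keys.pem` and `*.p12` so private key material cannot be committed by accident.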

77
README Normal file

@ -0,0 +1,77 @@
============================
Certificate Generation
Version 3.x
============================
-------------
INTRO
-------------
This package contains a set of programs to generate an entire certificate chain of trust
and will configure StrongSwan server. .p12 files are generated for client distribution.
Features:
* Certificate Authority (CA) creation
* Server and Client certificate generation (based on CA)
* CA and Client certificate packaged as .p12 file for easy import to Android (other clients too)
* Ubuntu networking configuration scripts (tunneling enabled)
---------------------
VERSIONS
---------------------
Version 3.1 - MOB Hub PKI
* PKI Bootstrap
- generate an entire chain-of-trust
* PKI Lifecycle
- generate certificates during the CA's lifecycle
Version 3.0 - CA Intermediate Support
* requires openssl (does not require ipsec)
* CA Intermediate support
-root CA can be generated with 5-10yr expiration, put into cold-storage
* small to large organizational support
---------------------
TODO
---------------------
* SCEP support
---------------------
TROUBLESHOOTING
---------------------
1) Look at the error log for detailed information:
$ tail -n 40 /var/log/syslog
2) Check the date/time of the device. A common problem is a certificate date/time valid range issue.
Make sure your server date is within the CA, and Server certificate valid date.
----------------
METHODOLOGY
----------------
------------
HISTORY
------------
version 3.x
* strongswan: new configuration that uses DN (distinguished name) to authenticate clients
(previous configs used local IP address for authentication)
* certificate generation moved to another repository
- separated into two stages
stage 1 : pki bootstrap
stage 2 : pki lifecycle
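Review bot: The METHODOLOGY section is empty (two dashed rules with nothing between them), and TROUBLESHOOTING step 2 tells the reader to check the date without saying how to see the certificate's validity window. Either fill METHODOLOGY with the two-stage flow already described under HISTORY (stage 1 pki bootstrap, stage 2 pki lifecycle) or drop the heading, and add `openssl x509 -noout -dates -in <cert>` to step 2 so the "within the CA and Server certificate valid date" comparison is concrete.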

82
docs/bbb Normal file

@ -0,0 +1,82 @@
[[[ BeagleBone Black BBB ]]]
[[ Configs ]]
[ Networking ]
USB0: debian@192.168.7.2
ETH0: debian@10.10.10.110
user: debian
pass: temppwd
screen -L -S bbb /dev/tty.usbserial-AH05JI3A 115200
[ Date / Time ]
Fix the date/time of the BeagleBone Black otherwise the certificates won''t work.
$ date -s '2016-11-09 12:34:56'
$ date +%Y%m%d -s "yyyymmdd"
$ date +%Y%m%d -s "20100622"
$ date yymmddhhmmss
[ eMMC ]
# Flash the onboard eMMC
$ xz -cd bbb.xz | ssh ubuntu@192.168.7.2 'dd of=/dev/mmcblk1 bs=1M'
# backup eMMC to laptop
$ dd if=/dev/mmcblk0 bs=1m | ssh j3g@10.5.1.51 'dd of=~/bbb.img'
# compress the .img file
$ xz -z bbb.img
[[ Software ]]
[ Drivers ]
USB Serial Driver
download from my box.com/drivers
@ http://www.ftdichip.com/Drivers/VCP.htm
[ Kernel ]
Linux Kernel 2.6+ includes IPsec
[[ Links ]]
[ BeageBone Black Wireless ]
# general page
@ https://beagleboard.org/black-wireless
# forum
@ https://beagleboard.org/discuss#bone_forum_embed
[[ Specs ]]
@ http://www.armhf.com/boards/beaglebone-black/
@ http://elinux.org/BeagleBoardUbuntu
Ubuntu 14.04 LTS, 4.1.2-bone12.arm
Ubuntu Image 2015-07-08
[ Kernel ]
# compile the kernel on BBB
@ https://help.ubuntu.com/community/Kernel/Compile
[ BBB Linux Source Code ]
@ https://github.com/beagleboard/linux
[ BeagleBone Black Wireless ]
1ghz TI AM335x ARM Cortex A8
512MB DDR3
4GB flash storage internal
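Review bot: A password is recorded in clear text under [ Networking ] (`user: debian` / `pass: temppwd`); even if these are the image defaults, the doc should say "default image credentials, change on first boot" rather than store one. Two smaller points: the `date` examples mix forms (`date +%Y%m%d -s "yyyymmdd"` and `date yymmddhhmmss` are not equivalent, and the latter does not match GNU date's `MMDDhhmm[[CC]YY][.ss]` form; keep the `date -s '2016-11-09 12:34:56'` style), and the eMMC backup `dd if=/dev/mmcblk0 bs=1m` runs on the board, where GNU dd expects `bs=1M`. The flash step also logs in as `ubuntu@192.168.7.2` while [ Networking ] lists `debian@192.168.7.2`.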

78
docs/bbb_ti Normal file

@ -0,0 +1,78 @@
[[[ BeagleBone Black TI OS Development ]]]
[[ TI Arago 3.03 ]]
user: root
[ Network Interfaces ]
eth0 Link encap:Ethernet HWaddr 50:65:83:E4:4F:37
UP BROADCAST MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
UP LOOPBACK RUNNING MTU:65536 Metric:1
inet addr:127.0.0.1 Mask:255.0.0.0
screen -L -S bbb /dev/tty.usbserial-AH05JI3A 115200
[[ Toolchain - (Linaro GCC-based toolchain) ]]
[[ StrongSwan Compile ]]
[[ SDK Install ]]
1) $ ti-processor-sdk-linux-am335x-evm-03.03.00.04-Linux-x86-Install.bin
2) $ sudo apt-get install u-boot-tools
$ sudo ./setup.sh
[ Issues ]
[ uboot-mkimage ]
Package uboot-mkimage is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
u-boot-tools:i386 u-boot-tools
[[ TI BeableBone Black Dev Board ]]
@http://www.ti.com/tool/beaglebk
processor: AM335X (1GHz AM3359 Sitara ARM Cortex-A8)
[[ Ubuntu LTS 16.04.x ]]
release notes: @https://wiki.ubuntu.com/XenialXerus/ReleaseNotes
SDK requires 16.04.x to work properly
[[ PROCESSOR-SDK-LINUX-AM335X 03_03_00_04 ]]
CPU SDK (AM335X)
@http://www.ti.com/tool/processor-sdk-am335x
XDEV Lab Supported SDK
@http://software-dl.ti.com/processor-sdk-linux/esd/AM335X/03_03_00_04/index_FDS.html
Create SD Card ... using SDK
@http://processors.wiki.ti.com/index.php/Processor_SDK_Linux_create_SD_card_script
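Review bot: Step 1 under [[ SDK Install ]] invokes the installer by bare name (`$ ti-processor-sdk-linux-am335x-evm-03.03.00.04-Linux-x86-Install.bin`); unless it is executable and on PATH that fails, so write it as `chmod +x` followed by `./ti-processor-sdk-linux-am335x-evm-03.03.00.04-Linux-x86-Install.bin`. The [ Network Interfaces ] dump records the board's MAC address (`HWaddr 50:65:83:E4:4F:37`), which is device-identifying and adds nothing to the doc. Typo in the heading `[[ TI BeableBone Black Dev Board ]]` (BeagleBone).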

90
docs/bbb_wifi Normal file

@ -0,0 +1,90 @@
[[[ BeagleBone Black Wifi ]]]
[[ Config ]]
[ Network Interfaces ]
/etc/network/interfaces
USB0: debian@192.168.7.2
ETH0: debian@192.168.6.1
[ Serial ]
# /dev/tty.usbmodem-XXXX
# /dev/tty.usbserial-XXXX
# /dev/tty.usbserial-AH05JI3A
# connect to serial device, log to a file ("screenlog.0"), name screen "bbb"
# ls /dev/tty.usb*
$ screen -L -R bbb /dev/tty.usbserial-AH05JI3A 115200
user: root
# screen commands
detach: Ctrl+A Ctrl+d
exit: Ctrl+A Ctrl+\
[ WiFi Access Point ]
SSID: BeagleBone-4F37
Pass: BeagleBone
"tether" interface
IP: 192.168.0.1
[[ WiFi Configs ]]
[ Config X ]
$ connmanctl
connmanctl>
connmanctl> scan wifi
connmanctl> services
.. wifi_506583e44f37_2e2e_managed_psk
connmanctl> agent on
connmanctl> connect wifi_506583e44f37_2e2e_managed_psk
Passphrase? 12345Gledhill12345
Connected wifi_506583e44f37_2e2e_managed_psk
[ Config XX ]
wpa_supplicant -B -i wlan0 -c < (SSID PASS)
[ Config 1 ]
$ vim /etc/network/interaces
auto wlan0
iface wlan0 inet dhcp
wpa-ssid {ssid}
wpa-psk {password}
$ sudo dhclient wlan0
[ Config 2 ]
$ sudo ifconfig wlan0 up
$ sudo iwlist wlan0 scan
$ sudo iwconfig wlan0 essid CrystalWifi key s:newsky12
$ sudo dhclient wlan0
[ Turn off]
$ sudo ifconfig wlan0 down
[ Config Option 3 ]
$ connmanctl
#connmanctl> tether wifi disable
#connmanctl> enable wifi
#connmanctl> scan wifi
#connmanctl> services
#connmanctl> agent on
#connmanctl> connect wifi_*_managed_psk
#connmanctl> quit
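Review bot: Wi-Fi secrets are committed in clear text: the connmanctl transcript under [ Config X ] keeps the passphrase answer (`Passphrase? 12345Gledhill12345`) and [ Config 2 ] embeds a key in the command (`iwconfig wlan0 essid CrystalWifi key s:newsky12`). Replace both with placeholders such as `{password}`, as [ Config 1 ] already does, and treat the exposed credentials as burned; note also that `key s:` configures WEP, which offers no real protection. Two correctness points: `$ vim /etc/network/interaces` is misspelled (`interfaces`), and `wpa_supplicant -B -i wlan0 -c < (SSID PASS)` is not runnable because `-c` takes a configuration file, normally produced with `wpa_passphrase <ssid> <pass> > /etc/wpa_supplicant.conf`.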

30
docs/ca_dev_notes Normal file

@ -0,0 +1,30 @@
[[[ Certificate Dev Notes ]]]
[[ Steps ]]
* install CA certificate
* install CA I certificate
* install .p12 file for client authentication
-push .p12 to /data/media/0/Download
* install CA I certificate as truste
-push ca_i.crt.pem files to /data/media/0/Download
[[ Issues ]]
[ Client Authentication Failure ]
1. CANNOT AUTHENTICATE SERVER
-install CA I certificate (from .pem file)
2. CANNOT VALIDATE SERVER CERT (timestamp issue)
-"subject certificate invalid (valid from May 1 ...)"
-fix time on Android device
3. CONSTRAINT CHECK FAILED
"constraint check failed: identity '192.168.123.129' required"
-need to add SAN using v3 extensions
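Review bot: `* install CA I certificate as truste` is cut off (trusted?), and item 3 under [ Client Authentication Failure ] should name the fix: `constraint check failed: identity '192.168.123.129' required` means the server certificate carries no subjectAltName matching the address the client connects to, which is exactly the `subjectAltName` line in the `[ v3_server ]` section of the server .cnf; stating that link here saves the next reader a search. Minor: the .p12 and ca_i.crt.pem push steps both target `/data/media/0/Download` and could be one step.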

149
docs/ca_i_notes Normal file

@ -0,0 +1,149 @@
[[[ Certificates ]]]
[[ VPN Two-Factor Authentication (2FA) ]]
# example for 2FA
http://ocserv.gitlab.io/www/recipes-ocserv-2fa.html
[[ OpenSSL ]]
# openssl ca (command that uses a text database to create CRLs and certificates with serials)
@ https://www.openssl.org/docs/manmaster/man1/ca.html
# opensll x509
@ https://www.openssl.org/docs/manmaster/man1/x509.html
[[ Android ]]
# Android 7.x changes cert installation behavior changes
@ https://stackoverflow.com/questions/39215229/how-to-get-charles-proxy-work-with-android-7-nougat
"What complicates matters is that the Settings -> Security -> Install from storage
does not provide an explicit way for the user to specify whether they are installing
a client authentication credential (private key + cert chain) or a server authentication
trust anchor (just a CA cert -- no private key needed).
As a result, the Settings -> Security -> Install from storage flow guesses whether it''s
dealing with client/user authentication credential or server authentication trust anchor
by assuming that, if a private key is specified, it must be a client/user authentication credential."
[[ StrongSwan Maintenance Cert ]]
[[ StrongSwan CA Intermediates ]]
[[ Certificate Attributes ]]
@ https://superuser.com/questions/738612/openssl-ca-keyusage-extension#738644
# example of configuration options
@ https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf
pathLenConstraintof == 0
"I.e. a pathLenConstraintof 0 does still allow the CA to issue certificates,
but these certificates must be end-entity-certificates (the CA flag in BasicConstraints
is false - these are the "normal" certificates that are issued to people or organizations)"
pathLenConstraintof > 0
"If the pathLenConstraintof a given CA certificate is > 0, then it expresses the number
of possible intermediate CA certificates in a path built from an end-entity certificate
up to the CA certificate. Let''s say CA X has a pathLenConstraint of 2, the end-entity
certificate is issued to EE. Then the following scenarios are valid (I denoting an
intermediate CA certificate)"
VALID
X - EE
X - I1 - EE
X - I1 - I2 - EE
INVALID
X - I1 - I2 - I3 - EE
[[ VPN Clients ]]
[ misc notes ]
TUN/TAP
"Mac OS X users with OS X 10.6 or older, or using OpenConnect 6.00 or older,
will also need to install the Mac OS X tun/tap driver. Newer versions of OpenConnect
will use the utun device on OS X which does not require additional kernel modules to
be installed."
[ openconnect ]
# Support --key-password for GnuTLS PKCS#11 PIN.
# site
@ http://www.infradead.org/openconnect/
# comments that this works
@ https://gist.github.com/moklett/3170636
# compiling
@ http://www.infradead.org/openconnect/building.html
[ tunnelbrick ]
@ https://github.com/Tunnelblick/Tunnelblick
@ https://www.tunnelblick.net/cInstall.html
[[ IKEv2 vs OpenVPN ]]
@ https://security.stackexchange.com/questions/105967/ikev2-vs-openvpn
@ https://security.stackexchange.com/questions/63330/are-there-any-reasons-for-using-ssl-over-ipsec
[[ CA Intermediate ]]
[ Links ]
# nice tutorial site
@ https://roll.urown.net/ca/ca_intermed_setup.html
#
@ https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
#
@ https://smartnets.wordpress.com/2017/04/27/create-certificate-chain-and-sign-certificates-using-openssl/
# simple, direct, examples
@ https://wiki.cementhorizon.com/display/CH/Example+CA%2C+Intermediate%2C+and+Server+Certificate
# Wiki
@ https://en.wikipedia.org/wiki/Certificate_signing_request
[ Example Code ]
# Generate CSR & CA_I keys
$ openssl req -new -newkey rsa:2048 -nodes -out ca_i.csr -keyout ca_i_key_222.key -subj "/C=US/ST=Railroad/L=Train/O=ACME INC./OU=ACME Flyaway/CN=www.acme.xyz"
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
# Create Intermediate
openssl genrsa -out intermediate.key 4096
openssl req -new -sha1 -key intermediate.key -out intermediate.csr
# CA signs Intermediate
openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt
# Create Server
openssl genrsa -out test.example.com.key 4096
openssl req -new -key test.example.com.key -out test.example.com.csr
# Intermediate signs Server
openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt
[ Certificate Signing Request ]
# "US", "RailRoad", "City", "ACME", "ACME FLyaway", "flyaway.acme.xyz", "admin@acme.xyz"
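Review bot: The [ Example Code ] chain will not validate as a CA hierarchy: the "CA signs Intermediate" step `openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt` passes no `-extfile`/`-extensions`, so intermediate.crt is issued without `basicConstraints = CA:true` and `keyUsage = keyCertSign`, and a strict verifier rejects anything it signs; add `-extfile <cnf> -extensions v3_ca_i` as the bootstrap script does. The same snippet uses `-sha1` (`openssl req -new -x509 -nodes -sha1 ...`), contradicting the "SHA-1 is deprecated" comment in ca.cnf; drop the flag or use `-sha256`. Typos: `opensll x509`, and `pathLenConstraintof` in the quoted text should read `pathLenConstraint of`.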

17
docs/ca_i_ss Normal file

@ -0,0 +1,17 @@
[[[ CA Intermediate StrongSwan Config Notes ]]]
[ Info ]
* IKEv2/IPsec
[ Links ]
# Configure
@ https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
# strongswan ikev2 setup with lets-encrypt certs
@ https://github.com/jawj/IKEv2-setup
# vpn tech info
@ https://www.bestvpn.com/vpn-encryption-the-complete-guide/

12
docs/ccc_certs Normal file

@ -0,0 +1,12 @@
[[[ Certificate Code Command & Control ]]]
# show the sections of the package file
$ openssl pkcs12 -in ~/cert.p12 -nodes -passin pass:"password"
# show all textual information
$ openssl pkcs12 -in ~/cert.p12 -nodes -passin pass:"password" | \
openssl x509 -noout -text
openssl x509 -noout -subject
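Review bot: The last line `openssl x509 -noout -subject` is orphaned: the pipeline above ends at `openssl x509 -noout -text` and nothing feeds this one, so it is either a second alternative (prefix it with the same `openssl pkcs12 ... |`) or a stray continuation. Also worth knowing for the reader: `openssl pkcs12 -nodes` prints the private key in clear on stdout, and `openssl x509` only parses the first certificate in that stream. To list every certificate in the bundle without the key, use `openssl pkcs12 -in ~/cert.p12 -nokeys -passin pass:...` (or `-clcerts` for the client certificate only).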

19
docs/cert_overlord Normal file

@ -0,0 +1,19 @@
[[[ Certificate Overlord ]]]
* GUI with modern design (responsive)
-modern form input features: auto complete, highlighting
* simple wizard
* simple mode for "generate client certificate"
* advanced mode for "create template"
* uses modern crypto (wolfssl, openssl, can be in FIPS mode)
* batch generation from templates
* key generation using good random bits
* export to .p12 files using password-scheme
** SCEP support using 3rd party (headless mode)
-use the GUI to turn the service on/off
-pre-packaged
-can use the same CA-I as the GUI, but headless ("keystore")
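Review bot: `* export to .p12 files using password-scheme` and `* key generation using good random bits` state requirements without saying what they mean: name the scheme (per-file random password delivered out of band, not the fixed `pass:password` the bootstrap script uses today) and the RNG source (the OS CSPRNG behind OpenSSL/wolfSSL), otherwise neither can be checked once implemented.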

99
docs/cert_string_notes Normal file

@ -0,0 +1,99 @@
[[[ Certificate Strings Notes ]]]
[ Certificat Chain Example Strings ]
# look here to find text of a certificate chain for Apple certs
@see ss-vpn/source/ss/dev/screenshots/cert_examples
* "Apple Root CA" : root certificate authority
--> "Developer ID Certificate Authority" : Intermediate Certificate Authority
--> "Developer ID Installer: Prolific Tech Inc (2MP849R8J5)"
* "Apple Root CA" : root certificate authority
Subject Name:
"Common Name" : "Apple Root CA"
"Organization Unit" : "Apple Certificate Authority"
"Organization" : "Apple Inc."
"Country" : "US"
Issuer Name:
"Common Name" : "Apple Root CA"
"Organization Unit" : "Apple Certificate Authority"
"Organization" : "Apple Inc."
"Country" : "US"
"Serial Number" : 2
"Version" : 3
"Sign Alg" : "SHA-1"
Extension Key Usage:
Critical : "Yes"
Usage : "Key Cert Sign, CRL Sign"
Extension Basic Constraint:
Critical : "Yes"
Certificate Authority : "Yes"
--> "Developer ID Certificate Authority" : Intermediate Certificate Authority
Subject Name:
"Common Name" : "Developer ID Certificate Authority"
"Country" : "US"
"Organization" : "Apple Inc."
"Organization Unit" : "Apple Certificate Authority"
Issuer Name:
"Country" : "US"
"Organization" : "Apple Inc."
"Organization Unit" : "Apple Certificate Authority"
"Common Name" : "Apple Root CA"
"Serial Number" : 2
"Version" : 3
"Sign Alg" : "SHA-1"
Extension Key Usage:
Critical : "Yes"
Usage : "Digital Signature, Key Cert Sign, CRL Sign"
Extension Basic Constraint:
Critical : "Yes"
Certificate Authority : "Yes"
--> "Developer ID Installer: Prolific Tech Inc (2MP849R8J5)"
Subject Name:
"Country": "US"
"Organization" : "Apple Inc."
"Organization Unit" : "Apple Certificate Authority"
"Common Name" : "Developer ID Certificate Authority"
Issuer Name:
"Country": "US"
"Organization" : "Apple Inc."
"Organization Unit" : "Apple Certificate Authority"
"Common Name" : "Apple Root CA"
"Serial Number" : 2
"Version" : 3
"Sign Alg" : "SHA-1"
Extension Key Usage:
Critical : "Yes"
Usage : "Digital Signature"
Extension Basic Constraint:
Critical : "Yes"
Certificate Authority : "No"
[ Certificate Serial # ]
"
In a certificate, the serial number is chosen by the CA which issued the certificate.
It is just written in the certificate. The CA can choose the serial number in any way
as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is
supposed to choose unique serial numbers, that is, unique for the CA. You cannot count
on a serial number being unique worldwide; in the dream world of X.509, it is the pair
issuerDN+serial which is unique worldwide (each CA having its own unique distinguished
name, and taking care not to reuse serial numbers).
The thumbprint is a hash value computed over the complete certificate, which includes
all its fields, including the signature. That one is unique worldwide, for a given
certificate, up to the inherent collision resistance of the used hash function.
Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known,
but no actual collision has been produced (yet). A collision attack on SHA-1 has now
been demonstrated by researchers from CWI and Google.
"
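Review bot: The third block, `--> "Developer ID Installer: Prolific Tech Inc (2MP849R8J5)"`, repeats the intermediate's names instead of the leaf's: its Subject Name still says `"Common Name" : "Developer ID Certificate Authority"`, its Issuer Name `"Apple Root CA"`, and the serial is again `2`. For an end-entity certificate the subject should be the Developer ID Installer name and the issuer the intermediate (`Developer ID Certificate Authority`) with its own serial; as written the example would not chain. Heading typo: `Certificat Chain Example Strings`.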

95
docs/pkcs12-ca_i_s Normal file

@ -0,0 +1,95 @@
openssl pkcs12 -in ca/ca_i_s.p12 -nodes -passin pass:"password"
MAC verified OK
Bag Attributes
localKeyID: 3F 42 B6 D2 5A EB 0E 82 20 D3 30 9E 3A C9 5F 8A 81 8A 4E BC
friendlyName: CA Intermediate Mobile Provision
subject=/C=OO/O=ACME/OU=ACME Intermediate/CN=01001.i.acme.xyz
issuer=/C=OO/O=ACME/CN=root.acme.xyz
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
localKeyID: 3F 42 B6 D2 5A EB 0E 82 20 D3 30 9E 3A C9 5F 8A 81 8A 4E BC
friendlyName: CA Intermediate Mobile Provision
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
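Review bot: This file is a dump of the intermediate CA's PKCS#12 bundle taken with `openssl pkcs12 ... -nodes`, i.e. with the private key decrypted; committing that output (even with the PEM bodies elided here) alongside the export password on the command line is a handling problem for CA key material, and the `localKeyID`/`friendlyName` lines alone carry no documentation value. Keep the command with `-nokeys` for a certificate-only listing and drop the `PRIVATE KEY` block.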

163
docs/pkcs12-client_m Normal file

@ -0,0 +1,163 @@
openssl pkcs12 -in ca/ca_i_s.p12 -nodes -passin pass:"password"
MAC verified OK
Bag Attributes
localKeyID: 6E 5B F0 AF 1A 9A 92 CC D9 A5 51 8E 84 3C F5 7A BE 03 99 72
friendlyName: Client 1 VPN Certificate
subject=/C=OO/O=ACME/OU=ACME Maintenance/CN=client_m
issuer=/C=OO/O=ACME/OU=ACME Intermediate/CN=01002.i.acme.xyz
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
friendlyName: client_m@acme.xyz
subject=/C=OO/O=ACME/OU=ACME Intermediate/CN=01002.i.acme.xyz
issuer=/C=OO/O=ACME/CN=root.acme.xyz
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=OO/O=ACME/CN=root.acme.xyz
issuer=/C=OO/O=ACME/CN=root.acme.xyz
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
localKeyID: 6E 5B F0 AF 1A 9A 92 CC D9 A5 51 8E 84 3C F5 7A BE 03 99 72
friendlyName: Client 1 VPN Certificate
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
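Review bot: The command at the top, `openssl pkcs12 -in ca/ca_i_s.p12 -nodes -passin pass:"password"`, is copied from the previous doc, but the output is the client bundle (`friendlyName: Client 1 VPN Certificate`, `CN=client_m`), so the input path is wrong. Same concern as pkcs12-ca_i_s about dumping a private key with `-nodes` into a committed file. Also note the chain here runs through `01002.i.acme.xyz`, while the intermediate doc shows `01001.i.acme.xyz`; if both are meant to describe one provisioning chain, one of the two docs is stale.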

51
docs/pki_agile Normal file

@ -0,0 +1,51 @@
[[[ Agile Tasking ]]]
[[ WORKING ]]
* CA-I serial #s ??
X.p12 file for CA-I (to import into M$ products)
-.p12 file extractor for MH provisioning
* create GUI for cert gen process (electron+crypto-interface)
* create certificate installation guide
-copy file to sd, select .p12 file, password="password"
* can I install certificates from an android application??
-can I used knox to install certificates??
[[ BACKLOG ]]
[ ver3 ]
* create new "certificate bootstrap" with .cfg parameters for CA ".mil" strings
* create new CA generation script that also reads .cfg
* create new CA-I generation script that uses a CA
-also packages .p12 for distrobution (use random high quality password)
* create new client generation script that uses CA-I
-just for testing purposes
* create new server generation script that uses CA-I
-just for testing purposes
* update ver3/conf so that ipsec.conf is default
-update ipsec_dev.conf to have developer
[ bootstrap cert chain-of-trust ]
* select bootstrap generation cpu (beaglebone, raspi)
* change strings from "acme.xyz" to ".mil"
* generate bootstrap
-sneakernet two CA-I
[ ver4 ]
[[ COMPLETED ]]
[[ ISSUES ]]
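Review bot: The installation-guide item `-copy file to sd, select .p12 file, password="password"` documents the fixed export password that `cert_bootstrap` hardcodes for every .p12; the backlog already says "use random high quality password" for the CA-I bundle, and the same should hold for client bundles, with the guide stating that the password is delivered separately. Typos: `distrobution`, `can I used knox`. `[ ver4 ]`, `[[ COMPLETED ]]` and `[[ ISSUES ]]` are empty headings.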

17
docs/screen_clean_dev Normal file

@ -0,0 +1,17 @@
cat -v screenlog.0 | tr -d '^@^M' >> fartface
sed 's/\x00\x0a//g' screenlog.0 > fartface
sed 's/^@^M//g' screenlog.0 > fartface
@^@^M
tr -d '\b\r^M\000' < screenlog.0 | cat -v >> whyusuck
cat -v screenlog.0 | tr -d '\b\r'
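Review bot: The first line, `cat -v screenlog.0 | tr -d '^@^M'`, deletes the literal characters `^`, `@` and `M` from the `cat -v` rendering rather than NUL and CR, so it strips real text; `sed 's/^@^M//g'` has the same problem and additionally treats `^` as an anchor. The working core is `tr -d '\b\r\000' < screenlog.0`: the `^M` in the fifth line is redundant with `\r` and, as literal `^` and `M`, also removes real characters, and `cat -v` must come after `tr`, not before, because it rewrites the control characters `tr` is looking for. The scratch output names `fartface`/`whyusuck` should be replaced before this lands in docs.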

10
docs/tablets Normal file

@ -0,0 +1,10 @@
[[[ Samsung Tablets ]]]
[[ Android Recovery (bootloader) ]]
[ Wipe data / Factory reset ]
1. Turn off the device.
2. Press and hold the Volume Up key and the Home key, then press and hold the Power key.
3. When the Samsung Galaxy Tab E logo screen displays, release only the Power key
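Review bot: The [ Wipe data / Factory reset ] procedure stops at step 3 (release the Power key) without the steps that reach the recovery menu and select the wipe option, so as written it does not do what the heading says; complete it or mark it as partial. Worth one extra line here: the tablet clock must be set again after a reset, since ca_dev_notes traces `CANNOT VALIDATE SERVER CERT (timestamp issue)` to the device time.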


@ -0,0 +1,303 @@
#!/bin/bash
#
# ACME Certificate Bootstrap v1.3
#
# This script will generate all the files necessary to build a certificate chain of trust
# using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other
# helper scripts will generate new client/server certificates
#
PARAM1=$1
usage() {
echo
echo "This script will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other"
echo "helper scripts will generate new certificates"
echo
echo "Usage: cert_bootstrap <.cnf file (minus the .cnf)>"
echo
echo "Example: cert_bootstrap org.acme.xyz"
exit 1
}
echo_block() {
echo
echo
echo "***** ***** ***** *****"
echo $1
echo "***** ***** ***** *****"
}
#
# CA generation requires .cnf files
# create CA directory
# create bash variables to CA
# restore script back to original path
#
app_init() {
if [[ -n $PARAM1 ]]; then
# need to know the location of the configuration file (expected to be in same dir path as this script)
CA_CNF="$CD/ca.cnf"
# handle the case of having the ".cnf" extension or not
if [[ ${PARAM1: -4} == .cnf ]]; then
ORG_URL=${PARAM1%.*}
S_CNF=${PARAM1}
echo "ASDF: ${ORG_URL}, ${S_CNF}"
else
ORG_URL=$PARAM1
S_CNF="${PARAM1}.cnf"
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi
FQ_S_CNF="${CD}/${S_CNF}"
if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
usage
fi
else
usage
fi
# Organize
#
# create a unique path for the server certificate
UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR="cert-chain_${UNIQ_DIR}"
mkdir -p "${UNIQ_DIR}"
cd "${UNIQ_DIR}"
# FQ_DIR="${CD}/${UNIQ_DIR}"
}
#
# IN: UNIQ_ID_CA, SERIAL
#
one-time-ca() {
# params
SERIAL="101"
UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
CA_DIR="ca_${UNIQ_ID_CA}"
mkdir $CA_DIR
cd $CA_DIR
generate_ca $UNIQ_ID_CA $SERIAL
FQ_CA_DIR=`pwd`
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
cd ..
}
# ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY
#
# ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
generate_ca() {
# params
UNIQ_ID_CA=$1
SERIAL=$2
# encrypt the key
#openssl genrsa -aes256 -out ca.keys.pem 4096
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
}
#
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
generate_ca_i() {
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
# params
UNIQ_ID_CA=$1
SERIAL=$2
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config $CA_CNF -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}_crt_info.txt"
# create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
}
#
# Generate a Server Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
#
generate_server() {
echo_block "Generate Server Certificates (${UNIQ_ID})"
# params
UNIQ_ID=$1
UNIQ_ID_CA=$2
SERIAL=$3
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "server_${UNIQ_ID}.csr.pem"
# Intermediate signs Server
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
}
#
# Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
#
generate_client() {
echo_block "Generate Client Certificates (${UNIQ_ID})"
# params
UNIQ_ID=$1
UNIQ_ID_CA=$2
SERIAL=$3
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-out "client_${UNIQ_ID}.csr.pem"
# Intermediate signs Client
openssl x509 -req -days 365 \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
}
#
# Organize the files into logical folders based on serial #
#
organize() {
# cert info
mkdir docs
mv *.txt docs/
# move all files to folders
mkdir ca-i
mv ca_i*.pem ca-i/
mkdir servers
mv server_*.pem servers/
mkdir clients
mv client*.pem clients/
}
#
# Generate a PKI chain
# - the certificate chain is unique based on the serial #
# - generate a new CA I
# - generate two server certificates
# - generate two client certificates
#
# INPUT: BASE SERIAL #, LOOP NUM
#
gen_pki_certs() {
B_SERIAL=$1
NUM_CERTS=$2
# Create CA Intermediate
UNIQ_ID_CA="${B_SERIAL}.${ORG_URL}"
generate_ca_i $UNIQ_ID_CA $B_SERIAL
# Server Certificates
for NUM in $(seq 1 $2)
do
generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CA $((B_SERIAL+NUM))
done
# Client Certificates
for NUM in $(seq 1 $2)
do
generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CA $((B_SERIAL+NUM))
done
}
#
# INPUT: SERIAL #, LOOP NUM
#
gen_pki() {
SERIAL=$1
mkdir "ca_i_${SERIAL}.${ORG_URL}"
cd "ca_i_${SERIAL}.${ORG_URL}"
gen_pki_certs $SERIAL $2
organize
cd ..
}
main() {
CD=`pwd`
app_init
one-time-ca
gen_pki 10001 2
gen_pki 50001 5
gen_pki 80001 10
cd "${CD}"
}
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
#
# main execution begins here (because all the functions have to be defined)
#
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
main
# ***** ***** ***** *****
#
#
#
# ***** ***** ***** *****
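Review bot: `gen_pki_certs` issues duplicate serial numbers under one issuer: servers and clients both receive `$((B_SERIAL+NUM))` for `NUM` in `1..N` and are both signed by the same CA-I, so for `gen_pki 10001 2` server 10002 and client 10002 share a serial, which breaks the issuer+serial uniqueness that X.509 and CRLs rely on; give the two loops disjoint ranges (or track serials in a file). Second, `generate_client` signs with `openssl x509 -req -days 365` and no `-extfile`/`-extensions`, so client certificates get no `basicConstraints = CA:FALSE` and no `extendedKeyUsage = clientAuth`; the `[ usr_cert ]` section in ca.cnf exists for this and should be passed as `-extfile $CA_CNF -extensions usr_cert`. Third, every `.p12` is exported with `-password "pass:password"` and the root key is generated unprotected (`# key un-protected`), which contradicts the README's cold-storage intent for the root CA; at minimum encrypt the root key and derive bundle passwords per file. Smaller points: `generate_ca_i`, `generate_server` and `generate_client` call `echo_block` with `${UNIQ_ID_CA}`/`${UNIQ_ID}` before assigning them from `$1`, so the banner shows the previous call's value; `for NUM in $(seq 1 $2)` should use `$NUM_CERTS`; the `ASDF:`/`ZXCV:` debug echoes should go; the comment above `generate_ca` says "generate a CA Intermediate"; and without `set -euo pipefail` a failed openssl step is silently followed by the next, leaving a partial chain.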


@ -0,0 +1,56 @@
#
#
# IMPORTANT INFO
#
#
[ v3_server ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Generated"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.1.3
#subjectAltName = @san_info
[ san_info ]
IP = 192.168.1.3
#
#
# FORCED TO INCLUDE THIS JUNK
#
#
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
#x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =
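Review bot: `subjectAltName = IP:192.168.1.3` under `[ v3_server ]` pins the server certificate to one literal address, and the commented `#subjectAltName = @san_info` with `[ san_info ] IP = 192.168.1.3` is the same value in another form; since the client-side failure recorded in ca_dev_notes was `identity '192.168.123.129' required`, the SAN must equal the name or address the VPN clients are configured with, and it belongs in the per-deployment .cnf the script takes as its argument rather than a fixed value (the sibling server cnf's `DNS.1` form is preferable to an IP). The `nsCertType`/`nsComment` lines are Netscape-era extensions that current validators ignore. The "IMPORTANT INFO" and "FORCED TO INCLUDE THIS JUNK" banners do not say why the `[ req ]` section is needed: `openssl req -new -config $FQ_S_CNF` reads `distinguished_name` from it.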


@ -0,0 +1,113 @@
# Root CA configuration file.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_ca_i ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "ACME Generated"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Generated"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
#subjectAltName = "192.168.123.129"
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
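Review bot: the commented `#subjectAltName = "192.168.123.129"` at the end of `[ server_cert ]` would not work even if uncommented, because x509v3_config requires a type prefix (`IP:192.168.123.129` or `DNS:host`), and as written the section issues server certificates with no SAN at all, so clients that ignore the CN (as current TLS stacks do) cannot match the certificate to the host they connect to. Suggest `subjectAltName = IP:192.168.123.129` or `subjectAltName = @alt_names` with a per-server section; `nsCertType` and `nsComment` are legacy Netscape extensions that can be dropped without affecting validation.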


@ -0,0 +1,55 @@
#
#
# IMPORTANT INFO
#
#
[ v3_server ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Corp"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
#subjectAltName = IP:192.168.123.129
[ alt_names ]
DNS.1 = "skunkworks.acme.xyz"
#
#
# FORCED TO INCLUDE THIS JUNK
#
#
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
#x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =
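Review bot: the `# IMPORTANT INFO` and `# FORCED TO INCLUDE THIS JUNK` banners carry no information; replace them with the actual reason, which is that `openssl req -config` errors out with "unable to find 'distinguished_name'" unless `[ req ]` names a `distinguished_name` section, even when the subject comes from `-subj`, and state which script and which `-extensions` name consumes `v3_server`. If the server must also be reachable by address, the commented `#subjectAltName = IP:192.168.123.129` should become `IP.1 = 192.168.123.129` inside `[ alt_names ]` rather than a second `subjectAltName` key, since only one value of a repeated key in a section takes effect.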


@ -0,0 +1,80 @@
#!/bin/bash
#
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
PARAM1=$1
PARAM2=$2
usage() {
echo
echo "Generate a new CA Intermediate certificate"
echo
echo "This program will generate a new certificate authority (CA) intermediate"
echo "It requires a CA certificate used to sign CA Intermediate"
echo "Requires the file \"ca.pem\" that is used to sign the certificates"
echo ""
echo ""
echo ""
echo
echo " usage: gen_ca-i.sh <Org URL> <Serial>"
echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo
exit 1
}
error_no_ca_file() {
echo
echo "ERROR: missing ca.pem"
echo
usage
}
generate_ca_i() {
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
# params
UNIQ_ID_CA=$1
SERIAL=$2
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config $CA_CNF -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}_crt_info.txt"
# create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
}
main() {
if [[ ! -f ca-i.pem ]]
error_no_ca_file
if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then
generate_ca_i $PARAM1 $PARAM2
else
usage
fi
}
main
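Review bot: `main()` is broken: `if [[ ! -f ca-i.pem ]]` has no `then`/`fi`, so bash rejects the whole script before running anything, and the file it tests (`ca-i.pem`) is neither the `ca.pem` the usage text names nor what `generate_ca_i` actually reads (`$CA_CNF`, `$FQ_CA_CERT`, `$FQ_CA_KEYS`, none of which this script sets). The argument test `[[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]` should be `&&`, since both the org URL and the serial are required; `echo_block` is called before `UNIQ_ID_CA=$1` is assigned (and is not defined in this file); and the intermediate CA's private key is generated unencrypted and then exported into a `.p12` with the hard-coded `-password "pass:password"`. A signing key for an intermediate needs a passphrase supplied out of band (`-passout` from a prompt, file or environment variable) and should not be bundled for distribution at all, since relying parties only need the certificate.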


@ -0,0 +1,56 @@
#
#
# IMPORTANT INFO
#
#
[ v3_server ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Generated"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.1.3
#subjectAltName = @san_info
[ san_info ]
IP = 192.168.1.3
#
#
# FORCED TO INCLUDE THIS JUNK
#
#
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
#x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =
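Review bot: `subjectAltName = IP:192.168.1.3` in `[ v3_server ]` gives the server certificate an address-only identity, so it validates only for peers configured to reach the server at exactly 192.168.1.3; if the endpoint also has a host name, add it as `DNS.1 = ...` under `[ san_info ]` and switch to the commented `@san_info` form, keeping one form rather than an active inline value plus an unused section that can drift apart. As in the other server config, the `# FORCED TO INCLUDE THIS JUNK` banner should say why `[ req ]`/`[ req_distinguished_name ]` are present (`openssl req -config` requires a `distinguished_name` entry even with `-subj`).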


@ -0,0 +1,113 @@
# Root CA configuration file.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_ca_i ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "ACME Generated"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Generated"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
#subjectAltName = "192.168.123.129"
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
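Review bot: `[ CA_default ]` is incomplete for `openssl ca`: it has no `dir`, `database`, `serial`, `new_certs_dir`, `certificate` or `private_key` entries, so `openssl ca -config` with this file cannot run, which makes `policy_strict`/`policy_loose`, `default_days = 375` and `[ crl_ext ]` dead configuration; the scripts in this commit sign with `openssl x509 -req -set_serial` instead, which keeps no issuance database and therefore gives no way to produce a CRL for revoking a server or client certificate. Either complete `CA_default` (and sign via `openssl ca` so an index is maintained) or remove the unused sections and document that revocation is out of scope. The root `[ v3_ca ]` has no `pathlen`; with `v3_ca_i` at `pathlen:0` that is acceptable, but `pathlen:1` on the root would state the intended two-tier depth explicitly.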


@ -0,0 +1,55 @@
#
#
# IMPORTANT INFO
#
#
[ v3_server ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "ACME Corp"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
#subjectAltName = IP:192.168.123.129
[ alt_names ]
DNS.1 = "skunkworks.acme.xyz"
#
#
# FORCED TO INCLUDE THIS JUNK
#
#
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
#x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = State51
localityName_default =
0.organizationName_default = ACME R&D
organizationalUnitName_default =
emailAddress_default =
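Review bot: this file is identical, line for line, to the earlier `v3_server`/`alt_names` config for `skunkworks.acme.xyz` in this commit (same `nsComment = "ACME Corp"`, same `DNS.1`); two copies of a server extension file will drift apart, so either keep one and pass it to the script by path, or document what distinguishes this copy. The same notes apply: the `FORCED TO INCLUDE THIS JUNK` banner should explain that `openssl req -config` needs a `distinguished_name` entry even with `-subj`, and the commented `#subjectAltName = IP:...` line belongs in `[ alt_names ]` as `IP.1` if it is wanted.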


@ -0,0 +1,116 @@
#!/bin/bash
#
# ACME Certificate Authority Generation v1.0
#
#
PARAM1=$1
usage() {
echo
echo "This script will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other"
echo "helper scripts will generate new certificates"
echo
echo "Usage: cert_bootstrap <.cnf file (minus the .cnf)>"
echo
echo "Example: cert_bootstrap org.acme.xyz"
exit 1
}
echo_block() {
echo
echo
echo "***** ***** ***** *****"
echo $1
echo "***** ***** ***** *****"
}
#
# CA generation requires .cnf files
# create CA directory
# create bash variables to CA
# restore script back to original path
#
app_init() {
if [[ -n $PARAM1 ]]; then
# need to know the location of the configuration file (expected to be in same dir path as this script)
CA_CNF="$CD/ca.cnf"
# handle the case of having the ".cnf" extension or not
if [[ ${PARAM1: -4} == .cnf ]]; then
ORG_URL=${PARAM1%.*}
S_CNF=${PARAM1}
echo "ASDF: ${ORG_URL}, ${S_CNF}"
else
ORG_URL=$PARAM1
S_CNF="${PARAM1}.cnf"
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi
FQ_S_CNF="${CD}/${S_CNF}"
if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
usage
fi
else
usage
fi
# Organize
#
# create a unique path for the server certificate
UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR="cert-chain_${UNIQ_DIR}"
mkdir -p "${UNIQ_DIR}"
cd "${UNIQ_DIR}"
# FQ_DIR="${CD}/${UNIQ_DIR}"
}
#
# IN: UNIQ_ID_CA, SERIAL
#
one-time-ca() {
# params
SERIAL="101"
UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
CA_DIR="ca_${UNIQ_ID_CA}"
mkdir $CA_DIR
cd $CA_DIR
generate_ca $UNIQ_ID_CA $SERIAL
FQ_CA_DIR=`pwd`
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
cd ..
}
# ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY
#
# ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
generate_ca() {
# params
UNIQ_ID_CA=$1
SERIAL=$2
# encrypt the key
#openssl genrsa -aes256 -out ca.keys.pem 4096
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
}
main() {
}
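Review bot: the script cannot run as committed: `main() { }` with an empty body is a bash syntax error, `main` is never invoked, and `$CD` (used in `CA_CNF="$CD/ca.cnf"` and `FQ_S_CNF`) is never assigned, so the config paths resolve under `/`. The debug `echo "ASDF: ..."`/`echo "ZXCV: ..."` lines should go, the comment above `generate_ca` says it builds a CA Intermediate when it builds the root, and the commented alternative `openssl genrsa -aes256 -password "pass:password"` uses an option `genrsa` does not have (`-passout` is the passphrase option). On the security side, the root key is written unprotected (`# key un-protected`) and the 10-year root certificate is issued from it in the same working directory; if this root is meant for cold storage, generate it with `-aes256` and a passphrase supplied via `-passout` from a prompt or file, not a literal in the script.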


@ -0,0 +1,62 @@
#!/bin/bash
#
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
PARAM1=$1
PARAM2=$2
usage() {
echo
echo "Generate a new certificate"
echo
echo "This program will generate a new certificate authority intermediate"
echo "Requires the file ca-i.pem that is used to sign the certificates"
echo "The script requires a CA Intermediate certificate used to sign the client"
echo ""
echo ""
echo ""
echo
echo "Generate a new certificate"
echo " usage: gen_server.sh <CA Intermediate> <Org URL> <Serial>"
echo
echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\"
echo " skunkworks.acme.xyz \\"
echo " 10052 \\"
echo
exit 1
}
#
# Generate a Server Certificate
# IN: ${SERIAL}, ${UNIQ_ID}
#
generate_server() {
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "server_${UNIQ_ID}.csr.pem"
# Intermediate signs Server
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
}
# if all argument strings are empty, then continue execution
if [[ -n $1 ]] && [[ -n $2 ]] && [[ -n $3 ]]; then
UNIQ_ID_CA=$1
ORG_URL=$2
SERIAL=$3
UNIQ_ID="${ORG_URL}_${SERIAL}"
generate_server
else
usage
fi
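Review bot: the first argument is documented as the intermediate's certificate file (`gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem ...`) but the code treats `UNIQ_ID_CA=$1` as a bare identifier and builds `ca_i_${UNIQ_ID_CA}.crt.pem` from it, so following the example yields a path like `ca_i_ca_i_skunkworks.acme.xyz_10001.crt.pem.crt.pem` and signing fails; pick one convention and make usage match. `FQ_S_CNF`, which both `openssl req -config` and `-extfile` depend on, is never set in this script, `PARAM1`/`PARAM2` are assigned but unused, the header and usage text are copied from the intermediate script ("Create CA Intermediate", "Requires the file ca-i.pem"), and the comment `# if all argument strings are empty, then continue execution` says the opposite of the `-n` test below it.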


@ -0,0 +1,58 @@
#!/bin/bash
#
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
PARAM1=$1
PARAM2=$2
usage() {
echo
echo "Generate a new certificate"
echo
echo "This program will generate a new certificate authority intermediate"
echo "Requires the file ca-i.pem that is used to sign the certificates"
echo "The script requires a CA Intermediate certificate used to sign the client"
echo ""
echo ""
echo ""
echo
echo "Generate a new certificate"
echo " usage: gen_server.sh <CA Intermediate> <Org URL> <Serial>"
echo
echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\"
echo " skunkworks.acme.xyz \\"
echo " 10052 \\"
echo
exit 1
}
generate_client() {
echo_block "Generate Client Certificates (${UNIQ_ID})"
# params
UNIQ_ID=$1
UNIQ_ID_CA=$2
SERIAL=$3
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-out "client_${UNIQ_ID}.csr.pem"
# Intermediate signs Client
openssl x509 -req -days 365 \
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
}