commit 8510375d680e14a379f822e2eb2dd1b4fea1fd5f
Author: JohnE
Date: Thu Aug 2 11:09:21 2018 -0700
MOD: initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..af68f6a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,31 @@
+# Project specific files
+sftp-config.json
+.DS_Store
+**/var/
+**/cert_gen/acme.xyz_fl/
+
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+*.egg-info/
+.installed.cfg
+*.egg
diff --git a/README b/README
new file mode 100644
index 0000000..05e3404
--- /dev/null
+++ b/README
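Review bot: The ignore list excludes `**/cert_gen/acme.xyz_fl/` and Python build output but has no pattern for key material, and this same commit adds `docs/pkcs12-ca_i_s` and `docs/pkcs12-client_m`, which are `openssl pkcs12 -nodes` dumps containing `-----BEGIN PRIVATE KEY-----` blocks. Under `# Project specific files` I would add `*.p12` and `*.key` (and `*_key*` if the generators keep naming keys like `ca_i_key_222.key` as docs/ca_i_notes shows) so that bundles and private keys are never staged by a stray `git add -A`. An ignore pattern only prevents future accidents; it does not help with the two dumps already in this commit, which need to be removed from history and the keys rotated.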
@@ -0,0 +1,77 @@ + + ============================ + Certificate Generation + Version 3.x + ============================ + + +------------- + INTRO +------------- + +This package contains a set of programs to generate an entire certificate chain of trust + and will configure StrongSwan server. .p12 files are generated for client distribution. + +Features: + * Certificate Authority (CA) creation + * Server and Client certificate generation (based on CA) + * CA and Client certificate packaged as .p12 file for easy import to Android (other clients too) + * Ubuntu networking configuration scripts (tunneling enabled) + + + +--------------------- + VERSIONS +--------------------- + +Version 3.1 - MOB Hub PKI + * PKI Bootstrap + - generate an entire chain-of-trust + * PKI Lifecycle + - generate certificates during the CA's lifecycle +Version 3.0 - CA Intermediate Support + * requires openssl (does not require ipsec) + * CA Intermediate support + -root CA can be generated with 5-10yr expiration, put into cold-storage + * small to large organizational support + + + +--------------------- + TODO +--------------------- + * SCEP support + + + +--------------------- + TROUBLESHOOTING +--------------------- + +1) Look at the error log for detailed information: + $ tail -n 40 /var/log/syslog + +2) Check the date/time of the device. A common problem is a certificate date/time valid range issue. +Make sure your server date is within the CA, and Server certificate valid date. + + + +---------------- + METHODOLOGY +---------------- + + + + +------------ + HISTORY +------------ +version 3.x + * strongswan: new configuration that uses DN (distinguished name) to authenticate clients + (previous configs used local IP address for authentication) + * certificate generation moved to another repository + - separated into two stages + stage 1 : pki bootstrap + stage 2 : pki lifecycle + + diff --git a/docs/bbb b/docs/bbb new file mode 100644 index 0000000..55eb212 --- /dev/null +++ b/docs/bbb 
@@ -0,0 +1,82 @@ +[[[ BeagleBone Black BBB ]]] + + +[[ Configs ]] + +[ Networking ] +USB0: debian@192.168.7.2 +ETH0: debian@10.10.10.110 +user: debian +pass: temppwd + +screen -L -S bbb /dev/tty.usbserial-AH05JI3A 115200 + + +[ Date / Time ] +Fix the date/time of the BeagleBone Black otherwise the certificates won''t work. + +$ date -s '2016-11-09 12:34:56' +$ date +%Y%m%d -s "yyyymmdd" +$ date +%Y%m%d -s "20100622" + +$ date yymmddhhmmss + + +[ eMMC ] +# Flash the onboard eMMC +$ xz -cd bbb.xz | ssh ubuntu@192.168.7.2 'dd of=/dev/mmcblk1 bs=1M' + +# backup eMMC to laptop +$ dd if=/dev/mmcblk0 bs=1m | ssh j3g@10.5.1.51 'dd of=~/bbb.img' +# compress the .img file +$ xz -z bbb.img + + + + + +[[ Software ]] + +[ Drivers ] +USB Serial Driver +download from my box.com/drivers +@ http://www.ftdichip.com/Drivers/VCP.htm + + +[ Kernel ] +Linux Kernel 2.6+ includes IPsec + + + +[[ Links ]] + +[ BeageBone Black Wireless ] +# general page +@ https://beagleboard.org/black-wireless + +# forum +@ https://beagleboard.org/discuss#bone_forum_embed + + + +[[ Specs ]] +@ http://www.armhf.com/boards/beaglebone-black/ +@ http://elinux.org/BeagleBoardUbuntu + +Ubuntu 14.04 LTS, 4.1.2-bone12.arm +Ubuntu Image 2015-07-08 + + +[ Kernel ] +# compile the kernel on BBB +@ https://help.ubuntu.com/community/Kernel/Compile + + +[ BBB Linux Source Code ] +@ https://github.com/beagleboard/linux + +[ BeagleBone Black Wireless ] +1ghz TI AM335x ARM Cortex A8 +512MB DDR3 +4GB flash storage internal + diff --git a/docs/bbb_ti b/docs/bbb_ti new file mode 100644 index 0000000..311c5e5 --- /dev/null +++ b/docs/bbb_ti 
@@ -0,0 +1,78 @@ +[[[ BeagleBone Black TI OS Development ]]] + + +[[ TI Arago 3.03 ]] + +user: root + + +[ Network Interfaces ] + +eth0 Link encap:Ethernet HWaddr 50:65:83:E4:4F:37 + UP BROADCAST MULTICAST MTU:1500 Metric:1 +lo Link encap:Local Loopback + UP LOOPBACK RUNNING MTU:65536 Metric:1 + inet addr:127.0.0.1 Mask:255.0.0.0 + + +screen -L -S bbb /dev/tty.usbserial-AH05JI3A 115200 + + + +[[ Toolchain - (Linaro GCC-based toolchain) ]] + + + +[[ StrongSwan Compile ]] + + + + +[[ SDK Install ]] + +1) $ ti-processor-sdk-linux-am335x-evm-03.03.00.04-Linux-x86-Install.bin + +2) $ sudo apt-get install u-boot-tools + $ sudo ./setup.sh + + + + +[ Issues ] + +[ uboot-mkimage ] +Package uboot-mkimage is not available, but is referred to by another package. +This may mean that the package is missing, has been obsoleted, or +is only available from another source +However the following packages replace it: + u-boot-tools:i386 u-boot-tools + + + +[[ TI BeableBone Black Dev Board ]] +@http://www.ti.com/tool/beaglebk +processor: AM335X (1GHz AM3359 Sitara ARM Cortex-A8) + + + +[[ Ubuntu LTS 16.04.x ]] +release notes: @https://wiki.ubuntu.com/XenialXerus/ReleaseNotes + +SDK requires 16.04.x to work properly + + + +[[ PROCESSOR-SDK-LINUX-AM335X 03_03_00_04 ]] + +CPU SDK (AM335X) +@http://www.ti.com/tool/processor-sdk-am335x + +XDEV Lab Supported SDK +@http://software-dl.ti.com/processor-sdk-linux/esd/AM335X/03_03_00_04/index_FDS.html + + +Create SD Card ... using SDK +@http://processors.wiki.ti.com/index.php/Processor_SDK_Linux_create_SD_card_script + + + diff --git a/docs/bbb_wifi b/docs/bbb_wifi new file mode 100644 index 0000000..a212805 --- /dev/null +++ b/docs/bbb_wifi 
@@ -0,0 +1,90 @@ +[[[ BeagleBone Black Wifi ]]] + + +[[ Config ]] + + +[ Network Interfaces ] +/etc/network/interfaces +USB0: debian@192.168.7.2 +ETH0: debian@192.168.6.1 + + +[ Serial ] +# /dev/tty.usbmodem-XXXX +# /dev/tty.usbserial-XXXX +# /dev/tty.usbserial-AH05JI3A + + +# connect to serial device, log to a file ("screenlog.0"), name screen "bbb" +# ls /dev/tty.usb* +$ screen -L -R bbb /dev/tty.usbserial-AH05JI3A 115200 + +user: root + +# screen commands +detach: Ctrl+A Ctrl+d +exit: Ctrl+A Ctrl+\ + + + +[ WiFi Access Point ] +SSID: BeagleBone-4F37 +Pass: BeagleBone + +"tether" interface +IP: 192.168.0.1 + + + +[[ WiFi Configs ]] + + +[ Config X ] +$ connmanctl + +connmanctl> +connmanctl> scan wifi +connmanctl> services + .. wifi_506583e44f37_2e2e_managed_psk +connmanctl> agent on +connmanctl> connect wifi_506583e44f37_2e2e_managed_psk + Passphrase? 12345Gledhill12345 +Connected wifi_506583e44f37_2e2e_managed_psk + + +[ Config XX ] +wpa_supplicant -B -i wlan0 -c < (SSID PASS) + + +[ Config 1 ] +$ vim /etc/network/interaces +auto wlan0 +iface wlan0 inet dhcp + wpa-ssid {ssid} + wpa-psk {password} + +$ sudo dhclient wlan0 + + +[ Config 2 ] +$ sudo ifconfig wlan0 up +$ sudo iwlist wlan0 scan +$ sudo iwconfig wlan0 essid CrystalWifi key s:newsky12 +$ sudo dhclient wlan0 + +[ Turn off] +$ sudo ifconfig wlan0 down + + +[ Config Option 3 ] +$ connmanctl +#connmanctl> tether wifi disable +#connmanctl> enable wifi +#connmanctl> scan wifi +#connmanctl> services +#connmanctl> agent on +#connmanctl> connect wifi_*_managed_psk +#connmanctl> quit + + diff --git a/docs/ca_dev_notes b/docs/ca_dev_notes new file mode 100644 index 0000000..e15ce06 --- /dev/null +++ b/docs/ca_dev_notes 
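Review bot: The `connmanctl connect` transcript under `[ Config X ]` records a real WPA passphrase (`Passphrase? 12345Gledhill12345`) and `[ Config 2 ]` records another for a named SSID (`iwconfig wlan0 essid CrystalWifi key s:newsky12`); once pushed these stay in history, so both networks should be re-keyed and the notes should use placeholders the way `[ Config 1 ]` already does with `{ssid}`/`{password}`. The `iwconfig … key s:…` form also deserves a caveat: `key` configures a WEP key, not a WPA PSK, so that recipe only applies to a WEP network and should not be the documented path for a new setup. The `[ WiFi Access Point ]` entry (SSID `BeagleBone-4F37`, pass `BeagleBone`) is the out-of-box tether credential and should be changed before the board is reachable by anyone else.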
@@ -0,0 +1,30 @@ +[[[ Certificate Dev Notes ]]] + + + +[[ Steps ]] +* install CA certificate +* install CA I certificate + +* install .p12 file for client authentication + -push .p12 to /data/media/0/Download +* install CA I certificate as truste + -push ca_i.crt.pem files to /data/media/0/Download + + + +[[ Issues ]] + +[ Client Authentication Failure ] + +1. CANNOT AUTHENTICATE SERVER + -install CA I certificate (from .pem file) + +2. CANNOT VALIDATE SERVER CERT (timestamp issue) + -"subject certificate invalid (valid from May 1 ...)" + -fix time on Android device + +3. CONSTRAINT CHECK FAILED +"constraint check failed: identity '192.168.123.129' required" + -need to add SAN using v3 extensions + diff --git a/docs/ca_i_notes b/docs/ca_i_notes new file mode 100644 index 0000000..b9a7c5d --- /dev/null +++ b/docs/ca_i_notes 
@@ -0,0 +1,149 @@ +[[[ Certificates ]]] + + +[[ VPN Two-Factor Authentication (2FA) ]] +# example for 2FA +http://ocserv.gitlab.io/www/recipes-ocserv-2fa.html + + + +[[ OpenSSL ]] +# openssl ca (command that uses a text database to create CRLs and certificates with serials) +@ https://www.openssl.org/docs/manmaster/man1/ca.html + +# opensll x509 +@ https://www.openssl.org/docs/manmaster/man1/x509.html + + + +[[ Android ]] +# Android 7.x changes cert installation behavior changes +@ https://stackoverflow.com/questions/39215229/how-to-get-charles-proxy-work-with-android-7-nougat + +"What complicates matters is that the Settings -> Security -> Install from storage +does not provide an explicit way for the user to specify whether they are installing +a client authentication credential (private key + cert chain) or a server authentication +trust anchor (just a CA cert -- no private key needed). +As a result, the Settings -> Security -> Install from storage flow guesses whether it''s +dealing with client/user authentication credential or server authentication trust anchor +by assuming that, if a private key is specified, it must be a client/user authentication credential." + + +[[ StrongSwan Maintenance Cert ]] + + + +[[ StrongSwan CA Intermediates ]] + + + +[[ Certificate Attributes ]] +@ https://superuser.com/questions/738612/openssl-ca-keyusage-extension#738644 +# example of configuration options +@ https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf + +pathLenConstraintof == 0 +"I.e. 
a pathLenConstraintof 0 does still allow the CA to issue certificates, +but these certificates must be end-entity-certificates (the CA flag in BasicConstraints +is false - these are the "normal" certificates that are issued to people or organizations)" + + +pathLenConstraintof > 0 +"If the pathLenConstraintof a given CA certificate is > 0, then it expresses the number +of possible intermediate CA certificates in a path built from an end-entity certificate +up to the CA certificate. Let''s say CA X has a pathLenConstraint of 2, the end-entity +certificate is issued to EE. Then the following scenarios are valid (I denoting an +intermediate CA certificate)" + +VALID +X - EE +X - I1 - EE +X - I1 - I2 - EE + +INVALID +X - I1 - I2 - I3 - EE + + + + +[[ VPN Clients ]] + +[ misc notes ] +TUN/TAP +"Mac OS X users with OS X 10.6 or older, or using OpenConnect 6.00 or older, +will also need to install the Mac OS X tun/tap driver. Newer versions of OpenConnect +will use the utun device on OS X which does not require additional kernel modules to +be installed." + + +[ openconnect ] +# Support --key-password for GnuTLS PKCS#11 PIN. 
+ +# site +@ http://www.infradead.org/openconnect/ + +# comments that this works +@ https://gist.github.com/moklett/3170636 + +# compiling +@ http://www.infradead.org/openconnect/building.html + + +[ tunnelbrick ] +@ https://github.com/Tunnelblick/Tunnelblick +@ https://www.tunnelblick.net/cInstall.html + + + + +[[ IKEv2 vs OpenVPN ]] +@ https://security.stackexchange.com/questions/105967/ikev2-vs-openvpn +@ https://security.stackexchange.com/questions/63330/are-there-any-reasons-for-using-ssl-over-ipsec + + + + +[[ CA Intermediate ]] + +[ Links ] +# nice tutorial site +@ https://roll.urown.net/ca/ca_intermed_setup.html +# +@ https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html +# +@ https://smartnets.wordpress.com/2017/04/27/create-certificate-chain-and-sign-certificates-using-openssl/ +# simple, direct, examples +@ https://wiki.cementhorizon.com/display/CH/Example+CA%2C+Intermediate%2C+and+Server+Certificate +# Wiki +@ https://en.wikipedia.org/wiki/Certificate_signing_request + + +[ Example Code ] +# Generate CSR & CA_I keys +$ openssl req -new -newkey rsa:2048 -nodes -out ca_i.csr -keyout ca_i_key_222.key -subj "/C=US/ST=Railroad/L=Train/O=ACME INC./OU=ACME Flyaway/CN=www.acme.xyz" + + +# Create CA +openssl genrsa -out ca.key 4096 +openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt + +# Create Intermediate +openssl genrsa -out intermediate.key 4096 +openssl req -new -sha1 -key intermediate.key -out intermediate.csr + +# CA signs Intermediate +openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt + +# Create Server +openssl genrsa -out test.example.com.key 4096 +openssl req -new -key test.example.com.key -out test.example.com.csr + +# Intermediate signs Server +openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt + + +[ Certificate Signing Request ] +# "US", 
"RailRoad", "City", "ACME", "ACME FLyaway", "flyaway.acme.xyz", "admin@acme.xyz" + + + diff --git a/docs/ca_i_ss b/docs/ca_i_ss new file mode 100644 index 0000000..5c48906 --- /dev/null +++ b/docs/ca_i_ss @@ -0,0 +1,17 @@ +[[[ CA Intermediate StrongSwan Config Notes ]]] + + +[ Info ] +* IKEv2/IPsec + +[ Links ] +# Configure +@ https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04 + +# strongswan ikev2 setup with lets-encrypt certs +@ https://github.com/jawj/IKEv2-setup + +# vpn tech info +@ https://www.bestvpn.com/vpn-encryption-the-complete-guide/ + + diff --git a/docs/ccc_certs b/docs/ccc_certs new file mode 100644 index 0000000..7068094 --- /dev/null +++ b/docs/ccc_certs @@ -0,0 +1,12 @@ +[[[ Certificate Code Command & Control ]]] + + +# show the sections of the package file +$ openssl pkcs12 -in ~/cert.p12 -nodes -passin pass:"password" + +# show all textual information +$ openssl pkcs12 -in ~/cert.p12 -nodes -passin pass:"password" | \ + openssl x509 -noout -text + openssl x509 -noout -subject + + diff --git a/docs/cert_overlord b/docs/cert_overlord new file mode 100644 index 0000000..0d96c40 --- /dev/null +++ b/docs/cert_overlord @@ -0,0 +1,19 @@ +[[[ Certificate Overlord ]]] + +* GUI with modern design (responsive) + -modern form input features: auto complete, highlighting +* simple wizard +* simple mode for "generate client certificate" +* advanced mode for "create template" +* uses modern crypto (wolfssl, openssl, can be in FIPS mode) +* batch generation from templates +* key generation using good random bits +* export to .p12 files using password-scheme + +** SCEP support using 3rd party (headless mode) + -use the GUI to turn the service on/off + -pre-packaged + -can use the same CA-I as the GUI, but headless ("keystore") + + + diff --git a/docs/cert_string_notes b/docs/cert_string_notes new file mode 100644 index 0000000..4222986 --- /dev/null +++ b/docs/cert_string_notes 
@@ -0,0 +1,99 @@ +[[[ Certificate Strings Notes ]]] + + +[ Certificat Chain Example Strings ] +# look here to find text of a certificate chain for Apple certs +@see ss-vpn/source/ss/dev/screenshots/cert_examples + +* "Apple Root CA" : root certificate authority + --> "Developer ID Certificate Authority" : Intermediate Certificate Authority + --> "Developer ID Installer: Prolific Tech Inc (2MP849R8J5)" + + +* "Apple Root CA" : root certificate authority +Subject Name: + "Common Name" : "Apple Root CA" + "Organization Unit" : "Apple Certificate Authority" + "Organization" : "Apple Inc." + "Country" : "US" +Issuer Name: + "Common Name" : "Apple Root CA" + "Organization Unit" : "Apple Certificate Authority" + "Organization" : "Apple Inc." + "Country" : "US" + "Serial Number" : 2 + "Version" : 3 + "Sign Alg" : "SHA-1" +Extension Key Usage: + Critical : "Yes" + Usage : "Key Cert Sign, CRL Sign" +Extension Basic Constraint: + Critical : "Yes" + Certificate Authority : "Yes" + + +--> "Developer ID Certificate Authority" : Intermediate Certificate Authority +Subject Name: + "Common Name" : "Developer ID Certificate Authority" + "Country" : "US" + "Organization" : "Apple Inc." + "Organization Unit" : "Apple Certificate Authority" +Issuer Name: + "Country" : "US" + "Organization" : "Apple Inc." + "Organization Unit" : "Apple Certificate Authority" + "Common Name" : "Apple Root CA" + "Serial Number" : 2 + "Version" : 3 + "Sign Alg" : "SHA-1" +Extension Key Usage: + Critical : "Yes" + Usage : "Digital Signature, Key Cert Sign, CRL Sign" +Extension Basic Constraint: + Critical : "Yes" + Certificate Authority : "Yes" + + +--> "Developer ID Installer: Prolific Tech Inc (2MP849R8J5)" +Subject Name: + "Country": "US" + "Organization" : "Apple Inc." + "Organization Unit" : "Apple Certificate Authority" + "Common Name" : "Developer ID Certificate Authority" +Issuer Name: + "Country": "US" + "Organization" : "Apple Inc." 
+ "Organization Unit" : "Apple Certificate Authority" + "Common Name" : "Apple Root CA" + "Serial Number" : 2 + "Version" : 3 + "Sign Alg" : "SHA-1" +Extension Key Usage: + Critical : "Yes" + Usage : "Digital Signature" +Extension Basic Constraint: + Critical : "Yes" + Certificate Authority : "No" + + + + +[ Certificate Serial # ] +" +In a certificate, the serial number is chosen by the CA which issued the certificate. +It is just written in the certificate. The CA can choose the serial number in any way +as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is +supposed to choose unique serial numbers, that is, unique for the CA. You cannot count +on a serial number being unique worldwide; in the dream world of X.509, it is the pair +issuerDN+serial which is unique worldwide (each CA having its own unique distinguished +name, and taking care not to reuse serial numbers). + +The thumbprint is a hash value computed over the complete certificate, which includes +all its fields, including the signature. That one is unique worldwide, for a given +certificate, up to the inherent collision resistance of the used hash function. +Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, +but no actual collision has been produced (yet). A collision attack on SHA-1 has now +been demonstrated by researchers from CWI and Google. +" + + diff --git a/docs/pkcs12-ca_i_s b/docs/pkcs12-ca_i_s new file mode 100644 index 0000000..c608976 --- /dev/null +++ b/docs/pkcs12-ca_i_s 
@@ -0,0 +1,95 @@ +openssl pkcs12 -in ca/ca_i_s.p12 -nodes -passin pass:"password" + +MAC verified OK +Bag Attributes + localKeyID: 3F 42 B6 D2 5A EB 0E 82 20 D3 30 9E 3A C9 5F 8A 81 8A 4E BC + friendlyName: CA Intermediate Mobile Provision +subject=/C=OO/O=ACME/OU=ACME Intermediate/CN=01001.i.acme.xyz +issuer=/C=OO/O=ACME/CN=root.acme.xyz +-----BEGIN CERTIFICATE----- +MIIFaTCCA1GgAwIBAgICA+kwDQYJKoZIhvcNAQELBQAwNDELMAkGA1UEBhMCT08x +DTALBgNVBAoMBEFDTUUxFjAUBgNVBAMMDXJvb3QuYWNtZS54eXowHhcNMTgwNzI0 +MDQwMjU4WhcNMjAwODEyMDQwMjU4WjBTMQswCQYDVQQGEwJPTzENMAsGA1UECgwE +QUNNRTEaMBgGA1UECwwRQUNNRSBJbnRlcm1lZGlhdGUxGTAXBgNVBAMMEDAxMDAx +LmkuYWNtZS54eXowggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCbLFcp +bOHbGq/tLmVpW1yH7Erpdixw4v+hGoDAZbWpX/lGDOOusgFWjFpp8cASanjL8s2o +C8fhnjPSuEqyrMcHqCbJkVu95E62yQ1XdQI3FRJQhhHdaHZeUO///+01+kVGf33b +nlMsZhgXmYi4Nb8MC2q88Ydl1gT4w8EUOjE3k0yH86bBO+tzR+33F7d2dLFuF9WJ +KZj6Z0EzkOmer6v7k/Ad/lzbypbAY1NFUUn4F+cXI3gvTVHa5oRD7iLS3sXn7cpa +E07OWRfoc732x7OVnq0FyUZA2BEC5DFsG1f3P2z04aaDFSRknm0GXYnD5eC6i/M6 +CLw5+tSTz9ixEC1SKoOZVPaKZUXmTfCtcg+tZ33or+WBIe2bmhkm6vtct9FF4YAx +xsSLwxmZOAZ6npwUaasC9a9HXXrOcQV/xWc/QcMhEN/ID88fe+3tYZBtSfMxF5qk +3AoTXdQj3YDC3p5qncpeJ91FMs3Szkk6kZ9KJsdoHYdMh3BKBT3ioOrmYMz745Ol +SjUhJ/hikPhhNyaxJx242BOxusQPKpSTdt0j7yDG1Mlb+coyJxL1ll55uShWPZ53 +wUj5tQ5HWAfmTCTwy32AVdFoZwfTppFgeCXcYohonpFHhWbmwRywW8XBCcmnn4o7 +q5Nd4ZHyTSUrGcMOC2dyHFtHG7OAp9ZaIsMdAQIDAQABo2YwZDASBgNVHRMBAf8E +CDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU+2q/724bafWIAML7 +TJSAZRViI2UwHwYDVR0jBBgwFoAUpT5k6W9jeOoQvPawsOgE/uqx5PEwDQYJKoZI +hvcNAQELBQADggIBAG0N9okW0D9AqRa/mWvGWNxdqfXXw2YJ45Mi15o0P2Z8i6Zc +T3y2Kqeeggkxk3nfDpKcfv60Ke8/0+ou2z3C0CsC7+bUSMHKPhRalOvFyZ6I/+hf +h9nO89wpjAs6xJRe25pyKHPLXf8JVwLEaO+GJqhrxjEsSXL84vcmwWUg8chhOGdU +mBognFtBNfxT6FZmmsZCMkvVtPs7UaPbh3cHCObiAV6uJa06pwCpX+ecNkoaa0+8 +Zfitp6l0ZHSaFjefZfYmRKjl3xtemdHkK+nzHc257/G0bsc/T63GvW37rPVNKvlP ++ce6TBJVxz6cA97iI4GlSqgxcETQzmLn3oTCIUKbKx/V4/84Ffz3boz6Tb2Ry46D 
+R8QcdJUxZVvwgMWJCOt1p8+p9sLIjVXKCpGriSvKTxopETd9GDFKwUUvWaoTv5r/ +1bdWXQGOHcEA6t0dWQI96pwF9lJJEoOxFwGTFtZxepg2JxFb2knNXQi5Cu/7y6H/ +foR+Zse4u2laJLRpMLcbnVf5gm90J/YOYOSzOQo0D78duwpKALnhaoHDhSQuMiJr +ZGn01mR6Jb64QrBeei0BDrFrfg5da8zJXbXh8afZf4VI8TmaGysrr9zncK31sC+O +BXB9aRHAuBHyhjLBiWzOaRg/slrfj+Wo6CaqSx1Zj69Lg9EABmXVHJW5K8Q4 +-----END CERTIFICATE----- +Bag Attributes + localKeyID: 3F 42 B6 D2 5A EB 0E 82 20 D3 30 9E 3A C9 5F 8A 81 8A 4E BC + friendlyName: CA Intermediate Mobile Provision +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCbLFcpbOHbGq/t +LmVpW1yH7Erpdixw4v+hGoDAZbWpX/lGDOOusgFWjFpp8cASanjL8s2oC8fhnjPS +uEqyrMcHqCbJkVu95E62yQ1XdQI3FRJQhhHdaHZeUO///+01+kVGf33bnlMsZhgX +mYi4Nb8MC2q88Ydl1gT4w8EUOjE3k0yH86bBO+tzR+33F7d2dLFuF9WJKZj6Z0Ez +kOmer6v7k/Ad/lzbypbAY1NFUUn4F+cXI3gvTVHa5oRD7iLS3sXn7cpaE07OWRfo +c732x7OVnq0FyUZA2BEC5DFsG1f3P2z04aaDFSRknm0GXYnD5eC6i/M6CLw5+tST +z9ixEC1SKoOZVPaKZUXmTfCtcg+tZ33or+WBIe2bmhkm6vtct9FF4YAxxsSLwxmZ +OAZ6npwUaasC9a9HXXrOcQV/xWc/QcMhEN/ID88fe+3tYZBtSfMxF5qk3AoTXdQj +3YDC3p5qncpeJ91FMs3Szkk6kZ9KJsdoHYdMh3BKBT3ioOrmYMz745OlSjUhJ/hi +kPhhNyaxJx242BOxusQPKpSTdt0j7yDG1Mlb+coyJxL1ll55uShWPZ53wUj5tQ5H +WAfmTCTwy32AVdFoZwfTppFgeCXcYohonpFHhWbmwRywW8XBCcmnn4o7q5Nd4ZHy +TSUrGcMOC2dyHFtHG7OAp9ZaIsMdAQIDAQABAoICAQCO8Qqd03o+zteu4mVy50FW +yJm9dCm+F62p53MhSNBOZWWIXQlD/R/0bThAjf0EOeZq4ZEHM0r+kDBm9XOCIlz5 +tbF9TxS22WCVSqGqpdPTj+qeGNLOJZOckGx1Y3lNlu1H4tu6ep9dr/KTktB5+LCz +1LSPtuKmMb/EtPbgvjZmXp9KQW2kZaEgQet5CfTr/tUPeI8xWgtc588NRHmgv2zr +RD0WNCGwKnAya4zitt4v1zz+eKMW1+AGiQDgXrbfj225l7gmv9CBj1rRvAULFq1c +r53tTZsU0rTg9/p6/rlKvreM4Wz1JX2v3qzKB1KIDfO1hIQbOr7BnklCnF2dxiwo +LCMTHBxn7HdTcIDg3WdRaaxBCGZJfQauBMr17IIoj1djxaaLKk2wEueqW2YBDN0y +F2QlQNgGO4f/LghYsJZA4k3UqC0eQ7cBC5XmeOEljLT0D/8hzTAUOGKXYfpD+tOE +EpS+uT/pMUO5qJ7PqZHc44OIfY3VbvV6Tb26scAXMkUNFgZxylGF2xojQSzSVFKe +LipYCOFiqq8VOqZmSMuuRBUiunPhH1UT27bg2ugUFkFnVqOteTmzV7Zrk/Avv6ep +Sg0n0Ol7p96EcLvW+G3RloiTtqI13roKNm+45b8JiEzo5Rtcaw6Rli1e0P9Cv2aq 
+rA7itoLg7Syn94i9an+ADQKCAQEAztTZTCcyM2PsQhiGl035WmJCanjjFRBVav6q +sP37BbMsdPLRZHs10Oa6zuc6qDD/5ovRyGJ0Nys7Yb8SdtyrtK1kkvZmT0j+fvUF +psr+HgEPBFDQ+7Fh3ZfH8t/jhRD+89Ap0J989tGQo1ckaDT/C3KxOv7GoqQ+WHUM +PsH+t4Q+0bbueMzxJMBiQWrfoB7mzUJAfz8fNhXFUXUdxYQrfWjoPkfMoVjCPr0S +w0amp/DkKMDjsxu6pGPkD7NsrHrM/CBE8e1BaRgj/uOcvU/WWF81Y7Mbp7tAkDLK +THCyTBCTJ+Lnc1u/TMWPlZapoSQWAOMYA+fBDv6d+seMhpiUtwKCAQEAwA+5TutW +/KN8Va+mU0yOuhGZ07LJ7MFGOFxF0ud3ehFMAyvsX9t4/r9OmZA6/B7iPCcZCUA5 +4oSRi7NGs7oinf88lT5Yhon3rNysC9VN74ex06JcTHPx6mM+s6CHd1bmzUi6ThRL +xsaKcu3yWpS5wEp9m9s8ut4uTkThoZ1fjdsawxojRc06aWeyPRKT6HfrHiu5VLT1 +HeomtoJ7oOlmW4sR6Wq+cGEsmY6+Z4AgdDhvdNxW83G5ELNUZrsR3WhzjHCH5E2r +TzDj40Ore1g/ZPyCTg5jKEgTRTIs+Ixx8vw/b466WVbmBFKCzqICNmrYU/R2Oqxj +8YkbQnz4XY1UBwKCAQBP3H2+2s+Wajm6V6/4UiI61P/iDqVX58OjmYuc5aR8Ue+T +hIJ3ct+Xts9gvoW2lZzpjwlEf0dyWd4G4vklLhWaoOzZlgxxBrVFniQ9f9nZCf2b +Y/0dgiNQpZ+N1wcJxUM8Lx9GL57Xypk3iJlFJ1lnOTTXm7Jk8FgmXaOJw+wvPf/n +h+PSfweJckM+ER8hu2zQyokO2PebMZLL3hXNwzfrp4stKRoJHrV59hV9kxUceXYP +ilMhQE6z1OIlcdk/S/dETs1wQHTmOG0FqStHKcGQw8pgobLG9BV82C+mjkk595hq +aUGHGGDoKsxDLTZ4Qu/ADe+i6mRv/r5PK6fF/LpHAoIBAEAS/td9W//c6tYLS4nu +uI8K4C7oLsV1lV+oKQM7hXiL3LgSJ0GzjqIuYKKKo6MJCqDWyltzudwALi5VGPlM +18+uHyALNK1tyds5o4wvFVkcBA9+0xwOcl6nzXtPyuHddBJ4eO8jhkRCaF3/VCM0 +CuRD9bPRaGlPRlOGV1/7iK1is4LzbWEUHrCbj7MgR4f+ucnO/H1uAXiBbXjl/yin +tSZFNyyQGAiV4rM4E/2jmTAsw8JQ4BFHl14i9b1wG32qIyJvSGa6IrTAssZXBRaZ +Ukz2kOJJmnsN0J/9JVOmRz2xOdiV3UWA4CwA+vLEycgtzQ31OJxKdu1VuGpuFs3f +IHECggEAHCvk1bye83DETRWhOo5str5QiAN1STcSNhseqji1ElVHIk7PSo8GToFd +65cuh5DCbS1sZlUvloao3fYVqZ5v9Z7qn8/59NSkpoG7OCDqL4ezYxk6/Dp+n/V2 +q3g3nJ/budNT8BMFU2vLVzWPvZgaSajoZG/qVBvgUeswRFAcGxZyg0mT6TDrrHrv +TuyHLH7jhPodjFTYYxNrGRZ6yIwhxJgmmQDFROXSixTzhtT9JTbtM+XPRrLLTOIN +NKUcT1HpNZczKxm4hpASaGs1EIPmk0nlNCONZByOZxwFT/4SPsoaHMesoBkFGf4L +3WcUYO26Cdy4E0fQNkDINROy0rS5RA== +-----END PRIVATE KEY----- \ No newline at end of file diff --git a/docs/pkcs12-client_m b/docs/pkcs12-client_m new file mode 100644 index 0000000..7bbb66e --- /dev/null 
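Review bot: This file is an `openssl pkcs12 -nodes` dump and includes the unencrypted private key of the intermediate CA `01001.i.acme.xyz` (the `-----BEGIN PRIVATE KEY-----` block) together with the bundle password on the first line (`-passin pass:"password"`), so committing it publishes everything needed to issue certificates trusted by every client that has the root installed. Once this is pushed the key has to be treated as compromised: revoke the intermediate at the root and publish the CRL, generate a replacement, and rewrite history to drop the blob rather than only deleting the file in a later commit. If a reference dump is wanted in docs, capture it with `openssl pkcs12 -in ca/ca_i_s.p12 -nokeys | openssl x509 -noout -text` so only the certificate is recorded, and read the password via `-passin file:` or a prompt instead of the command line. Decoding the extensions in the PEM, the profile itself appears correct (`basicConstraints` critical `CA:TRUE, pathlen:0`, `keyUsage` critical `digitalSignature, keyCertSign, cRLSign`, sha256WithRSA); it is only the key and password that must not be here.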
+++ b/docs/pkcs12-client_m 
@@ -0,0 +1,163 @@ +openssl pkcs12 -in ca/ca_i_s.p12 -nodes -passin pass:"password" + +MAC verified OK +Bag Attributes + localKeyID: 6E 5B F0 AF 1A 9A 92 CC D9 A5 51 8E 84 3C F5 7A BE 03 99 72 + friendlyName: Client 1 VPN Certificate +subject=/C=OO/O=ACME/OU=ACME Maintenance/CN=client_m +issuer=/C=OO/O=ACME/OU=ACME Intermediate/CN=01002.i.acme.xyz +-----BEGIN CERTIFICATE----- +MIIFEjCCAvoCAgPpMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAk9PMQ0wCwYD +VQQKDARBQ01FMRowGAYDVQQLDBFBQ01FIEludGVybWVkaWF0ZTEZMBcGA1UEAwwQ +MDEwMDIuaS5hY21lLnh5ejAeFw0xODA3MjQwNDAzMDFaFw0xOTA3MjQwNDAzMDFa +MEoxCzAJBgNVBAYTAk9PMQ0wCwYDVQQKDARBQ01FMRkwFwYDVQQLDBBBQ01FIE1h +aW50ZW5hbmNlMREwDwYDVQQDDAhjbGllbnRfbTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBALk8RV65kDzZHVk542YrO0okz8KczdWs0aEIGnjZRyoCoBLa +YqFTsR9Nj1Zn1rkEcC22EYZO/GCfeSEfywZGvTI1fyZ4fMPC4hKZ6f1CpdgHw+Zu +3seAUtkXg2vtb4WMeCAvIN1KlpjxsIwU89RTAhFlJ9eC5s/tqjfb8Sg6ifrxGzCh +FuPsiu/1zIFmgUXmK/sWIX3P7YZShaTSiAlKR4M86ZLIhoK4ezCd9hwTmw5zHlQj +ktpQBsbpvmzPUpNfkeocUkF88LmlFCvGxXgKePQgWGXmVC2Rlo3kZUmq+r/6JTJv +5QcUU9o4Us/G+FJp24+RDSuHP6wQt86REbD2i4XsKa9ldM5ZDPJqa/7eM3C4nvsg +9pxfQHDVTmJPmmHscd1/kHXLCzQdt6sB9EhR9lxsPeOs0Bmk3sZ3J4qjq4kNyMxT +wfP5wL3TSSHjVSYuGpBqieuRwYrCPZBUG3OpBrWq/a97kSSkzI/pt1w3ySXkQD1s +7ZXHWNYrozdhoTB9TkBxQcoO5ALGz92fV75dAOh93oZMXxcQeJgsKY1aLEkgE/+C +NbZSeiWpr6Xf6EgJsR839ucEsDi/yUyOcpGA5peCZzpAnZVF8Ga2rHeer7TlIFR6 +9vOLV1N5TPW9QJjRygKEtb/ykMHCnh0OFdb8OxNNSfLDTDixfgJBqw3FcFUzAgMB +AAEwDQYJKoZIhvcNAQELBQADggIBAASuxNTPgjtRHCYJ2spXpf+sFs0uVkoCzi6R +2VxI16a0j5zEC8xS9ras+G39o5Om/U8f/dl2K37nmY9kMVk4LwNPXbWgHdTvZd8p +G1j7WjrjnbigbKEiQwyXVDz4u9UHZHmAahyez4cz0juTx9M91LIBU03YALKESF40 +kL/GAXbfVVtCqUuk4FJwYODRcSB3+7Hz4XxObdlwsQGjNdB3tT/oMG2PCWfdhE0I +hazzzq+6UOMDrFvhgpYzrfYr+LR/nggYq0P86q8pwiwnccrflhbJq+Ec318WYeqi +d3gx/JAmB5Kqtzabo6C3Us0kxlMkTNmNmQ46gqj+GmA4gSZhXbTk3Q1fjwmfTTGR +m90+S/mmkO9HISGxJbcC8wf1dksvdt027BYXoJPNXsrxdmlB+an21r9oiCjoI6r5 +DD2K/iFGah7cRhSdUlPvi924myshKE0KMSg987sPlDFdy6yNGdqq+blL2FlhlMGz 
+g0OVtWzZKWYgQnPsQ/9AGLoQ+kttQrIgkmTd0SdLhT6DSSvK8VwNb9SwpHsp8X2Y +68vCjR8NK6FmtOVwRTaJ/EJSHjKv5VEzVR9uZCxtjKJd1qjfhE8mM6ADz9DVKH8k +DFq9kjgmTg2YZlVRBFkexYv/jMqs0PrnY3y4RAyVv0kSPYaAJ10AErhCE/VtZJ5e +vCWuFzRQ +-----END CERTIFICATE----- +Bag Attributes + friendlyName: client_m@acme.xyz +subject=/C=OO/O=ACME/OU=ACME Intermediate/CN=01002.i.acme.xyz +issuer=/C=OO/O=ACME/CN=root.acme.xyz +-----BEGIN CERTIFICATE----- +MIIFaTCCA1GgAwIBAgICA+owDQYJKoZIhvcNAQELBQAwNDELMAkGA1UEBhMCT08x +DTALBgNVBAoMBEFDTUUxFjAUBgNVBAMMDXJvb3QuYWNtZS54eXowHhcNMTgwNzI0 +MDQwMjU5WhcNMjAwODEyMDQwMjU5WjBTMQswCQYDVQQGEwJPTzENMAsGA1UECgwE +QUNNRTEaMBgGA1UECwwRQUNNRSBJbnRlcm1lZGlhdGUxGTAXBgNVBAMMEDAxMDAy +LmkuYWNtZS54eXowggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDOTPgC +OdAt5tJRv8sV5Bv3GQOXCthu9pir4oFnCYf5SO0pqlghsu8JEkg5yASTm5dGJhCE +3OnioERC5BRxYJAosDK2VGza+QtMeMxefa6pskEH5tQdKDoxPbyL7aWg5wYuDdQm +VqJKIgb/89LM2ABkvJocHq/ytYsyyB+KH359R2qxsaxv0lhYmmdd/4KhKGIOkwlY +pl8a6a9Uxz57Zye2U6vZ2pVloF0ClmJIVCYMZ4Hk/V/9Y1BqAQwjvPc8vpP7Oo+7 +LdY31D/FMXOGMJC0S6G117j5ICbhucTPfE1/QZCWLDlhc/Ixi1M6fgUhQ9Ncg93Q +U5xxHMlR43FDzPIKVU2m41fu7bhEBgiqdGmMGl9t+swIR+eONGySfrSLDo0novl/ +8Qt5sha2zfu92BJ03L4qdWu3B22JsyArE4Ynre6mzgcOpSpx5aluydSvjKwd9AQR +RLM6PZMkzaps8bwXuWv5j4PLigbAJo17QQeE8aRpo1HrjAXgXCIEhDHXI6trz+AX +bAIIO6DpFYvpMboBhnvwEFQzy78/sYjxsF3wYjPcioPFQy03QvP70W9+HCnfctg+ +202lbZMsaQbkiCmeif/LpgzpUB5yTYqmQWMd9pfWXD4ERN6gSj1fFx1ValoLmHZ2 ++EN+56sKlnnmwNITjgSq3Aw1kfuchJ+Xk4NgVQIDAQABo2YwZDASBgNVHRMBAf8E +CDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUDYnnqs8iDpzxT/9R +m0er88HZGxMwHwYDVR0jBBgwFoAUpT5k6W9jeOoQvPawsOgE/uqx5PEwDQYJKoZI +hvcNAQELBQADggIBAKuIrbositQWWM6kmcSO0Ihq6+q8rf+0if/fRZCLWVJxerzw +U0FQ8uAmOwQs5GYN/hEqvjMwy0LZ9kI9tqP/hiBwpGuXoCuTdwZrybb3H5z8SQTK +xvq5/h3QJJW2BryWn3taJhuJJePnLaYAeVAIp0ema3nmXNPMH4QzDSRNray3rGlG +CdIoh7bl5ogxiuGk0oaCcvw/YN0q107+C+OpBlCSrGgJILkYhpu0NNEGlbKJuYOO +QvzLBGfVJJpGXBDDYoF8YRXAwGHpGlJHOEOfVm2CjwsQeMfkT/cZnL2I0d58WKyi +Yl1qLexyQySpqJf2Es+7hrRyMUoNTMDZ+cVAYJECINbhmCiLNOLcduzwnevDjkuf 
+npd4jj4zwo781iVeyWcRYdhj9bkoyLwi5sHN3ATOEBWWuDDldvUo9fup/+abflwP +h8L6km5GV5DR4GUfstAWVJ8GXasKbV5O0SG7c2kjmKGCv9+8OMoRgl+3qnDLZVan +ZLgfjeD/6PkoFqLchzeOrKeM5wnUC4SBpAqQEdfhSMMGHr4ByxgfOUaddMXlrXmp +JMOBT3Kxdoye49BrlUjzkd/wLVp0BeGIv9Qo39F4sd6sgGTCj+c70qPf/rWPxzbe +6RL7PGxTvU7EQ7+ToCUHkrx5mUWjQXKQu7h0LPgfKDvrk3oDIh0QUDgnOOTX +-----END CERTIFICATE----- +Bag Attributes: +subject=/C=OO/O=ACME/CN=root.acme.xyz +issuer=/C=OO/O=ACME/CN=root.acme.xyz +-----BEGIN CERTIFICATE----- +MIIFTjCCAzagAwIBAgIJAKcONZlUpZgaMA0GCSqGSIb3DQEBCwUAMDQxCzAJBgNV +BAYTAk9PMQ0wCwYDVQQKDARBQ01FMRYwFAYDVQQDDA1yb290LmFjbWUueHl6MB4X +DTE4MDcyNDA0MDI1OFoXDTI4MDcyMTA0MDI1OFowNDELMAkGA1UEBhMCT08xDTAL +BgNVBAoMBEFDTUUxFjAUBgNVBAMMDXJvb3QuYWNtZS54eXowggIiMA0GCSqGSIb3 +DQEBAQUAA4ICDwAwggIKAoICAQDwdFus1b2FSJlhCxNu2UyExezoZbvjx1mjtCal +NTD3+Yrr0uXA2uPFn8wNZ5CkKH4vEE1qLsJYQtBmeOj7K4qTU2VkFFL3JWzFXgUC +pNJVzZ0PGwMIyhiW/N5mJkPydpdynqQl3HltylEtXoCtqGiW+2EbNCCEpwiuhOcM +3Pyld2SYpJ/NnDsVkydb6AESbFSsLa5VSypCmaRt8HNIGX6owsuNkD9tiAklK3mL +MtnawH87czuOXXe3eIYpcGuPtWrIRzz9qFpxymhMoTlbBcVqme0WqdN6KrLbqkRL +CiSev+R6FI1yskN+vOjJ9h77md334p/5ZVDXmVLY1hQyaWNhVhwCgsZyvAT8Oaok +Ozh+8KtEnVDHzt47kMdxuwPzSOvDFScCMasg5Nvs2Kl896HY8n4YMPukC8+KaCae +cF+sC7z01TKIpgUOeTmBIU6aYQKCfWSQgf/7WjrO2faKGtSqUcSKPAX6KzpPfQ6e ++sz+/OZjQZCMrjsxTfcd00IKBLZQmoFC5dPkg4MXVrjL8O2FeY3NfuYmEaRyINv/ +UqlcEzaDsXSPpfmDnaQVuh8CARbushDjomYOKl5J3JPW/SctqF7P/ENG2NXzgTSA +dmjMhN1HOXaVWuCgPYFnDu8p/P7p4DVGZcEoH2jEZKcu65JeTJnKAlbYu92nkjsD +8W6U2QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd +BgNVHQ4EFgQUpT5k6W9jeOoQvPawsOgE/uqx5PEwHwYDVR0jBBgwFoAUpT5k6W9j +eOoQvPawsOgE/uqx5PEwDQYJKoZIhvcNAQELBQADggIBACFLzG5R7HhIIgJszLtZ +qr5zYZhnzWBDEVrGHpPVqUlRx3eleSgT4RAa/hpEklkJTKIAcoZpE0jvzdjegr+C +Kb/AveXSTjTok4rie+Cgo3aFLEJ7qtnxxLXi4o/Pgsv1L12VfXl6qy53isrUhlPv +1d/y+Bccl36TuEyuy9eAktdT+cPHR7Gn9RK2lnKLTxCR/mBlbDCg/u6s7SA90hky +ZPUesfO6XaFIjaZMQlAwbz4/O44sYSj+Fuuh2wQgIZAp+5tgFXHmHZvH8b5exZlZ +PEmyA6qgtQ2F620pUoUVTxSiEKjTHE+qNOr5ZdyY7NH4X9fVG7jBdxfaUP7gDrv6 
+sGtL2bbMc1u3+qnNKA6MeS+UGxEKe46kTzNcFu8aXnhxt6McMs6/l72K52jxhvVn +yI+KvTGeqN1H4qI3RjTL7uQWyHZhkw6TsRLRBfqhU6BxRLq+EH0vHECB7usFLhr+ +BEqRNnNgrqZMS4quhBCRifpxORThoPjNeWVs9pcsBTSR2JgP7blSMkdwxcqXXezB +/PRJKtm2MPuhqvUKrwIzJ5IkwBvATwUkOmBDm6kejTZLmqZ4w47iswSvYxdtmZpM +ZORP9wgpuXRu2un7q2xERjlJA7bmw8y+NSweCTWLGLTeQzBzcEOEneNixjklCDXy +sITp+32xUz86IxAbwYuFb0gn +-----END CERTIFICATE----- +Bag Attributes + localKeyID: 6E 5B F0 AF 1A 9A 92 CC D9 A5 51 8E 84 3C F5 7A BE 03 99 72 + friendlyName: Client 1 VPN Certificate +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5PEVeuZA82R1Z +OeNmKztKJM/CnM3VrNGhCBp42UcqAqAS2mKhU7EfTY9WZ9a5BHAtthGGTvxgn3kh +H8sGRr0yNX8meHzDwuISmen9QqXYB8Pmbt7HgFLZF4Nr7W+FjHggLyDdSpaY8bCM +FPPUUwIRZSfXgubP7ao32/EoOon68RswoRbj7Irv9cyBZoFF5iv7FiF9z+2GUoWk +0ogJSkeDPOmSyIaCuHswnfYcE5sOcx5UI5LaUAbG6b5sz1KTX5HqHFJBfPC5pRQr +xsV4Cnj0IFhl5lQtkZaN5GVJqvq/+iUyb+UHFFPaOFLPxvhSaduPkQ0rhz+sELfO +kRGw9ouF7CmvZXTOWQzyamv+3jNwuJ77IPacX0Bw1U5iT5ph7HHdf5B1yws0Hber +AfRIUfZcbD3jrNAZpN7GdyeKo6uJDcjMU8Hz+cC900kh41UmLhqQaonrkcGKwj2Q +VBtzqQa1qv2ve5EkpMyP6bdcN8kl5EA9bO2Vx1jWK6M3YaEwfU5AcUHKDuQCxs/d +n1e+XQDofd6GTF8XEHiYLCmNWixJIBP/gjW2Unolqa+l3+hICbEfN/bnBLA4v8lM +jnKRgOaXgmc6QJ2VRfBmtqx3nq+05SBUevbzi1dTeUz1vUCY0coChLW/8pDBwp4d +DhXW/DsTTUnyw0w4sX4CQasNxXBVMwIDAQABAoICAQCN1Hw5H1Q1gvhZzV00aX2o +M69wj6d7KCwKZK4AQj2fCQuP4+8JH4/LLBPIURGz8JYEKhgZAnlzcifJGRLW52sN ++rA0wKSnL5zyKS9kX5ekZa21zsZ9ct/8oWhbRx3Q39FKs0sypV3SFZzcZV6dAEHh +F9b9yJj6NDvVMW7hIpFrtxjejzl7oy5utYG0wsvQvYCHbFaQgpiX9K+nmBvZISrI +bedaIHf9t0t72jcLIGflFHfwbJyQ1B2cSHUp00Si2tZarvy8b/HR83gSXMvuMfaS +1gFZZJannYXtdyem1GfSfrHkgJCYbxQVTnL57JtOXwdiUeoHnjM+iD50x9cH7H6+ +6hh82yd/hlO+boDZ5847Dr18CYvXGRgFkZSndwUAqBy6jnSvITbsE4QeHajTx8Q2 +gRePIqMq0ZEe9RumXd3Eg1l9A3CbNDb65oMCtE2d4bhdCFxDrsYDylE8YzX0O5Ao +Wa5ugOFNu0VP00JeCjhKxAjb2lxFHEFSHrqzwNHLeAYfxLAy96p5b9NzSqe4Ud23 +v1Yo7rXefl6OPoooEmdHwjIQOm/gSXuRljfp1EI0/7wsN4wzgQYHklnGflQuy9Mw 
+TtZjHi5TJ28KfIHy/WttHFrEb9on2DoV00XhQjTh9yzBlbIXga3QeLpGuJPKd84t +106RJn0V+AkeD59+s8sAoQKCAQEA5xdxddhthlTnQl0930LeYgbyP59tUxj3pGPs +zhxS4DnLlRG5nk4CPB4ASdjcWaGNVXee2IgBZR3dO9NtWiW6fJO611wyj1XEw4zw +f2ZQN34eFlrxrt7WhFlyIl5S4vPAXdBtFUcROy5kj/TXizHSzBubGrrnKUyUXlqj +ELL28z0AIpKj7+Zs8rQCmjW59Z7L+Cif37CTAk9GdY9LrLJ47RHMI0VjiGHrYmWG +pTyR1pVpXVV9wQ/+Y6N9X19r9Ea26jajAiK6A13tsqp+J03AhC6OHcuE3PqlEgex +C2+roRjo83DMEYOm9L3jmj6HxtLJHQJnHVNd0Svo0D3EqYfZLQKCAQEAzTOCi2m3 +LJ0Kt2rOQbrJKmk1OoSLUjGkhsE7gxomaFO6RipDqhs4ubRZrP2unWEfdrHxWvP4 +t5n5A9mtiIRYjO6fgrxTtLoyEdkAMZagqjKVdxer8C6VON2n2sERvyy2MfC2VSYb +Lz1YTaXHe3C13Ds+vb1jVcFqBd3cZPt3lhlfwohBfKYy6AVkd720MrQd9z4nNfpX +I6ofQ0NFRC5w3289pzfa1TeJOOUw5n5cqo/nyk2bO8guUXKit67SiRWFNCSp1N5k +i9dA2/KMuR7DbK3Gt8gn9dYW9aYDVP8LXwVqcks7UtTQAFPE4DUVEoy6O7m3vdDg +Ua8FIoHDCq0j3wKCAQApzyr+6C5AnIHOlvIHv6BeWeVgL2bnHuBHBLEmRSeVW7+C +c9eCVZi/6amhsrODH+BjMyYxBMJD2hhZp5HkOmk3+r5WEl8vYZQc0RX95rPiplWp +M8EAI17qSQiGQUx7tR/7mSbzL41liKo3BVQt4dDCjsgMGP6TkUBSpdFUxxw4u7OX +jbJNSAI0Eu9ZmRjQ4G8Esczi+p5OT6tuv4MwdoW8Vnj5dKdiWFzuy3GF2aSFDzkl +4r7CvDMJMd4P8EKmylhznXj2fPPsggTsSz5RvBZ1k7qwl06tcEeHMI8Og6Con8od +qS2yiYAeTXCtSlzkUuSB9BpVyuxxWKFhc5tuFJ7tAoIBAQCLrvi6dige0ngtCyOE +UuYFXMDDKN6+ANUCdh9Qy0hB1F0EzlhpP0aKA17YB4gJ0cddQRwO0e0I7mM4X8Fl +INI2fWlP0WsZp3XV+GXNW7/am7xq6U49nTgvEZPlsW+nN4R+0mEL7Xir25J0qNj2 +Cm+Bj0LSXk10XskRXUld5GAvaO5qud36QBh/IMyXRieYLEwJteFzOQqAWJoXa3+H +PiXPsyXA4qCwa7GZbUqwXGwwHu2mJNX7B/Wfs+1YJEVk06VtLVf+c7T2DH02PBHX +Ij3diR2wlSu+iRHv/iZegY74C/O+AcBMTlmZH2zxQrEpg2pypaWSLNHGSOGx76sZ +ZWr5AoIBAD8ZRn0EruCKcmxRucR5Ybbp7uSxBGlA2LHq10MAz1moanVSk+hZAzkw +7mhn/vtTzBfTn0InKgHE4XNF35nY0ndxZKnreS5t4vYdFXyhT0yuJiKo42LpPP8+ +GKG0H7d+mypKbgRWaWpVV6S3Rhcg7T6r8xoMM6h18Eae0oBmQ9vbAOkgV9wm+dxD +LThzcMidgya4a6AmEXmep8SUkTipdvNq8WIC1UY3azxuhr1nuM7QTfRZh9gI9uzc +08t2qiT/h1UN2zo/i4BvkAzZ/uRgaRa2MKVz/UOa2lb4z7J3Ok1+4GnyKgDsoG09 +3+lXPccGI6cmYqFTy8FSzjzQrzuBL5E= +-----END PRIVATE KEY----- \ No newline at end of file 
diff --git a/docs/pki_agile b/docs/pki_agile new file mode 100644 index 0000000..d3533d1 --- /dev/null +++ b/docs/pki_agile @@ -0,0 +1,51 @@ +[[[ Agile Tasking ]]] + + +[[ WORKING ]] + +* CA-I serial #s ?? + X.p12 file for CA-I (to import into M$ products) + -.p12 file extractor for MH provisioning +* create GUI for cert gen process (electron+crypto-interface) +* create certificate installation guide + -copy file to sd, select .p12 file, password="password" +* can I install certificates from an android application?? + -can I used knox to install certificates?? + + + +[[ BACKLOG ]] + +[ ver3 ] +* create new "certificate bootstrap" with .cfg parameters for CA ".mil" strings +* create new CA generation script that also reads .cfg +* create new CA-I generation script that uses a CA + -also packages .p12 for distrobution (use random high quality password) +* create new client generation script that uses CA-I + -just for testing purposes +* create new server generation script that uses CA-I + -just for testing purposes +* update ver3/conf so that ipsec.conf is default + -update ipsec_dev.conf to have developer + + +[ bootstrap cert chain-of-trust ] +* select bootstrap generation cpu (beaglebone, raspi) +* change strings from "acme.xyz" to ".mil" +* generate bootstrap + -sneakernet two CA-I + + + +[ ver4 ] + + + + +[[ COMPLETED ]] + + + +[[ ISSUES ]] + + diff --git a/docs/screen_clean_dev b/docs/screen_clean_dev new file mode 100644 index 0000000..30fd020 --- /dev/null +++ b/docs/screen_clean_dev @@ -0,0 +1,17 @@ + +cat -v screenlog.0 | tr -d '^@^M' >> fartface + + + +sed 's/\x00\x0a//g' screenlog.0 > fartface + +sed 's/^@^M//g' screenlog.0 > fartface + + +@^@^M + + +tr -d '\b\r^M\000' < screenlog.0 | cat -v >> whyusuck + +cat -v screenlog.0 | tr -d '\b\r' + diff --git a/docs/tablets b/docs/tablets new file mode 100644 index 0000000..7a0b5c7 --- /dev/null +++ b/docs/tablets 
@@ -0,0 +1,10 @@ +[[[ Samsung Tablets ]]] + + +[[ Android Recovery (bootloader) ]] + +[ Wipe data / Factory reset ] +1. Turn off the device. +2. Press and hold the Volume Up key and the Home key, then press and hold the Power key. +3. When the Samsung Galaxy Tab E logo screen displays, release only the Power key + diff --git a/src/pki_bootstrap/cert_bootstrap.sh b/src/pki_bootstrap/cert_bootstrap.sh new file mode 100755 index 0000000..2132f33 --- /dev/null +++ b/src/pki_bootstrap/cert_bootstrap.sh 
@@ -0,0 +1,303 @@
+#!/bin/bash
+#
+# ACME Certificate Bootstrap v1.3
+#
+# This script will generate all the files necessary to build a certificate chain of trust
+# using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other
+# helper scripts will generate new client/server certificates
+#
+PARAM1=$1
+
+usage() {
+ echo
+ echo "This script will generate all the files necessary to build a certificate chain of trust"
+ echo "using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other"
+ echo "helper scripts will generate new certificates"
+ echo
+ echo "Usage: cert_bootstrap <.cnf file (minus the .cnf)>"
+ echo
+ echo "Example: cert_bootstrap org.acme.xyz"
+ exit 1
+}
+
+echo_block() {
+ echo
+ echo
+ echo "***** ***** ***** *****"
+ echo $1
+ echo "***** ***** ***** *****"
+}
+
+#
+# CA generation requires .cnf files
+# create CA directory
+# create bash variables to CA
+# restore script back to original path
+#
+app_init() {
+ if [[ -n $PARAM1 ]]; then
+ # need to know the location of the configuration file (expected to be in same dir path as this script)
+ CA_CNF="$CD/ca.cnf"
+
+ # handle the case of having the ".cnf" extension or not
+ if [[ ${PARAM1: -4} == .cnf ]]; then
+ ORG_URL=${PARAM1%.*}
+ S_CNF=${PARAM1}
+ echo "ASDF: ${ORG_URL}, ${S_CNF}"
+ else
+ ORG_URL=$PARAM1
+ S_CNF="${PARAM1}.cnf"
+ echo "ZXCV: ${ORG_URL}, ${S_CNF}"
+ fi
+
+ FQ_S_CNF="${CD}/${S_CNF}"
+ if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
+ usage
+ fi
+ else
+ usage
+ fi
+
+ # Organize
+ #
+ # create a unique path for the server certificate
+ UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
+ UNIQ_DIR="cert-chain_${UNIQ_DIR}"
+ mkdir -p "${UNIQ_DIR}"
+ cd "${UNIQ_DIR}"
+ # FQ_DIR="${CD}/${UNIQ_DIR}"
+}
+
+#
+# IN: UNIQ_ID_CA, SERIAL
+#
+one-time-ca() {
+ # params
+ SERIAL="101"
+ UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
+ CA_DIR="ca_${UNIQ_ID_CA}"
+ mkdir $CA_DIR
+ cd $CA_DIR
+ generate_ca $UNIQ_ID_CA $SERIAL
+ FQ_CA_DIR=`pwd`
+ FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
+ FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
+ cd ..
+}
+
+# ***** ***** ***** *****
+#
+# CERTIFICATE AUTHORITY
+#
+# ***** ***** ***** *****
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+generate_ca() {
+ # params
+ UNIQ_ID_CA=$1
+ SERIAL=$2
+ # encrypt the key
+ #openssl genrsa -aes256 -out ca.keys.pem 4096
+ #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
+
+ # key un-protected
+ openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
+ #
+ # Create Certificate (valid for 10 years, after the entire chain of trust expires)
+ openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
+ -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
+ -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
+}
+
+#
+# Create CA Intermediate
+#
+#
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+generate_ca_i() {
+ echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
+ # params
+ UNIQ_ID_CA=$1
+ SERIAL=$2
+
+ openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
+
+ # Create Cert Signing Request (CSR)
+ openssl req -config $CA_CNF -new -sha256 \
+ -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
+ -key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
+
+ # Create Certificate (valid for ~2 years, after the entire chain of trust expires)
+ # CA signs Intermediate
+ openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
+ -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
+ -in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
+
+ # Package the Certificate Authority Certificates for distro (windoze needs this)
+ openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
+ -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
+ -in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}_crt_info.txt"
+
+ # create certifiate chain
+ cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
+}
+#
+# Generate a Server Certificate
+# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+#
+generate_server() {
+ echo_block "Generate Server Certificates (${UNIQ_ID})"
+ # params
+ UNIQ_ID=$1
+ UNIQ_ID_CA=$2
+ SERIAL=$3
+
+ openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
+
+ openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
+ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
+ -out "server_${UNIQ_ID}.csr.pem"
+
+ # Intermediate signs Server
+ openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
+ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+ -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
+
+ # Package the Certificates
+ openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
+ -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
+ -in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
+}
+#
+# Generate a Client Certificate
+# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+#
+generate_client() {
+ echo_block "Generate Client Certificates (${UNIQ_ID})"
+ # params
+ UNIQ_ID=$1
+ UNIQ_ID_CA=$2
+ SERIAL=$3
+
+ openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
+
+ openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
+ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
+ -out "client_${UNIQ_ID}.csr.pem"
+ # Intermediate signs Client
+ openssl x509 -req -days 365 \
+ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+ -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
+
+ # Package the Certificates
+ openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
+ -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
+ -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
+}
+
+#
+# Organize the files into logical folders based on serial #
+#
+organize() {
+ # cert info
+ mkdir docs
+ mv *.txt docs/
+
+ # move all files to folders
+ mkdir ca-i
+ mv ca_i*.pem ca-i/
+
+ mkdir servers
+ mv server_*.pem servers/
+
+ mkdir clients
+ mv client*.pem clients/
+}
+
+#
+# Generate a PKI chain
+# - the certificate chain is unique based on the serial #
+# - generate a new CA I
+# - generate two server certificates
+# - generate two client certificates
+#
+# INPUT: BASE SERIAL #, LOOP NUM
+#
+gen_pki_certs() {
+ B_SERIAL=$1
+ NUM_CERTS=$2
+
+ # Create CA Intermediate
+ UNIQ_ID_CA="${B_SERIAL}.${ORG_URL}"
+ generate_ca_i $UNIQ_ID_CA $B_SERIAL
+
+ # Server Certificates
+ for NUM in $(seq 1 $2)
+ do
+ generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CA $((B_SERIAL+NUM))
+ done
+
+ # Client Certificates
+ for NUM in $(seq 1 $2)
+ do
+ generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CA $((B_SERIAL+NUM))
+ done
+}
+
+#
+# INPUT: SERIAL #, LOOP NUM
+#
+gen_pki() {
+ SERIAL=$1
+
+ mkdir "ca_i_${SERIAL}.${ORG_URL}"
+ cd "ca_i_${SERIAL}.${ORG_URL}"
+
+ gen_pki_certs $SERIAL $2
+ organize
+
+ cd ..
+}
+
+
+main() {
+ CD=`pwd`
+
+ app_init
+ one-time-ca
+ gen_pki 10001 2
+ gen_pki 50001 5
+ gen_pki 80001 10
+
+ cd "${CD}"
+}
+
+
+# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
+#
+# main execution begins here (because all the functions have to be defined)
+#
+# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
+
+main
+
+# ***** ***** ***** *****
+#
+#
+#
+# ***** ***** ***** *****
diff --git a/src/pki_bootstrap/cnf/192.168.1.3.cnf b/src/pki_bootstrap/cnf/192.168.1.3.cnf
new file mode 100644
index 0000000..c6ddfea
--- /dev/null
+++ b/src/pki_bootstrap/cnf/192.168.1.3.cnf
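Review bot: In generate_client the signing step `openssl x509 -req -days 365 \` carries no `-extfile`/`-extensions`, so every client certificate is issued without basicConstraints, keyUsage or extendedKeyUsage (and, depending on the OpenSSL version, as a v1 certificate), while generate_server applies `v3_server` and generate_ca_i applies `v3_ca_i`; the ca.cnf added in this commit already defines a `usr_cert` profile with `CA:FALSE` and `clientAuth` that nothing references. The one-line fix is `openssl x509 -req -days 365 -extfile $CA_CNF -extensions usr_cert \`; generate_client in src/pki_lifecycle/tt/gen_client.sh has the same omission. generate_ca keeps both `-aes256` variants commented out and writes the root key unprotected; for a root valid `-days 3650` that is the key most worth protecting at rest, so if leaving it in the clear is intentional for the bootstrap run, say so in the `# key un-protected` comment. Two smaller points: `echo_block "Create CA Intermediate (${UNIQ_ID_CA})"` runs before `UNIQ_ID_CA=$1`, so the banner shows the previous intermediate's id, and with no `set -e` a failed `cd "${UNIQ_DIR}"` or `cd $CA_DIR` leaves the key files written into the parent directory.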
@@ -0,0 +1,56 @@ +# +# +# IMPORTANT INFO +# +# +[ v3_server ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "ACME Generated" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = IP:192.168.1.3 +#subjectAltName = @san_info + +[ san_info ] +IP = 192.168.1.3 + + +# +# +# FORCED TO INCLUDE THIS JUNK +# +# +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +#x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = US +stateOrProvinceName_default = State51 +localityName_default = +0.organizationName_default = ACME R&D +organizationalUnitName_default = +emailAddress_default = + diff --git a/src/pki_bootstrap/cnf/ca.cnf b/src/pki_bootstrap/cnf/ca.cnf new file mode 100644 index 0000000..691733f --- /dev/null +++ b/src/pki_bootstrap/cnf/ca.cnf 
@@ -0,0 +1,113 @@ +# Root CA configuration file. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = US +stateOrProvinceName_default = State51 +localityName_default = +0.organizationName_default = ACME R&D +organizationalUnitName_default = +emailAddress_default = + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). 
+basicConstraints = critical, CA:true +keyUsage = critical, cRLSign, digitalSignature, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer + +[ v3_ca_i ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, cRLSign, digitalSignature, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "ACME Generated" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "ACME Generated" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +#subjectAltName = "192.168.123.129" + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning \ No newline at end of file diff --git a/src/pki_bootstrap/cnf/skunkworks.acme.xyz.cnf b/src/pki_bootstrap/cnf/skunkworks.acme.xyz.cnf new file mode 100644 index 0000000..9bf9706 --- /dev/null +++ b/src/pki_bootstrap/cnf/skunkworks.acme.xyz.cnf 
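Review bot: None of the issuing profiles here (`v3_ca_i`, `usr_cert`, `server_cert`) carries `crlDistributionPoints` or `authorityInfoAccess`, so although `[ crl_ext ]` and `[ ocsp ]` are defined, a relying party has no pointer to any revocation data for certificates issued from this chain; if revocation is out of scope for this PKI, a comment at the top of the file saying so would make that explicit. `[ CA_default ]` sets `default_md`, `default_days` and `policy` but no `dir`, `database`, `serial` or `new_certs_dir`, so the file cannot drive `openssl ca`, which is consistent with the scripts in this commit signing via `openssl x509 -req -set_serial` and doing serial bookkeeping themselves — `default_days = 375` is therefore dead and worth a comment or removal. The identical file is added again as src/pki_lifecycle/ca/cnf/ca.cnf; one shared copy would avoid the two drifting apart.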
@@ -0,0 +1,55 @@ +# +# +# IMPORTANT INFO +# +# +[ v3_server ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "ACME Corp" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +#subjectAltName = IP:192.168.123.129 + +[ alt_names ] +DNS.1 = "skunkworks.acme.xyz" + +# +# +# FORCED TO INCLUDE THIS JUNK +# +# +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +#x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = US +stateOrProvinceName_default = State51 +localityName_default = +0.organizationName_default = ACME R&D +organizationalUnitName_default = +emailAddress_default = + diff --git a/src/pki_lifecycle/ca-i/ca/ca.crt.pem b/src/pki_lifecycle/ca-i/ca/ca.crt.pem new file mode 100644 index 0000000..e69de29 diff --git a/src/pki_lifecycle/ca-i/gen_ca-i.sh b/src/pki_lifecycle/ca-i/gen_ca-i.sh new file mode 100755 index 0000000..8523602 --- /dev/null +++ b/src/pki_lifecycle/ca-i/gen_ca-i.sh 
@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Create CA Intermediate
+#
+#
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+PARAM1=$1
+PARAM2=$2
+
+usage() {
+ echo
+ echo "Generate a new CA Intermediate certificate"
+ echo
+ echo "This program will generate a new certificate authority (CA) intermediate"
+ echo "It requires a CA certificate used to sign CA Intermediate"
+ echo "Requires the file \"ca.pem\" that is used to sign the certificates"
+ echo ""
+ echo ""
+ echo ""
+ echo
+ echo " usage: gen_ca-i.sh "
+ echo
+ echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
+ echo " 10052 \\"
+ echo
+ exit 1
+}
+
+error_no_ca_file() {
+ echo
+ echo "ERROR: missing ca.pem"
+ echo
+ usage
+}
+
+
+generate_ca_i() {
+ echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
+ # params
+ UNIQ_ID_CA=$1
+ SERIAL=$2
+
+ openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
+
+ # Create Cert Signing Request (CSR)
+ openssl req -config $CA_CNF -new -sha256 \
+ -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
+ -key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
+
+ # Create Certificate (valid for ~2 years, after the entire chain of trust expires)
+ # CA signs Intermediate
+ openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
+ -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
+ -in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
+
+ # Package the Certificate Authority Certificates for distro (windoze needs this)
+ openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
+ -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
+ -in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}_crt_info.txt"
+
+ # create certifiate chain
+ cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
+}
+
+main() {
+ if [[ ! -f ca-i.pem ]]
+ error_no_ca_file
+ if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then
+ generate_ca_i $PARAM1 $PARAM2
+ else
+ usage
+ fi
+}
+
+main
diff --git a/src/pki_lifecycle/ca/cnf/192.168.1.3.cnf b/src/pki_lifecycle/ca/cnf/192.168.1.3.cnf
new file mode 100644
index 0000000..c6ddfea
--- /dev/null
+++ b/src/pki_lifecycle/ca/cnf/192.168.1.3.cnf
@@ -0,0 +1,56 @@
+#
+#
+# IMPORTANT INFO
+#
+#
+[ v3_server ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "ACME Generated"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = IP:192.168.1.3
+#subjectAltName = @san_info
+
+[ san_info ]
+IP = 192.168.1.3
+
+
+#
+#
+# FORCED TO INCLUDE THIS JUNK
+#
+#
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+#x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = State51
+localityName_default =
+0.organizationName_default = ACME R&D
+organizationalUnitName_default =
+emailAddress_default =
+
diff --git a/src/pki_lifecycle/ca/cnf/ca.cnf b/src/pki_lifecycle/ca/cnf/ca.cnf
new file mode 100644
index 0000000..691733f
--- /dev/null
+++ b/src/pki_lifecycle/ca/cnf/ca.cnf
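Review bot: main() does not parse — `if [[ ! -f ca-i.pem ]]` has neither `; then` nor a closing `fi` — so bash rejects the whole script before anything runs. Beyond the syntax, the guard tests `ca-i.pem` while usage and error_no_ca_file both name `ca.pem`, the argument check uses `||` although the usage text requires both arguments, and generate_ca_i reads `$CA_CNF`, `$FQ_CA_CERT` and `$FQ_CA_KEYS` and calls `echo_block`, none of which this file sets, defines or sources, so the `-CA`/`-CAkey` arguments to the signing step would expand to nothing. The rewrite below fixes the syntax and the operator; which CA file name is intended, and where the config and root-certificate paths should come from, is for the author to settle.
```shell
main() {
  if [[ ! -f ca.pem ]]; then   # name taken from error_no_ca_file; confirm
    error_no_ca_file
  fi
  if [[ -n $PARAM1 && -n $PARAM2 ]]; then
    generate_ca_i "$PARAM1" "$PARAM2"
  else
    usage
  fi
}
```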
@@ -0,0 +1,113 @@ +# Root CA configuration file. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = US +stateOrProvinceName_default = State51 +localityName_default = +0.organizationName_default = ACME R&D +organizationalUnitName_default = +emailAddress_default = + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). 
+basicConstraints = critical, CA:true +keyUsage = critical, cRLSign, digitalSignature, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer + +[ v3_ca_i ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, cRLSign, digitalSignature, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "ACME Generated" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "ACME Generated" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +#subjectAltName = "192.168.123.129" + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning \ No newline at end of file diff --git a/src/pki_lifecycle/ca/cnf/skunkworks.acme.xyz.cnf b/src/pki_lifecycle/ca/cnf/skunkworks.acme.xyz.cnf new file mode 100644 index 0000000..9bf9706 --- /dev/null +++ b/src/pki_lifecycle/ca/cnf/skunkworks.acme.xyz.cnf 
@@ -0,0 +1,55 @@ +# +# +# IMPORTANT INFO +# +# +[ v3_server ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "ACME Corp" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +#subjectAltName = IP:192.168.123.129 + +[ alt_names ] +DNS.1 = "skunkworks.acme.xyz" + +# +# +# FORCED TO INCLUDE THIS JUNK +# +# +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +#x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = US +stateOrProvinceName_default = State51 +localityName_default = +0.organizationName_default = ACME R&D +organizationalUnitName_default = +emailAddress_default = + diff --git a/src/pki_lifecycle/ca/gen_ca.sh b/src/pki_lifecycle/ca/gen_ca.sh new file mode 100644 index 0000000..cdbea88 --- /dev/null +++ b/src/pki_lifecycle/ca/gen_ca.sh 
@@ -0,0 +1,116 @@
+#!/bin/bash
+#
+# ACME Certificate Authority Generation v1.0
+#
+#
+PARAM1=$1
+
+usage() {
+ echo
+ echo "This script will generate all the files necessary to build a certificate chain of trust"
+ echo "using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other"
+ echo "helper scripts will generate new certificates"
+ echo
+ echo "Usage: cert_bootstrap <.cnf file (minus the .cnf)>"
+ echo
+ echo "Example: cert_bootstrap org.acme.xyz"
+ exit 1
+}
+
+echo_block() {
+ echo
+ echo
+ echo "***** ***** ***** *****"
+ echo $1
+ echo "***** ***** ***** *****"
+}
+
+#
+# CA generation requires .cnf files
+# create CA directory
+# create bash variables to CA
+# restore script back to original path
+#
+app_init() {
+ if [[ -n $PARAM1 ]]; then
+ # need to know the location of the configuration file (expected to be in same dir path as this script)
+ CA_CNF="$CD/ca.cnf"
+
+ # handle the case of having the ".cnf" extension or not
+ if [[ ${PARAM1: -4} == .cnf ]]; then
+ ORG_URL=${PARAM1%.*}
+ S_CNF=${PARAM1}
+ echo "ASDF: ${ORG_URL}, ${S_CNF}"
+ else
+ ORG_URL=$PARAM1
+ S_CNF="${PARAM1}.cnf"
+ echo "ZXCV: ${ORG_URL}, ${S_CNF}"
+ fi
+
+ FQ_S_CNF="${CD}/${S_CNF}"
+ if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
+ usage
+ fi
+ else
+ usage
+ fi
+
+ # Organize
+ #
+ # create a unique path for the server certificate
+ UNIQ_DIR=`date +%Y-%m-%d.%H_%M_%S`
+ UNIQ_DIR="cert-chain_${UNIQ_DIR}"
+ mkdir -p "${UNIQ_DIR}"
+ cd "${UNIQ_DIR}"
+ # FQ_DIR="${CD}/${UNIQ_DIR}"
+}
+
+#
+# IN: UNIQ_ID_CA, SERIAL
+#
+one-time-ca() {
+ # params
+ SERIAL="101"
+ UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
+ CA_DIR="ca_${UNIQ_ID_CA}"
+ mkdir $CA_DIR
+ cd $CA_DIR
+ generate_ca $UNIQ_ID_CA $SERIAL
+ FQ_CA_DIR=`pwd`
+ FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
+ FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
+ cd ..
+}
+
+# ***** ***** ***** *****
+#
+# CERTIFICATE AUTHORITY
+#
+# ***** ***** ***** *****
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+generate_ca() {
+ # params
+ UNIQ_ID_CA=$1
+ SERIAL=$2
+ # encrypt the key
+ #openssl genrsa -aes256 -out ca.keys.pem 4096
+ #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
+
+ # key un-protected
+ openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
+ #
+ # Create Certificate (valid for 10 years, after the entire chain of trust expires)
+ openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
+ -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
+ -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
+}
+
+main() {
+
+}
+
diff --git a/src/pki_lifecycle/mh/ca-i/ca-i.crt.pem b/src/pki_lifecycle/mh/ca-i/ca-i.crt.pem
new file mode 100644
index 0000000..e69de29
diff --git a/src/pki_lifecycle/mh/gen_server.sh b/src/pki_lifecycle/mh/gen_server.sh
new file mode 100755
index 0000000..ad7e320
--- /dev/null
+++ b/src/pki_lifecycle/mh/gen_server.sh
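Review bot: `main() {` followed directly by `}` is a syntax error in bash (a function body needs at least one command), so the script fails to parse, and nothing calls main anyway, so even with a body no CA would be produced. Since app_init and one-time-ca are copied in from cert_bootstrap.sh, main presumably should mirror that script's main without the intermediate generation (see below). The usage text is also copied verbatim and still prints `Usage: cert_bootstrap`, and as in the bootstrap the root key is written unencrypted with the `-aes256` lines commented out — for a standalone root-CA tool that is the one place key encryption at rest matters most, so at least the `# key un-protected` comment should say why. The header above generate_ca says it 'will generate a CA Intermediate', which it does not.
```shell
main() {
  CD=$(pwd)

  app_init
  one-time-ca

  cd "${CD}"
}

main
```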
@@ -0,0 +1,62 @@
+#!/bin/bash
+#
+# Create CA Intermediate
+#
+#
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+PARAM1=$1
+PARAM2=$2
+
+usage() {
+ echo
+ echo "Generate a new certificate"
+ echo
+ echo "This program will generate a new certificate authority intermediate"
+ echo "Requires the file ca-i.pem that is used to sign the certificates"
+ echo "The script requires a CA Intermediate certificate used to sign the client"
+ echo ""
+ echo ""
+ echo ""
+ echo
+ echo "Generate a new certificate"
+ echo " usage: gen_server.sh "
+ echo
+ echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\"
+ echo " skunkworks.acme.xyz \\"
+ echo " 10052 \\"
+ echo
+ exit 1
+}
+
+#
+# Generate a Server Certificate
+# IN: ${SERIAL}, ${UNIQ_ID}
+#
+generate_server() {
+ openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
+
+ openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
+ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
+ -out "server_${UNIQ_ID}.csr.pem"
+
+ # Intermediate signs Server
+ openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
+ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+ -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
+}
+
+# if all argument strings are empty, then continue execution
+if [[ -n $1 ]] && [[ -n $2 ]] && [[ -n $3 ]]; then
+ UNIQ_ID_CA=$1
+ ORG_URL=$2
+ SERIAL=$3
+ UNIQ_ID="${ORG_URL}_${SERIAL}"
+ generate_server
+else
+ usage
+fi
diff --git a/src/pki_lifecycle/tt/ca-i/ca-i.crt.pem b/src/pki_lifecycle/tt/ca-i/ca-i.crt.pem
new file mode 100644
index 0000000..e69de29
diff --git a/src/pki_lifecycle/tt/gen_client.sh b/src/pki_lifecycle/tt/gen_client.sh
new file mode 100755
index 0000000..5c83030
--- /dev/null
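Review bot: `FQ_S_CNF` is passed unquoted to both `-config` and `-extfile` in generate_server but is never assigned in this script (it is only set by the bootstrap's app_init), so the empty expansion vanishes and openssl takes the next option as the file name; accept the .cnf path as an explicit argument or derive it from the org name, e.g. `FQ_S_CNF="${ORG_URL}.cnf"`, and quote it as `"$FQ_S_CNF"`. The usage example passes a full `ca_i_….crt.pem` filename as the first argument, yet the code builds `ca_i_${UNIQ_ID_CA}.crt.pem` from it, so following the example produces a doubled file name; either the example or the composition needs to change. The header comment and the usage text are copied from the intermediate-CA script and describe the wrong program; replace them with the three arguments this script actually reads, `usage: gen_server.sh <ca-id> <org-url> <serial>`. The server private key is written unencrypted under the default umask; a `umask 077` at the top of generate_server keeps it owner-readable only.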
+++ b/src/pki_lifecycle/tt/gen_client.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Create CA Intermediate
+#
+#
+# This function will generate a CA Intermediate
+# IN: UNIQ_ID_CA, SERIAL
+#
+PARAM1=$1
+PARAM2=$2
+
+usage() {
+ echo
+ echo "Generate a new certificate"
+ echo
+ echo "This program will generate a new certificate authority intermediate"
+ echo "Requires the file ca-i.pem that is used to sign the certificates"
+ echo "The script requires a CA Intermediate certificate used to sign the client"
+ echo ""
+ echo ""
+ echo ""
+ echo
+ echo "Generate a new certificate"
+ echo " usage: gen_server.sh "
+ echo
+ echo " example: gen_server.sh ca_i_skunkworks.acme.xyz_10001.crt.pem \\"
+ echo " skunkworks.acme.xyz \\"
+ echo " 10052 \\"
+ echo
+ exit 1
+}
+
+
+generate_client() {
+ echo_block "Generate Client Certificates (${UNIQ_ID})"
+ # params
+ UNIQ_ID=$1
+ UNIQ_ID_CA=$2
+ SERIAL=$3
+
+ openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
+
+ openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
+ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
+ -out "client_${UNIQ_ID}.csr.pem"
+ # Intermediate signs Client
+ openssl x509 -req -days 365 \
+ -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
+ -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
+
+ # Package the Certificates
+ openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
+ -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
+ -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
+
+ # verify certificate (output to text file for review)
+ openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
+}
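Review bot: The PKCS#12 bundle is exported with the fixed passphrase `pass:password` given on the command line, so every client bundle shares a guessable password and the value is visible in the process list while openssl runs; supply a per-client passphrase from the environment or a file instead, `-passout env:CLIENT_P12_PASS` (or `file:`), never from argv. generate_client calls `echo_block`, which is defined in the bootstrap script rather than in this file, and it does so before `UNIQ_ID=$1` is assigned, so the banner prints an empty id and the call fails unless that helper is sourced first; move the assignments above the call and define or source the helper. Unlike gen_server.sh the signing step passes no `-extfile`/`-extensions`, so the issued client certificate carries no extensions at all (no key usage or extended key usage); add the intended section from the org .cnf, mirroring `-extfile "$FQ_S_CNF" -extensions v3_client` or whatever section the config defines. Nothing in the file invokes generate_client, so running the script only defines functions and exits.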
