FIN: pki_bootstrap.sh is working again with the pki_funcs.sh refactoring
This commit is contained in:
JohnE
parent
e0b1142239
commit
dd6afcba9f
|
|
@ -47,9 +47,11 @@ get_serial() {
|
|||
# IN: UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
gen_ca() {
|
||||
# params
|
||||
UNIQ_ID_CA=$1
|
||||
SERIAL=$2
|
||||
|
||||
echo_block "Create CA (${UNIQ_ID_CA})"
|
||||
|
||||
# encrypt the key
|
||||
#openssl genrsa -aes256 -out ca.keys.pem 4096
|
||||
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
|
||||
|
|
@ -76,18 +78,18 @@ gen_ca() {
|
|||
ca-i_gen_pki() {
|
||||
# organization
|
||||
CDD=`pwd`
|
||||
SERIAL=$1
|
||||
LOOP_NUM=$2
|
||||
ORG_URL=$3
|
||||
ORG_URL=$1
|
||||
SERIAL=$2
|
||||
LOOP_NUM=$3
|
||||
|
||||
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
|
||||
mkdir -p "distribution/${UNIQ_DIR_CA}"
|
||||
cd "distribution/${UNIQ_DIR_CA}"
|
||||
|
||||
# geneate certificates, organize the files
|
||||
ca-i_gen_pki_certs $SERIAL $LOOP_NUM
|
||||
organize
|
||||
cp_pki_lifecycle
|
||||
ca-i_gen_pki_certs $ORG_URL $SERIAL $LOOP_NUM
|
||||
ca-i_organize
|
||||
ca-i_cp_docs
|
||||
|
||||
# return to last path
|
||||
cd $CDD
|
||||
|
|
@ -105,23 +107,24 @@ ca-i_gen_pki() {
|
|||
# Requires: FQ_CA_CERT, FQ_CA_KEYS
|
||||
#
|
||||
ca-i_gen_pki_certs() {
|
||||
SERIAL=$1
|
||||
NUM_CERTS=$(($2-1))
|
||||
ORG_URL=$1
|
||||
SERIAL_O=$2
|
||||
NUM_CERTS=$(($3-1))
|
||||
|
||||
# Create CA Intermediate
|
||||
UNIQ_ID_CAI="${SERIAL}.${ORG_URL}"
|
||||
ca-i_gen_cert $UNIQ_ID_CAI $SERIAL
|
||||
UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}"
|
||||
ca-i_gen_cert $UNIQ_ID_CAI $SERIAL_O
|
||||
|
||||
# Server Certificates
|
||||
for NUM in $(seq 0 $NUM_CERTS)
|
||||
do
|
||||
gen_server "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
|
||||
gen_server $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM))
|
||||
done
|
||||
|
||||
# Client Certificates
|
||||
for NUM in $(seq 0 $NUM_CERTS)
|
||||
do
|
||||
gen_client "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
|
||||
gen_client $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM))
|
||||
done
|
||||
}
|
||||
|
||||
|
|
@ -132,34 +135,34 @@ ca-i_gen_pki_certs() {
|
|||
# IN: UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
ca-i_gen_cert() {
|
||||
UNIQ_ID_CA=$1
|
||||
UNIQ_ID_CAI=$1
|
||||
SERIAL=$2
|
||||
|
||||
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
|
||||
echo_block "Create CA Intermediate (${UNIQ_ID_CAI})"
|
||||
|
||||
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
|
||||
openssl genrsa -out "ca_i_${UNIQ_ID_CAI}.keys.pem" 4096
|
||||
|
||||
# Create Cert Signing Request (CSR)
|
||||
openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
|
||||
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
|
||||
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
|
||||
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CAI}" \
|
||||
-key "ca_i_${UNIQ_ID_CAI}.keys.pem" -out "ca_i_${UNIQ_ID_CAI}.csr.pem"
|
||||
|
||||
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
|
||||
# CA signs Intermediate
|
||||
openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
|
||||
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
|
||||
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
|
||||
-in "ca_i_${UNIQ_ID_CAI}.csr.pem" -out "ca_i_${UNIQ_ID_CAI}.crt.pem"
|
||||
|
||||
# Package the Certificate Authority Certificates for distro (windoze needs this)
|
||||
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
|
||||
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CAI}.keys.pem" \
|
||||
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
|
||||
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
|
||||
-in "ca_i_${UNIQ_ID_CAI}.crt.pem" -out "ca_i_${UNIQ_ID_CAI}.p12"
|
||||
|
||||
# verify certificate (output to text file for review)
|
||||
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
|
||||
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_i_${UNIQ_ID_CAI}.crt.info.txt"
|
||||
|
||||
# create certifiate chain
|
||||
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
|
||||
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem"
|
||||
}
|
||||
|
||||
#
|
||||
|
|
@ -232,20 +235,21 @@ ca-i_cp_docs() {
|
|||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
gen_server() {
|
||||
UNIQ_ID=$1
|
||||
ORG_URL=$1
|
||||
UNIQ_ID_CA=$2
|
||||
SERIAL=$3
|
||||
|
||||
UNIQ_ID="${SERIAL}.${ORG_URL}"
|
||||
echo_block "Generate Server Certificates (${UNIQ_ID})"
|
||||
|
||||
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
|
||||
|
||||
openssl req -new -config $CNF_PATH/${UNIQ_ID}.cnf -key "server_${UNIQ_ID}.keys.pem" \
|
||||
openssl req -new -config $CNF_PATH/${ORG_URL}.cnf -key "server_${UNIQ_ID}.keys.pem" \
|
||||
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
|
||||
-out "server_${UNIQ_ID}.csr.pem"
|
||||
|
||||
# CA Intermediate signs Server
|
||||
openssl x509 -req -days 365 -extfile $CNF_PATH/cfg.cnf -extensions v3_server \
|
||||
openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \
|
||||
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
|
||||
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
|
||||
|
||||
|
|
@ -263,10 +267,12 @@ gen_server() {
|
|||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
gen_client() {
|
||||
UNIQ_ID=$1
|
||||
ORG_URL=$1
|
||||
UNIQ_ID_CA=$2
|
||||
SERIAL=$3
|
||||
|
||||
UNIQ_ID="${SERIAL}.${ORG_URL}"
|
||||
|
||||
echo_block "Generate Client Certificates (${UNIQ_ID})"
|
||||
|
||||
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
|
||||
|
|
|
|||
|
|
@ -1,155 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# all main functions to generate a PKI certificate chain
|
||||
#
|
||||
|
||||
#
|
||||
# print text wrapped in a block
|
||||
#
|
||||
echo_block() {
|
||||
echo
|
||||
echo "***** ***** ***** *****"
|
||||
echo $1
|
||||
echo "***** ***** ***** *****"
|
||||
}
|
||||
|
||||
#
|
||||
# Grab the latest serial # from the file, auto-increment
|
||||
#
|
||||
get_serial() {
|
||||
SERIAL=`head SERIAL`
|
||||
if [[ -z $SERIAL ]]; then
|
||||
SERIAL=11111
|
||||
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
|
||||
fi
|
||||
}
|
||||
|
||||
# ***** ***** ***** ***** *****
|
||||
#
|
||||
# CERTIFICATE AUTHORITY (CA)
|
||||
#
|
||||
# ***** ***** ***** ***** *****
|
||||
# This function will generate a CA Intermediate
|
||||
# IN: UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
generate_ca() {
|
||||
# params
|
||||
UNIQ_ID_CA=$1
|
||||
SERIAL=$2
|
||||
# encrypt the key
|
||||
#openssl genrsa -aes256 -out ca.keys.pem 4096
|
||||
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
|
||||
|
||||
# key un-protected
|
||||
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
|
||||
#
|
||||
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
|
||||
openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
|
||||
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
|
||||
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
|
||||
|
||||
# verify certificate (output to text file for review)
|
||||
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
|
||||
}
|
||||
|
||||
#
|
||||
# Create CA Intermediate
|
||||
#
|
||||
#
|
||||
# This function will generate a CA Intermediate
|
||||
# IN: UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
generate_ca_i() {
|
||||
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
|
||||
# params
|
||||
UNIQ_ID_CA=$1
|
||||
SERIAL=$2
|
||||
|
||||
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
|
||||
|
||||
# Create Cert Signing Request (CSR)
|
||||
openssl req -config $CA_CNF -new -sha256 \
|
||||
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
|
||||
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
|
||||
|
||||
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
|
||||
# CA signs Intermediate
|
||||
openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
|
||||
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
|
||||
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
|
||||
|
||||
# Package the Certificate Authority Certificates for distro (windoze needs this)
|
||||
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
|
||||
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
|
||||
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
|
||||
|
||||
# verify certificate (output to text file for review)
|
||||
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
|
||||
|
||||
# create certifiate chain
|
||||
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
|
||||
}
|
||||
#
|
||||
# Generate a Server Certificate
|
||||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
generate_server() {
|
||||
echo_block "Generate Server Certificates (${UNIQ_ID})"
|
||||
# params
|
||||
UNIQ_ID=$1
|
||||
UNIQ_ID_CA=$2
|
||||
SERIAL=$3
|
||||
|
||||
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
|
||||
|
||||
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
|
||||
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
|
||||
-out "server_${UNIQ_ID}.csr.pem"
|
||||
|
||||
# CA Intermediate signs Server
|
||||
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
|
||||
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
|
||||
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
|
||||
|
||||
# Package the Certificates
|
||||
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
|
||||
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
|
||||
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
|
||||
|
||||
# verify certificate (output to text file for review)
|
||||
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
|
||||
}
|
||||
#
|
||||
# Generate a Client Certificate
|
||||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
generate_client() {
|
||||
echo_block "Generate Client Certificates (${UNIQ_ID})"
|
||||
# params
|
||||
UNIQ_ID=$1
|
||||
UNIQ_ID_CA=$2
|
||||
SERIAL=$3
|
||||
|
||||
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
|
||||
|
||||
openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
|
||||
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
|
||||
-out "client_${UNIQ_ID}.csr.pem"
|
||||
# CA Intermediate signs Client
|
||||
openssl x509 -req -days 365 \
|
||||
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
|
||||
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
|
||||
|
||||
# Package the Certificates
|
||||
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
|
||||
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
|
||||
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
|
||||
|
||||
# verify certificate (output to text file for review)
|
||||
openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
|
||||
}
|
||||
|
||||
#
|
||||
# give some info if someone tries to execute this
|
||||
echo_block "this script file has only helper functions"
|
||||
|
||||
|
|
@ -97,9 +97,9 @@ main() {
|
|||
|
||||
app_init
|
||||
one-time-ca
|
||||
ca-i_gen_pki ${ORG_URL} 1001 2
|
||||
# gen_pki 50001 5
|
||||
# gen_pki 80001 10
|
||||
ca-i_gen_pki $ORG_URL 1001 2
|
||||
# ca-i_gen_pki $ORG_URL 2001 5
|
||||
# ca-i_gen_pki $ORG_URL 3001 8
|
||||
|
||||
# make sure we return to root execution path
|
||||
cd "${CD_ROOT}"
|
||||
|
|
|
|||
|
|
@ -1,232 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# ACME PKI (Certificate) Bootstrap v1.3
|
||||
#
|
||||
# This script will generate all the files necessary to build a certificate chain of trust
|
||||
# using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other
|
||||
# helper scripts will generate new client/server certificates
|
||||
#
|
||||
|
||||
# source this file to include the functions
|
||||
. libs/pki_funcs_old.sh
|
||||
|
||||
PARAM1=$1
|
||||
|
||||
usage() {
|
||||
echo
|
||||
echo "This application will generate all the files necessary to build a certificate chain of trust"
|
||||
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
|
||||
echo "pki lifecyle package"
|
||||
echo " -put the .cnf config files into the ./cnf directory"
|
||||
echo
|
||||
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
|
||||
echo
|
||||
echo "Example: pki_bootstrap org.acme.xyz"
|
||||
exit 1
|
||||
}
|
||||
|
||||
#
|
||||
# CA generation requires .cnf files
|
||||
# create CA directory
|
||||
# create bash variables to CA
|
||||
# restore script back to original path
|
||||
#
|
||||
app_init() {
|
||||
if [[ -n $PARAM1 ]]; then
|
||||
# need to know the location of the configuration file (expected to be in same dir path as this script)
|
||||
CA_CNF="$CD_ROOT/cnf/ca.cnf"
|
||||
|
||||
# handle the case of having the ".cnf" extension or not
|
||||
if [[ ${PARAM1: -4} == .cnf ]]; then
|
||||
ORG_URL=${PARAM1%.*}
|
||||
S_CNF=${PARAM1}
|
||||
echo "ASDF: ${ORG_URL}, ${S_CNF}"
|
||||
else
|
||||
ORG_URL=$PARAM1
|
||||
S_CNF="${PARAM1}.cnf"
|
||||
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
|
||||
fi
|
||||
|
||||
FQ_S_CNF="${CD_ROOT}/cnf/${S_CNF}"
|
||||
if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
|
||||
usage
|
||||
fi
|
||||
else
|
||||
usage
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# IN: UNIQ_ID_CA, SERIAL
|
||||
#
|
||||
one-time-ca() {
|
||||
# params
|
||||
#SERIAL="101"
|
||||
|
||||
get_serial
|
||||
echo_block "SERIAL == ${SERIAL}"
|
||||
# Organize
|
||||
#
|
||||
# create a unique path for the server certificate
|
||||
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
|
||||
UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
|
||||
mkdir -p "${UNIQ_DIR_LC}"
|
||||
cd "${UNIQ_DIR_LC}"
|
||||
|
||||
# create certificate
|
||||
UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
|
||||
CA_DIR="ca_${UNIQ_ID_CA}"
|
||||
mkdir $CA_DIR
|
||||
cd $CA_DIR
|
||||
FQ_CA_DIR=`pwd`
|
||||
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
|
||||
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
|
||||
generate_ca $UNIQ_ID_CA $SERIAL
|
||||
cd ..
|
||||
}
|
||||
|
||||
#
|
||||
# Organize the files into logical folders based on serial #
|
||||
#
|
||||
organize() {
|
||||
# organize the client directory
|
||||
mkdir -p clients/ca-i
|
||||
mkdir -p clients/data
|
||||
mkdir -p clients/distro
|
||||
mkdir -p clients/docs
|
||||
mv client*.pem clients/data/
|
||||
mv client*.p12 clients/distro/
|
||||
mv client*.info.txt clients/docs/
|
||||
cp ca_i*.crt.pem clients/ca-i/
|
||||
cp ca_i*.keys.pem clients/ca-i/
|
||||
|
||||
# organize the server directory
|
||||
mkdir -p servers/ca-i
|
||||
mkdir -p servers/data
|
||||
mkdir -p servers/distro
|
||||
mkdir -p servers/docs
|
||||
mv server_*.pem servers/data/
|
||||
mv server_*.p12 servers/distro/
|
||||
mv server_*.info.txt servers/docs/
|
||||
cp ca_i*.crt.pem servers/ca-i/
|
||||
cp ca_i*.keys.pem servers/ca-i/
|
||||
|
||||
# organize the ca-i directory
|
||||
# order matters: move these files last because they were copied above
|
||||
mkdir -p ca-i/data
|
||||
mkdir -p ca-i/docs
|
||||
mv ca_i*.pem ca-i/data/
|
||||
mv ca_i*.info.txt ca-i/docs/
|
||||
mv ca_i*.p12 ca-i/
|
||||
mv ca_cert-chain*.pem ca-i/
|
||||
cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
|
||||
cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
|
||||
}
|
||||
|
||||
#
|
||||
# Copies all applcations to the Lifecycle package
|
||||
#
|
||||
# Requires:
|
||||
# UNIQ_DIR_LC : unique string for the Lifecycle directory
|
||||
# UNIQ_ID_CA-I : unique string for the CA-I
|
||||
#
|
||||
cp_pki_lifecycle() {
|
||||
# CA-I
|
||||
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
|
||||
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
|
||||
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
|
||||
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
|
||||
|
||||
# client
|
||||
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
|
||||
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
|
||||
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
|
||||
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
|
||||
|
||||
# server
|
||||
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
|
||||
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
|
||||
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
|
||||
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a PKI chain
|
||||
# - the certificate chain is unique based on the serial #
|
||||
# - generate a new CA I
|
||||
# - generate two server certificates
|
||||
# - generate two client certificates
|
||||
#
|
||||
# INPUT: BASE SERIAL #, LOOP NUM
|
||||
#
|
||||
gen_pki_certs() {
|
||||
B_SERIAL=$1
|
||||
NUM_CERTS=$(($2-1))
|
||||
|
||||
# Create CA Intermediate
|
||||
UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}"
|
||||
generate_ca_i $UNIQ_ID_CAI $B_SERIAL
|
||||
|
||||
# Server Certificates
|
||||
for NUM in $(seq 0 $NUM_CERTS)
|
||||
do
|
||||
generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
|
||||
done
|
||||
|
||||
# Client Certificates
|
||||
for NUM in $(seq 0 $NUM_CERTS)
|
||||
do
|
||||
generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# INPUT: SERIAL #, LOOP NUM
|
||||
#
|
||||
gen_pki() {
|
||||
# organization
|
||||
CDD=`pwd`
|
||||
|
||||
SERIAL=$1
|
||||
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
|
||||
mkdir -p "distrobution/${UNIQ_DIR_CA}"
|
||||
cd "distrobution/${UNIQ_DIR_CA}"
|
||||
|
||||
# geneate certificates, organize the files
|
||||
gen_pki_certs $SERIAL $2
|
||||
organize
|
||||
cp_pki_lifecycle
|
||||
|
||||
# return to last path
|
||||
cd $CDD
|
||||
}
|
||||
|
||||
|
||||
main() {
|
||||
CD_ROOT=`pwd`
|
||||
LIB_PATH="${CD_ROOT}/libs"
|
||||
|
||||
app_init
|
||||
one-time-ca
|
||||
gen_pki 1001 2
|
||||
# gen_pki 50001 5
|
||||
# gen_pki 80001 10
|
||||
|
||||
# make sure we return to root execution path
|
||||
cd "${CD_ROOT}"
|
||||
}
|
||||
|
||||
|
||||
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
|
||||
#
|
||||
# main execution begins here (because all the functions have to be defined)
|
||||
#
|
||||
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
|
||||
|
||||
main
|
||||
|
||||
# ***** ***** ***** *****
|
||||
#
|
||||
#
|
||||
#
|
||||
# ***** ***** ***** *****
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue