FIN: pki_bootstrap.sh is working again with the pki_funcs.sh refactoring
This commit is contained in:
JohnE
parent
e0b1142239
commit
dd6afcba9f
|
|
@ -47,9 +47,11 @@ get_serial() {
|
||||||
# IN: UNIQ_ID_CA, SERIAL
|
# IN: UNIQ_ID_CA, SERIAL
|
||||||
#
|
#
|
||||||
gen_ca() {
|
gen_ca() {
|
||||||
# params
|
|
||||||
UNIQ_ID_CA=$1
|
UNIQ_ID_CA=$1
|
||||||
SERIAL=$2
|
SERIAL=$2
|
||||||
|
|
||||||
|
echo_block "Create CA (${UNIQ_ID_CA})"
|
||||||
|
|
||||||
# encrypt the key
|
# encrypt the key
|
||||||
#openssl genrsa -aes256 -out ca.keys.pem 4096
|
#openssl genrsa -aes256 -out ca.keys.pem 4096
|
||||||
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
|
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
|
||||||
|
|
@ -76,18 +78,18 @@ gen_ca() {
|
||||||
ca-i_gen_pki() {
|
ca-i_gen_pki() {
|
||||||
# organization
|
# organization
|
||||||
CDD=`pwd`
|
CDD=`pwd`
|
||||||
SERIAL=$1
|
ORG_URL=$1
|
||||||
LOOP_NUM=$2
|
SERIAL=$2
|
||||||
ORG_URL=$3
|
LOOP_NUM=$3
|
||||||
|
|
||||||
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
|
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
|
||||||
mkdir -p "distribution/${UNIQ_DIR_CA}"
|
mkdir -p "distribution/${UNIQ_DIR_CA}"
|
||||||
cd "distribution/${UNIQ_DIR_CA}"
|
cd "distribution/${UNIQ_DIR_CA}"
|
||||||
|
|
||||||
# geneate certificates, organize the files
|
# geneate certificates, organize the files
|
||||||
ca-i_gen_pki_certs $SERIAL $LOOP_NUM
|
ca-i_gen_pki_certs $ORG_URL $SERIAL $LOOP_NUM
|
||||||
organize
|
ca-i_organize
|
||||||
cp_pki_lifecycle
|
ca-i_cp_docs
|
||||||
|
|
||||||
# return to last path
|
# return to last path
|
||||||
cd $CDD
|
cd $CDD
|
||||||
|
|
@ -105,23 +107,24 @@ ca-i_gen_pki() {
|
||||||
# Requires: FQ_CA_CERT, FQ_CA_KEYS
|
# Requires: FQ_CA_CERT, FQ_CA_KEYS
|
||||||
#
|
#
|
||||||
ca-i_gen_pki_certs() {
|
ca-i_gen_pki_certs() {
|
||||||
SERIAL=$1
|
ORG_URL=$1
|
||||||
NUM_CERTS=$(($2-1))
|
SERIAL_O=$2
|
||||||
|
NUM_CERTS=$(($3-1))
|
||||||
|
|
||||||
# Create CA Intermediate
|
# Create CA Intermediate
|
||||||
UNIQ_ID_CAI="${SERIAL}.${ORG_URL}"
|
UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}"
|
||||||
ca-i_gen_cert $UNIQ_ID_CAI $SERIAL
|
ca-i_gen_cert $UNIQ_ID_CAI $SERIAL_O
|
||||||
|
|
||||||
# Server Certificates
|
# Server Certificates
|
||||||
for NUM in $(seq 0 $NUM_CERTS)
|
for NUM in $(seq 0 $NUM_CERTS)
|
||||||
do
|
do
|
||||||
gen_server "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
|
gen_server $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM))
|
||||||
done
|
done
|
||||||
|
|
||||||
# Client Certificates
|
# Client Certificates
|
||||||
for NUM in $(seq 0 $NUM_CERTS)
|
for NUM in $(seq 0 $NUM_CERTS)
|
||||||
do
|
do
|
||||||
gen_client "$((SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((SERIAL+NUM))
|
gen_client $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM))
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -132,34 +135,34 @@ ca-i_gen_pki_certs() {
|
||||||
# IN: UNIQ_ID_CA, SERIAL
|
# IN: UNIQ_ID_CA, SERIAL
|
||||||
#
|
#
|
||||||
ca-i_gen_cert() {
|
ca-i_gen_cert() {
|
||||||
UNIQ_ID_CA=$1
|
UNIQ_ID_CAI=$1
|
||||||
SERIAL=$2
|
SERIAL=$2
|
||||||
|
|
||||||
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
|
echo_block "Create CA Intermediate (${UNIQ_ID_CAI})"
|
||||||
|
|
||||||
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
|
openssl genrsa -out "ca_i_${UNIQ_ID_CAI}.keys.pem" 4096
|
||||||
|
|
||||||
# Create Cert Signing Request (CSR)
|
# Create Cert Signing Request (CSR)
|
||||||
openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
|
openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
|
||||||
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
|
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CAI}" \
|
||||||
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
|
-key "ca_i_${UNIQ_ID_CAI}.keys.pem" -out "ca_i_${UNIQ_ID_CAI}.csr.pem"
|
||||||
|
|
||||||
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
|
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
|
||||||
# CA signs Intermediate
|
# CA signs Intermediate
|
||||||
openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
|
openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
|
||||||
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
|
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
|
||||||
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
|
-in "ca_i_${UNIQ_ID_CAI}.csr.pem" -out "ca_i_${UNIQ_ID_CAI}.crt.pem"
|
||||||
|
|
||||||
# Package the Certificate Authority Certificates for distro (windoze needs this)
|
# Package the Certificate Authority Certificates for distro (windoze needs this)
|
||||||
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
|
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CAI}.keys.pem" \
|
||||||
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
|
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
|
||||||
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
|
-in "ca_i_${UNIQ_ID_CAI}.crt.pem" -out "ca_i_${UNIQ_ID_CAI}.p12"
|
||||||
|
|
||||||
# verify certificate (output to text file for review)
|
# verify certificate (output to text file for review)
|
||||||
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
|
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_i_${UNIQ_ID_CAI}.crt.info.txt"
|
||||||
|
|
||||||
# create certifiate chain
|
# create certifiate chain
|
||||||
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
|
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
@ -232,20 +235,21 @@ ca-i_cp_docs() {
|
||||||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
||||||
#
|
#
|
||||||
gen_server() {
|
gen_server() {
|
||||||
UNIQ_ID=$1
|
ORG_URL=$1
|
||||||
UNIQ_ID_CA=$2
|
UNIQ_ID_CA=$2
|
||||||
SERIAL=$3
|
SERIAL=$3
|
||||||
|
|
||||||
|
UNIQ_ID="${SERIAL}.${ORG_URL}"
|
||||||
echo_block "Generate Server Certificates (${UNIQ_ID})"
|
echo_block "Generate Server Certificates (${UNIQ_ID})"
|
||||||
|
|
||||||
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
|
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
|
||||||
|
|
||||||
openssl req -new -config $CNF_PATH/${UNIQ_ID}.cnf -key "server_${UNIQ_ID}.keys.pem" \
|
openssl req -new -config $CNF_PATH/${ORG_URL}.cnf -key "server_${UNIQ_ID}.keys.pem" \
|
||||||
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
|
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
|
||||||
-out "server_${UNIQ_ID}.csr.pem"
|
-out "server_${UNIQ_ID}.csr.pem"
|
||||||
|
|
||||||
# CA Intermediate signs Server
|
# CA Intermediate signs Server
|
||||||
openssl x509 -req -days 365 -extfile $CNF_PATH/cfg.cnf -extensions v3_server \
|
openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \
|
||||||
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
|
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
|
||||||
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
|
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
|
||||||
|
|
||||||
|
|
@ -263,10 +267,12 @@ gen_server() {
|
||||||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
||||||
#
|
#
|
||||||
gen_client() {
|
gen_client() {
|
||||||
UNIQ_ID=$1
|
ORG_URL=$1
|
||||||
UNIQ_ID_CA=$2
|
UNIQ_ID_CA=$2
|
||||||
SERIAL=$3
|
SERIAL=$3
|
||||||
|
|
||||||
|
UNIQ_ID="${SERIAL}.${ORG_URL}"
|
||||||
|
|
||||||
echo_block "Generate Client Certificates (${UNIQ_ID})"
|
echo_block "Generate Client Certificates (${UNIQ_ID})"
|
||||||
|
|
||||||
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
|
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
|
||||||
|
|
|
||||||
|
|
@ -1,155 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
#
|
|
||||||
# all main functions to generate a PKI certificate chain
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# print text wrapped in a block
|
|
||||||
#
|
|
||||||
echo_block() {
|
|
||||||
echo
|
|
||||||
echo "***** ***** ***** *****"
|
|
||||||
echo $1
|
|
||||||
echo "***** ***** ***** *****"
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Grab the latest serial # from the file, auto-increment
|
|
||||||
#
|
|
||||||
get_serial() {
|
|
||||||
SERIAL=`head SERIAL`
|
|
||||||
if [[ -z $SERIAL ]]; then
|
|
||||||
SERIAL=11111
|
|
||||||
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# ***** ***** ***** ***** *****
|
|
||||||
#
|
|
||||||
# CERTIFICATE AUTHORITY (CA)
|
|
||||||
#
|
|
||||||
# ***** ***** ***** ***** *****
|
|
||||||
# This function will generate a CA Intermediate
|
|
||||||
# IN: UNIQ_ID_CA, SERIAL
|
|
||||||
#
|
|
||||||
generate_ca() {
|
|
||||||
# params
|
|
||||||
UNIQ_ID_CA=$1
|
|
||||||
SERIAL=$2
|
|
||||||
# encrypt the key
|
|
||||||
#openssl genrsa -aes256 -out ca.keys.pem 4096
|
|
||||||
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
|
|
||||||
|
|
||||||
# key un-protected
|
|
||||||
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
|
|
||||||
#
|
|
||||||
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
|
|
||||||
openssl req -config $CA_CNF -new -x509 -sha256 -days 3650 -extensions v3_ca \
|
|
||||||
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
|
|
||||||
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
|
|
||||||
|
|
||||||
# verify certificate (output to text file for review)
|
|
||||||
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Create CA Intermediate
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# This function will generate a CA Intermediate
|
|
||||||
# IN: UNIQ_ID_CA, SERIAL
|
|
||||||
#
|
|
||||||
generate_ca_i() {
|
|
||||||
echo_block "Create CA Intermediate (${UNIQ_ID_CA})"
|
|
||||||
# params
|
|
||||||
UNIQ_ID_CA=$1
|
|
||||||
SERIAL=$2
|
|
||||||
|
|
||||||
openssl genrsa -out "ca_i_${UNIQ_ID_CA}.keys.pem" 4096
|
|
||||||
|
|
||||||
# Create Cert Signing Request (CSR)
|
|
||||||
openssl req -config $CA_CNF -new -sha256 \
|
|
||||||
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CA}" \
|
|
||||||
-key "ca_i_${UNIQ_ID_CA}.keys.pem" -out "ca_i_${UNIQ_ID_CA}.csr.pem"
|
|
||||||
|
|
||||||
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
|
|
||||||
# CA signs Intermediate
|
|
||||||
openssl x509 -req -days 750 -extfile $CA_CNF -extensions v3_ca_i \
|
|
||||||
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
|
|
||||||
-in "ca_i_${UNIQ_ID_CA}.csr.pem" -out "ca_i_${UNIQ_ID_CA}.crt.pem"
|
|
||||||
|
|
||||||
# Package the Certificate Authority Certificates for distro (windoze needs this)
|
|
||||||
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CA}.keys.pem" \
|
|
||||||
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
|
|
||||||
-in "ca_i_${UNIQ_ID_CA}.crt.pem" -out "ca_i_${UNIQ_ID_CA}.p12"
|
|
||||||
|
|
||||||
# verify certificate (output to text file for review)
|
|
||||||
openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_i_${UNIQ_ID_CA}.crt.info.txt"
|
|
||||||
|
|
||||||
# create certifiate chain
|
|
||||||
cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CA}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CA}.crts.pem"
|
|
||||||
}
|
|
||||||
#
|
|
||||||
# Generate a Server Certificate
|
|
||||||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
|
||||||
#
|
|
||||||
generate_server() {
|
|
||||||
echo_block "Generate Server Certificates (${UNIQ_ID})"
|
|
||||||
# params
|
|
||||||
UNIQ_ID=$1
|
|
||||||
UNIQ_ID_CA=$2
|
|
||||||
SERIAL=$3
|
|
||||||
|
|
||||||
openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
|
|
||||||
|
|
||||||
openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
|
|
||||||
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
|
|
||||||
-out "server_${UNIQ_ID}.csr.pem"
|
|
||||||
|
|
||||||
# CA Intermediate signs Server
|
|
||||||
openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
|
|
||||||
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
|
|
||||||
-in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
|
|
||||||
|
|
||||||
# Package the Certificates
|
|
||||||
openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
|
|
||||||
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
|
|
||||||
-in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
|
|
||||||
|
|
||||||
# verify certificate (output to text file for review)
|
|
||||||
openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt"
|
|
||||||
}
|
|
||||||
#
|
|
||||||
# Generate a Client Certificate
|
|
||||||
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
|
|
||||||
#
|
|
||||||
generate_client() {
|
|
||||||
echo_block "Generate Client Certificates (${UNIQ_ID})"
|
|
||||||
# params
|
|
||||||
UNIQ_ID=$1
|
|
||||||
UNIQ_ID_CA=$2
|
|
||||||
SERIAL=$3
|
|
||||||
|
|
||||||
openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
|
|
||||||
|
|
||||||
openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
|
|
||||||
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
|
|
||||||
-out "client_${UNIQ_ID}.csr.pem"
|
|
||||||
# CA Intermediate signs Client
|
|
||||||
openssl x509 -req -days 365 \
|
|
||||||
-CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
|
|
||||||
-in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
|
|
||||||
|
|
||||||
# Package the Certificates
|
|
||||||
openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
|
|
||||||
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CA}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
|
|
||||||
-in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
|
|
||||||
|
|
||||||
# verify certificate (output to text file for review)
|
|
||||||
openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# give some info if someone tries to execute this
|
|
||||||
echo_block "this script file has only helper functions"
|
|
||||||
|
|
||||||
|
|
@ -97,9 +97,9 @@ main() {
|
||||||
|
|
||||||
app_init
|
app_init
|
||||||
one-time-ca
|
one-time-ca
|
||||||
ca-i_gen_pki ${ORG_URL} 1001 2
|
ca-i_gen_pki $ORG_URL 1001 2
|
||||||
# gen_pki 50001 5
|
# ca-i_gen_pki $ORG_URL 2001 5
|
||||||
# gen_pki 80001 10
|
# ca-i_gen_pki $ORG_URL 3001 8
|
||||||
|
|
||||||
# make sure we return to root execution path
|
# make sure we return to root execution path
|
||||||
cd "${CD_ROOT}"
|
cd "${CD_ROOT}"
|
||||||
|
|
|
||||||
|
|
@ -1,232 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
#
|
|
||||||
# ACME PKI (Certificate) Bootstrap v1.3
|
|
||||||
#
|
|
||||||
# This script will generate all the files necessary to build a certificate chain of trust
|
|
||||||
# using a CA, CA Intermediate, Server, and Client certificates. After the bootstrap the other
|
|
||||||
# helper scripts will generate new client/server certificates
|
|
||||||
#
|
|
||||||
|
|
||||||
# source this file to include the functions
|
|
||||||
. libs/pki_funcs_old.sh
|
|
||||||
|
|
||||||
PARAM1=$1
|
|
||||||
|
|
||||||
usage() {
|
|
||||||
echo
|
|
||||||
echo "This application will generate all the files necessary to build a certificate chain of trust"
|
|
||||||
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
|
|
||||||
echo "pki lifecyle package"
|
|
||||||
echo " -put the .cnf config files into the ./cnf directory"
|
|
||||||
echo
|
|
||||||
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
|
|
||||||
echo
|
|
||||||
echo "Example: pki_bootstrap org.acme.xyz"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# CA generation requires .cnf files
|
|
||||||
# create CA directory
|
|
||||||
# create bash variables to CA
|
|
||||||
# restore script back to original path
|
|
||||||
#
|
|
||||||
app_init() {
|
|
||||||
if [[ -n $PARAM1 ]]; then
|
|
||||||
# need to know the location of the configuration file (expected to be in same dir path as this script)
|
|
||||||
CA_CNF="$CD_ROOT/cnf/ca.cnf"
|
|
||||||
|
|
||||||
# handle the case of having the ".cnf" extension or not
|
|
||||||
if [[ ${PARAM1: -4} == .cnf ]]; then
|
|
||||||
ORG_URL=${PARAM1%.*}
|
|
||||||
S_CNF=${PARAM1}
|
|
||||||
echo "ASDF: ${ORG_URL}, ${S_CNF}"
|
|
||||||
else
|
|
||||||
ORG_URL=$PARAM1
|
|
||||||
S_CNF="${PARAM1}.cnf"
|
|
||||||
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
FQ_S_CNF="${CD_ROOT}/cnf/${S_CNF}"
|
|
||||||
if [[ ! -f $FQ_S_CNF ]] || [[ ! -f $CA_CNF ]]; then
|
|
||||||
usage
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
usage
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# IN: UNIQ_ID_CA, SERIAL
|
|
||||||
#
|
|
||||||
one-time-ca() {
|
|
||||||
# params
|
|
||||||
#SERIAL="101"
|
|
||||||
|
|
||||||
get_serial
|
|
||||||
echo_block "SERIAL == ${SERIAL}"
|
|
||||||
# Organize
|
|
||||||
#
|
|
||||||
# create a unique path for the server certificate
|
|
||||||
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
|
|
||||||
UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
|
|
||||||
mkdir -p "${UNIQ_DIR_LC}"
|
|
||||||
cd "${UNIQ_DIR_LC}"
|
|
||||||
|
|
||||||
# create certificate
|
|
||||||
UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
|
|
||||||
CA_DIR="ca_${UNIQ_ID_CA}"
|
|
||||||
mkdir $CA_DIR
|
|
||||||
cd $CA_DIR
|
|
||||||
FQ_CA_DIR=`pwd`
|
|
||||||
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
|
|
||||||
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
|
|
||||||
generate_ca $UNIQ_ID_CA $SERIAL
|
|
||||||
cd ..
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Organize the files into logical folders based on serial #
|
|
||||||
#
|
|
||||||
organize() {
|
|
||||||
# organize the client directory
|
|
||||||
mkdir -p clients/ca-i
|
|
||||||
mkdir -p clients/data
|
|
||||||
mkdir -p clients/distro
|
|
||||||
mkdir -p clients/docs
|
|
||||||
mv client*.pem clients/data/
|
|
||||||
mv client*.p12 clients/distro/
|
|
||||||
mv client*.info.txt clients/docs/
|
|
||||||
cp ca_i*.crt.pem clients/ca-i/
|
|
||||||
cp ca_i*.keys.pem clients/ca-i/
|
|
||||||
|
|
||||||
# organize the server directory
|
|
||||||
mkdir -p servers/ca-i
|
|
||||||
mkdir -p servers/data
|
|
||||||
mkdir -p servers/distro
|
|
||||||
mkdir -p servers/docs
|
|
||||||
mv server_*.pem servers/data/
|
|
||||||
mv server_*.p12 servers/distro/
|
|
||||||
mv server_*.info.txt servers/docs/
|
|
||||||
cp ca_i*.crt.pem servers/ca-i/
|
|
||||||
cp ca_i*.keys.pem servers/ca-i/
|
|
||||||
|
|
||||||
# organize the ca-i directory
|
|
||||||
# order matters: move these files last because they were copied above
|
|
||||||
mkdir -p ca-i/data
|
|
||||||
mkdir -p ca-i/docs
|
|
||||||
mv ca_i*.pem ca-i/data/
|
|
||||||
mv ca_i*.info.txt ca-i/docs/
|
|
||||||
mv ca_i*.p12 ca-i/
|
|
||||||
mv ca_cert-chain*.pem ca-i/
|
|
||||||
cp $FQ_CA_DIR/ca_*.crt.pem ca-i/data/
|
|
||||||
cp $FQ_CA_DIR/ca_*.info.txt ca-i/docs/
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Copies all applcations to the Lifecycle package
|
|
||||||
#
|
|
||||||
# Requires:
|
|
||||||
# UNIQ_DIR_LC : unique string for the Lifecycle directory
|
|
||||||
# UNIQ_ID_CA-I : unique string for the CA-I
|
|
||||||
#
|
|
||||||
cp_pki_lifecycle() {
|
|
||||||
# CA-I
|
|
||||||
cp $CD_ROOT/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
|
|
||||||
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/
|
|
||||||
cp $CD_ROOT/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
|
|
||||||
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/
|
|
||||||
|
|
||||||
# client
|
|
||||||
cp $CD_ROOT/libs/gen_client.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
|
|
||||||
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
|
|
||||||
cp $CD_ROOT/docs/README_C $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/README
|
|
||||||
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/clients/
|
|
||||||
|
|
||||||
# server
|
|
||||||
cp $CD_ROOT/libs/gen_server.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
|
|
||||||
cp $CD_ROOT/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
|
|
||||||
cp $CD_ROOT/docs/README_S $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/README
|
|
||||||
cp $CD_ROOT/docs/SERIAL $CD_ROOT/$UNIQ_DIR_LC/distrobution/$UNIQ_DIR_CA/servers/
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Generate a PKI chain
|
|
||||||
# - the certificate chain is unique based on the serial #
|
|
||||||
# - generate a new CA I
|
|
||||||
# - generate two server certificates
|
|
||||||
# - generate two client certificates
|
|
||||||
#
|
|
||||||
# INPUT: BASE SERIAL #, LOOP NUM
|
|
||||||
#
|
|
||||||
gen_pki_certs() {
|
|
||||||
B_SERIAL=$1
|
|
||||||
NUM_CERTS=$(($2-1))
|
|
||||||
|
|
||||||
# Create CA Intermediate
|
|
||||||
UNIQ_ID_CAI="${B_SERIAL}.${ORG_URL}"
|
|
||||||
generate_ca_i $UNIQ_ID_CAI $B_SERIAL
|
|
||||||
|
|
||||||
# Server Certificates
|
|
||||||
for NUM in $(seq 0 $NUM_CERTS)
|
|
||||||
do
|
|
||||||
generate_server "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
|
|
||||||
done
|
|
||||||
|
|
||||||
# Client Certificates
|
|
||||||
for NUM in $(seq 0 $NUM_CERTS)
|
|
||||||
do
|
|
||||||
generate_client "$((B_SERIAL+NUM)).${ORG_URL}" $UNIQ_ID_CAI $((B_SERIAL+NUM))
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# INPUT: SERIAL #, LOOP NUM
|
|
||||||
#
|
|
||||||
gen_pki() {
|
|
||||||
# organization
|
|
||||||
CDD=`pwd`
|
|
||||||
|
|
||||||
SERIAL=$1
|
|
||||||
UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
|
|
||||||
mkdir -p "distrobution/${UNIQ_DIR_CA}"
|
|
||||||
cd "distrobution/${UNIQ_DIR_CA}"
|
|
||||||
|
|
||||||
# geneate certificates, organize the files
|
|
||||||
gen_pki_certs $SERIAL $2
|
|
||||||
organize
|
|
||||||
cp_pki_lifecycle
|
|
||||||
|
|
||||||
# return to last path
|
|
||||||
cd $CDD
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
main() {
|
|
||||||
CD_ROOT=`pwd`
|
|
||||||
LIB_PATH="${CD_ROOT}/libs"
|
|
||||||
|
|
||||||
app_init
|
|
||||||
one-time-ca
|
|
||||||
gen_pki 1001 2
|
|
||||||
# gen_pki 50001 5
|
|
||||||
# gen_pki 80001 10
|
|
||||||
|
|
||||||
# make sure we return to root execution path
|
|
||||||
cd "${CD_ROOT}"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
|
|
||||||
#
|
|
||||||
# main execution begins here (because all the functions have to be defined)
|
|
||||||
#
|
|
||||||
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
|
|
||||||
|
|
||||||
main
|
|
||||||
|
|
||||||
# ***** ***** ***** *****
|
|
||||||
#
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# ***** ***** ***** *****
|
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue