diff --git a/docs/ipsec_conf b/docs/ipsec_conf
new file mode 100644
index 0000000..04ed3d7
--- /dev/null
+++ b/docs/ipsec_conf
@@ -0,0 +1,63 @@ +# ipsec.conf - strongSwan IPsec configuration file + +config setup + # uniqueids=never + charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" + +ca acme + cacert=ca.crt.pem + auto=add + +# this is the default rekey time +# rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) authby=pubkey +# https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula +conn %default + # crypto settings + keyexchange=ikev2 + authby=pubkey + ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048! + esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp1024,aes256-sha256-modp1536! + # tunnel processing info + type=tunnel + fragmentation=yes + forceencaps=yes # force to encrypt UDP also + dpdaction=clear # dead-peer detection to clear any "dangling" connections + dpddelay=300s + rekey=no #TODO check this out + # ikelifetime=60m + # keylife=20m + # rekeymargin=3m + # keyingtries=1 + # + # tunneling config + # If left|rightcert is configured the identity has to be confirmed by the + # certificate, that is, it has to match the full subject DN or one of the + # subjectAltName extensions contained in the certificate + left=192.168.123.129 # attempting to bind to this specific IP + leftid=@s.acme.xyz # the client needs to be configured for the "server id" of this string + leftsubnet=0.0.0.0/0 # required or the right IP's aren't routing to each other... 
+ + +# standard user connection +conn mob-standard + # tunneling config + leftcert=server_s.acme.xyz_s.crt.pem + right=%any + rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz" + # virstual IP address pool + rightsourceip=10.10.10.0/24 + rightdns=192.168.123.129 + auto=add + + +# maintenance role connection that will have elevated priveledges +# this configuration can be used with a "maintenance tablet" to update a MOB Hub +conn mob-maintenance + # tunneling config + leftcert=server_s.acme.xyz_m.crt.pem + right=%any + rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz" + # virstual IP address pool + rightsourceip=10.10.11.0/24 + rightdns=192.168.123.129 + auto=add diff --git a/src/pki_bootstrap/pki_bootstrap.sh b/src/pki_bootstrap/pki_bootstrap.sh index 8edb368..9208eda 100755 --- a/src/pki_bootstrap/pki_bootstrap.sh +++ b/src/pki_bootstrap/pki_bootstrap.sh @@ -81,27 +81,29 @@ gen_lifecycle() { # create a unique path for the server certificate UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S` UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}" - mkdir -p "${UNIQ_DIR_LC}" - cd "${UNIQ_DIR_LC}" FQ_DIR_LC=`pwd` + FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}" # create CA unique dir UNIQ_ID_CA="${SERIAL}.${ORG_URL}" CA_DIR="ca_${UNIQ_ID_CA}" - mkdir $CA_DIR - cd $CA_DIR - FQ_CA_DIR=`pwd` - FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem" - FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem" + # cd $CA_DIR + # FQ_CA_DIR=`pwd` + # FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem" + # FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem" + + # mkdir -p "${UNIQ_DIR_LC}/${CA_DIR}" + mkdir -p "${UNIQ_DIR_LC}/ca" + cd "${UNIQ_DIR_LC}" # initialize the functions lib - pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf" + # pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf" # generate a new CA gen_ca $UNIQ_ID_CA $SERIAL # go back to original dir cd .. - cd .. + # cd .. } # 
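Review bot: The `esp=` proposal list in `conn %default` still carries `aes128-sha256-modp1024`, `aes128-sha1-modp1536`, `aes256-sha1-modp4096` and `aes256-sha256-modp1536`, and the trailing `!` only restricts negotiation to the listed set, so a peer that proposes one of the weaker groups or SHA-1 integrity gets it accepted even though the stronger GCM/ECP and modp2048+ entries are listed first. Since every client is provisioned by the same PKI tooling, trimming the list to the leading entries, e.g. `esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp2048!`, removes the downgrade path without breaking anything this repository ships. `rekey=no #TODO check this out` disables rekeying initiated by this side; if that is intentional the comment should say why, otherwise it is worth resolving before the file is used as a template.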
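Review bot: `cd "${UNIQ_DIR_LC}"` in gen_lifecycle is unchecked, so if the directory could not be created or entered, `gen_ca` writes the CA key and certificate into `ca/` relative to wherever the script currently is and the trailing `cd ..` then leaves it one level above its starting point; guard both steps with `mkdir -p "${UNIQ_DIR_LC}/ca" || exit 1` and `cd "${UNIQ_DIR_LC}" || exit 1`. The commented-out `pki_func_init` call and `FQ_CA_*` assignments are now dead text; deleting them rather than keeping them as comments keeps the function readable, and `FQ_DIR_LC` is computed but not read anywhere in this hunk, so a comment naming its consumer (or its removal) would help. The call `gen_ca $UNIQ_ID_CA $SERIAL` passes both values unquoted; `gen_ca "$UNIQ_ID_CA" "$SERIAL"` keeps the positional arguments stable.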
@@ -111,6 +113,7 @@ cp_lifecycle_docs() { RES="${CD_ROOT}/res" mkdir -p "${UNIQ_DIR_LC}/cfg" + echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/ cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README @@ -118,8 +121,8 @@ cp_lifecycle_docs() { cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/ cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ - cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem - cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem + cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem + cp $CD_ROOT/$UNIQ_DIR_LC/ca/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem } # @@ -133,6 +136,36 @@ gen_lc_ca_i() { # ca-i_gen_pki $ORG_URL 3001 8 } +# ***** ***** ***** ***** ***** +# +# CERTIFICATE AUTHORITY (CA) +# +# ***** ***** ***** ***** ***** +# This function will generate a CA Intermediate +# IN: UNIQ_ID_CA, SERIAL +# +gen_ca() { + UNIQ_ID_CA=$1 + SERIAL=$2 + + echo_block "Create CA (${UNIQ_ID_CA})" + + # encrypt the key + #openssl genrsa -aes256 -out ca.keys.pem 4096 + #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 + + # key un-protected + openssl genrsa -out "ca/ca_${UNIQ_ID_CA}.keys.pem" 4096 + # + # Create Certificate (valid for 10 years, after the entire chain of trust expires) + openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \ + -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \ + -key ca/ca_${UNIQ_ID_CA}.keys.pem -out ca/ca_${UNIQ_ID_CA}.crt.pem + + # verify certificate (output to text file for review) + openssl x509 -noout -text -in ca/ca_${UNIQ_ID_CA}.crt.pem > ca/ca_${UNIQ_ID_CA}_cert.info.txt +} + main() { CD_ROOT=`pwd` 
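Review bot: The added `echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA` leaves both the value and the destination path unquoted; `UNIQ_ID_CA` is built from `ORG_URL` and `CD_ROOT` comes from `pwd`, so whitespace or glob characters in either would be split or expanded before the redirect. `printf '%s\n' "$UNIQ_ID_CA" > "$CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA"` is the safe form and also avoids `echo` interpreting a leading `-`. The neighbouring `cp` lines in cp_lifecycle_docs have the same unquoted expansions and could be fixed in the same pass; the function starts outside the hunk.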
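Review bot: The two changed `cp` lines copy the root CA private key (`ca/ca_*.keys.pem`, which gen_ca writes unprotected) into `cfg/ca.keys.pem`, so the key now exists in two places inside the lifecycle directory, and because the source is a glob, more than one match would turn the final argument into a directory target and make `cp` fail. If the copy is required, follow it with `chmod 600 "$CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem"` and check the status, e.g. `cp ... || exit 1`, since `cp` does not tighten the mode and nothing in this function stops on error. A short comment stating which step consumes `cfg/ca.keys.pem` would let the next reader judge whether the duplicate is needed at all.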
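Review bot: The header comment on the moved `gen_ca` says `This function will generate a CA Intermediate`, but the body produces a self-signed root (`openssl req ... -x509 ... -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}"`); suggest `# This function will generate the self-signed root CA (key + certificate) under ca/`. The exit statuses of `openssl genrsa` and `openssl req` are not checked, so a failed key generation is followed by a `req` against a missing key and the caller still goes on to copy `ca/ca_*.keys.pem`; appending `|| return 1` to each openssl invocation (and checking `gen_ca` in gen_lifecycle) stops that chain. `$CD_ROOT/res/cnf/ca.cnf` and the `-key`/`-out` paths are unquoted while the `genrsa -out` argument just above is quoted; quoting them consistently avoids surprises if `CD_ROOT` contains spaces.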
diff --git a/src/pki_bootstrap/res/libs/gen_ca-i.sh b/src/pki_bootstrap/res/libs/gen_ca-i.sh index 132fa23..cd37826 100755 --- a/src/pki_bootstrap/res/libs/gen_ca-i.sh +++ b/src/pki_bootstrap/res/libs/gen_ca-i.sh @@ -32,7 +32,7 @@ usage() { main() { # uses global variables: $PARAM1 $PARAM2 $PARAM3 check_params - ca-i_gen_pki + ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3 } main diff --git a/src/pki_bootstrap/res/libs/pki_funcs.sh b/src/pki_bootstrap/res/libs/pki_funcs.sh index 701b83c..c9843ff 100644 --- a/src/pki_bootstrap/res/libs/pki_funcs.sh +++ b/src/pki_bootstrap/res/libs/pki_funcs.sh @@ -48,6 +48,9 @@ get_serial() { # # check the three parameters: $PARAM1, $PARAM2, $PARAM3 +# PARAM1 : ORG_URL +# PARAM2 : SERIAL +# PARAM3 : Num Certs # the parameters are expected to be global # check_params() { @@ -94,35 +97,6 @@ check_params() { fi } -# ***** ***** ***** ***** ***** -# -# CERTIFICATE AUTHORITY (CA) -# -# ***** ***** ***** ***** ***** -# This function will generate a CA Intermediate -# IN: UNIQ_ID_CA, SERIAL -# -gen_ca() { - UNIQ_ID_CA=$1 - SERIAL=$2 - - echo_block "Create CA (${UNIQ_ID_CA})" - - # encrypt the key - #openssl genrsa -aes256 -out ca.keys.pem 4096 - #openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 - - # key un-protected - openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096 - # - # Create Certificate (valid for 10 years, after the entire chain of trust expires) - openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \ - -subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \ - -key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem - - # verify certificate (output to text file for review) - openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt -} # # Create CA Intermediate PKI 
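Review bot: `ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3` in gen_ca-i.sh passes the three globals unquoted, so an empty `PARAM2` would shift `PARAM3` into the `SERIAL` slot that `ca-i_gen_pki` now reads positionally; `ca-i_gen_pki "$PARAM1" "$PARAM2" "$PARAM3"` keeps the positions stable even if `check_params` is later relaxed. The comment `# uses global variables: $PARAM1 $PARAM2 $PARAM3` above the call is now only half true since the callee takes arguments; `# PARAM1..3 are validated by check_params, then passed positionally` would keep it accurate.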
@@ -140,8 +114,9 @@ gen_ca() { # ca-i_gen_pki() { CDD=`pwd` - ORG_URL=$PARAM1 - NUM_CERTS=$(($PARAM3-1)) + ORG_URL=$1 + SERIAL=$2 + NUM_CERTS=$(($3-1)) # create unique directory UNIQ_ID="${SERIAL}.${ORG_URL}" @@ -207,7 +182,7 @@ ca-i_create_shell() { DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID}" - echo $UNIQ_ID > UNIQ_ID + echo $UNIQ_ID > UNIQ_ID_CA-I # client mkdir -p $DEST_DIR/clients/cfg @@ -220,10 +195,8 @@ ca-i_create_shell() { cp ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem cp ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem + cp cfg/UNIQ_ID_CA-I $DEST_DIR/clients/cfg/ cp UNIQ_ID $DEST_DIR/clients/cfg/ - # cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem - # cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem - # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem # server mkdir -p $DEST_DIR/servers/cfg 
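Review bot: In ca-i_create_shell the renamed write `echo $UNIQ_ID > UNIQ_ID_CA-I` goes to the current directory, while the new copies at @@ -220 and in the servers block at @@ -236 read `cfg/UNIQ_ID_CA-I`; unless a `cfg/UNIQ_ID_CA-I` is produced elsewhere, those `cp` calls fail, and the retained `cp UNIQ_ID $DEST_DIR/clients/cfg/` and `cp UNIQ_ID $DEST_DIR/servers/cfg/` now refer to a file this function no longer writes. Either change the write to `echo "$UNIQ_ID" > cfg/UNIQ_ID_CA-I` so it matches the reads, or copy from `./UNIQ_ID_CA-I`, and drop or rename the stale `UNIQ_ID` copies. The function starts and ends outside these hunks, so an earlier step creating `cfg/` or `UNIQ_ID` cannot be ruled out from here.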
@@ -236,27 +209,21 @@ ca-i_create_shell() { cp ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem cp ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem + cp cfg/UNIQ_ID_CA-I $DEST_DIR/servers/cfg/ cp UNIQ_ID $DEST_DIR/servers/cfg/ - # cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem - # cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem - # cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem # CA-I mkdir -p $DEST_DIR/ca-i/data mkdir -p $DEST_DIR/ca-i/docs mkdir -p $DEST_DIR/ca-i/distro cp $CDD/res/docs/README_CAI $DEST_DIR/README - cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/ - cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/ + cp $CDD/ca/ca_*.crt.pem $DEST_DIR/ca-i/data/ + cp $CDD/ca/ca_*.info.txt $DEST_DIR/ca-i/docs/ # generated files mv ca_i*.pem $DEST_DIR/ca-i/data/ mv ca_i*.info.txt $DEST_DIR/ca-i/docs/ mv ca_i*.p12 $DEST_DIR/ca-i/distro mv ca_cert-chain*.pem $DEST_DIR/ca-i/distro - # mv $DEST_DIR/ca_i*.pem $DEST_DIR/ca-i/data/ - # mv $DEST_DIR/ca_i*.info.txt $DEST_DIR/ca-i/docs/ - # mv $DEST_DIR/ca_i*.p12 $DEST_DIR/ca-i/distro - # mv $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/ca-i/distro } # This function will generate a CA Intermediate @@ -300,12 +267,13 @@ ca-i_gen_cert() { cat cfg/ca.crt.pem "${DEST_DIR}/ca_i_${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem" } -get_org_url() { - ORG_URL=`head cfg/UNIQ_ID` - if [[ -z $ORG_URL ]]; then - echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA" - exit 1 - fi +get_uniq_ids() { + UNIQ_ID_CA=`head cfg/UNIQ_ID_CA` + UNIQ_ID_CA-I=`head cfg/UNIQ_ID_CA-I` + # if [[ -z $ORG_URL ]]; then + # echo_block "WARN: no file 'UNIQ_ID' found, using default 11111 as the serial # for CA" + # exit 1 + # fi } gen_client() { 
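Review bot: `UNIQ_ID_CA-I=`head cfg/UNIQ_ID_CA-I`` in get_uniq_ids is not an assignment: a hyphen is not valid in a shell variable name, so bash treats the whole token as a command name, reports `command not found`, and the value is lost; rename the variable to `UNIQ_ID_CA_I` (the file name can keep the hyphen). The emptiness check the old get_org_url had is commented out, so a missing or empty `cfg/UNIQ_ID_CA` or `cfg/UNIQ_ID_CA-I` now silently yields empty IDs for gen_client_cert; restoring the check for both files keeps the failure visible. The rewritten function is below; `head -n 1` reads only the single line these files are written with.
```shell
get_uniq_ids() {
  UNIQ_ID_CA=$(head -n 1 cfg/UNIQ_ID_CA)
  UNIQ_ID_CA_I=$(head -n 1 cfg/UNIQ_ID_CA-I)
  if [[ -z $UNIQ_ID_CA || -z $UNIQ_ID_CA_I ]]; then
    echo_block "ERROR: cfg/UNIQ_ID_CA or cfg/UNIQ_ID_CA-I is missing or empty"
    exit 1
  fi
}
```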
@@ -321,28 +289,30 @@ gen_client_cert() { ORG_URL=$1 SERIAL=$2 - UNIQ_ID="${SERIAL}.${ORG_URL}" + get_uniq_ids + + UNIQ_ID="${SERIAL}_${ORG_URL}" CERT_CHAIN="cfg/ca_cert-chain.crts.pem" echo_block "Generate Client Certificates (${UNIQ_ID})" - openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096 + openssl genrsa -out "data/client-${UNIQ_ID}.keys.pem" 4096 - openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \ - -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \ - -out "data/client_${UNIQ_ID}.csr.pem" + openssl req -new -key "data/client-${UNIQ_ID}.keys.pem" \ + -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client-${UNIQ_ID}" \ + -out "data/client-${UNIQ_ID}.csr.pem" # CA Intermediate signs Client openssl x509 -req -days 365 \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ - -in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem" + -in "data/client-${UNIQ_ID}.csr.pem" -out "data/client-${UNIQ_ID}.crt.pem" # Package the Certificates - openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \ - -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \ - -in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12" + openssl pkcs12 -export -password "pass:password" -inkey "data/client-${UNIQ_ID}.keys.pem" \ + -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client-${UNIQ_ID}@acme.xyz" \ + -in "data/client-${UNIQ_ID}.crt.pem" -out "distro/client-${UNIQ_ID}.p12" # verify certificate (output to text file for review) - openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt" + openssl x509 -noout -text -in "data/client-${UNIQ_ID}.crt.pem" > "docs/client-${UNIQ_ID}.info.txt" } #
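Review bot: The rewritten `openssl pkcs12 -export -password "pass:password" ...` line still bakes the export password into the script and passes it on the command line, where it is visible to every process on the host through the argument list, and the resulting `.p12` holds the client's private key. Take it from the environment or a file instead, e.g. `-passout env:CLIENT_P12_PASS` (constructed variable name), and document in the function header that the caller must provide it. Separately, `UNIQ_ID="${SERIAL}_${ORG_URL}"` here now differs from the `${SERIAL}.${ORG_URL}` form used in ca-i_gen_pki, and `get_uniq_ids` is called but neither `UNIQ_ID_CA` value is read in this hunk; a comment explaining why the client ID uses `_` and what the IDs are loaded for would help. gen_client_cert starts outside the hunk.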