Compare commits


No commits in common. "a" and "ver3.2" have entirely different histories.
a ... ver3.2

22 changed files with 367 additions and 929 deletions

.gitignore vendored
View File

@ -1,9 +1,12 @@
#
pki-lifecycle_*
# Project specific files # Project specific files
sftp-config.json sftp-config.json
.DS_Store .DS_Store
**/var/ **/var/
**/cert_gen/acme.xyz_fl/ **/cert_gen/acme.xyz_fl/
pki-lifecycle_*
# Byte-compiled / optimized / DLL files # Byte-compiled / optimized / DLL files
__pycache__/ __pycache__/
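Review bot: the `pki-lifecycle_*` pattern is the right safeguard here, since README_LC in this compare states the lifecycle package holds the root CA (`ca.keys.pem`) and must not leave the generation system, but an ignore rule only prevents accidental `git add`; verify with `git status --ignored` (or `git check-ignore -v <path>`) after generating a package that the directory is actually matched, and consider whether the `distribution/` output inside it needs a separate rule of its own.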

README
View File

@ -31,17 +31,13 @@ There are two main applications contained in this project.
VERSIONS VERSIONS
--------------------- ---------------------
ver 3.3 - MOB Hub CA-I Package Ver 3.2 - MOB Hub PKI Lifecycle
* updated applications to be more modular
* each CA-I package has
ver 3.2 - MOB Hub PKI Lifecycle
* PKI Lifecycle * PKI Lifecycle
- generate certificates during the CA's lifecycle - generate certificates during the CA's lifecycle
ver 3.1 - MOB Hub PKI Bootstrap Ver 3.1 - MOB Hub PKI Bootstrap
* PKI Bootstrap * PKI Bootstrap
- generate an entire chain-of-trust - generate an entire chain-of-trust
ver 3.0 - CA Intermediate Support Ver 3.0 - CA Intermediate Support
* requires openssl (does not require ipsec) * requires openssl (does not require ipsec)
* CA Intermediate support * CA Intermediate support
-root CA can be generated with 5-10yr expiration, put into cold-storage -root CA can be generated with 5-10yr expiration, put into cold-storage
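Review bot: the ver 3.3 entry is cut off at `* each CA-I package has`; complete the bullet (what each package contains) or drop it, so the VERSIONS list does not ship with a half sentence above the ver 3.2 entry.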

View File

@ -1,52 +0,0 @@
[[[ StrongSwan Code Command & Control ]]]
[[ Networking ]]
# VPN UDP service (StrongSwan ipsec)
$ nc -zuv 192.168.123.129 500
$ nc -zuv 192.168.123.129 4500
# view all network services
$ netstat -pntul
# openconnect VPN client (only works for https, cisco style VPN (not IKEv2) )
$ openconnect -v -c clients/porkypig\@acme.xyz_2018-04-23.21_48_11/porkypig\@acme.xyz.p12 192.168.123.129:500
[[ Service ]]
$ sudo ipsec statusall | start | stop
[[ Android ]]
# install certificates
Settings -> Security -> Credential Storage -> Install from SD
"ca.crt.pem", "client_s.p12"
# alias the multi-connections
alias adb1='adb -s 192.168.123.131'
alias adb2='adb -s 192.168.123.132'
# connect to android IP
$ adb connect 192.168.123.131
$ adb connect 192.168.123.132
# execute commands to the connected android
$ adb -s 192.168.123.132 push client_s.p12 /data/media/0/Download/
$ adb -s 192.168.123.131 shell
# restarting adb as root
$ adb -s 192.168.123.132 root
$ adb -s 192.168.123.132 shell
# push the .p12 file to the Downloads folder of the user storage
$ adb push client_s.p12 /data/media/0/Download/
$ adb push ca_i.crt.pem /data/media/0/Download/
# using the alias, push the apk, then install
$ adb2 push strongSwan-1.9.6.apk /data/local/tmp/ss.apk
$ adb2 shell pm install "/data/local/tmp/ss.apk"
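Review bot: removing this scratch file is the right call; its own comment says openconnect only speaks the HTTPS/Cisco-style protocol, not IKEv2, so the `openconnect ... 192.168.123.129:500` line below it could never have worked against the strongSwan host, and the file hard-codes lab IPs and a user's client `.p12` path that do not belong in the repository.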

View File

@ -1,23 +0,0 @@
[[ modify elphdt ]]
From what I am seeing it appears as though the directory “/certs” is mounted from the NAS. I will need to add the new certificates to the NAS and they will be accessed from the “/certs” directory.
I will generate a new certificate chain with the PKI Bootstrap applicaiton. I will copy the new “CA Intermediate package” to this location:
/certs/cai/09-2018/
It will contain the CA Intermediates and the server certificates.
Looking at elphdt, there is a file .gitlab-ci.yml: this file contains the “CI/CD configuration”. In the file the there are two global variables that are significant:
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
I will modify these variables to point to the new locations (this can be done for each build type):
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
This solution will work fine for now. And in the future we can worry about generating a new server certificate for each MOB Hub.
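Review bot: the two values under "I will modify these variables to point to the new locations" repeat the original `GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX` and `GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER` lines verbatim, so the intended `/certs/cai/09-2018/` locations were never recorded; if this note survives elsewhere rather than being deleted, fix the values and drop the stray trailing `'` on each line.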

View File

@ -1,63 +0,0 @@
# ipsec.conf - strongSwan IPsec configuration file
config setup
# uniqueids=never
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
ca acme
cacert=ca.crt.pem
auto=add
# this is the default rekey time
# rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) authby=pubkey
# https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula
conn %default
# crypto settings
keyexchange=ikev2
authby=pubkey
ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp1024,aes256-sha256-modp1536!
# tunnel processing info
type=tunnel
fragmentation=yes
forceencaps=yes # force to encrypt UDP also
dpdaction=clear # dead-peer detection to clear any "dangling" connections
dpddelay=300s
rekey=no #TODO check this out
# ikelifetime=60m
# keylife=20m
# rekeymargin=3m
# keyingtries=1
#
# tunneling config
# If left|rightcert is configured the identity has to be confirmed by the
# certificate, that is, it has to match the full subject DN or one of the
# subjectAltName extensions contained in the certificate
left=192.168.123.129 # attempting to bind to this specific IP
leftid=@s.acme.xyz # the client needs to be configured for the "server id" of this string
leftsubnet=0.0.0.0/0 # required or the right IP's aren't routing to each other...
# standard user connection
conn mob-standard
# tunneling config
leftcert=server_s.acme.xyz_s.crt.pem
right=%any
rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
# virstual IP address pool
rightsourceip=10.10.10.0/24
rightdns=192.168.123.129
auto=add
# maintenance role connection that will have elevated priveledges
# this configuration can be used with a "maintenance tablet" to update a MOB Hub
conn mob-maintenance
# tunneling config
leftcert=server_s.acme.xyz_m.crt.pem
right=%any
rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
# virstual IP address pool
rightsourceip=10.10.11.0/24
rightdns=192.168.123.129
auto=add
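Review bot: should this config be reinstated elsewhere, prune the `esp=` proposal list first: `aes256-sha1-modp4096`, `aes128-sha1-modp1536` and `aes128-sha256-modp1024` admit SHA-1 integrity and a 1024-bit DH group that the `ike=` line itself does not offer, so the weakest PFS group is only reachable through the child SA. Also resolve `rekey=no #TODO check this out` (with it set, charon never initiates rekeying and relies on the peer to do so) and keep `charondebug` at level 2 for every subsystem out of a shipped config, since it logs at high volume.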

View File

@ -3,84 +3,40 @@
[[ WORKING ]] [[ WORKING ]]
* .p12 file using on strongswan (works, kind of) * PKI Bootstrap: cp lifecycle functions
* PKI Bootstrap slide deck
-request a meeting to go over the PKI and show the slide deck
* research gitlab CI
-install gitlab in docker
-configure CI
-try to have it run pki bootstrap??
[[ BACKLOG ]] [[ BACKLOG ]]
[ current ] [ current ]
* create a ("CA-I package") zip file for distribution (folder: ca_i_4321.skunkworks.acme.xyz.zip) * auto-increment SERIAL
* add CA password?? * create certificate installation guide
* create Andriod certificate installation guide
-copy file to sd, select .p12 file, password="password" -copy file to sd, select .p12 file, password="password"
* remove client .p12 password (have no password)
[ misc ]
* can I install certificates from an android application?? * can I install certificates from an android application??
-can I used knox to install certificates?? -can I used knox to install certificates??
* create GUI for cert gen process (electron+crypto-interface) * create GUI for cert gen process (electron+crypto-interface)
* add tool for .p12 file extractor for MH provisioning * add tool for .p12 file extractor for MH provisioning
* add havegd (make sure there is adequite entropy)
[ ver 3.5 : xdev bootstrap chain-of-trust ] [ ver 1.4 ]
* select bootstrap generation computer (beaglebone, raspi) * create new "certificate bootstrap" with .cfg parameters for CA ".mil" strings
-create PKI Lifecycle package for "navy.mil" * create new CA generation script that also reads .cfg
-sneakernet two CA-I
* create a "navy-prod" branch
-change strings from "acme.xyz" to ".mil"
-make any other sensitive specific changes
* create a "navy-dev" branch
* create a "navy-int" branch (integration branch, similar to a beta branch)
* integrate into the build
-modify CI global variables (for each build)
-certs are generated BEFORE pulled into image (not part of build process)
-modify cert gen on NAS (looks for files in mount dir)
[ ver 3.6 ]
[[ COMPLETED ]]
[ ver 3.4 ]
* testing multiple CA-I compatibility
-"103.cai.skunkworks.acme.xyz" -worked
-"104.cai.skunkworks.acme.xyz" -worked
* test "104.cai.skunkworks.acme.xyz"
-load client certificate onto different tablet -worked
[ ver 3.3 ]
* SERIOUS refactoring to focus on local execution with default configs and SERIAL # incrementation
* configuration defaults generated so that the CA-I package is all automated
* gen_client.sh modified run with config defaults
* gen_server.sh modified to run with config defaults
* gen_client.sh will generate # of certs
* gen_server.sh will generate # of certs
* auto-increment SERIAL
* CA FQDN saved to config file
* CA-I FQDN saved to config file
* added certificate generation count to PKI Bootstrap application
* added certificate generation count to cai_gen application
[ ver 3.2 ]
* create new CA-I generation script that uses a CA * create new CA-I generation script that uses a CA
-also packages .p12 for distrobution (use random high quality password) -also packages .p12 for distrobution (use random high quality password)
* added resources directory
* added files to be copied during CA-I package creation
[ bootstrap cert chain-of-trust ]
* select bootstrap generation cpu (beaglebone, raspi)
* change strings from "acme.xyz" to ".mil"
* generate bootstrap
-sneakernet two CA-I
[ ver 1.5 ]
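Review bot: the backlog items `* remove client .p12 password (have no password)` and the install note `password="password"` contradict the completed ver 3.2 item `-also packages .p12 for distrobution (use random high quality password)`; a `.p12` with no or a fixed password leaves the client private key protected only by possession of the file, so settle on one policy and record it here rather than carrying both.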
@ -97,6 +53,7 @@ PKI Lifecycle Package
[[ COMPLETED ]]

View File

@ -1,28 +0,0 @@
j3g@ubuntu-16:~$ sudo ipsec statusall
[sudo] password for j3g:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-116-generic, x86_64):
uptime: 9 hours, since Sep 11 14:12:51 2018
malloc: sbrk 1486848, mmap 0, used 370000, free 1116848
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.10.10.0/30: 2/0/0
10.10.11.0/30: 2/0/0
Listening IP addresses:
192.168.123.129
Connections:
standard: 192.168.123.129...%any IKEv2, dpddelay=300s
standard: local: [s.acme.xyz] uses public key authentication
standard: cert: "C=OO, O=ACME, OU=ACME Standard, CN=s.acme.xyz"
standard: remote: uses public key authentication
standard: ca: "C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
standard: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
maintenance: 192.168.123.129...%any IKEv2, dpddelay=300s
maintenance: local: [s.acme.xyz] uses public key authentication
maintenance: cert: "C=OO, O=ACME, OU=ACME Maintenance, CN=s.acme.xyz"
maintenance: remote: uses public key authentication
maintenance: ca: "C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
maintenance: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
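Review bot: this capture no longer matches the ipsec.conf deleted in the same compare (pools reported as `10.10.10.0/30` and `10.10.11.0/30` where the config declares `/24`, connection names `standard`/`maintenance` instead of `mob-standard`/`mob-maintenance`, and a server cert CN of `s.acme.xyz` rather than the `leftcert` files named there), so it documents an earlier configuration; deleting it is fine, and any future status capture should be taken against the committed config.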

View File

@ -1,180 +1,24 @@
===============================================
=============================================== Certificate Authority (CA) Generation
Certificate Authority (CA) Generation CA Intermediate Generation and Distribution
CA Intermediate Generation and Distribution Version 3.x
Version 3.x ===============================================
===============================================
------------- -------------
INTRO INTRO
------------- -------------
The PKI Bootstrap application will generate a new "PKI Lifecycle" package. The PKI Lifecycle
package holds a new Certificate Authority (CA) and a complete certificate chain-of-trust. The
PKI Lifecycle package has a life of 5-10 years. Each package has embedded programs to generate new
certificate authority intermediate (CA I), client, and server certificates.
------------- -------------
USAGE USAGE
------------- -------------
This application will generate all the files necessary to build a certificate chain of trust
using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a
PKI Lifecycle package
-put the .cnf config files into the ./cnf directory
Usage: pki_bootstrap <.cnf file (minus the .cnf)>
Example: pki_bootstrap org.acme.xyz
[ .cnf files ]
.cnf file is required for the domain name. The .cnf file is found in the ./res/cnf directory
└── res
├── cnf
│   ├── 192.168.1.3.cnf
│   ├── ca.cnf
│   ├── skunkworks.acme.xyz.cnf
│   └── vpn.backchannel.es.cnf
----------------------- -------------
APPLICATION DESIGN FEATURES
----------------------- -------------
The ./res directory contains all the resources for the application. The resources include:
readme files, configuration files, and application files.
The PKI Bootstrap application directory structure is the following:
├── README
├── pki_bootstrap.sh
└── res
├── cfg
│   └── SERIAL
├── cnf
│   ├── 192.168.1.3.cnf
│   ├── ca.cnf
│   ├── skunkworks.acme.xyz.cnf
│   └── vpn.backchannel.es.cnf
├── docs
│   ├── README_C
│   ├── README_CAI
│   ├── README_LC
│   ├── README_S
│   ├── SERIAL
│   └── SERIAL_LC
└── libs
├── gen_ca-i.sh
├── gen_client.sh
├── gen_server.sh
└── pki_funcs.sh
-------------------------
PKI Lifecycle Package
-------------------------
The PKI Lifecycle packagee is a complete certificate chain of trust with a root self-signed
certificate. The package contains all the configuration and data inforomation to generate
Certificate Authority Intermediate packages.
The PKI Lifecycle packge is NOT to be removed from the generation system. It should be
protected as it contains the root CA. The package contains the root CA, configuration files,
and the a copy of the resources directory.
The PKI Lifecycle package structure is the following:
├── README
├── ca
│   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   ├── 101.ca.skunkworks.acme.xyz.keys.pem
│   └── 101.ca.skunkworks.acme.xyz_cert.info.txt
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca.cnf
│   ├── ca.crt.pem
│   ├── ca.keys.pem
│   ├── pki_funcs.sh
│   └── skunkworks.acme.xyz.cnf
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
├── gen_ca-i.sh
└── res
├── cfg
├── cnf
├── docs
└── libs
----------------
CA-I Package
----------------
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the packages
is a client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh
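Review bot: the README's `Usage: pki_bootstrap <.cnf file (minus the .cnf)>` omits the optional `[# of CA-I to generate]` argument that the script's own usage() prints in this compare, and the USAGE section says `./cnf` in one line and `./res/cnf` two lines later; keep the README, the usage() text and the path consistent. Spelling in the hunk: `packagee`, `inforomation`, `packge`, `certifate`.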

View File

@ -11,20 +11,17 @@
. res/libs/pki_funcs.sh . res/libs/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2
usage() { usage() {
echo echo
echo "This application will generate all the files necessary to build a certificate chain of trust" echo "This application will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a" echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
echo "PKI Lifecycle package. A .cnf file is required for the domain. The domain url should match" echo "pki lifecyle package"
echo "the .cnf file name. Put the .cnf config file into the .res/cnf/ directory" echo " -put the .cnf config files into the ./cnf directory"
echo echo
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]" echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
echo echo
echo "Example: pki_bootstrap org.acme.xyz" echo "Example: pki_bootstrap org.acme.xyz"
echo " pki_bootstrap org.acme.xyz 5"
echo
exit 1 exit 1
} }
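Review bot: `.res/cnf/` in the usage text should read `./res/cnf/`, the path app_init actually resolves (`FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"`); also `lifecyle` on the right-hand side.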
@ -32,18 +29,18 @@ usage() {
# Grab the latest serial # from the file, auto-increment # Grab the latest serial # from the file, auto-increment
# #
get_serial_ca() { get_serial_ca() {
SERIAL=`head res/cfg/SERIAL` SERIAL=`head "res/cfg/SERIAL"`
if [[ -z $SERIAL ]]; then if [[ -z $SERIAL ]]; then
SERIAL=11111 SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > res/cfg/SERIAL
fi fi
} }
# #
# CA generation requires .cnf files # CA generation requires .cnf files
# create CA directory
# create bash variables to CA
# restore script back to original path
# #
app_init() { app_init() {
if [[ -n $PARAM1 ]]; then if [[ -n $PARAM1 ]]; then
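Review bot: get_serial_ca increments whatever `head res/cfg/SERIAL` returns without checking that it is a single integer; `head` without `-n 1` returns up to ten lines, a malformed value makes `$((SERIAL+1))` fail so `PLUS1` stays empty, and `echo $PLUS1 > res/cfg/SERIAL` then truncates the serial file. Use `head -n 1`, guard with `[[ $SERIAL =~ ^[0-9]+$ ]]` before incrementing, and note the fallback `11111` differs from the `101` shipped in the SERIAL file elsewhere in this compare.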
@ -54,9 +51,11 @@ app_init() {
if [[ ${PARAM1: -4} == .cnf ]]; then if [[ ${PARAM1: -4} == .cnf ]]; then
ORG_URL=${PARAM1%.*} ORG_URL=${PARAM1%.*}
S_CNF=${PARAM1} S_CNF=${PARAM1}
echo "ASDF: ${ORG_URL}, ${S_CNF}"
else else
ORG_URL=$PARAM1 ORG_URL=$PARAM1
S_CNF="${PARAM1}.cnf" S_CNF="${PARAM1}.cnf"
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi fi
FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}" FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"
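Review bot: `echo "ASDF: ${ORG_URL}, ${S_CNF}"` and `echo "ZXCV: ${ORG_URL}, ${S_CNF}"` are leftover debug prints in app_init; remove them or put them behind a verbose flag before merge.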
@ -74,95 +73,64 @@ app_init() {
# #
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
mk_lifecycle_pkg() { gen_lifecycle() {
get_serial_ca get_serial_ca
echo_block "SERIAL == ${SERIAL}"
# Organize # Organize
# #
# create a unique path for the server certificate # create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S` UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}" UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
mkdir -p "${UNIQ_DIR_LC}"
cd "${UNIQ_DIR_LC}"
FQ_DIR_LC=`pwd` FQ_DIR_LC=`pwd`
FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}"
# create CA unique dir # create CA unique dir
UNIQ_ID_CA="${SERIAL}.ca.${ORG_URL}" UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
mkdir -p "${UNIQ_DIR_LC}/ca" CA_DIR="ca_${UNIQ_ID_CA}"
cd "${UNIQ_DIR_LC}" mkdir $CA_DIR
cd $CA_DIR
FQ_CA_DIR=`pwd`
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
# initialize the functions lib
pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
# generate a new CA # generate a new CA
gen_ca $UNIQ_ID_CA $SERIAL gen_ca $UNIQ_ID_CA $SERIAL
# go back to original dir # go back to original dir
cd .. cd ..
cd ..
} }
# #
# #
# #
cp_lifecycle_docs() { cp_lifecycle_docs() {
# resource files to be copied to the PKI Lifecycle Package
RES="${CD_ROOT}/res" RES="${CD_ROOT}/res"
mkdir -p "${UNIQ_DIR_LC}/cfg"
echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $RES/cnf/$ORG_URL.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $RES/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
# CA certs mkdir -p "${UNIQ_DIR_LC}/cfg"
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
} }
# #
# Generate Lifecycle CA Intermediates # Generate Lifecycle CA Intermediates
# #
gen_lc_cai() { gen_lc_ca_i() {
cd $FQ_DIR_LC cd $FQ_DIR_LC
# generate new CA-I
if [[ -n $PARAM2 ]]; then ca-i_gen_pki $ORG_URL 1001 2
COUNT=$(($PARAM2-1)) # ca-i_gen_pki $ORG_URL 2001 5
else # ca-i_gen_pki $ORG_URL 3001 8
COUNT=1
fi
for NUM in $(seq 0 $COUNT)
do
ca-i_gen_pki $ORG_URL 5
done
}
# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
#
# ***** ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
gen_ca() {
UNIQ_ID_CA=$1
SERIAL=$2
echo_block "Create CA (${UNIQ_ID_CA})"
# encrypt the key
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca/${UNIQ_ID_CA}.keys.pem -out ca/${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca/${UNIQ_ID_CA}.crt.pem > ca/${UNIQ_ID_CA}_cert.info.txt
} }
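Review bot: gen_ca writes the root CA private key unencrypted (`openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096`, with the `-aes256` variant commented out), although README_LC in this compare says the lifecycle package must be protected precisely because it contains the root CA; enable the encrypted form and prompt for the passphrase instead of hard-coding `pass:password`. The commented line would also need `-passout`, the option `genrsa` accepts, rather than `-password`. The comment above gen_ca (`This function will generate a CA Intermediate`) is stale: it generates the self-signed root.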
@ -172,11 +140,11 @@ main() {
# generate new CA # generate new CA
# create new PKI Lifecycle Package # create new PKI Lifecycle Package
app_init app_init
mk_lifecycle_pkg gen_lifecycle
cp_lifecycle_docs cp_lifecycle_docs
# gen some CAs # gen some CAs
gen_lc_cai gen_lc_ca_i
# make sure we return to root execution path # make sure we return to root execution path
cd "${CD_ROOT}" cd "${CD_ROOT}"

View File

@ -1 +1 @@
101 101

View File

@ -8,49 +8,15 @@
------------- -------------
INTRO INTRO
------------- -------------
This application will generate new client certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new client certificates. The certificates can be used with any
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
------------- -------------
USAGE USAGE
------------- -------------
Generate a new client certificate
usage: gen_client.sh <# to generate> ./ gen_client.sh
example: gen_client.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
└── gen_client.sh
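Review bot: the paragraph refers to `./client/cfg` while the tree and the neighbouring sentences use `./clients/...`; fix the path and `configuation`.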

View File

@ -1,123 +1,21 @@
=================== ============================
CA Intermediate CA Intermediate README
Version 3.1 Version 3.1
=================== ============================
------------- -------------
INTRO INTRO
------------- -------------
This application will generate new Certificate Authority Intermediate packages to be distributed This application will generate new client certificates. The certificates can be used with any
to organizations for external usage. VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the package
is client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
------------- -------------
USAGE USAGE
------------- -------------
Generate a new CA Intermediate certificate
This program will generate a new certificate authority (CA) intermediate
It requires a CA certificate to sign a CA Intermediate
Requires the file "ca.pem" that is used to sign the certificates
usage: gen_ca-i.sh <Org URL> [# of client/server certs]
example: gen_ca-i.sh skunkworks.acme.xyz \
10 (optional) \
-----------------------
APPLICATION DESIGN
-----------------------
The CA-I package contains all the files needed to generate certificates. The ./ca-i directory
contains the certificate authority files. The ./ca-i/data directory contains all the raw ca
files. The ./ca-i/distro directory contains the files to be distributed and installed on clients.
The .p12 files contins the CA certificate, and client certificates. The ./ca-i/docs directory
contains certificate information in plain text format.
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
----------------
CA-I Package
----------------
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh
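Review bot: the right-hand INTRO (`This application will generate new client certificates...`) is the README_C text and describes the wrong tool for a CA Intermediate README; restore the CA-I description from the left. The USAGE line `Requires the file "ca.pem"` also disagrees with gen_ca-i.sh in this compare, which checks for `cfg/ca.crt.pem` and `cfg/ca.keys.pem`; and `./client/cfg` / `./server/cfg` should be `./clients/cfg` / `./servers/cfg` as in the tree (`certifate`, `contins`, `configuation` as well).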

View File

@ -8,49 +8,14 @@
------------- -------------
INTRO INTRO
------------- -------------
This application will generate new server certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new server certificates to be used with a VPN service.
------------- -------------
USAGE USAGE
------------- -------------
Generate a new server certificate
usage: gen_server.sh <# to generate> ./ gen_server.sh
example: gen_server.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
└── gen_server.sh
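Review bot: `./server/cfg` should be `./servers/cfg` to match the tree and the rest of the paragraph; also `configuation`.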

View File

@ -1 +0,0 @@
5001

View File

@ -3,12 +3,17 @@
# Create CA Intermediate # Create CA Intermediate
# #
# #
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
# source this file to include the functions # source this file to include the functions
. cfg/pki_funcs.sh . cfg/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2 PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
@ -18,44 +23,39 @@ usage() {
echo "It requires a CA certificate used to sign CA Intermediate" echo "It requires a CA certificate used to sign CA Intermediate"
echo "Requires the file \"ca.pem\" that is used to sign the certificates" echo "Requires the file \"ca.pem\" that is used to sign the certificates"
echo echo
echo " usage: gen_ca-i.sh <Org URL> [# of client/server certs]" echo " usage: gen_ca-i.sh <Org URL> <Serial>"
echo echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz \\" echo " example: gen_ca-i.sh skunkworks.acme.xyz"
echo " 10 (optional)" echo " 10052"
echo echo
exit 1 exit 1
} }
check_params() { error_no_ca_file() {
# the parameter must be the URL (not the filename, .cnf) echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
if [[ -n $PARAM1 ]]; then usage
if [[ ${PARAM1: -4} == .cnf ]]; then }
if [[ ! -f "cfg/${PARAM1}" ]]; then
echo_block "ERROR: file cfg/${PARAM1} is missing"
usage main() {
else CDD=`pwd`
PARAM1=${PARAM1%.*} FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem"
fi FQ_CA_CRT="${CDD}/cfg/ca.crt.pem"
else if [[ ! -f $FQ_CA_KEYS ]] || [[ ! -f $FQ_CA_CRT ]]; then
if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then error_no_ca_file
echo_block "ERROR: file cfg/${PARAM1}.cnf is missing" fi
usage
fi if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"
if [[ -z $PARAM3 ]]; then
PARAM3=5
fi fi
ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
else else
usage usage
fi fi
if [[ -z $PARAM2 ]]; then
PARAM2=5
fi
}
main() {
# uses global variables: $PARAM1 $PARAM2 $PARAM3
check_cai_pkg
check_params
ca-i_gen_pki $PARAM1 $PARAM2
} }
main main
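Review bot: main() consumes an undocumented third argument: `PARAM3=$3` is defaulted to 5 and passed as `ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3` (the number of client/server certificates), but usage() only advertises `gen_ca-i.sh <Org URL> <Serial>` and the example prints `10052` on its own line; add `[# of client/server certs]` to the usage text. The rewritten main() also drops check_params' test that `cfg/${PARAM1}.cnf` exists, even though ca-i_create_shell copies `${CDD}/cfg/${ORG_URL}.cnf` into both packages and gen_server signs with it, and it never checks that PARAM2 is numeric although it is later used in `$((SERIAL_O+NUM))`; a bad value fails there, after the CA-I key and certificate have already been written. Validate both before calling pki_func_init.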

View File

@ -3,34 +3,54 @@
# Create Client Certificates # Create Client Certificates
# #
# #
# This function will generate a Client cert
# IN: UNIQ_ID, SERIAL
#
# source this file to include the functions # source this file to include the functions
. cfg/pki_funcs.sh . cfg/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
echo "Generate a new client certificate" echo "Generate a new Client certificate"
echo echo
echo " usage: gen_client.sh <# to generate>"
echo echo
echo " example: gen_client.sh 2" echo "Generate a new certificate"
echo " usage: gen_client.sh <Org URL> <Serial #>"
echo
echo " example: gen_client.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo echo
exit 1 exit 1
} }
check_params() {
if [[ -z $PARAM1 ]]; then main() {
if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
UNIQ_ID="${PARAM2}.${PARAM1}"
if [[ -f "distro/client_${UNIQ_ID}.p12" ]]; then
echo_block "ERROR: certifate <<distro/client_${UNIQ_ID}.p12>> already exists"
usage
fi
gen_client $PARAM1 $PARAM2
else
usage usage
fi fi
} }
main() {
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_client $PARAM1
}
main main
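Review bot: the duplicate check in main() only tests `distro/client_${UNIQ_ID}.p12`; once that bundle has been handed out and moved, rerunning with the same serial silently overwrites `data/client_${UNIQ_ID}.keys.pem` and issues a second certificate with the same serial from the same CA-I, so test the key or certificate in data/ as well (or refuse any serial already recorded in docs/). Smaller points: the script requires cfg/SERIAL but never reads it (the serial is `$PARAM2`), `PARAM3=$3` is assigned and unused, usage() prints its heading twice ("Generate a new Client certificate" and "Generate a new certificate") with a dangling `\\` after `10052`, and the error message spells "certifate".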

View File

@ -3,34 +3,58 @@
# Create Server Certificates # Create Server Certificates
# #
# #
# This function will generate a Server cert
# IN: UNIQ_ID, SERIAL
#
# source this file to include the functions # source this file to include the functions
. cfg/pki_funcs.sh . cfg/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
echo "Generate a new server certificate" echo "Generate a new Server certificate"
echo echo
echo " usage: gen_server.sh <# to generate>"
echo echo
echo " example: gen_server.sh 2" echo "Generate a new certificate"
echo " usage: gen_server.sh <Org URL> <Serial #>"
echo
echo " example: gen_server.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo echo
exit 1 exit 1
} }
check_params() {
if [[ -z $PARAM1 ]]; then main() {
if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
UNIQ_ID="${PARAM2}.${PARAM1}"
if [[ -f "distro/server_${UNIQ_ID}.p12" ]]; then
echo_block "ERROR: certifate <<distro/server_${UNIQ_ID}.p12>> already exists"
usage
fi
if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
echo_block "ERROR: configuration file <<cfg/${PARAM1}.cnf>> is missing"
usage
fi
gen_server $PARAM1 $PARAM2
else
usage usage
fi fi
} }
main() {
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_server $PARAM1
}
main main
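Review bot: the existence test covers only `distro/server_${UNIQ_ID}.p12` and knows nothing about the sibling clients package, so `gen_client.sh skunkworks.acme.xyz 10052` followed by `gen_server.sh skunkworks.acme.xyz 10052` issues two certificates with serial 10052 from the same intermediate; issuer plus serial must be unique (RFC 5280) or a CRL entry for one revokes both. A single serial registry shared by clients/ and servers/, consulted before `gen_server $PARAM1 $PARAM2`, would close this. The same nits as gen_client.sh apply here: cfg/SERIAL is required but unread, `PARAM3` is unused, and the "certifate" typo recurs.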

View File

@ -3,6 +3,20 @@
# all main functions to generate a PKI certificate chain # all main functions to generate a PKI certificate chain
# #
#
# Set the CA variables
#
pki_func_init() {
if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
FQ_CA_CERT=$1
FQ_CA_KEYS=$2
CNF_PATH=$3
APP_INIT=1
else
APP_INIT=0
fi
}
# #
# print text wrapped in a block # print text wrapped in a block
# #
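Review bot: pki_func_init tests `[[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]`, so a call with any single argument present sets APP_INIT=1 and leaves the other two variables empty; the intent is clearly `&&`. APP_INIT is also never consulted by the functions that follow (ca-i_gen_cert uses `$FQ_CA_CERT` and `$FQ_CA_KEYS` unguarded), so either check it before signing or drop it.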
@ -17,30 +31,41 @@ echo_block() {
# Grab the latest serial # from the file, auto-increment # Grab the latest serial # from the file, auto-increment
# #
get_serial() { get_serial() {
SERIAL=`head cfg/SERIAL` SERIAL=`head "cfg/SERIAL"`
if [[ -z $SERIAL ]]; then if [[ -z $SERIAL ]]; then
SERIAL=11111 SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > cfg/SERIAL
fi fi
} }
# # ***** ***** ***** ***** *****
# check the integrity of the CA-I package
# #
check_cai_pkg() { # CERTIFICATE AUTHORITY (CA)
if [[ ! -f cfg/ca.keys.pem ]] || [[ ! -f cfg/ca.crt.pem ]]; then #
if [[ ! -f cfg/ca-i.keys.pem ]] || [[ ! -f cfg/ca-i.crt.pem ]]; then # ***** ***** ***** ***** *****
echo_block "ERROR: missing a config file: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem" # This function will generate a CA Intermediate
usage # IN: UNIQ_ID_CA, SERIAL
fi #
fi gen_ca() {
if [[ ! -f cfg/SERIAL ]]; then UNIQ_ID_CA=$1
echo_block "ERROR: file cfg/SERIAL is missing" SERIAL=$2
usage
fi echo_block "Create CA (${UNIQ_ID_CA})"
# encrypt the key
#openssl genrsa -aes256 -out ca.keys.pem 4096
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
} }
# #
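Review bot: get_serial's comment still says "auto-increment", but the new body only reads the file; the `PLUS1=$((SERIAL+1)); echo $PLUS1 > cfg/SERIAL` branch is gone, so repeated calls return the same serial. Fix the comment or restore the increment. In gen_ca, the root key is written unprotected (`openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096`, with the `-aes256` variants left commented out) even though the certificate is issued for ten years (`-days 3650`); generating it with `-aes256` and prompting for the passphrase costs nothing in this flow and means a copied key file is not by itself the whole CA. The header comment "This function will generate a CA Intermediate" above gen_ca also describes the wrong function.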
@ -55,227 +80,215 @@ check_cai_pkg() {
# - generate server certificates # - generate server certificates
# - generate client certificates # - generate client certificates
# #
# INPUT: ORG URL, SERIAL #, LOOP NUM # INPUT: BASE SERIAL #, LOOP NUM
#
# Requires: FQ_CA_CERT, FQ_CA_KEYS
# #
ca-i_gen_pki() { ca-i_gen_pki() {
CDD=`pwd` CDD=`pwd`
ORG_URL=$1 ORG_URL=$1
NUM_CERTS=$2 SERIAL_O=$2
NUM_CERTS=$(($3-1))
# create unique directory # create unique directory
get_serial UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}"
UNIQ_ID_CAI="${SERIAL}.cai.${ORG_URL}" mkdir -p "distribution/ca_i_${UNIQ_ID_CAI}"
mkdir -p "distribution/${UNIQ_ID_CAI}" cd "distribution/ca_i_${UNIQ_ID_CAI}"
# generate CA Intermediate # Create CA Intermediate
ca-i_gen_cert $UNIQ_ID_CAI ca-i_gen_cert $ORG_URL $SERIAL_O
# create directories, copy files, before generating client/server # create directories, copy files, before generating client/server
__ca-i_create_pkg ca-i_create_shell
# the client & server applications need to execute in their perspective directories __ca-i_gen_client
cd $CDD/distribution/$UNIQ_ID_CAI/clients
gen_client $NUM_CERTS
cd $CDD/distribution/$UNIQ_ID_CAI/servers __ca-i_gen_server
gen_server $NUM_CERTS
# return to last path # return to last path
cd $CDD cd $CDD
} }
#
# Client Certificates
#
__ca-i_gen_client() {
# create directories
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
cd clients
for NUM in $(seq 0 $NUM_CERTS)
do
gen_client $ORG_URL $((SERIAL_O+NUM))
done
cd ..
}
#
# Server Certificates
#
__ca-i_gen_server() {
# create directories
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
cd servers
for NUM in $(seq 0 $NUM_CERTS)
do
gen_server $ORG_URL $((SERIAL_O+NUM))
done
cd ..
}
# This function will generate a CA Intermediate
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA, SERIAL
#
ca-i_gen_cert() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "ca_i_${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "ca_i_${UNIQ_ID}.keys.pem" -out "ca_i_${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID}.csr.pem" -out "ca_i_${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID}.crt.pem" -out "ca_i_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID}.crt.pem" > "ca_i_${UNIQ_ID}.crt.info.txt"
# create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID}.crt.pem" > "ca_cert-chain_${UNIQ_ID}.crts.pem"
}
# #
# Copies all applcations to the Lifecycle package # Copies all applcations to the Lifecycle package
# organize the ca-i directory # organize the ca-i directory
# order matters: move these files last because they were copied above # order matters: move these files last because they were copied above
# #
__ca-i_create_pkg() { ca-i_create_shell() {
DEST_DIR="${CDD}/distribution/${UNIQ_ID}"
echo $UNIQ_ID > cfg/UNIQ_ID_CA-I DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}"
# # client
# Client mkdir -p clients/cfg
#
# create directories
mkdir -p $DEST_DIR/clients/data
mkdir -p $DEST_DIR/clients/distro
mkdir -p $DEST_DIR/clients/docs
mkdir -p $DEST_DIR/clients/cfg
# copy resource files
cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/ cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg
cp $CDD/res/docs/README_C $DEST_DIR/clients/README cp $CDD/res/docs/README_C $DEST_DIR/clients/README
cp $CDD/res/docs/SERIAL_C $DEST_DIR/clients/cfg/SERIAL cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/cert.cnf cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/
# generated files # generated files
cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem
cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem
cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/clients/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/clients/cfg/
# # server
# Server mkdir -p servers/cfg
#
# create directories
mkdir -p $DEST_DIR/servers/data
mkdir -p $DEST_DIR/servers/distro
mkdir -p $DEST_DIR/servers/docs
mkdir -p $DEST_DIR/servers/cfg
# copy resource files
cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/ cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/
cp $CDD/res/docs/README_S $DEST_DIR/servers/README cp $CDD/res/docs/README_S $DEST_DIR/servers/README
cp $CDD/res/docs/SERIAL_S $DEST_DIR/servers/cfg/SERIAL cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/cert.cnf cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/
# generated files # generated files
cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem
cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem
cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/servers/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/servers/cfg/
#
# CA-I # CA-I
# mkdir -p ca-i/data
# create directories mkdir -p ca-i/docs
mkdir -p $DEST_DIR/ca-i/data mkdir -p ca-i/distro
mkdir -p $DEST_DIR/ca-i/docs cp $CDD/res/docs/README_CAI $DEST_DIR/README
mkdir -p $DEST_DIR/ca-i/distro cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/
# copy resource files cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/
cp $CDD/res/docs/README_CAI $DEST_DIR/README
cp $CDD/ca/*.crt.pem $DEST_DIR/ca-i/data/
cp $CDD/ca/*.info.txt $DEST_DIR/ca-i/docs/
# generated files # generated files
mv $UNIQ_ID_CAI*.pem $DEST_DIR/ca-i/data/ mv $DEST_DIR/ca_i*.pem $DEST_DIR/ca-i/data/
mv $UNIQ_ID_CAI.crt.info.txt $DEST_DIR/ca-i/docs/ mv $DEST_DIR/ca_i*.info.txt $DEST_DIR/ca-i/docs/
mv $UNIQ_ID_CAI.p12 $DEST_DIR/ca-i/distro mv $DEST_DIR/ca_i*.p12 $DEST_DIR/ca-i/distro
mv ca_cert-chain*.pem $DEST_DIR/ca-i/distro mv $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/ca-i/distro
}
# This function will generate a CA Intermediate
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA
#
ca-i_gen_cert() {
UNIQ_ID=$1
DEST_DIR="."
UNIQ_ID="${SERIAL}.cai.${ORG_URL}"
echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "${DEST_DIR}/${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config "cfg/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "${DEST_DIR}/${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile "cfg/ca.cnf" -extensions v3_ca_i \
-CA cfg/ca.crt.pem -CAkey cfg/ca.keys.pem -set_serial ${SERIAL} \
-in "${DEST_DIR}/${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile cfg/ca.crt.pem \
-in "${DEST_DIR}/${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/${UNIQ_ID}.crt.info.txt"
# create certifiate chain
cat cfg/ca.crt.pem "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
}
get_uniq_ids() {
UNIQ_ID_CA=`head cfg/UNIQ_ID_CA`
UNIQ_ID_CAI=`head cfg/UNIQ_ID_CA-I`
}
gen_client() {
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.client.${UNIQ_ID_CAI}"
gen_client_cert $UNIQ_ID
done
} }
# #
# Generate a Client Certificate # Generate a Client Certificate
# IN: UNIQ_ID, SERIAL # IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL
# #
gen_client_cert() { gen_client() {
UNIQ_ID=$1 ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
echo_block "Generate Client Certificates (${UNIQ_ID})" echo_block "Generate Client Certificates (${UNIQ_ID})"
openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096 openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "data/${UNIQ_ID}.keys.pem" \ openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-out "data/${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client # CA Intermediate signs Client
openssl x509 -req -days 365 \ openssl x509 -req -days 365 \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem" -in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem"
# Package the Certificates # Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \ -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \
-in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12" -in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.info.txt" openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt"
}
gen_server() {
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.server.${UNIQ_ID_CAI}"
gen_server_cert $UNIQ_ID
done
} }
# #
# Generate a Server Certificate # Generate a Server Certificate
# IN: UNIQ_ID, SERIAL # IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
# #
gen_server_cert() { gen_server() {
UNIQ_ID=$1 ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
echo_block "Generate Server Certificates (${UNIQ_ID})" echo_block "Generate Server Certificates (${UNIQ_ID})"
openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096 openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096
openssl req -new -config "cfg/cert.cnf" -key "data/${UNIQ_ID}.keys.pem" \ openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server # CA Intermediate signs Server
openssl x509 -req -days 365 -extfile "cfg/cert.cnf" -extensions v3_server \ openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem" -in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem"
# Package the Certificates # Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \ -name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \
-in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12" -in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.crt.info.txt" openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt"
} }
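Review bot: __ca-i_gen_client and __ca-i_gen_server both loop over `$((SERIAL_O+NUM))` from the same base, so client N and server N receive the same serial number from the same CA-I; RFC 5280 requires issuer plus serial to be unique, and revoking one would revoke both. Offset the server loop (for example `$((SERIAL_O+NUM_CERTS+1+NUM))`) or run one counter across both loops. Further points in this hunk: gen_client signs with `openssl x509 -req` and no `-extfile`/`-extensions`, unlike gen_server's `-extensions v3_server`, so client certificates carry no basicConstraints, keyUsage or extendedKeyUsage (and older OpenSSL releases emit them as X.509 v1); add a `v3_client` section to the .cnf and pass it. ca-i_gen_pki does `cd "distribution/ca_i_${UNIQ_ID_CAI}"` without checking the result, and none of the functions test the exit status of their openssl calls, so a failed `cd` or a failed signing step leaves the later `cp`/`mv` and `pkcs12 -export` operating on the wrong or missing files; `cd ... || return 1` and `set -e` (or `|| exit 1` after each openssl) are cheap fixes. ca-i_create_shell still copies the intermediate's private key into both `clients/cfg/ca-i.keys.pem` and `servers/cfg/ca-i.keys.pem`, and every `pkcs12 -export` uses the literal `pass:password`, so whoever holds a server package can mint client certificates; at minimum the key should not ship in servers/. Finally the comments are stale (`# IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL` for gen_client, which takes ORG_URL and SERIAL; `# INPUT: BASE SERIAL #, LOOP NUM` for ca-i_gen_pki, which takes ORG_URL first), and ca-i_create_shell depends on `$UNIQ_ID_CAI` and `$ORG_URL` being set by its caller instead of taking arguments.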

View File

@ -1 +0,0 @@
2010

View File

@ -1,37 +0,0 @@
#!/bin/bash
#
# Extract the ca certificate, user certificate, user keys from the p12 package
#
#
# -clcerts (only output client certificates (not CA certificates))
# -cacerts (only output CA certificates (not client certificates))
# -nocerts (no certificates at all will be output)
# -nokeys (no private keys will be output)
#
#
if [[ -n $1 ]]; then
echo
else
echo
echo "This script will copy the certificates and keys to the strongswan configuration paths"
echo
echo "Usage: p12ext <file> [password]"
echo
echo "Example: p12ext file.p12"
echo
exit 1
fi
# create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="p12ext_${UNIQ_DIR_LC}"
mkdir $UNIQ_DIR_LC
# keys
openssl pkcs12 -nodes -nocerts -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.keys.pem
# certificate
openssl pkcs12 -nodes -clcerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.crt.pem
# CA
openssl pkcs12 -nodes -cacerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/ca-chain.crt.pem
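Review bot: removing p12ext takes away the only helper for unpacking the .p12 bundles the generators produce, and nothing in this change replaces it; if that is intended, say so in the README. If it stays, note that the `[password]` argument in its usage text is never used (all three openssl calls hardcode `-password "pass:password"`), that `-nodes` writes `user.keys.pem` unencrypted into a directory created with the default umask (no chmod), and that the usage text promises to copy files to the strongswan configuration paths, which the script never does.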

View File

@ -1,11 +0,0 @@
#!/bin/bash
SERIAL=`head SERIAL`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > SERIAL
fi
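Review bot: this script was the only place besides get_serial that advanced a SERIAL file, and the same change removes the increment from get_serial, so after this patch nothing increments a serial counter at all; if the tools are meant to rely on caller-supplied serials, remove the now-dead `cfg/SERIAL` checks in gen_client.sh and gen_server.sh rather than leaving a file that is required but never read. (As removed, the script also called echo_block without sourcing pki_funcs.sh, so its empty-file branch would have failed anyway.)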