j3g
/
pki-bootstrap_pub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

merge into: j3g:ver3.2
Branches Tags
j3g:a
j3g:master
j3g:ver3.3
j3g:ver3.2
j3g:c_server
...
pull from: j3g:a
Branches Tags
j3g:a
j3g:master
j3g:ver3.3
j3g:ver3.2
j3g:c_server

9 Commits
ver3.2 ... a

Author SHA1 Message Date
JohnE 171bc44728 MOD: updated docs 2018-10-04 12:20:45 -07:00
JohnE 2ec57697cb MOD: documentation updates 2018-09-17 21:40:34 -07:00
JohnE da07fd1845 MOD: docs update 2018-09-17 10:38:56 -07:00
JohnE ab056455ec NEW: new p12 extractor application, doc updates 2018-09-14 09:29:17 -07:00
JohnE fdfb893a5f FIX: fixed the serial # back to 101 as we want to keep it vanilla in the repo 2018-09-10 20:13:47 -07:00
JohnE 5366ef101d FIN: refactoring complete, serial #s are all coherent, distinguished names (DN) is strong with both CA-I serial #s and client/server serial #s 2018-09-10 19:09:48 -07:00
JohnE 03d003b151 WIP: working to get docs and features in congruent 2018-09-08 13:01:50 -07:00
JohnE ffd416b5d1 WIP: bugs exist...arrrg 2018-08-29 01:17:34 -07:00
JohnE 23ea416acf MOD: refactoring to allow for auto-gen of serial #s and fixing unique id 2018-08-28 16:25:19 -07:00
22 changed files with 929 additions and 367 deletions
Show Stats Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1,12 +1,9 @@
#
pki-lifecycle_*
# Project specific files # Project specific files
sftp-config.json sftp-config.json
.DS_Store .DS_Store
**/var/ **/var/
**/cert_gen/acme.xyz_fl/ **/cert_gen/acme.xyz_fl/
pki-lifecycle_*
# Byte-compiled / optimized / DLL files # Byte-compiled / optimized / DLL files
__pycache__/ __pycache__/

10
README
View File

@ -31,13 +31,17 @@ There are two main applications contained in this project.
VERSIONS VERSIONS
--------------------- ---------------------
Ver 3.2 - MOB Hub PKI Lifecycle ver 3.3 - MOB Hub CA-I Package
* updated applications to be more modular
* each CA-I package has
ver 3.2 - MOB Hub PKI Lifecycle
* PKI Lifecycle * PKI Lifecycle
- generate certificates during the CA's lifecycle - generate certificates during the CA's lifecycle
Ver 3.1 - MOB Hub PKI Bootstrap ver 3.1 - MOB Hub PKI Bootstrap
* PKI Bootstrap * PKI Bootstrap
- generate an entire chain-of-trust - generate an entire chain-of-trust
Ver 3.0 - CA Intermediate Support ver 3.0 - CA Intermediate Support
* requires openssl (does not require ipsec) * requires openssl (does not require ipsec)
* CA Intermediate support * CA Intermediate support
-root CA can be generated with 5-10yr expiration, put into cold-storage -root CA can be generated with 5-10yr expiration, put into cold-storage

52
docs/ccc_ss Normal file
View File

@ -0,0 +1,52 @@
[[[ StrongSwan Code Command & Control ]]]
[[ Networking ]]
# VPN UDP service (StrongSwan ipsec)
$ nc -zuv 192.168.123.129 500
$ nc -zuv 192.168.123.129 4500
# view all network services
$ netstat -pntul
# openconnect VPN client (only works for https, cisco style VPN (not IKEv2) )
$ openconnect -v -c clients/porkypig\@acme.xyz_2018-04-23.21_48_11/porkypig\@acme.xyz.p12 192.168.123.129:500
[[ Service ]]
$ sudo ipsec statusall | start | stop
[[ Android ]]
# install certificates
Settings -> Security -> Credential Storage -> Install from SD
"ca.crt.pem", "client_s.p12"
# alias the multi-connections
alias adb1='adb -s 192.168.123.131'
alias adb2='adb -s 192.168.123.132'
# connect to android IP
$ adb connect 192.168.123.131
$ adb connect 192.168.123.132
# execute commands to the connected android
$ adb -s 192.168.123.132 push client_s.p12 /data/media/0/Download/
$ adb -s 192.168.123.131 shell
# restarting adb as root
$ adb -s 192.168.123.132 root
$ adb -s 192.168.123.132 shell
# push the .p12 file to the Downloads folder of the user storage
$ adb push client_s.p12 /data/media/0/Download/
$ adb push ca_i.crt.pem /data/media/0/Download/
# using the alias, push the apk, then install
$ adb2 push strongSwan-1.9.6.apk /data/local/tmp/ss.apk
$ adb2 shell pm install "/data/local/tmp/ss.apk"

23
docs/elphdt Normal file
View File

@ -0,0 +1,23 @@
[[ modify elphdt ]]
From what I am seeing it appears as though the directory “/certs” is mounted from the NAS. I will need to add the new certificates to the NAS and they will be accessed from the “/certs” directory.
I will generate a new certificate chain with the PKI Bootstrap applicaiton. I will copy the new “CA Intermediate package” to this location:
/certs/cai/09-2018/
It will contain the CA Intermediates and the server certificates.
Looking at elphdt, there is a file .gitlab-ci.yml: this file contains the “CI/CD configuration”. In the file the there are two global variables that are significant:
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
I will modify these variables to point to the new locations (this can be done for each build type):
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
This solution will work fine for now. And in the future we can worry about generating a new server certificate for each MOB Hub.

63
docs/ipsec_conf Normal file
View File

@ -0,0 +1,63 @@
# ipsec.conf - strongSwan IPsec configuration file
config setup
# uniqueids=never
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
ca acme
cacert=ca.crt.pem
auto=add
# this is the default rekey time
# rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) authby=pubkey
# https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula
conn %default
# crypto settings
keyexchange=ikev2
authby=pubkey
ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp1024,aes256-sha256-modp1536!
# tunnel processing info
type=tunnel
fragmentation=yes
forceencaps=yes # force to encrypt UDP also
dpdaction=clear # dead-peer detection to clear any "dangling" connections
dpddelay=300s
rekey=no #TODO check this out
# ikelifetime=60m
# keylife=20m
# rekeymargin=3m
# keyingtries=1
#
# tunneling config
# If left|rightcert is configured the identity has to be confirmed by the
# certificate, that is, it has to match the full subject DN or one of the
# subjectAltName extensions contained in the certificate
left=192.168.123.129 # attempting to bind to this specific IP
leftid=@s.acme.xyz # the client needs to be configured for the "server id" of this string
leftsubnet=0.0.0.0/0 # required or the right IP's aren't routing to each other...
# standard user connection
conn mob-standard
# tunneling config
leftcert=server_s.acme.xyz_s.crt.pem
right=%any
rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
# virstual IP address pool
rightsourceip=10.10.10.0/24
rightdns=192.168.123.129
auto=add
# maintenance role connection that will have elevated priveledges
# this configuration can be used with a "maintenance tablet" to update a MOB Hub
conn mob-maintenance
# tunneling config
leftcert=server_s.acme.xyz_m.crt.pem
right=%any
rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
# virstual IP address pool
rightsourceip=10.10.11.0/24
rightdns=192.168.123.129
auto=add

81
docs/pki_agile
View File

@ -3,40 +3,84 @@
[[ WORKING ]] [[ WORKING ]]
* PKI Bootstrap: cp lifecycle functions * .p12 file using on strongswan (works, kind of)
* PKI Bootstrap slide deck
-request a meeting to go over the PKI and show the slide deck
* research gitlab CI
-install gitlab in docker
-configure CI
-try to have it run pki bootstrap??
[[ BACKLOG ]] [[ BACKLOG ]]
[ current ] [ current ]
* auto-increment SERIAL * create a ("CA-I package") zip file for distribution (folder: ca_i_4321.skunkworks.acme.xyz.zip)
* create certificate installation guide * add CA password??
* create Andriod certificate installation guide
-copy file to sd, select .p12 file, password="password" -copy file to sd, select .p12 file, password="password"
* remove client .p12 password (have no password)
[ misc ]
* can I install certificates from an android application?? * can I install certificates from an android application??
-can I used knox to install certificates?? -can I used knox to install certificates??
* create GUI for cert gen process (electron+crypto-interface) * create GUI for cert gen process (electron+crypto-interface)
* add tool for .p12 file extractor for MH provisioning * add tool for .p12 file extractor for MH provisioning
* add havegd (make sure there is adequite entropy)
[ ver 1.4 ] [ ver 3.5 : xdev bootstrap chain-of-trust ]
* create new "certificate bootstrap" with .cfg parameters for CA ".mil" strings * select bootstrap generation computer (beaglebone, raspi)
* create new CA generation script that also reads .cfg -create PKI Lifecycle package for "navy.mil"
-sneakernet two CA-I
* create a "navy-prod" branch
-change strings from "acme.xyz" to ".mil"
-make any other sensitive specific changes
* create a "navy-dev" branch
* create a "navy-int" branch (integration branch, similar to a beta branch)
* integrate into the build
-modify CI global variables (for each build)
-certs are generated BEFORE pulled into image (not part of build process)
-modify cert gen on NAS (looks for files in mount dir)
[ ver 3.6 ]
[[ COMPLETED ]]
[ ver 3.4 ]
* testing multiple CA-I compatibility
-"103.cai.skunkworks.acme.xyz" -worked
-"104.cai.skunkworks.acme.xyz" -worked
* test "104.cai.skunkworks.acme.xyz"
-load client certificate onto different tablet -worked
[ ver 3.3 ]
* SERIOUS refactoring to focus on local execution with default configs and SERIAL # incrementation
* configuration defaults generated so that the CA-I package is all automated
* gen_client.sh modified run with config defaults
* gen_server.sh modified to run with config defaults
* gen_client.sh will generate # of certs
* gen_server.sh will generate # of certs
* auto-increment SERIAL
* CA FQDN saved to config file
* CA-I FQDN saved to config file
* added certificate generation count to PKI Bootstrap application
* added certificate generation count to cai_gen application
[ ver 3.2 ]
* create new CA-I generation script that uses a CA * create new CA-I generation script that uses a CA
-also packages .p12 for distrobution (use random high quality password) -also packages .p12 for distrobution (use random high quality password)
* added resources directory
* added files to be copied during CA-I package creation
[ bootstrap cert chain-of-trust ]
* select bootstrap generation cpu (beaglebone, raspi)
* change strings from "acme.xyz" to ".mil"
* generate bootstrap
-sneakernet two CA-I
[ ver 1.5 ]
@ -53,7 +97,6 @@ PKI Lifecycle Package
[[ COMPLETED ]]

28
docs/ss_cfg Normal file
View File

@ -0,0 +1,28 @@
j3g@ubuntu-16:~$ sudo ipsec statusall
[sudo] password for j3g:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-116-generic, x86_64):
uptime: 9 hours, since Sep 11 14:12:51 2018
malloc: sbrk 1486848, mmap 0, used 370000, free 1116848
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.10.10.0/30: 2/0/0
10.10.11.0/30: 2/0/0
Listening IP addresses:
192.168.123.129
Connections:
standard: 192.168.123.129...%any IKEv2, dpddelay=300s
standard: local: [s.acme.xyz] uses public key authentication
standard: cert: "C=OO, O=ACME, OU=ACME Standard, CN=s.acme.xyz"
standard: remote: uses public key authentication
standard: ca: "C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
standard: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
maintenance: 192.168.123.129...%any IKEv2, dpddelay=300s
maintenance: local: [s.acme.xyz] uses public key authentication
maintenance: cert: "C=OO, O=ACME, OU=ACME Maintenance, CN=s.acme.xyz"
maintenance: remote: uses public key authentication
maintenance: ca: "C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
maintenance: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none

172
src/pki_bootstrap/README
View File

@ -1,24 +1,180 @@
===============================================
Certificate Authority (CA) Generation ===============================================
CA Intermediate Generation and Distribution Certificate Authority (CA) Generation
Version 3.x CA Intermediate Generation and Distribution
=============================================== Version 3.x
===============================================
------------- -------------
INTRO INTRO
------------- -------------
The PKI Bootstrap application will generate a new "PKI Lifecycle" package. The PKI Lifecycle
package holds a new Certificate Authority (CA) and a complete certificate chain-of-trust. The
PKI Lifecycle package has a life of 5-10 years. Each package has embedded programs to generate new
certificate authority intermediate (CA I), client, and server certificates.
------------- -------------
USAGE USAGE
------------- -------------
This application will generate all the files necessary to build a certificate chain of trust
using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a
PKI Lifecycle package
-put the .cnf config files into the ./cnf directory
Usage: pki_bootstrap <.cnf file (minus the .cnf)>
Example: pki_bootstrap org.acme.xyz
[ .cnf files ]
.cnf file is required for the domain name. The .cnf file is found in the ./res/cnf directory
└── res
├── cnf
│   ├── 192.168.1.3.cnf
│   ├── ca.cnf
│   ├── skunkworks.acme.xyz.cnf
│   └── vpn.backchannel.es.cnf
------------- -----------------------
FEATURES APPLICATION DESIGN
------------- -----------------------
The ./res directory contains all the resources for the application. The resources include:
readme files, configuration files, and application files.
The PKI Bootstrap application directory structure is the following:
├── README
├── pki_bootstrap.sh
└── res
├── cfg
│   └── SERIAL
├── cnf
│   ├── 192.168.1.3.cnf
│   ├── ca.cnf
│   ├── skunkworks.acme.xyz.cnf
│   └── vpn.backchannel.es.cnf
├── docs
│   ├── README_C
│   ├── README_CAI
│   ├── README_LC
│   ├── README_S
│   ├── SERIAL
│   └── SERIAL_LC
└── libs
├── gen_ca-i.sh
├── gen_client.sh
├── gen_server.sh
└── pki_funcs.sh
-------------------------
PKI Lifecycle Package
-------------------------
The PKI Lifecycle packagee is a complete certificate chain of trust with a root self-signed
certificate. The package contains all the configuration and data inforomation to generate
Certificate Authority Intermediate packages.
The PKI Lifecycle packge is NOT to be removed from the generation system. It should be
protected as it contains the root CA. The package contains the root CA, configuration files,
and the a copy of the resources directory.
The PKI Lifecycle package structure is the following:
├── README
├── ca
│   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   ├── 101.ca.skunkworks.acme.xyz.keys.pem
│   └── 101.ca.skunkworks.acme.xyz_cert.info.txt
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca.cnf
│   ├── ca.crt.pem
│   ├── ca.keys.pem
│   ├── pki_funcs.sh
│   └── skunkworks.acme.xyz.cnf
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
├── gen_ca-i.sh
└── res
├── cfg
├── cnf
├── docs
└── libs
----------------
CA-I Package
----------------
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the packages
is a client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh

114
src/pki_bootstrap/pki_bootstrap.sh
View File

@ -11,17 +11,20 @@
. res/libs/pki_funcs.sh . res/libs/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2
usage() { usage() {
echo echo
echo "This application will generate all the files necessary to build a certificate chain of trust" echo "This application will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into" echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a"
echo "pki lifecyle package" echo "PKI Lifecycle package. A .cnf file is required for the domain. The domain url should match"
echo " -put the .cnf config files into the ./cnf directory" echo "the .cnf file name. Put the .cnf config file into the .res/cnf/ directory"
echo echo
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>" echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]"
echo echo
echo "Example: pki_bootstrap org.acme.xyz" echo "Example: pki_bootstrap org.acme.xyz"
echo " pki_bootstrap org.acme.xyz 5"
echo
exit 1 exit 1
} }
@ -29,18 +32,18 @@ usage() {
# Grab the latest serial # from the file, auto-increment # Grab the latest serial # from the file, auto-increment
# #
get_serial_ca() { get_serial_ca() {
SERIAL=`head "res/cfg/SERIAL"` SERIAL=`head res/cfg/SERIAL`
if [[ -z $SERIAL ]]; then if [[ -z $SERIAL ]]; then
SERIAL=11111 SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > res/cfg/SERIAL
fi fi
} }
# #
# CA generation requires .cnf files # CA generation requires .cnf files
# create CA directory
# create bash variables to CA
# restore script back to original path
# #
app_init() { app_init() {
if [[ -n $PARAM1 ]]; then if [[ -n $PARAM1 ]]; then
@ -51,11 +54,9 @@ app_init() {
if [[ ${PARAM1: -4} == .cnf ]]; then if [[ ${PARAM1: -4} == .cnf ]]; then
ORG_URL=${PARAM1%.*} ORG_URL=${PARAM1%.*}
S_CNF=${PARAM1} S_CNF=${PARAM1}
echo "ASDF: ${ORG_URL}, ${S_CNF}"
else else
ORG_URL=$PARAM1 ORG_URL=$PARAM1
S_CNF="${PARAM1}.cnf" S_CNF="${PARAM1}.cnf"
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi fi
FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}" FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"
@ -73,64 +74,95 @@ app_init() {
# #
# IN: UNIQ_ID_CA, SERIAL # IN: UNIQ_ID_CA, SERIAL
# #
gen_lifecycle() { mk_lifecycle_pkg() {
get_serial_ca get_serial_ca
echo_block "SERIAL == ${SERIAL}"
# Organize # Organize
# #
# create a unique path for the server certificate # create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S` UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}" UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
mkdir -p "${UNIQ_DIR_LC}"
cd "${UNIQ_DIR_LC}"
FQ_DIR_LC=`pwd` FQ_DIR_LC=`pwd`
FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}"
# create CA unique dir # create CA unique dir
UNIQ_ID_CA="${SERIAL}.${ORG_URL}" UNIQ_ID_CA="${SERIAL}.ca.${ORG_URL}"
CA_DIR="ca_${UNIQ_ID_CA}" mkdir -p "${UNIQ_DIR_LC}/ca"
mkdir $CA_DIR cd "${UNIQ_DIR_LC}"
cd $CA_DIR
FQ_CA_DIR=`pwd`
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
# initialize the functions lib
pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
# generate a new CA # generate a new CA
gen_ca $UNIQ_ID_CA $SERIAL gen_ca $UNIQ_ID_CA $SERIAL
# go back to original dir # go back to original dir
cd .. cd ..
cd ..
} }
# #
# #
# #
cp_lifecycle_docs() { cp_lifecycle_docs() {
# resource files to be copied to the PKI Lifecycle Package
RES="${CD_ROOT}/res" RES="${CD_ROOT}/res"
mkdir -p "${UNIQ_DIR_LC}/cfg" mkdir -p "${UNIQ_DIR_LC}/cfg"
cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/ echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/ cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/ cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/ cp $RES/cnf/$ORG_URL.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem cp $RES/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
# CA certs
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
} }
# #
# Generate Lifecycle CA Intermediates # Generate Lifecycle CA Intermediates
# #
gen_lc_ca_i() { gen_lc_cai() {
cd $FQ_DIR_LC cd $FQ_DIR_LC
# generate new CA-I
ca-i_gen_pki $ORG_URL 1001 2 if [[ -n $PARAM2 ]]; then
# ca-i_gen_pki $ORG_URL 2001 5 COUNT=$(($PARAM2-1))
# ca-i_gen_pki $ORG_URL 3001 8 else
COUNT=1
fi
for NUM in $(seq 0 $COUNT)
do
ca-i_gen_pki $ORG_URL 5
done
}
# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
#
# ***** ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
gen_ca() {
UNIQ_ID_CA=$1
SERIAL=$2
echo_block "Create CA (${UNIQ_ID_CA})"
# encrypt the key
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca/${UNIQ_ID_CA}.keys.pem -out ca/${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca/${UNIQ_ID_CA}.crt.pem > ca/${UNIQ_ID_CA}_cert.info.txt
} }
@ -140,11 +172,11 @@ main() {
# generate new CA # generate new CA
# create new PKI Lifecycle Package # create new PKI Lifecycle Package
app_init app_init
gen_lifecycle mk_lifecycle_pkg
cp_lifecycle_docs cp_lifecycle_docs
# gen some CAs # gen some CAs
gen_lc_ca_i gen_lc_cai
# make sure we return to root execution path # make sure we return to root execution path
cd "${CD_ROOT}" cd "${CD_ROOT}"

2
src/pki_bootstrap/res/cfg/SERIAL
View File

@ -1 +1 @@
101 101

40
src/pki_bootstrap/res/docs/README_C
View File

@ -8,15 +8,49 @@
------------- -------------
INTRO INTRO
------------- -------------
This application will generate new client certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new client certificates. The certificates can be used with any
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
------------- -------------
USAGE USAGE
------------- -------------
Generate a new client certificate
./ gen_client.sh usage: gen_client.sh <# to generate>
example: gen_client.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
└── gen_client.sh

112
src/pki_bootstrap/res/docs/README_CAI
View File

@ -1,21 +1,123 @@
============================ ===================
CA Intermediate README CA Intermediate
Version 3.1 Version 3.1
============================ ===================
------------- -------------
INTRO INTRO
------------- -------------
This application will generate new client certificates. The certificates can be used with any This application will generate new Certificate Authority Intermediate packages to be distributed
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate). to organizations for external usage.
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the package
is client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
------------- -------------
USAGE USAGE
------------- -------------
Generate a new CA Intermediate certificate
This program will generate a new certificate authority (CA) intermediate
It requires a CA certificate to sign a CA Intermediate
Requires the file "ca.pem" that is used to sign the certificates
usage: gen_ca-i.sh <Org URL> [# of client/server certs]
example: gen_ca-i.sh skunkworks.acme.xyz \
10 (optional) \
-----------------------
APPLICATION DESIGN
-----------------------
The CA-I package contains all the files needed to generate certificates. The ./ca-i directory
contains the certificate authority files. The ./ca-i/data directory contains all the raw ca
files. The ./ca-i/distro directory contains the files to be distributed and installed on clients.
The .p12 files contins the CA certificate, and client certificates. The ./ca-i/docs directory
contains certificate information in plain text format.
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
----------------
CA-I Package
----------------
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh

39
src/pki_bootstrap/res/docs/README_S
View File

@ -8,14 +8,49 @@
------------- -------------
INTRO INTRO
------------- -------------
This application will generate new server certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new server certificates to be used with a VPN service.
------------- -------------
USAGE USAGE
------------- -------------
Generate a new server certificate
./ gen_server.sh usage: gen_server.sh <# to generate>
example: gen_server.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
└── gen_server.sh

0
src/pki_bootstrap/res/docs/SERIAL → src/pki_bootstrap/res/docs/SERIAL_C
View File

1
src/pki_bootstrap/res/docs/SERIAL_S Normal file
View File

@ -0,0 +1 @@
5001

58
src/pki_bootstrap/res/libs/gen_ca-i.sh
View File

@ -3,17 +3,12 @@
# Create CA Intermediate # Create CA Intermediate
# #
# #
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
# source this file to include the functions # source this file to include the functions
. cfg/pki_funcs.sh . cfg/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2 PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
@ -23,39 +18,44 @@ usage() {
echo "It requires a CA certificate used to sign CA Intermediate" echo "It requires a CA certificate used to sign CA Intermediate"
echo "Requires the file \"ca.pem\" that is used to sign the certificates" echo "Requires the file \"ca.pem\" that is used to sign the certificates"
echo echo
echo " usage: gen_ca-i.sh <Org URL> <Serial>" echo " usage: gen_ca-i.sh <Org URL> [# of client/server certs]"
echo echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz" echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
echo " 10052" echo " 10 (optional)"
echo echo
exit 1 exit 1
} }
error_no_ca_file() { check_params() {
echo_block "ERROR: missing ca.crt.pem, ca.keys.pem" # the parameter must be the URL (not the filename, .cnf)
usage if [[ -n $PARAM1 ]]; then
} if [[ ${PARAM1: -4} == .cnf ]]; then
if [[ ! -f "cfg/${PARAM1}" ]]; then
echo_block "ERROR: file cfg/${PARAM1} is missing"
main() { usage
CDD=`pwd` else
FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem" PARAM1=${PARAM1%.*}
FQ_CA_CRT="${CDD}/cfg/ca.crt.pem" fi
if [[ ! -f $FQ_CA_KEYS ]] || [[ ! -f $FQ_CA_CRT ]]; then else
error_no_ca_file if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
fi echo_block "ERROR: file cfg/${PARAM1}.cnf is missing"
usage
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then fi
pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"
if [[ -z $PARAM3 ]]; then
PARAM3=5
fi fi
ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
else else
usage usage
fi fi
if [[ -z $PARAM2 ]]; then
PARAM2=5
fi
}
main() {
# uses global variables: $PARAM1 $PARAM2 $PARAM3
check_cai_pkg
check_params
ca-i_gen_pki $PARAM1 $PARAM2
} }
main main

44
src/pki_bootstrap/res/libs/gen_client.sh
View File

@ -3,54 +3,34 @@
# Create Client Certificates # Create Client Certificates
# #
# #
# This function will generate a Client cert
# IN: UNIQ_ID, SERIAL
#
# source this file to include the functions # source this file to include the functions
. cfg/pki_funcs.sh . cfg/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
echo "Generate a new Client certificate" echo "Generate a new client certificate"
echo echo
echo " usage: gen_client.sh <# to generate>"
echo echo
echo "Generate a new certificate" echo " example: gen_client.sh 2"
echo " usage: gen_client.sh <Org URL> <Serial #>"
echo
echo " example: gen_client.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo echo
exit 1 exit 1
} }
check_params() {
main() { if [[ -z $PARAM1 ]]; then
if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
UNIQ_ID="${PARAM2}.${PARAM1}"
if [[ -f "distro/client_${UNIQ_ID}.p12" ]]; then
echo_block "ERROR: certifate <<distro/client_${UNIQ_ID}.p12>> already exists"
usage
fi
gen_client $PARAM1 $PARAM2
else
usage usage
fi fi
} }
main() {
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_client $PARAM1
}
main main

48
src/pki_bootstrap/res/libs/gen_server.sh
View File

@ -3,58 +3,34 @@
# Create Server Certificates # Create Server Certificates
# #
# #
# This function will generate a Server cert
# IN: UNIQ_ID, SERIAL
#
# source this file to include the functions # source this file to include the functions
. cfg/pki_funcs.sh . cfg/pki_funcs.sh
PARAM1=$1 PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() { usage() {
echo echo
echo "Generate a new Server certificate" echo "Generate a new server certificate"
echo echo
echo " usage: gen_server.sh <# to generate>"
echo echo
echo "Generate a new certificate" echo " example: gen_server.sh 2"
echo " usage: gen_server.sh <Org URL> <Serial #>"
echo
echo " example: gen_server.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo echo
exit 1 exit 1
} }
check_params() {
main() { if [[ -z $PARAM1 ]]; then
if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
UNIQ_ID="${PARAM2}.${PARAM1}"
if [[ -f "distro/server_${UNIQ_ID}.p12" ]]; then
echo_block "ERROR: certifate <<distro/server_${UNIQ_ID}.p12>> already exists"
usage
fi
if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
echo_block "ERROR: configuration file <<cfg/${PARAM1}.cnf>> is missing"
usage
fi
gen_server $PARAM1 $PARAM2
else
usage usage
fi fi
} }
main() {
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_server $PARAM1
}
main main

355
src/pki_bootstrap/res/libs/pki_funcs.sh
View File

@ -3,20 +3,6 @@
# all main functions to generate a PKI certificate chain # all main functions to generate a PKI certificate chain
# #
#
# Set the CA variables
#
pki_func_init() {
if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
FQ_CA_CERT=$1
FQ_CA_KEYS=$2
CNF_PATH=$3
APP_INIT=1
else
APP_INIT=0
fi
}
# #
# print text wrapped in a block # print text wrapped in a block
# #
@ -31,41 +17,30 @@ echo_block() {
# Grab the latest serial # from the file, auto-increment # Grab the latest serial # from the file, auto-increment
# #
get_serial() { get_serial() {
SERIAL=`head "cfg/SERIAL"` SERIAL=`head cfg/SERIAL`
if [[ -z $SERIAL ]]; then if [[ -z $SERIAL ]]; then
SERIAL=11111 SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA" echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > cfg/SERIAL
fi fi
} }
# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
#
# ***** ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
# #
gen_ca() { # check the integrity of the CA-I package
UNIQ_ID_CA=$1 #
SERIAL=$2 check_cai_pkg() {
if [[ ! -f cfg/ca.keys.pem ]] || [[ ! -f cfg/ca.crt.pem ]]; then
echo_block "Create CA (${UNIQ_ID_CA})" if [[ ! -f cfg/ca-i.keys.pem ]] || [[ ! -f cfg/ca-i.crt.pem ]]; then
echo_block "ERROR: missing a config file: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem"
# encrypt the key usage
#openssl genrsa -aes256 -out ca.keys.pem 4096 fi
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096 fi
if [[ ! -f cfg/SERIAL ]]; then
# key un-protected echo_block "ERROR: file cfg/SERIAL is missing"
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096 usage
# fi
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
} }
# #
@ -80,215 +55,227 @@ gen_ca() {
# - generate server certificates # - generate server certificates
# - generate client certificates # - generate client certificates
# #
# INPUT: BASE SERIAL #, LOOP NUM # INPUT: ORG URL, SERIAL #, LOOP NUM
#
# Requires: FQ_CA_CERT, FQ_CA_KEYS
# #
ca-i_gen_pki() { ca-i_gen_pki() {
CDD=`pwd` CDD=`pwd`
ORG_URL=$1 ORG_URL=$1
SERIAL_O=$2 NUM_CERTS=$2
NUM_CERTS=$(($3-1))
# create unique directory # create unique directory
UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}" get_serial
mkdir -p "distribution/ca_i_${UNIQ_ID_CAI}" UNIQ_ID_CAI="${SERIAL}.cai.${ORG_URL}"
cd "distribution/ca_i_${UNIQ_ID_CAI}" mkdir -p "distribution/${UNIQ_ID_CAI}"
# Create CA Intermediate # generate CA Intermediate
ca-i_gen_cert $ORG_URL $SERIAL_O ca-i_gen_cert $UNIQ_ID_CAI
# create directories, copy files, before generating client/server # create directories, copy files, before generating client/server
ca-i_create_shell __ca-i_create_pkg
__ca-i_gen_client # the client & server applications need to execute in their perspective directories
cd $CDD/distribution/$UNIQ_ID_CAI/clients
gen_client $NUM_CERTS
__ca-i_gen_server cd $CDD/distribution/$UNIQ_ID_CAI/servers
gen_server $NUM_CERTS
# return to last path # return to last path
cd $CDD cd $CDD
} }
#
# Client Certificates
#
__ca-i_gen_client() {
# create directories
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
cd clients
for NUM in $(seq 0 $NUM_CERTS)
do
gen_client $ORG_URL $((SERIAL_O+NUM))
done
cd ..
}
#
# Server Certificates
#
__ca-i_gen_server() {
# create directories
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
cd servers
for NUM in $(seq 0 $NUM_CERTS)
do
gen_server $ORG_URL $((SERIAL_O+NUM))
done
cd ..
}
# This function will generate a CA Intermediate
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA, SERIAL
#
ca-i_gen_cert() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "ca_i_${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "ca_i_${UNIQ_ID}.keys.pem" -out "ca_i_${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID}.csr.pem" -out "ca_i_${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID}.crt.pem" -out "ca_i_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID}.crt.pem" > "ca_i_${UNIQ_ID}.crt.info.txt"
# create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID}.crt.pem" > "ca_cert-chain_${UNIQ_ID}.crts.pem"
}
# #
# Copies all applcations to the Lifecycle package # Copies all applcations to the Lifecycle package
# organize the ca-i directory # organize the ca-i directory
# order matters: move these files last because they were copied above # order matters: move these files last because they were copied above
# #
ca-i_create_shell() { __ca-i_create_pkg() {
DEST_DIR="${CDD}/distribution/${UNIQ_ID}"
DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}" echo $UNIQ_ID > cfg/UNIQ_ID_CA-I
# client #
mkdir -p clients/cfg # Client
#
# create directories
mkdir -p $DEST_DIR/clients/data
mkdir -p $DEST_DIR/clients/distro
mkdir -p $DEST_DIR/clients/docs
mkdir -p $DEST_DIR/clients/cfg
# copy resource files
cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/ cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg
cp $CDD/res/docs/README_C $DEST_DIR/clients/README cp $CDD/res/docs/README_C $DEST_DIR/clients/README
cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/ cp $CDD/res/docs/SERIAL_C $DEST_DIR/clients/cfg/SERIAL
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/cert.cnf
# generated files # generated files
cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem
cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem
cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/clients/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/clients/cfg/
# server #
mkdir -p servers/cfg # Server
#
# create directories
mkdir -p $DEST_DIR/servers/data
mkdir -p $DEST_DIR/servers/distro
mkdir -p $DEST_DIR/servers/docs
mkdir -p $DEST_DIR/servers/cfg
# copy resource files
cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/ cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/ cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/
cp $CDD/res/docs/README_S $DEST_DIR/servers/README cp $CDD/res/docs/README_S $DEST_DIR/servers/README
cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/ cp $CDD/res/docs/SERIAL_S $DEST_DIR/servers/cfg/SERIAL
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/ cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/cert.cnf
# generated files # generated files
cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem
cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem
cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/servers/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/servers/cfg/
#
# CA-I # CA-I
mkdir -p ca-i/data #
mkdir -p ca-i/docs # create directories
mkdir -p ca-i/distro mkdir -p $DEST_DIR/ca-i/data
cp $CDD/res/docs/README_CAI $DEST_DIR/README mkdir -p $DEST_DIR/ca-i/docs
cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/ mkdir -p $DEST_DIR/ca-i/distro
cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/ # copy resource files
cp $CDD/res/docs/README_CAI $DEST_DIR/README
cp $CDD/ca/*.crt.pem $DEST_DIR/ca-i/data/
cp $CDD/ca/*.info.txt $DEST_DIR/ca-i/docs/
# generated files # generated files
mv $DEST_DIR/ca_i*.pem $DEST_DIR/ca-i/data/ mv $UNIQ_ID_CAI*.pem $DEST_DIR/ca-i/data/
mv $DEST_DIR/ca_i*.info.txt $DEST_DIR/ca-i/docs/ mv $UNIQ_ID_CAI.crt.info.txt $DEST_DIR/ca-i/docs/
mv $DEST_DIR/ca_i*.p12 $DEST_DIR/ca-i/distro mv $UNIQ_ID_CAI.p12 $DEST_DIR/ca-i/distro
mv $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/ca-i/distro mv ca_cert-chain*.pem $DEST_DIR/ca-i/distro
}
# This function will generate a CA Intermediate
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA
#
ca-i_gen_cert() {
UNIQ_ID=$1
DEST_DIR="."
UNIQ_ID="${SERIAL}.cai.${ORG_URL}"
echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "${DEST_DIR}/${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config "cfg/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "${DEST_DIR}/${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile "cfg/ca.cnf" -extensions v3_ca_i \
-CA cfg/ca.crt.pem -CAkey cfg/ca.keys.pem -set_serial ${SERIAL} \
-in "${DEST_DIR}/${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile cfg/ca.crt.pem \
-in "${DEST_DIR}/${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/${UNIQ_ID}.crt.info.txt"
# create certifiate chain
cat cfg/ca.crt.pem "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
}
get_uniq_ids() {
UNIQ_ID_CA=`head cfg/UNIQ_ID_CA`
UNIQ_ID_CAI=`head cfg/UNIQ_ID_CA-I`
}
gen_client() {
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.client.${UNIQ_ID_CAI}"
gen_client_cert $UNIQ_ID
done
} }
# #
# Generate a Client Certificate # Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL # IN: UNIQ_ID, SERIAL
# #
gen_client() { gen_client_cert() {
ORG_URL=$1 UNIQ_ID=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
echo_block "Generate Client Certificates (${UNIQ_ID})" echo_block "Generate Client Certificates (${UNIQ_ID})"
openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096 openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \ openssl req -new -key "data/${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/client_${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client # CA Intermediate signs Client
openssl x509 -req -days 365 \ openssl x509 -req -days 365 \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem" -in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
# Package the Certificates # Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \ -name "Client ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12" -in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt" openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.info.txt"
}
gen_server() {
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.server.${UNIQ_ID_CAI}"
gen_server_cert $UNIQ_ID
done
} }
# #
# Generate a Server Certificate # Generate a Server Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL # IN: UNIQ_ID, SERIAL
# #
gen_server() { gen_server_cert() {
ORG_URL=$1 UNIQ_ID=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
echo_block "Generate Server Certificates (${UNIQ_ID})" echo_block "Generate Server Certificates (${UNIQ_ID})"
openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096 openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \ openssl req -new -config "cfg/cert.cnf" -key "data/${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \ -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/server_${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server # CA Intermediate signs Server
openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \ openssl x509 -req -days 365 -extfile "cfg/cert.cnf" -extensions v3_server \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \ -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem" -in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
# Package the Certificates # Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \ openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \ -name "Server ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12" -in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
# verify certificate (output to text file for review) # verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt" openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.crt.info.txt"
} }

1
src/sandbox/SERIAL Normal file
View File

@ -0,0 +1 @@
2010

37
src/sandbox/p12ext.sh Normal file
View File

@ -0,0 +1,37 @@
#!/bin/bash
#
# Extract the ca certificate, user certificate, user keys from the p12 package
#
#
# -clcerts (only output client certificates (not CA certificates))
# -cacerts (only output CA certificates (not client certificates))
# -nocerts (no certificates at all will be output)
# -nokeys (no private keys will be output)
#
#
if [[ -n $1 ]]; then
echo
else
echo
echo "This script will copy the certificates and keys to the strongswan configuration paths"
echo
echo "Usage: p12ext <file> [password]"
echo
echo "Example: p12ext file.p12"
echo
exit 1
fi
# create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="p12ext_${UNIQ_DIR_LC}"
mkdir $UNIQ_DIR_LC
# keys
openssl pkcs12 -nodes -nocerts -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.keys.pem
# certificate
openssl pkcs12 -nodes -clcerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.crt.pem
# CA
openssl pkcs12 -nodes -cacerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/ca-chain.crt.pem

11
src/sandbox/serial.sh Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
SERIAL=`head SERIAL`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > SERIAL
fi