Compare commits

9 Commits
ver3.2 ... a

22 changed files with 929 additions and 367 deletions

.gitignore vendored
@ -1,12 +1,9 @@
#
pki-lifecycle_*
# Project specific files
sftp-config.json
.DS_Store
**/var/
**/cert_gen/acme.xyz_fl/
pki-lifecycle_*
# Byte-compiled / optimized / DLL files
__pycache__/
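Review bot: `pki-lifecycle_*` appears twice in this hunk (once under the leading `#`, once again below `**/cert_gen/acme.xyz_fl/`); if the intent is to move the pattern up, make sure only one copy survives in the result. Ignoring it is the right call: `mk_lifecycle_pkg` in pki_bootstrap.sh (this same comparison) names the output `pki-lifecycle_<timestamp>` and that directory holds `cfg/ca.keys.pem`, the root key written without a passphrase, so it must never be committed.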

README
@ -31,13 +31,17 @@ There are two main applications contained in this project.
VERSIONS
---------------------
Ver 3.2 - MOB Hub PKI Lifecycle
ver 3.3 - MOB Hub CA-I Package
* updated applications to be more modular
* each CA-I package has
ver 3.2 - MOB Hub PKI Lifecycle
* PKI Lifecycle
- generate certificates during the CA's lifecycle
Ver 3.1 - MOB Hub PKI Bootstrap
ver 3.1 - MOB Hub PKI Bootstrap
* PKI Bootstrap
- generate an entire chain-of-trust
Ver 3.0 - CA Intermediate Support
ver 3.0 - CA Intermediate Support
* requires openssl (does not require ipsec)
* CA Intermediate support
-root CA can be generated with 5-10yr expiration, put into cold-storage
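Review bot: the `ver 3.3` entry is unfinished: `* each CA-I package has` stops mid-sentence; complete it (the CA-I README in this same commit lists the contents: `ca-i/`, `clients/` and `servers/`, each with its own generation script). The hunk also pairs `Ver 3.x` with `ver 3.x` lines for every version; pick one capitalization so the list is not three rename-only churn lines.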

docs/ccc_ss Normal file
@ -0,0 +1,52 @@
[[[ StrongSwan Code Command & Control ]]]
[[ Networking ]]
# VPN UDP service (StrongSwan ipsec)
$ nc -zuv 192.168.123.129 500
$ nc -zuv 192.168.123.129 4500
# view all network services
$ netstat -pntul
# openconnect VPN client (only works for https, cisco style VPN (not IKEv2) )
$ openconnect -v -c clients/porkypig\@acme.xyz_2018-04-23.21_48_11/porkypig\@acme.xyz.p12 192.168.123.129:500
[[ Service ]]
$ sudo ipsec statusall | start | stop
[[ Android ]]
# install certificates
Settings -> Security -> Credential Storage -> Install from SD
"ca.crt.pem", "client_s.p12"
# alias the multi-connections
alias adb1='adb -s 192.168.123.131'
alias adb2='adb -s 192.168.123.132'
# connect to android IP
$ adb connect 192.168.123.131
$ adb connect 192.168.123.132
# execute commands to the connected android
$ adb -s 192.168.123.132 push client_s.p12 /data/media/0/Download/
$ adb -s 192.168.123.131 shell
# restarting adb as root
$ adb -s 192.168.123.132 root
$ adb -s 192.168.123.132 shell
# push the .p12 file to the Downloads folder of the user storage
$ adb push client_s.p12 /data/media/0/Download/
$ adb push ca_i.crt.pem /data/media/0/Download/
# using the alias, push the apk, then install
$ adb2 push strongSwan-1.9.6.apk /data/local/tmp/ss.apk
$ adb2 shell pm install "/data/local/tmp/ss.apk"
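Review bot: the `openconnect -v -c clients/...p12 192.168.123.129:500` line contradicts the comment directly above it: openconnect does not speak IKEv2, so pointing it at the strongSwan IKE listener on UDP 500 cannot work; drop the line or mark it as a known non-working experiment. Two smaller points: `sudo ipsec statusall | start | stop` is shell pipe syntax, write it as three commands or `sudo ipsec {statusall|start|stop}`; and the client `.p12` (private key included) is pushed to `/data/media/0/Download/`, which is shared storage readable by other apps, so add an `adb shell rm` of that file after the "Install from SD" step.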

docs/elphdt Normal file
@ -0,0 +1,23 @@
[[ modify elphdt ]]
From what I am seeing it appears as though the directory “/certs” is mounted from the NAS. I will need to add the new certificates to the NAS and they will be accessed from the “/certs” directory.
I will generate a new certificate chain with the PKI Bootstrap applicaiton. I will copy the new “CA Intermediate package” to this location:
/certs/cai/09-2018/
It will contain the CA Intermediates and the server certificates.
Looking at elphdt, there is a file .gitlab-ci.yml: this file contains the “CI/CD configuration”. In the file the there are two global variables that are significant:
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
I will modify these variables to point to the new locations (this can be done for each build type):
GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX: /certs/acme.xyz/CA/ACME_06-2018_ca'
GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER: /certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38'
This solution will work fine for now. And in the future we can worry about generating a new server certificate for each MOB Hub.
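Review bot: the "modified" variable values are identical to the originals: both blocks point `GITLAB_CI_CERTIFICATE_DIRECTORY_CA_PREFIX` at `/certs/acme.xyz/CA/ACME_06-2018_ca` and `GITLAB_CI_CERTIFICATE_DIRECTORY_SERVER` at `/certs/acme.xyz/servers/192.168.2.1_2018-06-13.10_11_38`, not at the new `/certs/cai/09-2018/` location named a few lines earlier. Update the second pair, and remove the stray trailing `'` on each value, which has no opening quote and will not parse as intended in `.gitlab-ci.yml`.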

docs/ipsec_conf Normal file
@ -0,0 +1,63 @@
# ipsec.conf - strongSwan IPsec configuration file
config setup
# uniqueids=never
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
ca acme
cacert=ca.crt.pem
auto=add
# this is the default rekey time
# rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) authby=pubkey
# https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipseconf-Formula
conn %default
# crypto settings
keyexchange=ikev2
authby=pubkey
ike=aes128-sha256-modp2048,aes256-sha256-modp4096,aes256-sha256-modp2048!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128-sha256-modp1024,aes256-sha256-modp1536!
# tunnel processing info
type=tunnel
fragmentation=yes
forceencaps=yes # force to encrypt UDP also
dpdaction=clear # dead-peer detection to clear any "dangling" connections
dpddelay=300s
rekey=no #TODO check this out
# ikelifetime=60m
# keylife=20m
# rekeymargin=3m
# keyingtries=1
#
# tunneling config
# If left|rightcert is configured the identity has to be confirmed by the
# certificate, that is, it has to match the full subject DN or one of the
# subjectAltName extensions contained in the certificate
left=192.168.123.129 # attempting to bind to this specific IP
leftid=@s.acme.xyz # the client needs to be configured for the "server id" of this string
leftsubnet=0.0.0.0/0 # required or the right IP's aren't routing to each other...
# standard user connection
conn mob-standard
# tunneling config
leftcert=server_s.acme.xyz_s.crt.pem
right=%any
rightca="C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
# virstual IP address pool
rightsourceip=10.10.10.0/24
rightdns=192.168.123.129
auto=add
# maintenance role connection that will have elevated priveledges
# this configuration can be used with a "maintenance tablet" to update a MOB Hub
conn mob-maintenance
# tunneling config
leftcert=server_s.acme.xyz_m.crt.pem
right=%any
rightca="C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
# virstual IP address pool
rightsourceip=10.10.11.0/24
rightdns=192.168.123.129
auto=add
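Review bot: the `esp=` proposal list admits `modp1024`, `modp1536` and `sha1` entries (`aes128-sha256-modp1024`, `aes128-sha1-modp1536`, `aes256-sha1-modp4096`), all weaker than anything in the `ike=` line and than the leading `aes128gcm16-ecp256` / `aes256gcm16-ecp384` entries; a client that proposes only the weak ones will be accepted, so trim the list to the AEAD entries plus one `aes128-sha256-modp2048` style fallback. Resolve the `rekey=no #TODO` before merging: with rekeying disabled the local side never renews an SA, so it is deleted when its lifetime runs out unless the peer rekeys first. The role split itself is sound, `rightca=` pins each conn to its own issuing intermediate (`s.i.acme.xyz` vs `m.i.acme.xyz`), so a standard client certificate cannot end up in the maintenance pool. Lower `charondebug` before this reaches a MOB Hub; level 2 on every subsystem is detailed control-flow logging and is very noisy on a production daemon.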

@ -3,40 +3,84 @@
[[ WORKING ]]
* PKI Bootstrap: cp lifecycle functions
* .p12 file using on strongswan (works, kind of)
* PKI Bootstrap slide deck
-request a meeting to go over the PKI and show the slide deck
* research gitlab CI
-install gitlab in docker
-configure CI
-try to have it run pki bootstrap??
[[ BACKLOG ]]
[ current ]
* auto-increment SERIAL
* create certificate installation guide
* create a ("CA-I package") zip file for distribution (folder: ca_i_4321.skunkworks.acme.xyz.zip)
* add CA password??
* create Andriod certificate installation guide
-copy file to sd, select .p12 file, password="password"
* remove client .p12 password (have no password)
[ misc ]
* can I install certificates from an android application??
-can I used knox to install certificates??
* create GUI for cert gen process (electron+crypto-interface)
* add tool for .p12 file extractor for MH provisioning
* add havegd (make sure there is adequite entropy)
[ ver 1.4 ]
* create new "certificate bootstrap" with .cfg parameters for CA ".mil" strings
* create new CA generation script that also reads .cfg
[ ver 3.5 : xdev bootstrap chain-of-trust ]
* select bootstrap generation computer (beaglebone, raspi)
-create PKI Lifecycle package for "navy.mil"
-sneakernet two CA-I
* create a "navy-prod" branch
-change strings from "acme.xyz" to ".mil"
-make any other sensitive specific changes
* create a "navy-dev" branch
* create a "navy-int" branch (integration branch, similar to a beta branch)
* integrate into the build
-modify CI global variables (for each build)
-certs are generated BEFORE pulled into image (not part of build process)
-modify cert gen on NAS (looks for files in mount dir)
[ ver 3.6 ]
[[ COMPLETED ]]
[ ver 3.4 ]
* testing multiple CA-I compatibility
-"103.cai.skunkworks.acme.xyz" -worked
-"104.cai.skunkworks.acme.xyz" -worked
* test "104.cai.skunkworks.acme.xyz"
-load client certificate onto different tablet -worked
[ ver 3.3 ]
* SERIOUS refactoring to focus on local execution with default configs and SERIAL # incrementation
* configuration defaults generated so that the CA-I package is all automated
* gen_client.sh modified run with config defaults
* gen_server.sh modified to run with config defaults
* gen_client.sh will generate # of certs
* gen_server.sh will generate # of certs
* auto-increment SERIAL
* CA FQDN saved to config file
* CA-I FQDN saved to config file
* added certificate generation count to PKI Bootstrap application
* added certificate generation count to cai_gen application
[ ver 3.2 ]
* create new CA-I generation script that uses a CA
-also packages .p12 for distrobution (use random high quality password)
[ bootstrap cert chain-of-trust ]
* select bootstrap generation cpu (beaglebone, raspi)
* change strings from "acme.xyz" to ".mil"
* generate bootstrap
-sneakernet two CA-I
[ ver 1.5 ]
* added resources directory
* added files to be copied during CA-I package creation
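Review bot: two backlog items pull against the completed work on key protection: `* remove client .p12 password (have no password)` and the Android guide step `password="password"` would ship the client private key unprotected, while the ver 3.2 entry under COMPLETED says the `.p12` is packaged with a random high-quality password; keep the random password and strike the other two. `* add CA password??` should likewise become a firm item rather than a question, since `gen_ca` in pki_bootstrap.sh (this same comparison) writes the root key with `openssl genrsa` and no passphrase. The `navy-prod` / `.mil` branch plan also sits in a tracked notes file next to the `acme.xyz` example strings; if those names are the "sensitive specific changes" the item refers to, they should not be recorded here.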
@ -53,7 +97,6 @@ PKI Lifecycle Package
[[ COMPLETED ]]

docs/ss_cfg Normal file
@ -0,0 +1,28 @@
j3g@ubuntu-16:~$ sudo ipsec statusall
[sudo] password for j3g:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-116-generic, x86_64):
uptime: 9 hours, since Sep 11 14:12:51 2018
malloc: sbrk 1486848, mmap 0, used 370000, free 1116848
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.10.10.0/30: 2/0/0
10.10.11.0/30: 2/0/0
Listening IP addresses:
192.168.123.129
Connections:
standard: 192.168.123.129...%any IKEv2, dpddelay=300s
standard: local: [s.acme.xyz] uses public key authentication
standard: cert: "C=OO, O=ACME, OU=ACME Standard, CN=s.acme.xyz"
standard: remote: uses public key authentication
standard: ca: "C=OO, O=ACME, OU=ACME Standard, CN=s.i.acme.xyz"
standard: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
maintenance: 192.168.123.129...%any IKEv2, dpddelay=300s
maintenance: local: [s.acme.xyz] uses public key authentication
maintenance: cert: "C=OO, O=ACME, OU=ACME Maintenance, CN=s.acme.xyz"
maintenance: remote: uses public key authentication
maintenance: ca: "C=OO, O=ACME, OU=ACME Maintenance, CN=m.i.acme.xyz"
maintenance: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
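Review bot: this status capture is stale relative to `docs/ipsec_conf` in the same commit: the connections are named `standard` / `maintenance` here versus `mob-standard` / `mob-maintenance` there, the pools are `/30` here versus `/24` there, and both conns present the same certificate subject `CN=s.acme.xyz` while the config uses two different `leftcert` files. Re-capture the output after applying the config, and drop the `[sudo] password for j3g:` prompt line. strongSwan 5.3.5 on a 4.4.0 kernel is also several years old; record the version the MOB Hub actually ships so the capture can be reproduced.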

@ -1,24 +1,180 @@
===============================================
Certificate Authority (CA) Generation
CA Intermediate Generation and Distribution
Version 3.x
===============================================
===============================================
Certificate Authority (CA) Generation
CA Intermediate Generation and Distribution
Version 3.x
===============================================
-------------
INTRO
-------------
The PKI Bootstrap application will generate a new "PKI Lifecycle" package. The PKI Lifecycle
package holds a new Certificate Authority (CA) and a complete certificate chain-of-trust. The
PKI Lifecycle package has a life of 5-10 years. Each package has embedded programs to generate new
certificate authority intermediate (CA I), client, and server certificates.
-------------
USAGE
-------------
This application will generate all the files necessary to build a certificate chain of trust
using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a
PKI Lifecycle package
-put the .cnf config files into the ./cnf directory
Usage: pki_bootstrap <.cnf file (minus the .cnf)>
Example: pki_bootstrap org.acme.xyz
[ .cnf files ]
.cnf file is required for the domain name. The .cnf file is found in the ./res/cnf directory
└── res
├── cnf
│   ├── 192.168.1.3.cnf
│   ├── ca.cnf
│   ├── skunkworks.acme.xyz.cnf
│   └── vpn.backchannel.es.cnf
-------------
FEATURES
-------------
-----------------------
APPLICATION DESIGN
-----------------------
The ./res directory contains all the resources for the application. The resources include:
readme files, configuration files, and application files.
The PKI Bootstrap application directory structure is the following:
├── README
├── pki_bootstrap.sh
└── res
├── cfg
│   └── SERIAL
├── cnf
│   ├── 192.168.1.3.cnf
│   ├── ca.cnf
│   ├── skunkworks.acme.xyz.cnf
│   └── vpn.backchannel.es.cnf
├── docs
│   ├── README_C
│   ├── README_CAI
│   ├── README_LC
│   ├── README_S
│   ├── SERIAL
│   └── SERIAL_LC
└── libs
├── gen_ca-i.sh
├── gen_client.sh
├── gen_server.sh
└── pki_funcs.sh
-------------------------
PKI Lifecycle Package
-------------------------
The PKI Lifecycle packagee is a complete certificate chain of trust with a root self-signed
certificate. The package contains all the configuration and data inforomation to generate
Certificate Authority Intermediate packages.
The PKI Lifecycle packge is NOT to be removed from the generation system. It should be
protected as it contains the root CA. The package contains the root CA, configuration files,
and the a copy of the resources directory.
The PKI Lifecycle package structure is the following:
├── README
├── ca
│   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   ├── 101.ca.skunkworks.acme.xyz.keys.pem
│   └── 101.ca.skunkworks.acme.xyz_cert.info.txt
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca.cnf
│   ├── ca.crt.pem
│   ├── ca.keys.pem
│   ├── pki_funcs.sh
│   └── skunkworks.acme.xyz.cnf
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
├── gen_ca-i.sh
└── res
├── cfg
├── cnf
├── docs
└── libs
----------------
CA-I Package
----------------
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the packages
is a client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh
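Review bot: USAGE says to put the `.cnf` files in `./cnf`, but the next paragraph and the tree put them in `./res/cnf`; fix the first. The FEATURES heading is empty. More important, the CA-I package tree shows `ca-i.keys.pem` in three places (`ca-i/data/`, `clients/cfg/`, `servers/cfg/`): whoever receives the `clients/` directory, which the README calls portable, holds the intermediate signing key and can mint client certificates that `rightca=` in docs/ipsec_conf will accept. State explicitly that the whole CA-I package is signing-capable and that only the `distro/` files are meant to leave the signing host.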

@ -11,17 +11,20 @@
. res/libs/pki_funcs.sh
PARAM1=$1
PARAM2=$2
usage() {
echo
echo "This application will generate all the files necessary to build a certificate chain of trust"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
echo "pki lifecyle package"
echo " -put the .cnf config files into the ./cnf directory"
echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into a"
echo "PKI Lifecycle package. A .cnf file is required for the domain. The domain url should match"
echo "the .cnf file name. Put the .cnf config file into the .res/cnf/ directory"
echo
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)> [# of CA-I to generate]"
echo
echo "Example: pki_bootstrap org.acme.xyz"
echo " pki_bootstrap org.acme.xyz 5"
echo
exit 1
}
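Review bot: `.res/cnf/` in the new usage text is missing the leading `./` (the README and `app_init` use `res/cnf/`). The new optional `[# of CA-I to generate]` argument has no stated default; `gen_lc_cai` in this same file generates two CA-Is when it is omitted, so say so here.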
@ -29,18 +32,18 @@ usage() {
# Grab the latest serial # from the file, auto-increment
#
get_serial_ca() {
SERIAL=`head "res/cfg/SERIAL"`
SERIAL=`head res/cfg/SERIAL`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > res/cfg/SERIAL
fi
}
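Review bot: when `res/cfg/SERIAL` is missing or empty the function falls back to 11111 but never writes it back, so every run in that state issues a root CA with serial 11111 under the same issuer name; either write `$((SERIAL+1))` back in the fallback branch too, or fail hard, since a missing serial file on the generation host is not a condition to paper over. Minor: `head` without `-n 1` reads up to ten lines, and the warning says the file was not found even when it exists but is empty.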
#
# CA generation requires .cnf files
# create CA directory
# create bash variables to CA
# restore script back to original path
#
app_init() {
if [[ -n $PARAM1 ]]; then
@ -51,11 +54,9 @@ app_init() {
if [[ ${PARAM1: -4} == .cnf ]]; then
ORG_URL=${PARAM1%.*}
S_CNF=${PARAM1}
echo "ASDF: ${ORG_URL}, ${S_CNF}"
else
ORG_URL=$PARAM1
S_CNF="${PARAM1}.cnf"
echo "ZXCV: ${ORG_URL}, ${S_CNF}"
fi
FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"
@ -73,64 +74,95 @@ app_init() {
#
# IN: UNIQ_ID_CA, SERIAL
#
gen_lifecycle() {
mk_lifecycle_pkg() {
get_serial_ca
echo_block "SERIAL == ${SERIAL}"
# Organize
#
# create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="pki-lifecycle_${UNIQ_DIR_LC}"
mkdir -p "${UNIQ_DIR_LC}"
cd "${UNIQ_DIR_LC}"
FQ_DIR_LC=`pwd`
FQ_DIR_LC="${FQ_DIR_LC}/${UNIQ_DIR_LC}"
# create CA unique dir
UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
CA_DIR="ca_${UNIQ_ID_CA}"
mkdir $CA_DIR
cd $CA_DIR
FQ_CA_DIR=`pwd`
FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"
UNIQ_ID_CA="${SERIAL}.ca.${ORG_URL}"
mkdir -p "${UNIQ_DIR_LC}/ca"
cd "${UNIQ_DIR_LC}"
# initialize the functions lib
pki_func_init $FQ_CA_CERT $FQ_CA_KEYS "${CD_ROOT}/res/cnf"
# generate a new CA
gen_ca $UNIQ_ID_CA $SERIAL
# go back to original dir
cd ..
cd ..
}
#
#
#
cp_lifecycle_docs() {
# resource files to be copied to the PKI Lifecycle Package
RES="${CD_ROOT}/res"
mkdir -p "${UNIQ_DIR_LC}/cfg"
cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/${ORG_URL}.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp "${RES}/cnf/ca.cnf" $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/"ca_${UNIQ_ID_CA}"/ca_*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
echo $UNIQ_ID_CA > $CD_ROOT/$UNIQ_DIR_LC/cfg/UNIQ_ID_CA
cp -r $CD_ROOT/res $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/libs/gen_ca-i.sh $CD_ROOT/$UNIQ_DIR_LC/
cp $RES/docs/README_LC $CD_ROOT/$UNIQ_DIR_LC/README
cp $RES/docs/SERIAL_LC $CD_ROOT/$UNIQ_DIR_LC/cfg/SERIAL
cp $RES/libs/pki_funcs.sh $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $RES/cnf/$ORG_URL.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
cp $RES/cnf/ca.cnf $CD_ROOT/$UNIQ_DIR_LC/cfg/
# CA certs
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.crt.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.crt.pem
cp $CD_ROOT/$UNIQ_DIR_LC/ca/*.keys.pem $CD_ROOT/$UNIQ_DIR_LC/cfg/ca.keys.pem
}
#
# Generate Lifecycle CA Intermediates
#
gen_lc_ca_i() {
gen_lc_cai() {
cd $FQ_DIR_LC
# generate new CA-I
ca-i_gen_pki $ORG_URL 1001 2
# ca-i_gen_pki $ORG_URL 2001 5
# ca-i_gen_pki $ORG_URL 3001 8
if [[ -n $PARAM2 ]]; then
COUNT=$(($PARAM2-1))
else
COUNT=1
fi
for NUM in $(seq 0 $COUNT)
do
ca-i_gen_pki $ORG_URL 5
done
}
# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
#
# ***** ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
gen_ca() {
UNIQ_ID_CA=$1
SERIAL=$2
echo_block "Create CA (${UNIQ_ID_CA})"
# encrypt the key
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CD_ROOT/res/cnf/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca/${UNIQ_ID_CA}.keys.pem -out ca/${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca/${UNIQ_ID_CA}.crt.pem > ca/${UNIQ_ID_CA}_cert.info.txt
}
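Review bot: `gen_ca` writes the root key with `openssl genrsa -out "ca/${UNIQ_ID_CA}.keys.pem" 4096` and no passphrase, and `cp_lifecycle_docs` then copies it a second time to `cfg/ca.keys.pem`; the README in this commit says the lifecycle package must be protected because it holds the root CA, so at minimum encrypt the key and avoid the second plaintext copy. The commented-out alternative would not work as written either: `-password` is not a `genrsa` option (the passphrase option is `-passout`) and `pass:password` is a literal placeholder. In `gen_lc_cai`, the default path (`COUNT=1`, then `seq 0 $COUNT`) runs the loop twice, so omitting the count yields two CA-Is, and `$(($PARAM2-1))` is evaluated without checking that `PARAM2` is numeric. `pki_func_init` is also still referenced here while pki_funcs.sh in this same comparison removes it; check which side of the diff that call is on.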
@ -140,11 +172,11 @@ main() {
# generate new CA
# create new PKI Lifecycle Package
app_init
gen_lifecycle
mk_lifecycle_pkg
cp_lifecycle_docs
# gen some CAs
gen_lc_ca_i
gen_lc_cai
# make sure we return to root execution path
cd "${CD_ROOT}"

@ -8,15 +8,49 @@
-------------
INTRO
-------------
This application will generate new client certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new client certificates. The certificates can be used with any
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
-------------
USAGE
-------------
Generate a new client certificate
./ gen_client.sh
usage: gen_client.sh <# to generate>
example: gen_client.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
└── gen_client.sh
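Review bot: "can be used with any VPN client service" is broader than what the commit shows; the only exercised path on this page is strongSwan IKEv2 (docs/ipsec_conf, docs/ccc_ss, the ver 3.4 tablet tests), so qualify the claim. The APPLICATION DESIGN paragraph says the `cfg` files "do not need to be edited", which is true, but `cfg/ca-i.keys.pem` is the intermediate's private key, not a configuration file; name it as a secret so nobody ships `clients/` as a whole when only `distro/` is meant. Also `./client/cfg` should be `./clients/cfg` to match the tree.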

@ -1,21 +1,123 @@
============================
CA Intermediate README
===================
CA Intermediate
Version 3.1
============================
===================
-------------
INTRO
-------------
This application will generate new client certificates. The certificates can be used with any
VPN client service. The certificate chain is also included (CA certificate & CA-I certificate).
This application will generate new Certificate Authority Intermediate packages to be distributed
to organizations for external usage.
The CA-I package contains a complete certifate chain of trust using a certificate authority
intermediate. The CA intermediate has permission to sign certificates. Included in the package
is client and server certificate generation applications that run on Bash linux. The CA intermediate
can be used with 3rd party applications to generate certificates.
-------------
USAGE
-------------
Generate a new CA Intermediate certificate
This program will generate a new certificate authority (CA) intermediate
It requires a CA certificate to sign a CA Intermediate
Requires the file "ca.pem" that is used to sign the certificates
usage: gen_ca-i.sh <Org URL> [# of client/server certs]
example: gen_ca-i.sh skunkworks.acme.xyz \
10 (optional) \
-----------------------
APPLICATION DESIGN
-----------------------
The CA-I package contains all the files needed to generate certificates. The ./ca-i directory
contains the certificate authority files. The ./ca-i/data directory contains all the raw ca
files. The ./ca-i/distro directory contains the files to be distributed and installed on clients.
The .p12 files contins the CA certificate, and client certificates. The ./ca-i/docs directory
contains certificate information in plain text format.
The ./clients directory contains the files needed to generate client certificates. The directory
is portable and will operate properly if moved to another linux system. The ./client/cfg contains
configuration files that are used by the client generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./clients/data directory contains the raw data (in .pem) of the certificates generated. The
./clients/distro contains the files to be distributed and installed on clients. The ./clients/docs
directory contains certificate information in plain text format.
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
----------------
CA-I Package
----------------
The CA-I package structure is the following:
├── distribution
│   └── 101.cai.skunkworks.acme.xyz
│   ├── README
│   ├── ca-i
│   │   ├── data
│   │   │   ├── 101.ca.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   └── 101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 101.cai.skunkworks.acme.xyz.p12
│   │   │   └── ca_cert-chain_101.cai.skunkworks.acme.xyz.crts.pem
│   │   └── docs
│   │   ├── 101.ca.skunkworks.acme.xyz_cert.info.txt
│   │   └── 101.cai.skunkworks.acme.xyz.crt.info.txt
│   ├── clients
│   │   ├── README
│   │   ├── cfg
│   │   │   ├── SERIAL
│   │   │   ├── UNIQ_ID_CA
│   │   │   ├── UNIQ_ID_CA-I
│   │   │   ├── ca-i.crt.pem
│   │   │   ├── ca-i.keys.pem
│   │   │   ├── ca_cert-chain.crts.pem
│   │   │   ├── cert.cnf
│   │   │   └── pki_funcs.sh
│   │   ├── data
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.crt.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.csr.pem
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.keys.pem
│   │   ├── distro
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.p12
│   │   ├── docs
│   │   │   ├── 1001.client.101.cai.skunkworks.acme.xyz.info.txt
│   │   └── gen_client.sh
│   └── servers
│   ├── README
│   ├── cfg
│   │   ├── SERIAL
│   │   ├── UNIQ_ID_CA
│   │   ├── UNIQ_ID_CA-I
│   │   ├── ca-i.crt.pem
│   │   ├── ca-i.keys.pem
│   │   ├── ca_cert-chain.crts.pem
│   │   ├── cert.cnf
│   │   └── pki_funcs.sh
│   ├── data
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
│   ├── distro
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
│   ├── docs
│   │   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
│   └── gen_server.sh
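Review bot: USAGE says the script "Requires the file "ca.pem"", but gen_ca-i.sh in this same comparison checks `cfg/ca.crt.pem` and `cfg/ca.keys.pem`; name the real files. The example `gen_ca-i.sh skunkworks.acme.xyz \` followed by `10 (optional) \` leaves a dangling backslash after a comment word; write it as `gen_ca-i.sh skunkworks.acme.xyz 10`. The three "directory is portable" paragraphs are the same text with `clients` / `servers` substituted, and the clients one still says `./client/cfg`; one paragraph plus a note on which sub-directories carry private keys (`ca-i/data`, `clients/cfg`, `servers/cfg` all hold `ca-i.keys.pem` per the tree) would read better and would tell the recipient organization what they are actually being handed.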

@ -8,14 +8,49 @@
-------------
INTRO
-------------
This application will generate new server certificates. The certificate chain is also included
(CA certificate & CA-I certificate).
This application will generate new server certificates to be used with a VPN service.
-------------
USAGE
-------------
Generate a new server certificate
./ gen_server.sh
usage: gen_server.sh <# to generate>
example: gen_server.sh 2
-----------------------
APPLICATION DESIGN
-----------------------
The ./servers directory contains the files needed to generate server certificates. The directory
is portable and will operate properly if moved to another linux system. The ./server/cfg contains
configuration files that are used by the server generation application. The configuation files
do not need to be edited and they provide information congruent with the CA and server. The
./servers/data directory contains the raw data (in .pem) of the certificates generated. The
./servers/distro contains the files to be distributed and installed on servers. The ./servers/docs
directory contains certificate information in plain text format.
├── README
├── cfg
│   ├── SERIAL
│   ├── UNIQ_ID_CA
│   ├── UNIQ_ID_CA-I
│   ├── ca-i.crt.pem
│   ├── ca-i.keys.pem
│   ├── ca_cert-chain.crts.pem
│   ├── cert.cnf
│   └── pki_funcs.sh
├── data
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.csr.pem
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.keys.pem
├── distro
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.p12
├── docs
│   ├── 5001.server.101.cai.skunkworks.acme.xyz.crt.info.txt
└── gen_server.sh
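Review bot: `servers/distro` is described as the files "to be distributed and installed on servers", but docs/ipsec_conf in this commit loads PEM files (`leftcert=server_s.acme.xyz_s.crt.pem`) rather than the `5001.server.101.cai...p12` shown in the tree; document how the generated `.p12` and the `data/*.pem` files map onto `leftcert` and the key strongSwan loads, so the two documents agree. Same `./server/cfg` vs `./servers/cfg` inconsistency as in the client README.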

@ -0,0 +1 @@
5001

@ -3,17 +3,12 @@
# Create CA Intermediate
#
#
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
# source this file to include the functions
. cfg/pki_funcs.sh
PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() {
echo
@ -23,39 +18,44 @@ usage() {
echo "It requires a CA certificate used to sign CA Intermediate"
echo "Requires the file \"ca.pem\" that is used to sign the certificates"
echo
echo " usage: gen_ca-i.sh <Org URL> <Serial>"
echo " usage: gen_ca-i.sh <Org URL> [# of client/server certs]"
echo
echo " example: gen_ca-i.sh skunkworks.acme.xyz"
echo " 10052"
echo " example: gen_ca-i.sh skunkworks.acme.xyz \\"
echo " 10 (optional)"
echo
exit 1
}
error_no_ca_file() {
echo_block "ERROR: missing ca.crt.pem, ca.keys.pem"
usage
}
main() {
CDD=`pwd`
FQ_CA_KEYS="${CDD}/cfg/ca.keys.pem"
FQ_CA_CRT="${CDD}/cfg/ca.crt.pem"
if [[ ! -f $FQ_CA_KEYS ]] || [[ ! -f $FQ_CA_CRT ]]; then
error_no_ca_file
fi
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
pki_func_init $FQ_CA_CRT $FQ_CA_KEYS "${CDD}/cfg"
if [[ -z $PARAM3 ]]; then
PARAM3=5
check_params() {
# the parameter must be the URL (not the filename, .cnf)
if [[ -n $PARAM1 ]]; then
if [[ ${PARAM1: -4} == .cnf ]]; then
if [[ ! -f "cfg/${PARAM1}" ]]; then
echo_block "ERROR: file cfg/${PARAM1} is missing"
usage
else
PARAM1=${PARAM1%.*}
fi
else
if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
echo_block "ERROR: file cfg/${PARAM1}.cnf is missing"
usage
fi
fi
ca-i_gen_pki $PARAM1 $PARAM2 $PARAM3
else
usage
fi
if [[ -z $PARAM2 ]]; then
PARAM2=5
fi
}
main() {
# uses global variables: $PARAM1 $PARAM2 $PARAM3
check_cai_pkg
check_params
ca-i_gen_pki $PARAM1 $PARAM2
}
main
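Review bot: the explicit `error_no_ca_file` check on `cfg/ca.keys.pem` / `cfg/ca.crt.pem` is removed in favour of `check_cai_pkg`, which is not in this diff; confirm it still verifies both files, otherwise `ca-i_gen_pki` will fail partway through and leave a half-built package. The usage text still says `Requires the file "ca.pem"`, which never matched what the script checks. `PARAM2` defaults to 5 but is not validated as a positive integer before being handed to `ca-i_gen_pki`.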

@ -3,54 +3,34 @@
# Create Client Certificates
#
#
# This function will generate a Client cert
# IN: UNIQ_ID, SERIAL
#
# source this file to include the functions
. cfg/pki_funcs.sh
PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() {
echo
echo "Generate a new Client certificate"
echo "Generate a new client certificate"
echo
echo " usage: gen_client.sh <# to generate>"
echo
echo "Generate a new certificate"
echo " usage: gen_client.sh <Org URL> <Serial #>"
echo
echo " example: gen_client.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo " example: gen_client.sh 2"
echo
exit 1
}
main() {
if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
UNIQ_ID="${PARAM2}.${PARAM1}"
if [[ -f "distro/client_${UNIQ_ID}.p12" ]]; then
echo_block "ERROR: certifate <<distro/client_${UNIQ_ID}.p12>> already exists"
usage
fi
gen_client $PARAM1 $PARAM2
else
check_params() {
if [[ -z $PARAM1 ]]; then
usage
fi
}
main() {
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_client $PARAM1
}
main
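Review bot: check_params only tests that $PARAM1 is non-empty, but gen_client then computes `COUNT=$(($1-1))` and loops with seq, so `gen_client.sh foo` silently generates nothing (an unset name evaluates to 0) and something like `2x` aborts inside the arithmetic expansion rather than at the usage check. Suggest `[[ $PARAM1 =~ ^[1-9][0-9]*$ ]] || usage` here. If the `PARAM2=$2` / `PARAM3=$3` assignments above are still present they are now unused and can go, since the new usage takes a single count.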


@ -3,58 +3,34 @@
# Create Server Certificates
#
#
# This function will generate a Server cert
# IN: UNIQ_ID, SERIAL
#
# source this file to include the functions
. cfg/pki_funcs.sh
PARAM1=$1
PARAM2=$2
PARAM3=$3
usage() {
echo
echo "Generate a new Server certificate"
echo "Generate a new server certificate"
echo
echo " usage: gen_server.sh <# to generate>"
echo
echo "Generate a new certificate"
echo " usage: gen_server.sh <Org URL> <Serial #>"
echo
echo " example: gen_server.sh skunkworks.acme.xyz \\"
echo " 10052 \\"
echo " example: gen_server.sh 2"
echo
exit 1
}
main() {
if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
usage
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
UNIQ_ID="${PARAM2}.${PARAM1}"
if [[ -f "distro/server_${UNIQ_ID}.p12" ]]; then
echo_block "ERROR: certifate <<distro/server_${UNIQ_ID}.p12>> already exists"
usage
fi
if [[ ! -f "cfg/${PARAM1}.cnf" ]]; then
echo_block "ERROR: configuration file <<cfg/${PARAM1}.cnf>> is missing"
usage
fi
gen_server $PARAM1 $PARAM2
else
check_params() {
if [[ -z $PARAM1 ]]; then
usage
fi
}
main() {
# uses global variables: $PARAM1
check_cai_pkg
check_params
gen_server $PARAM1
}
main
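Review bot: The old main() verified that the OpenSSL config file existed before calling gen_server; the new check_params drops that check, and check_cai_pkg only looks at the CA/CA-I key pairs and cfg/SERIAL, so a package missing cfg/cert.cnf (which gen_server_cert reads via `-config` and `-extfile`) fails partway through the loop after get_serial has already consumed serial numbers. Add `[[ -f cfg/cert.cnf ]] || { echo_block "ERROR: file cfg/cert.cnf is missing"; usage; }` to check_params, plus the same positive-integer check on $PARAM1 as suggested for gen_client.sh.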


@ -3,20 +3,6 @@
# all main functions to generate a PKI certificate chain
#
#
# Set the CA variables
#
pki_func_init() {
if [[ -n $1 ]] || [[ -n $2 ]] || [[ -n $3 ]]; then
FQ_CA_CERT=$1
FQ_CA_KEYS=$2
CNF_PATH=$3
APP_INIT=1
else
APP_INIT=0
fi
}
#
# print text wrapped in a block
#
@ -31,41 +17,30 @@ echo_block() {
# Grab the latest serial # from the file, auto-increment
#
get_serial() {
SERIAL=`head "cfg/SERIAL"`
SERIAL=`head cfg/SERIAL`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > cfg/SERIAL
fi
}
# ***** ***** ***** ***** *****
#
# CERTIFICATE AUTHORITY (CA)
# check the integrity of the CA-I package
#
# ***** ***** ***** ***** *****
# This function will generate a CA Intermediate
# IN: UNIQ_ID_CA, SERIAL
#
gen_ca() {
UNIQ_ID_CA=$1
SERIAL=$2
echo_block "Create CA (${UNIQ_ID_CA})"
# encrypt the key
#openssl genrsa -aes256 -out ca.keys.pem 4096
#openssl genrsa -aes256 -password "pass:password" -out ca.keys.pem 4096
# key un-protected
openssl genrsa -out "ca_${UNIQ_ID_CA}.keys.pem" 4096
#
# Create Certificate (valid for 10 years, after the entire chain of trust expires)
openssl req -config $CNF_PATH/ca.cnf -new -x509 -sha256 -days 3650 -extensions v3_ca \
-subj "/C=OO/O=ACME/CN=root.${UNIQ_ID_CA}" -set_serial ${SERIAL} \
-key ca_${UNIQ_ID_CA}.keys.pem -out ca_${UNIQ_ID_CA}.crt.pem
# verify certificate (output to text file for review)
openssl x509 -noout -text -in ca_${UNIQ_ID_CA}.crt.pem > ca_${UNIQ_ID_CA}_cert.info.txt
check_cai_pkg() {
if [[ ! -f cfg/ca.keys.pem ]] || [[ ! -f cfg/ca.crt.pem ]]; then
if [[ ! -f cfg/ca-i.keys.pem ]] || [[ ! -f cfg/ca-i.crt.pem ]]; then
echo_block "ERROR: missing a config file: cfg/ca.crt.pem, cfg/ca.keys.pem, cfg/ca-i.crt.pem, cfg/ca-i.keys.pem"
usage
fi
fi
if [[ ! -f cfg/SERIAL ]]; then
echo_block "ERROR: file cfg/SERIAL is missing"
usage
fi
}
#
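Review bot: get_serial never persists the fallback value: when cfg/SERIAL is empty it sets SERIAL=11111 but does not write the incremented value back, so gen_client's per-certificate loop (which calls get_serial on every iteration) would issue every certificate with serial 11111 and the same UNIQ_ID, each one overwriting the previous files. Move the write out of the else branch, e.g. `echo $((SERIAL+1)) > cfg/SERIAL` after the if/fi, so both paths persist the next value. Separately, check_cai_pkg accepts the package when either the root CA pair or the CA-I pair is present, yet the error message lists all four files; a package that has ca.* but lacks ca-i.* passes the check and then gen_client_cert fails in openssl when it signs with cfg/ca-i.keys.pem. Consider taking the required pair as an argument (`check_cai_pkg ca-i`) and also checking cfg/ca.cnf, cfg/cert.cnf and cfg/UNIQ_ID_CA, which the generators read unconditionally.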
@ -80,215 +55,227 @@ gen_ca() {
# - generate server certificates
# - generate client certificates
#
# INPUT: BASE SERIAL #, LOOP NUM
#
# Requires: FQ_CA_CERT, FQ_CA_KEYS
# INPUT: ORG URL, SERIAL #, LOOP NUM
#
ca-i_gen_pki() {
CDD=`pwd`
ORG_URL=$1
SERIAL_O=$2
NUM_CERTS=$(($3-1))
NUM_CERTS=$2
# create unique directory
UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}"
mkdir -p "distribution/ca_i_${UNIQ_ID_CAI}"
cd "distribution/ca_i_${UNIQ_ID_CAI}"
get_serial
UNIQ_ID_CAI="${SERIAL}.cai.${ORG_URL}"
mkdir -p "distribution/${UNIQ_ID_CAI}"
# Create CA Intermediate
ca-i_gen_cert $ORG_URL $SERIAL_O
# generate CA Intermediate
ca-i_gen_cert $UNIQ_ID_CAI
# create directories, copy files, before generating client/server
ca-i_create_shell
__ca-i_create_pkg
__ca-i_gen_client
# the client & server applications need to execute in their perspective directories
cd $CDD/distribution/$UNIQ_ID_CAI/clients
gen_client $NUM_CERTS
__ca-i_gen_server
cd $CDD/distribution/$UNIQ_ID_CAI/servers
gen_server $NUM_CERTS
# return to last path
cd $CDD
}
#
# Client Certificates
#
__ca-i_gen_client() {
# create directories
mkdir -p clients/data
mkdir -p clients/distro
mkdir -p clients/docs
cd clients
for NUM in $(seq 0 $NUM_CERTS)
do
gen_client $ORG_URL $((SERIAL_O+NUM))
done
cd ..
}
#
# Server Certificates
#
__ca-i_gen_server() {
# create directories
mkdir -p servers/data
mkdir -p servers/distro
mkdir -p servers/docs
cd servers
for NUM in $(seq 0 $NUM_CERTS)
do
gen_server $ORG_URL $((SERIAL_O+NUM))
done
cd ..
}
# This function will generate a CA Intermediate
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA, SERIAL
#
ca-i_gen_cert() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "ca_i_${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "ca_i_${UNIQ_ID}.keys.pem" -out "ca_i_${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
-CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-in "ca_i_${UNIQ_ID}.csr.pem" -out "ca_i_${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-in "ca_i_${UNIQ_ID}.crt.pem" -out "ca_i_${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "ca_i_${UNIQ_ID}.crt.pem" > "ca_i_${UNIQ_ID}.crt.info.txt"
# create certifiate chain
cat $FQ_CA_CERT "ca_i_${UNIQ_ID}.crt.pem" > "ca_cert-chain_${UNIQ_ID}.crts.pem"
}
#
# Copies all applcations to the Lifecycle package
# organize the ca-i directory
# order matters: move these files last because they were copied above
#
ca-i_create_shell() {
__ca-i_create_pkg() {
DEST_DIR="${CDD}/distribution/${UNIQ_ID}"
DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}"
echo $UNIQ_ID > cfg/UNIQ_ID_CA-I
# client
mkdir -p clients/cfg
#
# Client
#
# create directories
mkdir -p $DEST_DIR/clients/data
mkdir -p $DEST_DIR/clients/distro
mkdir -p $DEST_DIR/clients/docs
mkdir -p $DEST_DIR/clients/cfg
# copy resource files
cp $CDD/res/libs/gen_client.sh $DEST_DIR/clients/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/clients/cfg
cp $CDD/res/docs/README_C $DEST_DIR/clients/README
cp $CDD/res/docs/SERIAL $DEST_DIR/clients/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/
cp $CDD/res/docs/SERIAL_C $DEST_DIR/clients/cfg/SERIAL
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/clients/cfg/cert.cnf
# generated files
cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem
cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem
cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/clients/cfg/ca-i.crt.pem
cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/clients/cfg/ca-i.keys.pem
cp ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/clients/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/clients/cfg/
# server
mkdir -p servers/cfg
#
# Server
#
# create directories
mkdir -p $DEST_DIR/servers/data
mkdir -p $DEST_DIR/servers/distro
mkdir -p $DEST_DIR/servers/docs
mkdir -p $DEST_DIR/servers/cfg
# copy resource files
cp $CDD/res/libs/gen_server.sh $DEST_DIR/servers/
cp $CDD/res/libs/pki_funcs.sh $DEST_DIR/servers/cfg/
cp $CDD/res/docs/README_S $DEST_DIR/servers/README
cp $CDD/res/docs/SERIAL $DEST_DIR/servers/cfg/
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/
cp $CDD/res/docs/SERIAL_S $DEST_DIR/servers/cfg/SERIAL
cp "${CDD}/cfg/${ORG_URL}.cnf" $DEST_DIR/servers/cfg/cert.cnf
# generated files
cp $DEST_DIR/ca_i*.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem
cp $DEST_DIR/ca_i*.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem
cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
cp $UNIQ_ID_CAI.crt.pem $DEST_DIR/servers/cfg/ca-i.crt.pem
cp $UNIQ_ID_CAI.keys.pem $DEST_DIR/servers/cfg/ca-i.keys.pem
cp ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
cp cfg/UNIQ_ID_CA-I $DEST_DIR/servers/cfg/
cp cfg/UNIQ_ID_CA $DEST_DIR/servers/cfg/
#
# CA-I
mkdir -p ca-i/data
mkdir -p ca-i/docs
mkdir -p ca-i/distro
cp $CDD/res/docs/README_CAI $DEST_DIR/README
cp $CDD/ca_*/ca_*.crt.pem $DEST_DIR/ca-i/data/
cp $CDD/ca_*/ca_*.info.txt $DEST_DIR/ca-i/docs/
#
# create directories
mkdir -p $DEST_DIR/ca-i/data
mkdir -p $DEST_DIR/ca-i/docs
mkdir -p $DEST_DIR/ca-i/distro
# copy resource files
cp $CDD/res/docs/README_CAI $DEST_DIR/README
cp $CDD/ca/*.crt.pem $DEST_DIR/ca-i/data/
cp $CDD/ca/*.info.txt $DEST_DIR/ca-i/docs/
# generated files
mv $DEST_DIR/ca_i*.pem $DEST_DIR/ca-i/data/
mv $DEST_DIR/ca_i*.info.txt $DEST_DIR/ca-i/docs/
mv $DEST_DIR/ca_i*.p12 $DEST_DIR/ca-i/distro
mv $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/ca-i/distro
mv $UNIQ_ID_CAI*.pem $DEST_DIR/ca-i/data/
mv $UNIQ_ID_CAI.crt.info.txt $DEST_DIR/ca-i/docs/
mv $UNIQ_ID_CAI.p12 $DEST_DIR/ca-i/distro
mv ca_cert-chain*.pem $DEST_DIR/ca-i/distro
}
# This function will generate a CA Intermediate
#
# Requires: CNF file, CA cert, CA key
#
# IN: UNIQ_ID_CA
#
ca-i_gen_cert() {
UNIQ_ID=$1
DEST_DIR="."
UNIQ_ID="${SERIAL}.cai.${ORG_URL}"
echo_block "Create CA Intermediate (${UNIQ_ID})"
openssl genrsa -out "${DEST_DIR}/${UNIQ_ID}.keys.pem" 4096
# Create Cert Signing Request (CSR)
openssl req -config "cfg/ca.cnf" -new -sha256 \
-subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
-key "${DEST_DIR}/${UNIQ_ID}.keys.pem" -out "${DEST_DIR}/${UNIQ_ID}.csr.pem"
# Create Certificate (valid for ~2 years, after the entire chain of trust expires)
# CA signs Intermediate
openssl x509 -req -days 750 -extfile "cfg/ca.cnf" -extensions v3_ca_i \
-CA cfg/ca.crt.pem -CAkey cfg/ca.keys.pem -set_serial ${SERIAL} \
-in "${DEST_DIR}/${UNIQ_ID}.csr.pem" -out "${DEST_DIR}/${UNIQ_ID}.crt.pem"
# Package the Certificate Authority Certificates for distro (windoze needs this)
openssl pkcs12 -export -password "pass:password" -inkey "${DEST_DIR}/${UNIQ_ID}.keys.pem" \
-name "CA Intermediate Mobile Provision" -certfile cfg/ca.crt.pem \
-in "${DEST_DIR}/${UNIQ_ID}.crt.pem" -out "${DEST_DIR}/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/${UNIQ_ID}.crt.info.txt"
# create certifiate chain
cat cfg/ca.crt.pem "${DEST_DIR}/${UNIQ_ID}.crt.pem" > "${DEST_DIR}/ca_cert-chain_${UNIQ_ID}.crts.pem"
}
get_uniq_ids() {
UNIQ_ID_CA=`head cfg/UNIQ_ID_CA`
UNIQ_ID_CAI=`head cfg/UNIQ_ID_CA-I`
}
gen_client() {
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.client.${UNIQ_ID_CAI}"
gen_client_cert $UNIQ_ID
done
}
#
# Generate a Client Certificate
# IN: UNIQ_ID, UNIQ_ID_CAI, SERIAL
# IN: UNIQ_ID, SERIAL
#
gen_client() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
gen_client_cert() {
UNIQ_ID=$1
echo_block "Generate Client Certificates (${UNIQ_ID})"
openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096
openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-out "data/client_${UNIQ_ID}.csr.pem"
openssl req -new -key "data/${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/${UNIQ_ID}.csr.pem"
# CA Intermediate signs Client
openssl x509 -req -days 365 \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem"
-in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \
-in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12"
openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-name "Client ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt"
openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.info.txt"
}
gen_server() {
COUNT=$(($1-1))
get_uniq_ids
for NUM in $(seq 0 $COUNT)
do
get_serial
UNIQ_ID="${SERIAL}.server.${UNIQ_ID_CAI}"
gen_server_cert $UNIQ_ID
done
}
#
# Generate a Server Certificate
# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
# IN: UNIQ_ID, SERIAL
#
gen_server() {
ORG_URL=$1
SERIAL=$2
UNIQ_ID="${SERIAL}.${ORG_URL}"
CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
gen_server_cert() {
UNIQ_ID=$1
echo_block "Generate Server Certificates (${UNIQ_ID})"
openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096
openssl genrsa -out "data/${UNIQ_ID}.keys.pem" 4096
openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \
openssl req -new -config "cfg/cert.cnf" -key "data/${UNIQ_ID}.keys.pem" \
-subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-out "data/server_${UNIQ_ID}.csr.pem"
-out "data/${UNIQ_ID}.csr.pem"
# CA Intermediate signs Server
openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \
openssl x509 -req -days 365 -extfile "cfg/cert.cnf" -extensions v3_server \
-CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
-in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem"
-in "data/${UNIQ_ID}.csr.pem" -out "data/${UNIQ_ID}.crt.pem"
# Package the Certificates
openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \
-in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12"
openssl pkcs12 -export -password "pass:password" -inkey "data/${UNIQ_ID}.keys.pem" \
-name "Server ${UNIQ_ID} VPN Certificate" -certfile "cfg/ca_cert-chain.crts.pem" -caname "${UNIQ_ID}@acme.xyz" \
-in "data/${UNIQ_ID}.crt.pem" -out "distro/${UNIQ_ID}.p12"
# verify certificate (output to text file for review)
openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt"
openssl x509 -noout -text -in "data/${UNIQ_ID}.crt.pem" > "docs/${UNIQ_ID}.crt.info.txt"
}
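Review bot: Serial uniqueness per issuer is at risk in __ca-i_create_pkg: the clients/ and servers/ sub-packages get independent counters (`cp $CDD/res/docs/SERIAL_C $DEST_DIR/clients/cfg/SERIAL` and `cp $CDD/res/docs/SERIAL_S $DEST_DIR/servers/cfg/SERIAL`), while gen_client_cert and gen_server_cert both sign with the same cfg/ca-i.keys.pem and pass `-set_serial ${SERIAL}`. Unless SERIAL_C and SERIAL_S are seeded in disjoint ranges, two certificates issued by one intermediate can share a serial, which breaks revocation by serial and is rejected by strict validators; either share one counter or partition the ranges and document it. Smaller points: ca-i_gen_pki runs `cd $CDD/distribution/$UNIQ_ID_CAI/clients` without checking the result, so a failed mkdir or cd would run gen_client in the wrong directory (use `cd ... || exit 1`); ca-i_gen_cert assigns `UNIQ_ID=$1` and then immediately overwrites it from $SERIAL and $ORG_URL, so one of the two should go; and copying ca-i.keys.pem into both clients/cfg and servers/cfg means every distributed package carries the intermediate's signing key, which the package README should state plainly if that is intended.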

1
src/sandbox/SERIAL Normal file

@ -0,0 +1 @@
2010

37
src/sandbox/p12ext.sh Normal file

@ -0,0 +1,37 @@
#!/bin/bash
#
# Extract the ca certificate, user certificate, user keys from the p12 package
#
#
# -clcerts (only output client certificates (not CA certificates))
# -cacerts (only output CA certificates (not client certificates))
# -nocerts (no certificates at all will be output)
# -nokeys (no private keys will be output)
#
#
if [[ -n $1 ]]; then
echo
else
echo
echo "This script will copy the certificates and keys to the strongswan configuration paths"
echo
echo "Usage: p12ext <file> [password]"
echo
echo "Example: p12ext file.p12"
echo
exit 1
fi
# create a unique path for the server certificate
UNIQ_DIR_LC=`date +%Y-%m-%d.%H_%M_%S`
UNIQ_DIR_LC="p12ext_${UNIQ_DIR_LC}"
mkdir $UNIQ_DIR_LC
# keys
openssl pkcs12 -nodes -nocerts -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.keys.pem
# certificate
openssl pkcs12 -nodes -clcerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/user.crt.pem
# CA
openssl pkcs12 -nodes -cacerts -nokeys -password "pass:password" -in $1 -out $UNIQ_DIR_LC/ca-chain.crt.pem
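Review bot: The `[password]` argument advertised in the usage text is never read: all three openssl pkcs12 calls hard-code `-password "pass:password"` and $2 is unused, so a bundle exported with any other passphrase fails with a MAC verification error. Use `PASS="pass:${2:-password}"` and pass `-password "$PASS"` to each call. The help text also claims the script copies certificates and keys into the strongSwan configuration paths, but it only extracts them into `p12ext_<timestamp>/`; either do the copy or fix the description. Since `-nodes` writes user.keys.pem unencrypted, set `umask 077` before the mkdir (or `chmod 600` the keys file afterwards), check that mkdir succeeded, and quote `"$1"`.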

11
src/sandbox/serial.sh Executable file

@ -0,0 +1,11 @@
#!/bin/bash
SERIAL=`head SERIAL`
if [[ -z $SERIAL ]]; then
SERIAL=11111
echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
else
PLUS1=$((SERIAL+1))
echo $PLUS1 > SERIAL
fi
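Review bot: serial.sh calls echo_block in its empty-file branch, but nothing here defines or sources it (it lives in cfg/pki_funcs.sh), so that path fails with "command not found"; use a plain echo or source the library. The same branch never writes the 11111 default back to SERIAL, so repeated runs keep returning 11111; move `echo $((SERIAL+1)) > SERIAL` out of the else branch so both paths persist the next value, and drop the warning's "for CA" since the counter is shared by every certificate type.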