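#!/bin/bash
#
# ACME PKI (Certificate) Bootstrap v1.3
#
# Generates every file needed to build a certificate chain of trust: a CA,
# a CA Intermediate, and the Server/Client certificates issued under them.
# Everything is written into a fresh, timestamped "pki-lifecycle_<date>"
# package; the helper scripts copied into that package generate further
# client/server certificates afterwards.
#
# Usage:  pki_bootstrap <org cnf name, with or without the .cnf extension>
# Run it from the directory that contains ./res (CD_ROOT is taken from the
# current working directory, and the library below is sourced relative to it).
#
# Functions used from res/libs/pki_funcs.sh: echo_block, pki_func_init,
# gen_ca, ca-i_gen_pki.
#

# source this file to include the functions
. res/libs/pki_funcs.sh

PARAM1=$1

#######################################
# Print an error message to stderr and abort the bootstrap.
# Arguments: message text
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print the help text and exit with status 1.
#######################################
usage() {
  echo
  echo "This application will generate all the files necessary to build a certificate chain of trust"
  echo "using a CA, CA Intermediate, Server, and Client certificates. All the files are put into"
  echo "pki lifecycle package"
  echo " -put the .cnf config files into the ./cnf directory"
  echo
  echo "Usage: pki_bootstrap <.cnf file (minus the .cnf)>"
  echo
  echo "Example: pki_bootstrap org.acme.xyz"
  exit 1
}

#######################################
# Read the starting CA serial number from res/cfg/SERIAL (first line only,
# relative to the current directory, i.e. CD_ROOT when called from main).
# Falls back to 11111 with a warning when the file is missing or empty.
# This only reads the value; nothing is incremented or written back here.
# Globals:  SERIAL (written)
# Returns:  0; aborts if the serial cannot be used as a path component
#######################################
get_serial_ca() {
  local serial_file="res/cfg/SERIAL"
  SERIAL=
  if [[ -r "$serial_file" ]]; then
    SERIAL=$(head -n 1 "$serial_file")
  fi
  if [[ -z "$SERIAL" ]]; then
    SERIAL=11111
    echo_block "WARN: no file 'SERIAL' found, using default 11111 as the serial # for CA"
  fi
  # SERIAL becomes part of the CA directory name, so it must be a single
  # path-safe token
  if [[ "$SERIAL" == *[[:space:]/]* ]]; then
    die "invalid serial '${SERIAL}' in ${serial_file}"
  fi
}

#######################################
# Validate the command line and locate the .cnf files the CA generation needs.
# The organisation config is expected under ./res/cnf next to this script.
# Globals:  PARAM1, CD_ROOT (read); CA_CNF, ORG_URL, S_CNF, FQ_S_CNF (written)
# Returns:  0; calls usage (exit 1) on a missing argument or missing files
#######################################
app_init() {
  [[ -n "$PARAM1" ]] || usage
  CA_CNF="${CD_ROOT}/res/cnf/ca.cnf"
  # accept the org name with or without the ".cnf" extension
  if [[ "${PARAM1: -4}" == ".cnf" ]]; then
    ORG_URL=${PARAM1%.*}
    S_CNF=$PARAM1
  else
    ORG_URL=$PARAM1
    S_CNF="${PARAM1}.cnf"
  fi
  # the name is joined onto res/cnf and reused for package paths, so it has
  # to be a bare file name rather than a path
  if [[ "$S_CNF" == */* ]]; then
    usage
  fi
  FQ_S_CNF="${CD_ROOT}/res/cnf/${S_CNF}"
  if [[ ! -f "$FQ_S_CNF" || ! -f "$CA_CNF" ]]; then
    usage
  fi
}

#######################################
# Create a new lifecycle package directory and generate a new Certificate
# Authority inside it.
# Globals:  CD_ROOT, ORG_URL (read); SERIAL, UNIQ_DIR_LC, FQ_DIR_LC,
#           UNIQ_ID_CA, CA_DIR, FQ_CA_DIR, FQ_CA_CERT, FQ_CA_KEYS (written)
# Returns:  0; aborts if a directory cannot be created or entered
#######################################
gen_lifecycle() {
  get_serial_ca
  echo_block "SERIAL == ${SERIAL}"

  # Organize: one unique, timestamped directory per lifecycle package
  UNIQ_DIR_LC="pki-lifecycle_$(date +%Y-%m-%d.%H_%M_%S)"
  mkdir -p "${UNIQ_DIR_LC}" || die "cannot create ${UNIQ_DIR_LC}"
  cd "${UNIQ_DIR_LC}" || die "cannot enter ${UNIQ_DIR_LC}"
  FQ_DIR_LC=$(pwd)

  # CA directory, unique per serial + org
  UNIQ_ID_CA="${SERIAL}.${ORG_URL}"
  CA_DIR="ca_${UNIQ_ID_CA}"
  mkdir "$CA_DIR" || die "cannot create ${CA_DIR}"
  cd "$CA_DIR" || die "cannot enter ${CA_DIR}"
  FQ_CA_DIR=$(pwd)
  FQ_CA_CERT="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.crt.pem"
  FQ_CA_KEYS="${FQ_CA_DIR}/ca_${UNIQ_ID_CA}.keys.pem"

  # initialize the functions lib, then generate the new CA
  pki_func_init "$FQ_CA_CERT" "$FQ_CA_KEYS" "${CD_ROOT}/res/cnf"
  gen_ca "$UNIQ_ID_CA" "$SERIAL"

  # back to the bootstrap root (the original code did "cd ..; cd ..")
  cd "${CD_ROOT}" || die "cannot return to ${CD_ROOT}"
}

#######################################
# Copy the resources, docs, helper scripts and the freshly generated CA
# cert/key into the lifecycle package's cfg directory.
# Globals:  CD_ROOT, UNIQ_DIR_LC, UNIQ_ID_CA, ORG_URL (read); RES (written)
# Returns:  0; aborts if the cfg directory cannot be created
#######################################
cp_lifecycle_docs() {
  RES="${CD_ROOT}/res"
  local pkg="${CD_ROOT}/${UNIQ_DIR_LC}"
  mkdir -p "${pkg}/cfg" || die "cannot create ${pkg}/cfg"
  # the whole res tree is copied so the package is self-contained
  cp -r "$RES" "$pkg/"
  cp "$RES/libs/gen_ca-i.sh" "$pkg/"
  cp "$RES/docs/README_LC" "$pkg/README"
  cp "$RES/docs/SERIAL_LC" "$pkg/cfg/SERIAL"
  cp "$RES/libs/pki_funcs.sh" "$pkg/cfg/"
  cp "$RES/cnf/${ORG_URL}.cnf" "$pkg/cfg/"
  cp "$RES/cnf/ca.cnf" "$pkg/cfg/"
  # the trailing glob is left unquoted on purpose so it expands; the
  # directory part is quoted
  cp "$pkg/ca_${UNIQ_ID_CA}"/ca_*.crt.pem "$pkg/cfg/ca.crt.pem"
  cp "$pkg/ca_${UNIQ_ID_CA}"/ca_*.keys.pem "$pkg/cfg/ca.keys.pem"
  # the CA private key (and its copy) must stay owner-only readable
  chmod 600 "$pkg/ca_${UNIQ_ID_CA}"/ca_*.keys.pem
  chmod 600 "$pkg/cfg/ca.keys.pem"
}

#######################################
# Generate the Lifecycle CA Intermediates inside the package directory.
# The numeric arguments are passed through unchanged; see
# res/libs/pki_funcs.sh for what ca-i_gen_pki expects.
# Globals:  FQ_DIR_LC, ORG_URL (read)
# Returns:  0; aborts if the package directory cannot be entered
#######################################
gen_lc_ca_i() {
  cd "$FQ_DIR_LC" || die "cannot enter ${FQ_DIR_LC}"
  # generate new CA-I
  ca-i_gen_pki "$ORG_URL" 1001 2
  # ca-i_gen_pki "$ORG_URL" 2001 5
  # ca-i_gen_pki "$ORG_URL" 3001 8
}

#######################################
# Entry point: generate a new CA and a new PKI Lifecycle Package.
# Globals:  CD_ROOT (written), everything the helpers above use
# Returns:  0; aborts via die/usage on any setup failure
#######################################
main() {
  CD_ROOT=$(pwd)
  # the generators live in the sourced library; refuse to run without it
  command -v pki_func_init >/dev/null 2>&1 \
    || die "res/libs/pki_funcs.sh not loaded; run from the bootstrap directory"
  app_init
  gen_lifecycle
  cp_lifecycle_docs
  # gen some CAs
  gen_lc_ca_i
  # make sure we return to root execution path
  cd "${CD_ROOT}" || die "cannot return to ${CD_ROOT}"
}

# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** *****
#
# main execution begins here (because all the functions have to be defined)
#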
# ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** ***** main # ***** ***** ***** ***** # # # # ***** ***** ***** *****