Mercurial > hg > freeDiameter
annotate contrib/PKI/ca_script2/Makefile @ 1551:2fe434590a8f
ca Makefile: portability improvements
use -f with ln -s to avoid errors
use printf instead of echo for portable \n
| author | Luke Mewburn <luke@mewburn.net> |
|---|---|
| date | Wed, 08 Jul 2020 16:55:24 +1000 |
| parents | 54c4d3e840ff |
| children |
| rev | line source |
|---|---|
| 44 | 1 #!/usr/bin/make -s |
| 2 # | |
| 45 | 3 # This file is inspired from freeDiameter's contrib/ca_script and |
| 4 # improved to handle multiple CA in a hierarchical fashion. | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
5 # Warning: the directory structure is flat, does not reflect the CA hierarchy |
| 44 | 6 |
| 45 | 7 SCRIPT_DIR = . |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
8 DATA_DIR = ./ca_data |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
9 |
| 45 | 10 CONFIG = -config $(SCRIPT_DIR)/openssl.cnf |
| 11 REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile | |
| 44 | 12 |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
13 #Disable "make destroy" -- overwrite on command line |
| 44 | 14 force = |
| 15 | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
16 #RSA key sizes, can be overwritten on command line |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
17 cakeysize = 2048 |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
18 keysize = 1024 |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
19 |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
20 # Save current date |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
21 DATE=`date +%Y%m%d-%H%M%S` |
| 44 | 22 |
| 23 # Default: print the help | |
| 24 all: help | |
| 25 | |
| 26 # Help message | |
| 27 help: | |
|
1551
2fe434590a8f
ca Makefile: portability improvements
Luke Mewburn <luke@mewburn.net>
parents:
870
diff
changeset
|
28 @printf -- "\n\ |
| 44 | 29 Available commands:\n\ |
| 45 | 30 make init topca=name\n\ |
| 31 Creates the initial top-level CA structure\n\ | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
32 make newca name=newcaname ca=parentca\n\ |
| 45 | 33 Creates a new sub-CA that can be used for certificates later.\n\ |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
34 make newcert name=foo ca=parentca\n\ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
35 Create private key and csr, then issue the certificate (named foo.*)\n\ |
|
394
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
36 make p12 name=foo ca=parentca\n\ |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
37 Same as newcert, but additionnaly creates a pkcs12 file to ship client certificate to Windows or Mac\n\ |
|
338
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
38 make ship name=foo ca=parentca\n\ |
|
394
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
39 Create an archive with the data for the client (useful for freeDiameter peers)\n\ |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
40 make revoke name=foo ca=parentca\n\ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
41 Revokes the certificate foo.cert issued by parentca and regenerates the CRL.\n\ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
42 make gencrl ca=caname\n\ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
43 Regenerates the CRL of CA caname. Should be run periodically.\n\ |
| 44 | 44 \n\ |
| 45 "; | |
|
870
54c4d3e840ff
Remove unnecessary whitespace from Makefiles.
Thomas Klausner <tk@giga.or.at>
parents:
394
diff
changeset
|
46 |
|
54c4d3e840ff
Remove unnecessary whitespace from Makefiles.
Thomas Klausner <tk@giga.or.at>
parents:
394
diff
changeset
|
47 # Destroy the CA hierarchy completely. Use with care. |
| 44 | 48 destroy: |
| 45 | 49 @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi |
| 50 @if [ ! -d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi | |
| 44 | 51 @echo "Removing everything (for debug purpose)..." |
| 45 | 52 @rm -rf $(DATA_DIR)/* |
| 44 | 53 |
| 45 | 54 # Initialize the CA structure |
| 55 structure: | |
| 56 @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi | |
| 57 @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
58 # Creating CA structure |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
59 @mkdir -p $(DATA_DIR)/$(caname) |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
60 @mkdir $(DATA_DIR)/$(caname)/public |
|
145
71c79b41791c
Better handle the CRL hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
144
diff
changeset
|
61 @mkdir $(DATA_DIR)/$(caname)/public/crl |
| 45 | 62 @mkdir $(DATA_DIR)/$(caname)/private |
| 63 @chmod 700 $(DATA_DIR)/$(caname)/private | |
| 64 @mkdir $(DATA_DIR)/$(caname)/clients | |
| 65 @echo "01" > $(DATA_DIR)/$(caname)/serial | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
66 @echo "01" > $(DATA_DIR)/$(caname)/crlnumber |
| 45 | 67 @touch $(DATA_DIR)/$(caname)/index.txt |
|
870
54c4d3e840ff
Remove unnecessary whitespace from Makefiles.
Thomas Klausner <tk@giga.or.at>
parents:
394
diff
changeset
|
68 |
| 45 | 69 # Initialize the top-level CA structure and keys. |
| 70 init: | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
71 @if [ -z "$(topca)" ]; then echo "Please specify the name of the root CA. Ex: make init topca=rootca.testbed.aaa"; exit 1; fi |
| 45 | 72 # Create the folder hierarchy |
| 73 @$(REMAKE) structure caname=$(topca) | |
| 74 # Generate the self-signed certificate | |
|
274
c8e57b3ca75f
Updated script to avoid 1 month valid root certs
thedoc@morbier.koganei.wide.ad.jp
parents:
151
diff
changeset
|
75 @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:$(cakeysize) -out $(DATA_DIR)/$(topca)/public/cacert.pem \ |
|
c8e57b3ca75f
Updated script to avoid 1 month valid root certs
thedoc@morbier.koganei.wide.ad.jp
parents:
151
diff
changeset
|
76 -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -extensions ca_cert -subj /CN=$(topca) |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
77 @ln -s cacert.pem $(DATA_DIR)/$(topca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public/cacert.pem`.0 |
|
143
6f7fc8efbb9f
Fix way to create the hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
46
diff
changeset
|
78 @touch $(DATA_DIR)/$(topca)/public/cachain.pem |
|
6f7fc8efbb9f
Fix way to create the hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
46
diff
changeset
|
79 @ln -s ../../$(topca)/public/cacert.pem $(DATA_DIR)/$(topca)/public/caroot.pem |
| 45 | 80 @$(REMAKE) gencrl ca=$(topca) |
| 81 | |
| 82 # Create a secondary CA | |
| 83 newca: | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
84 @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newca name=subca.testbed.aaa ca=rootca.testbed.aaa"; exit 1; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
85 @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
86 @if [ ! -d $(DATA_DIR)/$(name) ]; then $(REMAKE) structure caname=$(name); fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
87 # Generate the private key and CSR for the new CA if needed |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
88 @if [ ! -e $(DATA_DIR)/$(name)/private/cakey.pem ]; then \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
89 openssl genrsa -out $(DATA_DIR)/$(name)/private/cakey.pem $(cakeysize) ; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
90 @if [ ! -e $(DATA_DIR)/$(name)/private/cacsr.pem ]; then \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
91 CA_ROOT_DIR=$(DATA_DIR)/$(name) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(name)/private/cacsr.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
92 -key $(DATA_DIR)/$(name)/private/cakey.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
93 -subj /CN=$(name) -reqexts v3_req_ca; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
94 # Revoke a previous certificate for this CA if any |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
95 @if [ -e $(DATA_DIR)/$(name)/public/cacert.pem ]; then \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
96 echo "Revoking previous certificate ..."; \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
97 $(REMAKE) revoke name=$(name) ca=$(ca); \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
98 mv $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(name)/public/cacert-$(DATE).pem; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
99 # Issue the new CA certificate |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
100 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(name)/private/cacsr.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
101 -out $(DATA_DIR)/$(name)/public/cacert.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
102 -batch -extensions ca_cert |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
103 # Hash and link to parent |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
104 @ln -s cacert.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(name)/public/cacert.pem`.0 |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
105 @rm -f $(DATA_DIR)/$(name)/parent |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
106 @ln -s ../$(ca) $(DATA_DIR)/$(name)/parent |
|
151
e36b368fe4da
Try reverse order for CA chain
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
150
diff
changeset
|
107 @cat $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(name)/public/cachain.pem |
|
143
6f7fc8efbb9f
Fix way to create the hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
46
diff
changeset
|
108 @ln -s ../../$(ca)/public/caroot.pem $(DATA_DIR)/$(name)/public/caroot.pem |
| 149 | 109 @for CRLFILE in `cd $(DATA_DIR)/$(ca)/public/crl && ls -1`; do ln -sf ../../../$(ca)/public/crl/$$CRLFILE $(DATA_DIR)/$(name)/public/crl/$$CRLFILE; done |
| 144 | 110 @$(REMAKE) gencrl ca=$(name) |
| 44 | 111 |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
112 # Create a new certificate for use in TLS communications and other terminal usages |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
113 newcert: |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
114 @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newcert name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
115 @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
116 @if [ ! -d $(DATA_DIR)/$(ca)/clients/$(name) ]; then mkdir $(DATA_DIR)/$(ca)/clients/$(name); fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
117 # Create a private key if needed |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
118 @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem ]; then \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
119 openssl genrsa -out $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem $(keysize); fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
120 # Create a CSR if needed |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
121 @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem ]; then \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
122 CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
123 -key $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
124 -subj /CN=$(name); fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
125 # Revoke a previous certificate if any |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
126 @if [ -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; then \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
127 $(REMAKE) revoke name=$(name) ca=$(ca); \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
128 mv $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/clients/$(name)/cert-$(DATE).pem; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
129 # Now sign the new certificate with the CA key |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
130 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
131 -out $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
132 -batch |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
133 # Hash |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
134 @ln -sf `cat $(DATA_DIR)/$(ca)/serial.old`.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem`.0 |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
135 # Compiled informations for the client |
|
143
6f7fc8efbb9f
Fix way to create the hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
46
diff
changeset
|
136 @cat $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/public/cachain.pem > $(DATA_DIR)/$(ca)/clients/$(name)/certchain.pem |
|
145
71c79b41791c
Better handle the CRL hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
144
diff
changeset
|
137 @ln -sf ../../public/crl $(DATA_DIR)/$(ca)/clients/$(name)/crl |
|
143
6f7fc8efbb9f
Fix way to create the hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
46
diff
changeset
|
138 @ln -sf ../../public/caroot.pem $(DATA_DIR)/$(ca)/clients/$(name)/ca.pem |
| 44 | 139 |
|
394
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
140 # Create a PKCS#12 file containing the client's information |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
141 p12: newcert |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
142 # Create the PKCS#12 file |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
143 @cat $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem \ |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
144 $(DATA_DIR)/$(ca)/clients/$(name)/certchain.pem \ |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
145 $(DATA_DIR)/$(ca)/clients/$(name)/ca.pem \ |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
146 | openssl pkcs12 -export -out $(DATA_DIR)/$(ca)/clients/$(name)/$(name).p12 |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
147 @echo "Client certificate is created in $(DATA_DIR)/$(ca)/clients/$(name)/$(name).p12" |
|
fb9ed45f9217
New command to generate the pcks12 file directly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
338
diff
changeset
|
148 |
|
338
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
149 # Create an archive to send the data to the client node |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
150 ship: |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
151 @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make ship name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
152 @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
153 @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem ]; then echo "The client $(name) does not exist, use 'make newcert' first."; exit 1; fi |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
154 # Ship the data |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
155 @tar -c -C $(DATA_DIR)/$(ca)/clients/$(name) -z -f $(ca)_$(name).tar.gz -h . |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
156 @echo "The files have been packaged into archive: $(ca)_$(name).tar.gz" |
|
6c3ca941f836
Added a 'ship' command
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
327
diff
changeset
|
157 |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
158 # Revoke a certificate |
| 44 | 159 revoke: |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
160 @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make revoke name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
161 @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
162 @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; \ |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
163 then echo "$(DATA_DIR)/$(ca)/clients/$(name)/cert.pem not found"; \ |
| 44 | 164 exit 1; \ |
| 165 fi; | |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
166 # Revoke the certificate |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
167 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -revoke $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem; |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
168 @$(REMAKE) gencrl ca=$(ca) |
|
870
54c4d3e840ff
Remove unnecessary whitespace from Makefiles.
Thomas Klausner <tk@giga.or.at>
parents:
394
diff
changeset
|
169 |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
170 # Regenerate the Certificate Revocation List. |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
171 gencrl: |
|
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
172 @if [ -z "$(ca)" ]; then echo "Missing parameter. Ex: make gencrl ca=ca.testbed.aaa"; exit 1; fi |
| 147 | 173 # Create the CRL |
|
145
71c79b41791c
Better handle the CRL hierarchy
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
144
diff
changeset
|
174 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -gencrl -out $(DATA_DIR)/$(ca)/public/crl/$(ca).pem |
|
1551
2fe434590a8f
ca Makefile: portability improvements
Luke Mewburn <luke@mewburn.net>
parents:
870
diff
changeset
|
175 @ln -f -s crl/$(ca).pem $(DATA_DIR)/$(ca)/public/local.pem |
|
2fe434590a8f
ca Makefile: portability improvements
Luke Mewburn <luke@mewburn.net>
parents:
870
diff
changeset
|
176 @ln -f -s local.pem $(DATA_DIR)/$(ca)/public/`openssl crl -noout -hash < $(DATA_DIR)/$(ca)/public/crl/$(ca).pem`.r0 |
|
46
5719368fe1ff
Simplified structure
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
45
diff
changeset
|
177 |
| 44 | 178 # End of file... |