changeset 45:7ecc7152123b
Work in progress
author | Sebastien Decugis <sdecugis@nict.go.jp> |
date | Thu, 26 Nov 2009 18:31:48 +0900 |
parents | 8daaeae043c1 |
children | 5719368fe1ff |
files | contrib/ca_script2/Makefile contrib/ca_script2/openssl.cnf |
diffstat | 2 files changed, 116 insertions(+), 331 deletions(-) [+] |
--- a/contrib/ca_script2/Makefile Thu Nov 26 16:34:51 2009 +0900 +++ b/contrib/ca_script2/Makefile Thu Nov 26 18:31:48 2009 +0900 @@ -1,43 +1,12 @@ #!/usr/bin/make -s # -# This file is designed to automatize the CA tasks such as: -# -> init : create the initial CA tree and the CA root certificate. -# -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR) -# -> cert : sign a pending CSR and generate the certificate. $name must be provided. -# -> revoke: revoke a certificate. $name must be provided. -# -> gencrl: update/create the CRL. -# -# The file should be located in the directory STATIC_DIR as defined below. -# The DIR directory will contain the data of the CA. It might be placed in /var. -# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir. -# -# Here are the steps to install the CA scripts in default environment: -## mkdir /etc/openssl-ca.static -## cp Makefile openssl.cnf /etc/openssl-ca.static -# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ## -## mkdir /etc/openssl-ca -## make -f /etc/openssl-ca.static/Makefile destroy force=y -## cd /etc/openssl-ca -## make init -## make help +# This file is inspired from freeDiameter's contrib/ca_script and +# improved to handle multiple CA in a hierarchical fashion. -DIR = /home/thedoc/testbed.aaa/ca -STATIC_DIR = /home/thedoc/testbed.aaa/ca -CONFIG = -config $(DIR)/openssl.cnf - -#Defaults for new CSR -C = JP -ST = Tokyo -L = Koganei -O = WIDE -OU = "AAA WG" - -#Default lifetime -DAYS = 365 - -#Values for the CA -CA_CN = mgr.testbed.aaa -CA_mail = sdecugis@nict.go.jp +SCRIPT_DIR = . +CONFIG = -config $(SCRIPT_DIR)/openssl.cnf +REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile +DATA_DIR = ./test #Disable "make destroy" force = 
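Review bot: `DATA_DIR = ./test` and `SCRIPT_DIR = .` are relative to wherever make is invoked, and the `ln -s $(DATA_DIR)/$(topca)/public-www/cacert.pem $(DATA_DIR)/$(topca)/certs/<hash>.0` in the `init` rule of the next hunk stores that relative string inside a link that lives two directories down, so the hash link is dangling (the old `DIR` was absolute and did not have this problem). Anchoring both to absolute paths fixes it and also makes `REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile` work from any directory: `SCRIPT_DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST))))` and `DATA_DIR := $(abspath ./test)`. Simple assignment (`:=`) is the better default for these path variables, since nothing in them needs late expansion. Worth a comment on `DATA_DIR` that `./test` is a development default and that the tree it names holds every CA private key, so deployments must override it with a directory outside the source tree.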
@@ -49,57 +18,68 @@ # Help message help: @echo "\n\ -Default values (can be overwritten on command-line):\n\ - [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\ - [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\ Available commands:\n\ - make init\n\ - Creates the initial CA structure in $(DIR)\n\ - make gencrl\n\ - Regenerates the CRL. Should be run at least once a month.\n\ - make newcsr name=foo email=b@r [type=ca]\n\ + make init topca=name\n\ + Creates the initial top-level CA structure\n\ + make new_ca name=caname\n\ + Creates a new sub-CA that can be used for certificates later.\n\ + make newcsr name=foo ca=bar\n\ Create private key and csr in clients subdir (named foo.*)\n\ - make cert name=foo\n\ - Signs the CSR foo.csr and creates the certificate foo.cert.\n\ - make revoke name=foo\n\ - Revokes the certificate foo.cert and regenerates the CRL.\n\ + make cert name=foo ca=bar\n\ + Signs the CSR foo.csr and creates the certificate foo.cert (signed by bar).\n\ + make revoke name=foo ca=bar\n\ + Revokes the certificate foo.cert issued by bar and regenerates the CRL.\n\ + make gencrl ca=bar\n\ + Regenerates the CRL for CA bar. Should be run at least once a month.\n\ \n\ -Notes:\n\ - Content from public-www should be available from Internet. \n\ - The URL to CRL should be set in openssl.cnf.\n\ - A cron job should execute make gencrl once a month.\n\ "; -# Destroy the CA completly. Use with care. +# Destroy the CA hierarchy completly. Use with care. destroy: - @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi - @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi + @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi + @if [ ! -d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi @echo "Removing everything (for debug purpose)..." 
- @rm -rf $(DIR)/* - @ln -sf $(STATIC_DIR)/Makefile $(DIR) - @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR) - + @rm -rf $(DATA_DIR)/* -# Initialize the CA structure and keys. -init: - @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi +# Initialize the CA structure +structure: + @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi + @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi @echo "Creating CA structure..." - @mkdir $(DIR)/crl - @mkdir $(DIR)/certs - @mkdir $(DIR)/newcerts - @mkdir $(DIR)/public-www - @mkdir $(DIR)/private - @chmod 700 $(DIR)/private - @mkdir $(DIR)/clients - @mkdir $(DIR)/clients/privkeys - @mkdir $(DIR)/clients/csr - @mkdir $(DIR)/clients/certs - @echo "01" > $(DIR)/serial - @touch $(DIR)/index.txt - @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \ - -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail) - @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0 - @$(MAKE) -f $(DIR)/Makefile gencrl + @mkdir $(DATA_DIR)/$(caname)/crl + @mkdir $(DATA_DIR)/$(caname)/certs + @mkdir $(DATA_DIR)/$(caname)/newcerts + @mkdir $(DATA_DIR)/$(caname)/public-www + @mkdir $(DATA_DIR)/$(caname)/private + @chmod 700 $(DATA_DIR)/$(caname)/private + @mkdir $(DATA_DIR)/$(caname)/clients + @mkdir $(DATA_DIR)/$(caname)/clients/privkeys + @mkdir $(DATA_DIR)/$(caname)/clients/csr + @mkdir $(DATA_DIR)/$(caname)/clients/certs + @echo "01" > $(DATA_DIR)/$(caname)/serial + @touch $(DATA_DIR)/$(caname)/index.txt + +# Initialize the top-level CA structure and keys. 
+init: + @if [ -z "$(topca)" ]; then echo "Please specify the name of the CA in as topca=name.testbed.aaa"; exit 1; fi + # Create the folder hierarchy + @$(REMAKE) structure caname=$(topca) + # Generate the self-signed certificate + @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -nodes -newkey rsa:2048 -out $(DATA_DIR)/$(topca)/public-www/cacert.pem \ + -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -subj /CN=$(topca) + # Add the certificate hash + @ln -s $(DATA_DIR)/$(topca)/public-www/cacert.pem $(DATA_DIR)/$(topca)/certs/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public-www/cacert.pem`.0 + @$(REMAKE) gencrl ca=$(topca) + +# Create a secondary CA +newca: + + + +############ +# En dessous ce n est pas fini... + + # Regenerate the Certificate Revocation List. # This list should be available publicly
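Review bot: The `structure` rule fails on its first `mkdir`: the guard above it requires `$(DATA_DIR)/$(caname)` not to exist, and `@mkdir $(DATA_DIR)/$(caname)/crl` has no `-p`, so the parent is missing when mkdir runs — add `@mkdir -p $(DATA_DIR)/$(caname)` before the chain (or use `mkdir -p` on every line). In `init`, the old `-days 3650` was dropped from the `openssl req -x509` line; `req` does not read `default_days` from `[ CA_default ]` and certifies for its own default of 30 days, so the new root certificate would expire after a month — restore `-days 3650` (and note the key is still written with `-nodes`, i.e. unencrypted, so the `chmod 700` on `private` is the only protection it gets). `destroy` does `@rm -rf $(DATA_DIR)/*` after a check that only looks at `$(SCRIPT_DIR)`; `DATA_DIR` is overridable from the command line, so guard it: `@if [ -z "$(strip $(DATA_DIR))" ] || [ ! -d "$(DATA_DIR)" ]; then echo "Error in setup"; exit 1; fi`. The `gencrl` rule that `init` ends with starts at the bottom of this hunk and continues outside it, so I cannot tell whether it sets `CA_ROOT_DIR` the way the `req` line does.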
--- a/contrib/ca_script2/openssl.cnf Thu Nov 26 16:34:51 2009 +0900 +++ b/contrib/ca_script2/openssl.cnf Thu Nov 26 18:31:48 2009 +0900 
@@ -1,40 +1,64 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# +# Note: for this file to be working, an environment var CA_ROOT_DIR = directory +# must be defined and pointing to the CA top-level directory. -# This definition stops the following lines choking if HOME isn't -# defined. HOME = . RANDFILE = $ENV::HOME/.rnd -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid oid_section = new_oids -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - [ new_oids ] -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 + +#################################################################### +[ req ] +default_bits = 1024 +# default_keyfile = privkey.pem +string_mask = utf8only + +distinguished_name = req_distinguished_name +attributes = req_attributes +req_extensions = v3_req # overwrite with -reqexts +x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = JP +countryName_min = 2 +countryName_max = 2 +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Tokyo +localityName = Locality Name (eg, city) +localityName_default = Koganei +0.organizationName = Organization Name (eg, company) +0.organizationName_default = WIDE +1.organizationName = Second Organization Name (eg, company) +1.organizationName_default = NICT +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = AAA WG testbed + +[ req_attributes ] +challengePassword = A 
challenge password +challengePassword_min = 0 +challengePassword_max = 20 +unstructuredName = An optional company name + +[ v3_req ] +# Extensions to add to a certificate request +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_req_ca ] +# Extensions to add to a certificate request for CA +basicConstraints = CA:TRUE + #################################################################### [ ca ] default_ca = CA_default # The default ca section -#################################################################### [ CA_default ] -dir = /etc/openssl-ca # Where everything is kept +dir = $ENV::CA_ROOT_DIR # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. 
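Review bot: The new `[ req ]` section sets `default_bits = 1024`, while the Makefile's `init` explicitly asks for `-newkey rsa:2048`; any request generated without an explicit `-newkey` (the `newcsr` target is not in this diff) would get a 1024-bit key, below the 2048-bit minimum expected for CA-issued material, so set `default_bits = 2048` so both paths agree. `[ v3_req_ca ]` asserts `basicConstraints = CA:TRUE` on a request but is not referenced from any other new line in this diff; if it is meant for sub-CA requests it should also carry `keyUsage = critical, cRLSign, keyCertSign`, and `copy_extensions` would still have to be enabled in `[ CA_default ]` for `openssl ca` to honour request extensions at all — otherwise the issuer's `x509_extensions` decide. A one-line comment above `[ v3_req_ca ]` saying which command is expected to select it (`-reqexts v3_req_ca`) would make the intent clear.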
@@ -44,50 +68,23 @@ certificate = $dir/public-www/cacert.pem # The CA certificate serial = $dir/serial # The current serial number -# crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL +crlnumber = $dir/crlnumber # the current crl number crl = $dir/public-www/crl.pem # The current CRL -private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file - +private_key = $dir/private/cakey.pem # The private key x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. + # overwrite with -extensions name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy +crl_extensions = crl_ext -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL +default_days = 3650 # how long to certify for +default_crl_days= 365 # how long before next CRL default_md = sha1 # which md to use. preserve = no # keep passed DN ordering -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -# policy = policy_match +# We accept to sign anything, but a real deployment would limit to proper domain etc... 
policy = policy_anything -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. [ policy_anything ] countryName = optional stateOrProvinceName = optional 
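Review bot: `crlnumber = $dir/crlnumber` is now active, but the Makefile's `structure` target only seeds `serial` and `index.txt`; `openssl ca -gencrl` refuses to run when the configured crlnumber file cannot be loaded, so the `gencrl` step at the end of `init` would fail — add `@echo "01" > $(DATA_DIR)/$(caname)/crlnumber` next to the `serial` line in `structure`. `default_crl_days= 365` contradicts the help text, which says the CRL should be regenerated at least monthly; a relying party that caches a CRL until its nextUpdate can keep accepting a revoked certificate for up to a year, so `default_crl_days= 30` matches the stated operating procedure. `default_days = 3650` also governs end-entity certificates issued through `usr_cert`, not only CAs, and ten-year client certificates are hard to retire — consider a shorter value or passing `-days` per invocation. `default_md = sha1` is unchanged, but since every other policy value is being revised here, `sha256` would be the better default for freshly generated CA material.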
@@ -97,219 +94,27 @@ commonName = supplied emailAddress = optional -#################################################################### -[ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = fdsecret -# output_password = fdsecret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -string_mask = utf8only - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = JP -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Tokyo - -localityName = Locality Name (eg, city) -localityName_default = Koganei - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = WIDE - -# we can do this but it is not needed normally :-) -1.organizationName = Second Organization Name (eg, company) -1.organizationName_default = NICT - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = AAA WG - -commonName = Common Name (i.e. Diameter Agent hostname) -commonName_max = 64 - -emailAddress = Email Address (i.e. 
Diameter agent administrator) -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 0 -challengePassword_max = 20 - -unstructuredName = An optional company name - [ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - # This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. 
-# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - +[ ca_cert ] # Extensions for a typical CA - - -# PKIX recommendation. - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation +basicConstraints = critical,CA:true # Remove "critical," in case of problems +keyUsage = cRLSign, keyCertSign # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - [ crl_ext ] - # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. 
If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
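Review bot: In `[ ca_cert ]`, the new `keyUsage = cRLSign, keyCertSign` is not marked critical although `basicConstraints` two lines above is; RFC 5280 recommends that CAs mark keyUsage critical when present, so `keyUsage = critical, cRLSign, keyCertSign` would be consistent. This section is only reached through `[ req ]`'s `x509_extensions`, i.e. for the self-signed root; a sub-CA certificate issued with `openssl ca` picks up `usr_cert` (`basicConstraints=CA:FALSE`) unless `-extensions ca_cert` is passed, and the `newca` target that would pass it is still empty in this commit, so that is worth a comment above the section. If sub-CAs are not meant to issue further CAs, a separate section with `basicConstraints = critical,CA:true,pathlen:0` for them limits what a compromised intermediate can sign; the root itself needs a pathlen of at least 1 for the hierarchy to validate.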