| 1 | #!/usr/bin/make -s |
|---|
| 2 | # |
|---|
| 3 | # This file is designed to automatize the CA tasks such as: |
|---|
| 4 | # -> init : create the initial CA tree and the CA root certificate. |
|---|
| 5 | # -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR) |
|---|
| 6 | # -> cert : sign a pending CSR and generate the certificate. $name must be provided. |
|---|
| 7 | # -> revoke: revoke a certificate. $name must be provided. |
|---|
| 8 | # -> gencrl: update/create the CRL. |
|---|
| 9 | # |
|---|
| 10 | # The file should be located in the directory STATIC_DIR as defined below. |
|---|
| 11 | # The DIR directory will contain the data of the CA. It might be placed in /var. |
|---|
| 12 | # The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir. |
|---|
| 13 | # |
|---|
| 14 | # Here are the steps to install the CA scripts in default environment: |
|---|
| 15 | ## mkdir /etc/openssl-ca.static |
|---|
| 16 | ## cp Makefile openssl.cnf /etc/openssl-ca.static |
|---|
| 17 | # ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ## |
|---|
| 18 | ## mkdir /etc/openssl-ca |
|---|
| 19 | ## make -f /etc/openssl-ca.static/Makefile destroy force=y |
|---|
| 20 | ## cd /etc/openssl-ca |
|---|
| 21 | ## make init |
|---|
| 22 | ## make help |
|---|
| 23 | |
|---|
| 24 | DIR = /etc/openssl-ca |
|---|
| 25 | STATIC_DIR = /etc/openssl-ca.static |
|---|
| 26 | CONFIG = -config $(DIR)/openssl.cnf |
|---|
| 27 | |
|---|
| 28 | #Defaults for new CSR |
|---|
| 29 | C = JP |
|---|
| 30 | ST = Tokyo |
|---|
| 31 | L = Koganei |
|---|
| 32 | O = WIDE |
|---|
| 33 | OU = "AAA WG" |
|---|
| 34 | |
|---|
| 35 | #Values for the CA |
|---|
| 36 | CA_CN = chavroux.cowaddict.org |
|---|
| 37 | CA_mail = sdecugis@nict.go.jp |
|---|
| 38 | |
|---|
| 39 | #Disable "make destroy" |
|---|
| 40 | force = |
|---|
| 41 | |
|---|
| 42 | |
|---|
| 43 | # Default: print the help |
|---|
| 44 | all: help |
|---|
| 45 | |
|---|
| 46 | # Help message |
|---|
| 47 | help: |
|---|
| 48 | @echo "\n\ |
|---|
| 49 | Default values (can be overwritten on command-line):\n\ |
|---|
| 50 | [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\ |
|---|
| 51 | [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\ |
|---|
| 52 | Available commands:\n\ |
|---|
| 53 | make init\n\ |
|---|
| 54 | Creates the initial CA structure in $(DIR)\n\ |
|---|
| 55 | make gencrl\n\ |
|---|
| 56 | Regenerates the CRL. Should be run at least once a month.\n\ |
|---|
| 57 | make newcsr name=foo email=b@r\n\ |
|---|
| 58 | Create private key and csr in clients subdir (named foo.*)\n\ |
|---|
| 59 | make cert name=foo\n\ |
|---|
| 60 | Signs the CSR foo.csr and creates the certificate foo.cert.\n\ |
|---|
| 61 | make revoke name=foo\n\ |
|---|
| 62 | Revokes the certificate foo.cert and regenerates the CRL.\n\ |
|---|
| 63 | \n\ |
|---|
| 64 | Notes:\n\ |
|---|
| 65 | Content from public-www should be available from Internet. \n\ |
|---|
| 66 | The URL to CRL should be set in openssl.cnf.\n\ |
|---|
| 67 | A cron job should execute make gencrl once a month.\n\ |
|---|
| 68 | "; |
|---|
| 69 | |
|---|
| 70 | # Destroy the CA completly. Use with care. |
|---|
| 71 | destroy: |
|---|
| 72 | @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi |
|---|
| 73 | @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi |
|---|
| 74 | @echo "Removing everything (for debug purpose)..." |
|---|
| 75 | @rm -rf $(DIR)/* |
|---|
| 76 | @ln -sf $(STATIC_DIR)/Makefile $(DIR) |
|---|
| 77 | @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR) |
|---|
| 78 | |
|---|
| 79 | |
|---|
| 80 | # Initialize the CA structure and keys. |
|---|
| 81 | init: |
|---|
| 82 | @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi |
|---|
| 83 | @echo "Creating CA structure..." |
|---|
| 84 | @mkdir $(DIR)/crl |
|---|
| 85 | @mkdir $(DIR)/certs |
|---|
| 86 | @mkdir $(DIR)/newcerts |
|---|
| 87 | @mkdir $(DIR)/public-www |
|---|
| 88 | @mkdir $(DIR)/private |
|---|
| 89 | @chmod 700 $(DIR)/private |
|---|
| 90 | @mkdir $(DIR)/clients |
|---|
| 91 | @mkdir $(DIR)/clients/privkeys |
|---|
| 92 | @mkdir $(DIR)/clients/csr |
|---|
| 93 | @mkdir $(DIR)/clients/certs |
|---|
| 94 | @echo "01" > $(DIR)/serial |
|---|
| 95 | @touch $(DIR)/index.txt |
|---|
| 96 | @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \ |
|---|
| 97 | -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail) |
|---|
| 98 | @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0 |
|---|
| 99 | @$(MAKE) -f $(DIR)/Makefile gencrl |
|---|
| 100 | |
|---|
| 101 | # Regenerate the Certificate Revocation List. |
|---|
| 102 | # This list should be available publicly |
|---|
| 103 | gencrl: |
|---|
| 104 | @openssl ca $(CONFIG) -gencrl -out $(DIR)/public-www/crl.pem |
|---|
| 105 | @ln -sf $(DIR)/public-www/crl.pem $(DIR)/crl/`openssl crl -noout -hash < $(DIR)/public-www/crl.pem`.r0 |
|---|
| 106 | |
|---|
| 107 | # Create a new private key and a CSR, in case the client does not provide the CSR by another mean. |
|---|
| 108 | # Usage is: make newcsr name=peer.client.fqdn email=admin@client.fqdn |
|---|
| 109 | newcsr: |
|---|
| 110 | @if [ -z "$(name)" -o -z "$(email)" ]; then echo "Please provide certificate name and email address: make newcsr name=mn.nautilus.org email=you@mail.com"; exit 1; fi |
|---|
| 111 | @if [ -e $(DIR)/clients/csr/$(name).csr ]; then echo "There is already a pending csr for this name."; exit 1; fi |
|---|
| 112 | @if [ ! -e $(DIR)/clients/privkeys/$(name).key.pem ]; \ |
|---|
| 113 | then echo "Generating a private key for $(name) ..."; \ |
|---|
| 114 | openssl genrsa -out $(DIR)/clients/privkeys/$(name).key.pem 1024; \ |
|---|
| 115 | fi; |
|---|
| 116 | @echo "Creating the CSR in $(DIR)/clients/csr/$(name).csr"; |
|---|
| 117 | @openssl req $(CONFIG) -new -batch -out $(DIR)/clients/csr/$(name).csr \ |
|---|
| 118 | -key $(DIR)/clients/privkeys/$(name).key.pem \ |
|---|
| 119 | -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(name)/emailAddress=$(email) |
|---|
| 120 | |
|---|
| 121 | # Process a CSR to create a x509 certificate. The certificate is valid for 1 year. |
|---|
| 122 | # It should be sent to the client by any mean. |
|---|
| 123 | cert: |
|---|
| 124 | @if [ -z "$(name)" ]; then echo "name must be provided: make cert name=mn.n6.org"; exit 1; fi |
|---|
| 125 | @if [ ! -e $(DIR)/clients/csr/$(name).csr ]; then echo "Could not find CSR in $(DIR)/clients/csr/$(name).csr."; exit 1; fi |
|---|
| 126 | @if [ -e $(DIR)/clients/certs/$(name).cert ]; \ |
|---|
| 127 | then echo "Revoking old certificate..."; \ |
|---|
| 128 | $(MAKE) revoke name=$(name); \ |
|---|
| 129 | fi; |
|---|
| 130 | @openssl ca $(CONFIG) -in $(DIR)/clients/csr/$(name).csr \ |
|---|
| 131 | -out $(DIR)/clients/certs/$(name).cert \ |
|---|
| 132 | -batch |
|---|
| 133 | @ln -s $(DIR)/clients/certs/$(name).cert $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0 |
|---|
| 134 | |
|---|
| 135 | # Revoke a certificate. |
|---|
| 136 | revoke: |
|---|
| 137 | @if [ -z "$(name)" ]; then echo "name must be provided: make revoke name=mn.n6.org"; exit 1; fi |
|---|
| 138 | @if [ ! -e $(DIR)/clients/certs/$(name).cert ]; \ |
|---|
| 139 | then echo "$(DIR)/clients/certs/$(name).cert not found"; \ |
|---|
| 140 | exit 1; \ |
|---|
| 141 | fi; |
|---|
| 142 | @openssl ca $(CONFIG) -revoke $(DIR)/clients/certs/$(name).cert; |
|---|
| 143 | @rm -f $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0 |
|---|
| 144 | @$(MAKE) gencrl |
|---|
| 145 | |
|---|
| 146 | # End of file... |
|---|
