Navigation


source: freeDiameter/contrib/ca_script/Makefile @ 19:9f28243f5d53

Last change on this file since 19:9f28243f5d53 was 19:9f28243f5d53, checked in by Sebastien Decugis <sdecugis@nict.go.jp>, 12 years ago

Fix a small bug, adapt default conf

File size: 5.7 KB
Line 
1#!/usr/bin/make -s
2#
3# This file is designed to automatize the CA tasks such as:
4#  -> init  : create the initial CA tree and the CA root certificate.
5#  -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR)
6#  -> cert  : sign a pending CSR and generate the certificate. $name must be provided.
7#  -> revoke: revoke a certificate. $name must be provided.
8#  -> gencrl: update/create the CRL.
9#
10# The file should be located in the directory STATIC_DIR as defined below.
11# The DIR directory will contain the data of the CA. It might be placed in /var.
12# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir.
13#
14# Here are the steps to install the CA scripts in default environment:
15## mkdir /etc/openssl-ca.static
16## cp Makefile openssl.cnf /etc/openssl-ca.static
17# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ##
18## mkdir /etc/openssl-ca
19## make -f /etc/openssl-ca.static/Makefile destroy force=y
20## cd /etc/openssl-ca
21## make init
22## make help
23
24DIR = /etc/openssl-ca
25STATIC_DIR = /etc/openssl-ca.static
26CONFIG = -config $(DIR)/openssl.cnf
27
28#Defaults for new CSR
29C = JP
30ST = Tokyo
31L = Koganei
32O = WIDE
33OU = "AAA WG"
34
35#Values for the CA
36CA_CN = chavroux.cowaddict.org
37CA_mail = sdecugis@nict.go.jp
38
39#Disable "make destroy"
40force = 
41
42
43# Default: print the help
44all:    help
45
46# Help message
47help:
48        @echo "\n\
49Default values (can be overwritten on command-line):\n\
50   [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\
51   [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\
52Available commands:\n\
53   make init\n\
54       Creates the initial CA structure in $(DIR)\n\
55   make gencrl\n\
56       Regenerates the CRL. Should be run at least once a month.\n\
57   make newcsr name=foo email=b@r\n\
58       Create private key and csr in clients subdir (named foo.*)\n\
59   make cert name=foo\n\
60       Signs the CSR foo.csr and creates the certificate foo.cert.\n\
61   make revoke name=foo\n\
62       Revokes the certificate foo.cert and regenerates the CRL.\n\
63\n\
64Notes:\n\
65   Content from public-www should be available from Internet. \n\
66   The URL to CRL should be set in openssl.cnf.\n\
67   A cron job should execute make gencrl once a month.\n\
68";
69       
70# Destroy the CA completly. Use with care.
71destroy:
72        @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi
73        @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi
74        @echo "Removing everything (for debug purpose)..."
75        @rm -rf $(DIR)/*
76        @ln -sf $(STATIC_DIR)/Makefile $(DIR)
77        @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR)
78       
79
80# Initialize the CA structure and keys.
81init:
82        @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi
83        @echo "Creating CA structure..."
84        @mkdir $(DIR)/crl
85        @mkdir $(DIR)/certs
86        @mkdir $(DIR)/newcerts
87        @mkdir $(DIR)/public-www
88        @mkdir $(DIR)/private
89        @chmod 700 $(DIR)/private
90        @mkdir $(DIR)/clients
91        @mkdir $(DIR)/clients/privkeys
92        @mkdir $(DIR)/clients/csr
93        @mkdir $(DIR)/clients/certs
94        @echo "01" > $(DIR)/serial
95        @touch $(DIR)/index.txt
96        @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \
97                -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail)
98        @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0
99        @$(MAKE) -f $(DIR)/Makefile gencrl
100
101# Regenerate the Certificate Revocation List.
102# This list should be available publicly
103gencrl:
104        @openssl ca $(CONFIG) -gencrl -out $(DIR)/public-www/crl.pem
105        @ln -sf $(DIR)/public-www/crl.pem $(DIR)/crl/`openssl crl -noout -hash < $(DIR)/public-www/crl.pem`.r0
106
107# Create a new private key and a CSR, in case the client does not provide the CSR by another mean.
108# Usage is: make newcsr name=peer.client.fqdn email=admin@client.fqdn
109newcsr:
110        @if [ -z "$(name)" -o -z "$(email)" ]; then echo "Please provide certificate name and email address: make newcsr name=mn.nautilus.org email=you@mail.com"; exit 1; fi
111        @if [ -e $(DIR)/clients/csr/$(name).csr ]; then echo "There is already a pending csr for this name."; exit 1; fi
112        @if [ ! -e $(DIR)/clients/privkeys/$(name).key.pem ]; \
113                then echo "Generating a private key for $(name) ..."; \
114                openssl genrsa -out $(DIR)/clients/privkeys/$(name).key.pem 1024; \
115                fi;
116        @echo "Creating the CSR in $(DIR)/clients/csr/$(name).csr";
117        @openssl req $(CONFIG) -new -batch -out $(DIR)/clients/csr/$(name).csr \
118                -key $(DIR)/clients/privkeys/$(name).key.pem \
119                -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(name)/emailAddress=$(email)
120
121# Process a CSR to create a x509 certificate. The certificate is valid for 1 year.
122# It should be sent to the client by any mean.
123cert:
124        @if [ -z "$(name)" ]; then echo "name must be provided: make cert name=mn.n6.org"; exit 1; fi
125        @if [ ! -e $(DIR)/clients/csr/$(name).csr ]; then echo "Could not find CSR in $(DIR)/clients/csr/$(name).csr."; exit 1; fi
126        @if [ -e $(DIR)/clients/certs/$(name).cert ]; \
127                then echo "Revoking old certificate..."; \
128                $(MAKE) revoke name=$(name); \
129                fi;
130        @openssl ca $(CONFIG) -in $(DIR)/clients/csr/$(name).csr \
131                -out $(DIR)/clients/certs/$(name).cert \
132                -batch
133        @ln -s $(DIR)/clients/certs/$(name).cert $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0
134
135# Revoke a certificate.
136revoke:
137        @if [ -z "$(name)" ]; then echo "name must be provided: make revoke name=mn.n6.org"; exit 1; fi
138        @if [ ! -e $(DIR)/clients/certs/$(name).cert ]; \
139                then echo "$(DIR)/clients/certs/$(name).cert not found"; \
140                exit 1; \
141                fi;
142        @openssl ca $(CONFIG) -revoke $(DIR)/clients/certs/$(name).cert;
143        @rm -f $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0
144        @$(MAKE) gencrl
145       
146# End of file...
Note: See TracBrowser for help on using the repository browser.