Navigation


source: freeDiameter/contrib/ca_script/Makefile @ 29:5ba91682f0bc

Last change on this file since 29:5ba91682f0bc was 29:5ba91682f0bc, checked in by Sebastien Decugis <sdecugis@nict.go.jp>, 11 years ago

Added a test for cnxctx (tbc) and fixed some bugs

File size: 5.7 KB
Line 
1#!/usr/bin/make -s
2#
3# This file is designed to automatize the CA tasks such as:
4#  -> init  : create the initial CA tree and the CA root certificate.
5#  -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR)
6#  -> cert  : sign a pending CSR and generate the certificate. $name must be provided.
7#  -> revoke: revoke a certificate. $name must be provided.
8#  -> gencrl: update/create the CRL.
9#
10# The file should be located in the directory STATIC_DIR as defined below.
11# The DIR directory will contain the data of the CA. It might be placed in /var.
12# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir.
13#
14# Here are the steps to install the CA scripts in default environment:
15## mkdir /etc/openssl-ca.static
16## cp Makefile openssl.cnf /etc/openssl-ca.static
17# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ##
18## mkdir /etc/openssl-ca
19## make -f /etc/openssl-ca.static/Makefile destroy force=y
20## cd /etc/openssl-ca
21## make init
22## make help
23
24DIR = /etc/openssl-ca
25STATIC_DIR = /etc/openssl-ca.static
26CONFIG = -config $(DIR)/openssl.cnf
27
28#Defaults for new CSR
29C = JP
30ST = Tokyo
31L = Koganei
32O = WIDE
33OU = "AAA WG"
34
35#Default lifetime
36DAYS = 365
37
38#Values for the CA
39CA_CN = chavroux.cowaddict.org
40CA_mail = sdecugis@nict.go.jp
41
42#Disable "make destroy"
43force = 
44
45
46# Default: print the help
47all:    help
48
49# Help message
50help:
51        @echo "\n\
52Default values (can be overwritten on command-line):\n\
53   [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\
54   [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\
55Available commands:\n\
56   make init\n\
57       Creates the initial CA structure in $(DIR)\n\
58   make gencrl\n\
59       Regenerates the CRL. Should be run at least once a month.\n\
60   make newcsr name=foo email=b@r\n\
61       Create private key and csr in clients subdir (named foo.*)\n\
62   make cert name=foo\n\
63       Signs the CSR foo.csr and creates the certificate foo.cert.\n\
64   make revoke name=foo\n\
65       Revokes the certificate foo.cert and regenerates the CRL.\n\
66\n\
67Notes:\n\
68   Content from public-www should be available from Internet. \n\
69   The URL to CRL should be set in openssl.cnf.\n\
70   A cron job should execute make gencrl once a month.\n\
71";
72       
73# Destroy the CA completly. Use with care.
74destroy:
75        @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi
76        @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi
77        @echo "Removing everything (for debug purpose)..."
78        @rm -rf $(DIR)/*
79        @ln -sf $(STATIC_DIR)/Makefile $(DIR)
80        @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR)
81       
82
83# Initialize the CA structure and keys.
84init:
85        @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi
86        @echo "Creating CA structure..."
87        @mkdir $(DIR)/crl
88        @mkdir $(DIR)/certs
89        @mkdir $(DIR)/newcerts
90        @mkdir $(DIR)/public-www
91        @mkdir $(DIR)/private
92        @chmod 700 $(DIR)/private
93        @mkdir $(DIR)/clients
94        @mkdir $(DIR)/clients/privkeys
95        @mkdir $(DIR)/clients/csr
96        @mkdir $(DIR)/clients/certs
97        @echo "01" > $(DIR)/serial
98        @touch $(DIR)/index.txt
99        @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \
100                -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail)
101        @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0
102        @$(MAKE) -f $(DIR)/Makefile gencrl
103
104# Regenerate the Certificate Revocation List.
105# This list should be available publicly
106gencrl:
107        @openssl ca $(CONFIG) -gencrl -out $(DIR)/public-www/crl.pem
108        @ln -sf $(DIR)/public-www/crl.pem $(DIR)/crl/`openssl crl -noout -hash < $(DIR)/public-www/crl.pem`.r0
109
110# Create a new private key and a CSR, in case the client does not provide the CSR by another mean.
111# Usage is: make newcsr name=peer.client.fqdn email=admin@client.fqdn
112newcsr:
113        @if [ -z "$(name)" -o -z "$(email)" ]; then echo "Please provide certificate name and email address: make newcsr name=mn.nautilus.org email=you@mail.com"; exit 1; fi
114        @if [ -e $(DIR)/clients/csr/$(name).csr ]; then echo "There is already a pending csr for this name."; exit 1; fi
115        @if [ ! -e $(DIR)/clients/privkeys/$(name).key.pem ]; \
116                then echo "Generating a private key for $(name) ..."; \
117                openssl genrsa -out $(DIR)/clients/privkeys/$(name).key.pem 1024; \
118                fi;
119        @echo "Creating the CSR in $(DIR)/clients/csr/$(name).csr";
120        @openssl req $(CONFIG) -new -batch -out $(DIR)/clients/csr/$(name).csr \
121                -key $(DIR)/clients/privkeys/$(name).key.pem \
122                -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(name)/emailAddress=$(email)
123
124# Process a CSR to create a x509 certificate. The certificate is valid for 1 year.
125# It should be sent to the client by any mean.
126cert:
127        @if [ -z "$(name)" ]; then echo "name must be provided: make cert name=mn.n6.org"; exit 1; fi
128        @if [ ! -e $(DIR)/clients/csr/$(name).csr ]; then echo "Could not find CSR in $(DIR)/clients/csr/$(name).csr."; exit 1; fi
129        @if [ -e $(DIR)/clients/certs/$(name).cert ]; \
130                then echo "Revoking old certificate..."; \
131                $(MAKE) revoke name=$(name); \
132                fi;
133        @openssl ca $(CONFIG) -in $(DIR)/clients/csr/$(name).csr \
134                -out $(DIR)/clients/certs/$(name).cert \
135                -days $(DAYS) \
136                -batch
137        @ln -s $(DIR)/clients/certs/$(name).cert $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0
138
139# Revoke a certificate.
140revoke:
141        @if [ -z "$(name)" ]; then echo "name must be provided: make revoke name=mn.n6.org"; exit 1; fi
142        @if [ ! -e $(DIR)/clients/certs/$(name).cert ]; \
143                then echo "$(DIR)/clients/certs/$(name).cert not found"; \
144                exit 1; \
145                fi;
146        @openssl ca $(CONFIG) -revoke $(DIR)/clients/certs/$(name).cert;
147        @rm -f $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0
148        @$(MAKE) gencrl
149       
150# End of file...
Note: See TracBrowser for help on using the repository browser.