Changeset 45:7ecc7152123b in freeDiameter for contrib/ca_script2/Makefile
- Timestamp:
- Nov 26, 2009, 6:31:48 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- File:
-
- 1 edited
contrib/ca_script2/Makefile
r44 r45 1 1 #!/usr/bin/make -s 2 2 # 3 # This file is designed to automatize the CA tasks such as: 4 # -> init : create the initial CA tree and the CA root certificate. 5 # -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR) 6 # -> cert : sign a pending CSR and generate the certificate. $name must be provided. 7 # -> revoke: revoke a certificate. $name must be provided. 8 # -> gencrl: update/create the CRL. 9 # 10 # The file should be located in the directory STATIC_DIR as defined below. 11 # The DIR directory will contain the data of the CA. It might be placed in /var. 12 # The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir. 13 # 14 # Here are the steps to install the CA scripts in default environment: 15 ## mkdir /etc/openssl-ca.static 16 ## cp Makefile openssl.cnf /etc/openssl-ca.static 17 # ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ## 18 ## mkdir /etc/openssl-ca 19 ## make -f /etc/openssl-ca.static/Makefile destroy force=y 20 ## cd /etc/openssl-ca 21 ## make init 22 ## make help 3 # This file is inspired from freeDiameter's contrib/ca_script and 4 # improved to handle multiple CA in a hierarchical fashion. 23 5 24 DIR = /home/thedoc/testbed.aaa/ca 25 STATIC_DIR = /home/thedoc/testbed.aaa/ca 26 CONFIG = -config $(DIR)/openssl.cnf 27 28 #Defaults for new CSR 29 C = JP 30 ST = Tokyo 31 L = Koganei 32 O = WIDE 33 OU = "AAA WG" 34 35 #Default lifetime 36 DAYS = 365 37 38 #Values for the CA 39 CA_CN = mgr.testbed.aaa 40 CA_mail = sdecugis@nict.go.jp 6 SCRIPT_DIR = . 
7 CONFIG = -config $(SCRIPT_DIR)/openssl.cnf 8 REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile 9 DATA_DIR = ./test 41 10 42 11 #Disable "make destroy" … … 50 19 help: 51 20 @echo "\n\ 52 Default values (can be overwritten on command-line):\n\53 [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\54 [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\55 21 Available commands:\n\ 56 make init \n\57 Creates the initial CA structure in $(DIR)\n\58 make gencrl\n\59 Regenerates the CRL. Should be run at least once a month.\n\60 make newcsr name=foo email=b@r [type=ca]\n\22 make init topca=name\n\ 23 Creates the initial top-level CA structure\n\ 24 make new_ca name=caname\n\ 25 Creates a new sub-CA that can be used for certificates later.\n\ 26 make newcsr name=foo ca=bar\n\ 61 27 Create private key and csr in clients subdir (named foo.*)\n\ 62 make cert name=foo\n\ 63 Signs the CSR foo.csr and creates the certificate foo.cert.\n\ 64 make revoke name=foo\n\ 65 Revokes the certificate foo.cert and regenerates the CRL.\n\ 28 make cert name=foo ca=bar\n\ 29 Signs the CSR foo.csr and creates the certificate foo.cert (signed by bar).\n\ 30 make revoke name=foo ca=bar\n\ 31 Revokes the certificate foo.cert issued by bar and regenerates the CRL.\n\ 32 make gencrl ca=bar\n\ 33 Regenerates the CRL for CA bar. Should be run at least once a month.\n\ 66 34 \n\ 67 Notes:\n\68 Content from public-www should be available from Internet. \n\69 The URL to CRL should be set in openssl.cnf.\n\70 A cron job should execute make gencrl once a month.\n\71 35 "; 72 36 73 # Destroy the CA completly. Use with care.37 # Destroy the CA hierarchy completly. Use with care. 74 38 destroy: 75 @if [ -z "$(force)" ]; then echo " Restartdisabled, use: make destroy force=y"; exit 1; fi76 @if [ ! -d $(S TATIC_DIR) ]; then echo "Error in setup"; exit 1; fi39 @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi 40 @if [ ! 
-d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi 77 41 @echo "Removing everything (for debug purpose)..." 78 @rm -rf $(DIR)/* 79 @ln -sf $(STATIC_DIR)/Makefile $(DIR) 80 @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR) 42 @rm -rf $(DATA_DIR)/* 43 44 # Initialize the CA structure 45 structure: 46 @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi 47 @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi 48 @echo "Creating CA structure..." 49 @mkdir $(DATA_DIR)/$(caname)/crl 50 @mkdir $(DATA_DIR)/$(caname)/certs 51 @mkdir $(DATA_DIR)/$(caname)/newcerts 52 @mkdir $(DATA_DIR)/$(caname)/public-www 53 @mkdir $(DATA_DIR)/$(caname)/private 54 @chmod 700 $(DATA_DIR)/$(caname)/private 55 @mkdir $(DATA_DIR)/$(caname)/clients 56 @mkdir $(DATA_DIR)/$(caname)/clients/privkeys 57 @mkdir $(DATA_DIR)/$(caname)/clients/csr 58 @mkdir $(DATA_DIR)/$(caname)/clients/certs 59 @echo "01" > $(DATA_DIR)/$(caname)/serial 60 @touch $(DATA_DIR)/$(caname)/index.txt 81 61 62 # Initialize the top-level CA structure and keys. 63 init: 64 @if [ -z "$(topca)" ]; then echo "Please specify the name of the CA in as topca=name.testbed.aaa"; exit 1; fi 65 # Create the folder hierarchy 66 @$(REMAKE) structure caname=$(topca) 67 # Generate the self-signed certificate 68 @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -nodes -newkey rsa:2048 -out $(DATA_DIR)/$(topca)/public-www/cacert.pem \ 69 -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -subj /CN=$(topca) 70 # Add the certificate hash 71 @ln -s $(DATA_DIR)/$(topca)/public-www/cacert.pem $(DATA_DIR)/$(topca)/certs/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public-www/cacert.pem`.0 72 @$(REMAKE) gencrl ca=$(topca) 82 73 83 # Initialize the CA structure and keys. 84 init: 85 @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi 86 @echo "Creating CA structure..." 
87 @mkdir $(DIR)/crl 88 @mkdir $(DIR)/certs 89 @mkdir $(DIR)/newcerts 90 @mkdir $(DIR)/public-www 91 @mkdir $(DIR)/private 92 @chmod 700 $(DIR)/private 93 @mkdir $(DIR)/clients 94 @mkdir $(DIR)/clients/privkeys 95 @mkdir $(DIR)/clients/csr 96 @mkdir $(DIR)/clients/certs 97 @echo "01" > $(DIR)/serial 98 @touch $(DIR)/index.txt 99 @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \ 100 -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail) 101 @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0 102 @$(MAKE) -f $(DIR)/Makefile gencrl 74 # Create a secondary CA 75 newca: 76 77 78 79 ############ 80 # En dessous ce n est pas fini... 81 82 103 83 104 84 # Regenerate the Certificate Revocation List.
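Review bot: The `structure` target's first `mkdir $(DATA_DIR)/$(caname)/crl` has no parent to create into — nothing creates `$(DATA_DIR)/$(caname)` itself and the check just above guarantees it is absent — so every `make init` (which invokes `structure`) fails at that line unless the recipe uses `@mkdir -p $(DATA_DIR)/$(caname)/crl` or first runs `@mkdir -p $(DATA_DIR)/$(caname)`. `destroy` now runs `rm -rf $(DATA_DIR)/*`, but unlike `SCRIPT_DIR` the value of `DATA_DIR` is never checked, and as an ordinary assignment it can be overridden from the command line, so an empty override would expand to `rm -rf /*`; add `@if [ -z "$(DATA_DIR)" ] || [ ! -d $(DATA_DIR) ]; then echo "Error in setup"; exit 1; fi` next to the existing `SCRIPT_DIR` check. `init` also dropped the `-days 3650` that the old `openssl req -x509` recipe passed, so the root certificate's lifetime presumably now falls back to whatever openssl.cnf supplies — worth either restoring an explicit `-days` or a comment stating that this is intended. Finally, the help text advertises `make new_ca name=caname` while the rule is spelled `newca:` with an empty recipe, and the trailing `# En dessous ce n est pas fini...` should read `# Below this point is unfinished` so the stub is understood by every maintainer.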