Changeset 45:7ecc7152123b in freeDiameter for contrib/ca_script2/Makefile


Timestamp:
Nov 26, 2009, 6:31:48 PM (14 years ago)
Author:
Sebastien Decugis <sdecugis@nict.go.jp>
Branch:
default
Phase:
public
Message:

Work in progress

File:
1 edited

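--- a/contrib/ca_script2/Makefile
+++ b/contrib/ca_script2/Makefile
@@ -1,42 +1,11 @@
 #!/usr/bin/make -s
 #
-# This file is designed to automatize the CA tasks such as:
-#  -> init  : create the initial CA tree and the CA root certificate.
-#  -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR)
-#  -> cert  : sign a pending CSR and generate the certificate. $name must be provided.
-#  -> revoke: revoke a certificate. $name must be provided.
-#  -> gencrl: update/create the CRL.
-#
-# The file should be located in the directory STATIC_DIR as defined below.
-# The DIR directory will contain the data of the CA. It might be placed in /var.
-# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir.
-#
-# Here are the steps to install the CA scripts in default environment:
-## mkdir /etc/openssl-ca.static
-## cp Makefile openssl.cnf /etc/openssl-ca.static
-# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ##
-## mkdir /etc/openssl-ca
-## make -f /etc/openssl-ca.static/Makefile destroy force=y
-## cd /etc/openssl-ca
-## make init
-## make help
+# This file is inspired from freeDiameter's contrib/ca_script and
+# improved to handle multiple CA in a hierarchical fashion.
 
-DIR = /home/thedoc/testbed.aaa/ca
-STATIC_DIR = /home/thedoc/testbed.aaa/ca
-CONFIG = -config $(DIR)/openssl.cnf
-
-#Defaults for new CSR
-C = JP
-ST = Tokyo
-L = Koganei
-O = WIDE
-OU = "AAA WG"
-
-#Default lifetime
-DAYS = 365
-
-#Values for the CA
-CA_CN = mgr.testbed.aaa
-CA_mail = sdecugis@nict.go.jp
+SCRIPT_DIR = .
+CONFIG = -config $(SCRIPT_DIR)/openssl.cnf
+REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile
+DATA_DIR = ./test
 
 #Disable "make destroy"
@@ -50,55 +19,66 @@
 help:
 	@echo "\n\
-Default values (can be overwritten on command-line):\n\
-   [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\
-   [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\
 Available commands:\n\
-   make init\n\
-      Creates the initial CA structure in $(DIR)\n\
-   make gencrl\n\
-      Regenerates the CRL. Should be run at least once a month.\n\
-   make newcsr name=foo email=b@r [type=ca]\n\
+   make init topca=name\n\
+      Creates the initial top-level CA structure\n\
+   make new_ca name=caname\n\
+      Creates a new sub-CA that can be used for certificates later.\n\
+   make newcsr name=foo ca=bar\n\
       Create private key and csr in clients subdir (named foo.*)\n\
-   make cert name=foo\n\
-      Signs the CSR foo.csr and creates the certificate foo.cert.\n\
-   make revoke name=foo\n\
-      Revokes the certificate foo.cert and regenerates the CRL.\n\
+   make cert name=foo ca=bar\n\
+      Signs the CSR foo.csr and creates the certificate foo.cert (signed by bar).\n\
+   make revoke name=foo ca=bar\n\
+      Revokes the certificate foo.cert issued by bar and regenerates the CRL.\n\
+   make gencrl ca=bar\n\
+      Regenerates the CRL for CA bar. Should be run at least once a month.\n\
 \n\
-Notes:\n\
-   Content from public-www should be available from Internet. \n\
-   The URL to CRL should be set in openssl.cnf.\n\
-   A cron job should execute make gencrl once a month.\n\
 ";
 	
-# Destroy the CA completly. Use with care.
+# Destroy the CA hierarchy completly. Use with care.
 destroy:
-	@if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi
-	@if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi
+	@if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi
+	@if [ ! -d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi
 	@echo "Removing everything (for debug purpose)..."
-	@rm -rf $(DIR)/*
-	@ln -sf $(STATIC_DIR)/Makefile $(DIR)
-	@ln -sf $(STATIC_DIR)/openssl.cnf $(DIR)
+	@rm -rf $(DATA_DIR)/*
+
+# Initialize the CA structure
+structure:
+	@if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi
+	@if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi
+	@echo "Creating CA structure..."
+	@mkdir $(DATA_DIR)/$(caname)/crl
+	@mkdir $(DATA_DIR)/$(caname)/certs
+	@mkdir $(DATA_DIR)/$(caname)/newcerts
+	@mkdir $(DATA_DIR)/$(caname)/public-www
+	@mkdir $(DATA_DIR)/$(caname)/private
+	@chmod 700 $(DATA_DIR)/$(caname)/private
+	@mkdir $(DATA_DIR)/$(caname)/clients
+	@mkdir $(DATA_DIR)/$(caname)/clients/privkeys
+	@mkdir $(DATA_DIR)/$(caname)/clients/csr
+	@mkdir $(DATA_DIR)/$(caname)/clients/certs
+	@echo "01" > $(DATA_DIR)/$(caname)/serial
+	@touch $(DATA_DIR)/$(caname)/index.txt
 	
+# Initialize the top-level CA structure and keys.
+init:
+	@if [ -z "$(topca)" ]; then echo "Please specify the name of the CA in as topca=name.testbed.aaa"; exit 1; fi
+	# Create the folder hierarchy
+	@$(REMAKE) structure caname=$(topca)
+	# Generate the self-signed certificate
+	@CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -nodes -newkey rsa:2048 -out $(DATA_DIR)/$(topca)/public-www/cacert.pem \
+		-keyout $(DATA_DIR)/$(topca)/private/cakey.pem -subj /CN=$(topca)
+	# Add the certificate hash
+	@ln -s $(DATA_DIR)/$(topca)/public-www/cacert.pem $(DATA_DIR)/$(topca)/certs/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public-www/cacert.pem`.0
+	@$(REMAKE) gencrl ca=$(topca)
 
-# Initialize the CA structure and keys.
-init:
-	@if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi
-	@echo "Creating CA structure..."
-	@mkdir $(DIR)/crl
-	@mkdir $(DIR)/certs
-	@mkdir $(DIR)/newcerts
-	@mkdir $(DIR)/public-www
-	@mkdir $(DIR)/private
-	@chmod 700 $(DIR)/private
-	@mkdir $(DIR)/clients
-	@mkdir $(DIR)/clients/privkeys
-	@mkdir $(DIR)/clients/csr
-	@mkdir $(DIR)/clients/certs
-	@echo "01" > $(DIR)/serial
-	@touch $(DIR)/index.txt
-	@openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \
-		-keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail)
-	@ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0
-	@$(MAKE) -f $(DIR)/Makefile gencrl
+# Create a secondary CA
+newca:
+
+
+
+############
+# En dessous ce n est pas fini...
+
+
 
 # Regenerate the Certificate Revocation List.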
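Review bot: In the new `structure` target the first `@mkdir $(DATA_DIR)/$(caname)/crl` runs while `$(DATA_DIR)/$(caname)` does not yet exist (the preceding `-d` test has just ensured that), so without `-p` it fails and `init` never reaches key generation; add `@mkdir -p $(DATA_DIR)/$(caname)` before it, or use `mkdir -p` on each line. The `openssl req -x509` call in `init` also dropped the `-days 3650` the old recipe passed, so the new top-level CA certificate gets OpenSSL's short default validity (30 days) — put `-days 3650` back or reintroduce a `DAYS` variable. `destroy` runs `rm -rf $(DATA_DIR)/*` after testing only `SCRIPT_DIR`, which defaults to `.` and always passes, so `make destroy force=y DATA_DIR=` would expand to `rm -rf /*`; guard it with `@if [ -z "$(DATA_DIR)" ]; then echo "DATA_DIR is empty"; exit 1; fi`. The root key is still written with `-nodes` (unencrypted on disk), which is fine for a testbed but deserves a comment saying so if this script is reused elsewhere. The `gencrl` target that `init` invokes through `$(REMAKE)` lies outside this hunk.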