Changeset 46:5719368fe1ff in freeDiameter for contrib
- Timestamp:
- Nov 27, 2009, 2:26:41 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- Location:
- contrib/ca_script2
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
contrib/ca_script2/Makefile
r45 r46 3 3 # This file is inspired from freeDiameter's contrib/ca_script and 4 4 # improved to handle multiple CA in a hierarchical fashion. 5 # Warning: the directory structure is flat, does not reflect the CA hierarchy 5 6 6 7 SCRIPT_DIR = . 8 DATA_DIR = ./ca_data 9 7 10 CONFIG = -config $(SCRIPT_DIR)/openssl.cnf 8 11 REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile 9 DATA_DIR = ./test10 12 11 #Disable "make destroy" 13 #Disable "make destroy" -- overwrite on command line 12 14 force = 13 15 16 #RSA key sizes, can be overwritten on command line 17 cakeysize = 2048 18 keysize = 1024 19 20 # Save current date 21 DATE=`date +%Y%m%d-%H%M%S` 14 22 15 23 # Default: print the help … … 22 30 make init topca=name\n\ 23 31 Creates the initial top-level CA structure\n\ 24 make new _ca name=caname\n\32 make newca name=newcaname ca=parentca\n\ 25 33 Creates a new sub-CA that can be used for certificates later.\n\ 26 make newcsr name=foo ca=bar\n\ 27 Create private key and csr in clients subdir (named foo.*)\n\ 28 make cert name=foo ca=bar\n\ 29 Signs the CSR foo.csr and creates the certificate foo.cert (signed by bar).\n\ 30 make revoke name=foo ca=bar\n\ 31 Revokes the certificate foo.cert issued by bar and regenerates the CRL.\n\ 32 make gencrl ca=bar\n\ 33 Regenerates the CRL for CA bar. Should be run at least once a month.\n\ 34 make newcert name=foo ca=parentca\n\ 35 Create private key and csr, then issue the certificate (named foo.*)\n\ 36 make revoke name=foo ca=parentca\n\ 37 Revokes the certificate foo.cert issued by parentca and regenerates the CRL.\n\ 38 make gencrl ca=caname\n\ 39 Regenerates the CRL of CA caname. Should be run periodically.\n\ 34 40 \n\ 35 41 "; … … 46 52 @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi 47 53 @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi 48 @echo "Creating CA structure..." 49 @mkdir $(DATA_DIR)/$(caname)/crl 50 @mkdir $(DATA_DIR)/$(caname)/certs 51 @mkdir $(DATA_DIR)/$(caname)/newcerts 52 @mkdir $(DATA_DIR)/$(caname)/public-www 54 # Creating CA structure 55 @mkdir -p $(DATA_DIR)/$(caname) 56 @mkdir $(DATA_DIR)/$(caname)/public 53 57 @mkdir $(DATA_DIR)/$(caname)/private 54 58 @chmod 700 $(DATA_DIR)/$(caname)/private 55 59 @mkdir $(DATA_DIR)/$(caname)/clients 56 @mkdir $(DATA_DIR)/$(caname)/clients/privkeys57 @mkdir $(DATA_DIR)/$(caname)/clients/csr58 @mkdir $(DATA_DIR)/$(caname)/clients/certs59 60 @echo "01" > $(DATA_DIR)/$(caname)/serial 61 @echo "01" > $(DATA_DIR)/$(caname)/crlnumber 60 62 @touch $(DATA_DIR)/$(caname)/index.txt 61 63 62 64 # Initialize the top-level CA structure and keys. 63 65 init: 64 @if [ -z "$(topca)" ]; then echo "Please specify the name of the CA in as topca=name.testbed.aaa"; exit 1; fi66 @if [ -z "$(topca)" ]; then echo "Please specify the name of the root CA. Ex: make init topca=rootca.testbed.aaa"; exit 1; fi 65 67 # Create the folder hierarchy 66 68 @$(REMAKE) structure caname=$(topca) 67 69 # Generate the self-signed certificate 68 @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -nodes -newkey rsa: 2048 -out $(DATA_DIR)/$(topca)/public-www/cacert.pem \70 @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -nodes -newkey rsa:$(cakeysize) -out $(DATA_DIR)/$(topca)/public/cacert.pem \ 69 71 -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -subj /CN=$(topca) 70 # Add the certificate hash71 @ ln -s $(DATA_DIR)/$(topca)/public-www/cacert.pem $(DATA_DIR)/$(topca)/certs/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public-www/cacert.pem`.072 @ln -s cacert.pem $(DATA_DIR)/$(topca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public/cacert.pem`.0 73 @touch $(DATA_DIR)/$(topca)/public/parents.pem 72 74 @$(REMAKE) gencrl ca=$(topca) 73 75 74 76 # Create a secondary CA 75 77 newca: 78 @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newca name=subca.testbed.aaa ca=rootca.testbed.aaa"; exit 1; fi 79 @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi 80 @if [ ! -d $(DATA_DIR)/$(name) ]; then $(REMAKE) structure caname=$(name); fi 81 # Generate the private key and CSR for the new CA if needed 82 @if [ ! -e $(DATA_DIR)/$(name)/private/cakey.pem ]; then \ 83 openssl genrsa -out $(DATA_DIR)/$(name)/private/cakey.pem $(cakeysize) ; fi 84 @if [ ! -e $(DATA_DIR)/$(name)/private/cacsr.pem ]; then \ 85 CA_ROOT_DIR=$(DATA_DIR)/$(name) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(name)/private/cacsr.pem \ 86 -key $(DATA_DIR)/$(name)/private/cakey.pem \ 87 -subj /CN=$(name) -reqexts v3_req_ca; fi 88 # Revoke a previous certificate for this CA if any 89 @if [ -e $(DATA_DIR)/$(name)/public/cacert.pem ]; then \ 90 echo "Revoking previous certificate ..."; \ 91 $(REMAKE) revoke name=$(name) ca=$(ca); \ 92 mv $(DATA_DIR)/$(name)/public/cacert.pem $(DATA_DIR)/$(name)/public/cacert-$(DATE).pem; fi 93 # Issue the new CA certificate 94 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(name)/private/cacsr.pem \ 95 -out $(DATA_DIR)/$(name)/public/cacert.pem \ 96 -batch -extensions ca_cert 97 # Hash and link to parent 98 @ln -s cacert.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(name)/public/cacert.pem`.0 99 @rm -f $(DATA_DIR)/$(name)/parent 100 @ln -s ../$(ca) $(DATA_DIR)/$(name)/parent 101 @cat $(DATA_DIR)/$(ca)/public/parents.pem $(DATA_DIR)/$(ca)/public/cacert.pem > $(DATA_DIR)/$(name)/public/parents.pem 76 102 103 # Create a new certificate for use in TLS communications and other terminal usages 104 newcert: 105 @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make newcert name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi 106 @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi 107 @if [ ! -d $(DATA_DIR)/$(ca)/clients/$(name) ]; then mkdir $(DATA_DIR)/$(ca)/clients/$(name); fi 108 # Create a private key if needed 109 @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem ]; then \ 110 openssl genrsa -out $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem $(keysize); fi 111 # Create a CSR if needed 112 @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem ]; then \ 113 CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl req $(CONFIG) -new -batch -out $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \ 114 -key $(DATA_DIR)/$(ca)/clients/$(name)/privkey.pem \ 115 -subj /CN=$(name); fi 116 # Revoke a previous certificate if any 117 @if [ -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; then \ 118 $(REMAKE) revoke name=$(name) ca=$(ca); \ 119 mv $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem $(DATA_DIR)/$(ca)/clients/$(name)/cert-$(DATE).pem; fi 120 # Now sign the new certificate with the CA key 121 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -in $(DATA_DIR)/$(ca)/clients/$(name)/csr.pem \ 122 -out $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem \ 123 -batch 124 # Hash 125 @ln -sf `cat $(DATA_DIR)/$(ca)/serial.old`.pem $(DATA_DIR)/$(ca)/public/`openssl x509 -noout -hash < $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem`.0 126 # Compiled informations for the client 127 @cat $(DATA_DIR)/$(ca)/public/parents.pem $(DATA_DIR)/$(ca)/public/cacert.pem > $(DATA_DIR)/$(ca)/clients/$(name)/ca.pem 128 @ln -sf ../../public/crl.pem $(DATA_DIR)/$(ca)/clients/$(name)/crl.pem 77 129 78 79 ############ 80 # En dessous ce n est pas fini... 81 82 83 84 # Regenerate the Certificate Revocation List. 85 # This list should be available publicly 86 gencrl: 87 @openssl ca $(CONFIG) -gencrl -out $(DIR)/public-www/crl.pem 88 @ln -sf $(DIR)/public-www/crl.pem $(DIR)/crl/`openssl crl -noout -hash < $(DIR)/public-www/crl.pem`.r0 89 90 # Create a new private key and a CSR, in case the client does not provide the CSR by another mean. 91 # Usage is: make newcsr name=peer.client.fqdn email=admin@client.fqdn 92 newcsr: 93 @if [ -z "$(name)" -o -z "$(email)" ]; then echo "Please provide certificate name and email address: make newcsr name=mn.nautilus.org email=you@mail.com"; exit 1; fi 94 @if [ -e $(DIR)/clients/csr/$(name).csr ]; then echo "There is already a pending csr for this name."; exit 1; fi 95 @if [ ! -e $(DIR)/clients/privkeys/$(name).key.pem ]; \ 96 then echo "Generating a private key for $(name) ..."; \ 97 openssl genrsa -out $(DIR)/clients/privkeys/$(name).key.pem 1024; \ 98 fi; 99 @echo "Creating the CSR in $(DIR)/clients/csr/$(name).csr"; 100 @openssl req $(CONFIG) -new -batch -out $(DIR)/clients/csr/$(name).csr \ 101 -key $(DIR)/clients/privkeys/$(name).key.pem \ 102 -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(name)/emailAddress=$(email) 103 104 # Process a CSR to create a x509 certificate. The certificate is valid for 1 year. 105 # It should be sent to the client by any mean. 106 cert: 107 @if [ -z "$(name)" ]; then echo "name must be provided: make cert name=mn.n6.org"; exit 1; fi 108 @if [ ! -e $(DIR)/clients/csr/$(name).csr ]; then echo "Could not find CSR in $(DIR)/clients/csr/$(name).csr."; exit 1; fi 109 @if [ -e $(DIR)/clients/certs/$(name).cert ]; \ 110 then echo "Revoking old certificate..."; \ 111 $(MAKE) revoke name=$(name); \ 112 fi; 113 @openssl ca $(CONFIG) -in $(DIR)/clients/csr/$(name).csr \ 114 -out $(DIR)/clients/certs/$(name).cert \ 115 -days $(DAYS) \ 116 -batch 117 @ln -s $(DIR)/clients/certs/$(name).cert $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0 118 119 # Revoke a certificate. 130 # Revoke a certificate 120 131 revoke: 121 @if [ -z "$(name)" ]; then echo "name must be provided: make revoke name=mn.n6.org"; exit 1; fi 122 @if [ ! -e $(DIR)/clients/certs/$(name).cert ]; \ 123 then echo "$(DIR)/clients/certs/$(name).cert not found"; \ 132 @if [ -z "$(name)" -o -z "$(ca)" ]; then echo "Missing parameter. Ex: make revoke name=service.testbed.aaa ca=ca.testbed.aaa"; exit 1; fi 133 @if [ ! -e $(DATA_DIR)/$(ca)/private/cakey.pem ]; then echo "The parent CA $(ca) does not exist."; exit 1; fi 134 @if [ ! -e $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem ]; \ 135 then echo "$(DATA_DIR)/$(ca)/clients/$(name)/cert.pem not found"; \ 124 136 exit 1; \ 125 137 fi; 126 @openssl ca $(CONFIG) -revoke $(DIR)/clients/certs/$(name).cert;127 @ rm -f $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0128 @$( MAKE) gencrl138 # Revoke the certificate 139 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -revoke $(DATA_DIR)/$(ca)/clients/$(name)/cert.pem; 140 @$(REMAKE) gencrl ca=$(ca) 129 141 142 # Regenerate the Certificate Revocation List. 143 gencrl: 144 @if [ -z "$(ca)" ]; then echo "Missing parameter. Ex: make gencrl ca=ca.testbed.aaa"; exit 1; fi 145 # Create the CRL (keep the old one?) 146 @CA_ROOT_DIR=$(DATA_DIR)/$(ca) openssl ca $(CONFIG) -gencrl -out $(DATA_DIR)/$(ca)/public/crl.pem 147 @ln -s crl.pem $(DATA_DIR)/$(ca)/public/`openssl crl -noout -hash < $(DATA_DIR)/$(ca)/public/crl.pem`.r0 148 130 149 # End of file... -
contrib/ca_script2/openssl.cnf
r45 r46 60 60 61 61 dir = $ENV::CA_ROOT_DIR # Where everything is kept 62 certs = $dir/ certs# Where the issued certs are kept63 crl_dir = $dir/ crl# Where the issued crl are kept62 certs = $dir/public # Where the issued certs are kept 63 crl_dir = $dir/public # Where the issued crl are kept 64 64 database = $dir/index.txt # database index file. 65 65 #unique_subject = no # Set to 'no' to allow creation of 66 66 # several ctificates with same subject. 67 new_certs_dir = $dir/ newcerts# default place for new certs.67 new_certs_dir = $dir/public # default place for new certs. 68 68 69 certificate = $dir/public -www/cacert.pem # The CA certificate69 certificate = $dir/public/cacert.pem # The CA certificate 70 70 serial = $dir/serial # The current serial number 71 71 crlnumber = $dir/crlnumber # the current crl number 72 crl = $dir/public -www/crl.pem # The current CRL72 crl = $dir/public/crl.pem # The current CRL 73 73 private_key = $dir/private/cakey.pem # The private key 74 74 x509_extensions = usr_cert # The extentions to add to the cert
Note: See TracChangeset
for help on using the changeset viewer.