Changeset 45:7ecc7152123b in freeDiameter for contrib

Timestamp:

Nov 26, 2009, 6:31:48 PM (14 years ago)

Author:

Sebastien Decugis <sdecugis@nict.go.jp>

Branch:

default

Phase:

public

Message:

Work in progress

Location:

contrib/ca_script2

Files:

: 2 edited

Makefile (modified) (2 diffs)
openssl.cnf (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

contrib/ca_script2/Makefile

-                      r44
+                      r45
 #!/usr/bin/make -s
+#
+# This file is designed to automatize the CA tasks such as:
+#  -> init  : create the initial CA tree and the CA root certificate.
+#  -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR)
+#  -> cert  : sign a pending CSR and generate the certificate. $name must be provided.
+#  -> revoke: revoke a certificate. $name must be provided.
+#  -> gencrl: update/create the CRL.
+#
+# The file should be located in the directory STATIC_DIR as defined below.
+# The DIR directory will contain the data of the CA. It might be placed in /var.
+# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir.
+#
+# Here are the steps to install the CA scripts in default environment:
+## mkdir /etc/openssl-ca.static
+## cp Makefile openssl.cnf /etc/openssl-ca.static
+# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ##
+## mkdir /etc/openssl-ca
+## make -f /etc/openssl-ca.static/Makefile destroy force=y
+## cd /etc/openssl-ca
+## make init
+## make help
+# This file is inspired from freeDiameter's contrib/ca_script and
+# improved to handle multiple CA in a hierarchical fashion.
+DIR = /home/thedoc/testbed.aaa/ca
+STATIC_DIR = /home/thedoc/testbed.aaa/ca
+CONFIG = -config $(DIR)/openssl.cnf
+#Defaults for new CSR
+C = JP
+ST = Tokyo
+L = Koganei
+O = WIDE
+OU = "AAA WG"
+#Default lifetime
+DAYS = 365
+#Values for the CA
+CA_CN = mgr.testbed.aaa
+CA_mail = sdecugis@nict.go.jp
+SCRIPT_DIR = .
+CONFIG = -config $(SCRIPT_DIR)/openssl.cnf
+REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile
+DATA_DIR = ./test
 #Disable "make destroy"
 …
 help:
         @echo "\n\
-Default values (can be overwritten on command-line):\n\
-   [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\
-   [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\
 Available commands:\n\
    make init\n\
        Creates the initial CA structure in $(DIR)\n\
    make gencrl\n\
        Regenerates the CRL. Should be run at least once a month.\n\
    make newcsr name=foo email=b@r [type=ca]\n\
+   make init topca=name\n\
+       Creates the initial top-level CA structure\n\
+   make new_ca name=caname\n\
+       Creates a new sub-CA that can be used for certificates later.\n\
+   make newcsr name=foo ca=bar\n\
        Create private key and csr in clients subdir (named foo.*)\n\
+   make cert name=foo\n\
+       Signs the CSR foo.csr and creates the certificate foo.cert.\n\
+   make revoke name=foo\n\
+       Revokes the certificate foo.cert and regenerates the CRL.\n\
+   make cert name=foo ca=bar\n\
+       Signs the CSR foo.csr and creates the certificate foo.cert (signed by bar).\n\
+   make revoke name=foo ca=bar\n\
+       Revokes the certificate foo.cert issued by bar and regenerates the CRL.\n\
+   make gencrl ca=bar\n\
+       Regenerates the CRL for CA bar. Should be run at least once a month.\n\
 \n\
-Notes:\n\
-   Content from public-www should be available from Internet. \n\
-   The URL to CRL should be set in openssl.cnf.\n\
-   A cron job should execute make gencrl once a month.\n\
 ";
 # Destroy the CA completly. Use with care.
+# Destroy the CA hierarchy completly. Use with care.
 destroy:
         @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi
         @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi
+        @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi
+        @if [ ! -d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi
         @echo "Removing everything (for debug purpose)..."
+        @rm -rf $(DIR)/*
+        @ln -sf $(STATIC_DIR)/Makefile $(DIR)
+        @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR)
+        @rm -rf $(DATA_DIR)/*
+# Initialize the CA structure
+structure:
+        @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi
+        @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi
+        @echo "Creating CA structure..."
+        @mkdir $(DATA_DIR)/$(caname)/crl
+        @mkdir $(DATA_DIR)/$(caname)/certs
+        @mkdir $(DATA_DIR)/$(caname)/newcerts
+        @mkdir $(DATA_DIR)/$(caname)/public-www
+        @mkdir $(DATA_DIR)/$(caname)/private
+        @chmod 700 $(DATA_DIR)/$(caname)/private
+        @mkdir $(DATA_DIR)/$(caname)/clients
+        @mkdir $(DATA_DIR)/$(caname)/clients/privkeys
+        @mkdir $(DATA_DIR)/$(caname)/clients/csr
+        @mkdir $(DATA_DIR)/$(caname)/clients/certs
+        @echo "01" > $(DATA_DIR)/$(caname)/serial
+        @touch $(DATA_DIR)/$(caname)/index.txt
+# Initialize the top-level CA structure and keys.
+init:
+        @if [ -z "$(topca)" ]; then echo "Please specify the name of the CA in as topca=name.testbed.aaa"; exit 1; fi
+        # Create the folder hierarchy
+        @$(REMAKE) structure caname=$(topca)
+        # Generate the self-signed certificate
+        @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -nodes -newkey rsa:2048 -out $(DATA_DIR)/$(topca)/public-www/cacert.pem \
+                -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -subj /CN=$(topca)
+        # Add the certificate hash
+        @ln -s $(DATA_DIR)/$(topca)/public-www/cacert.pem $(DATA_DIR)/$(topca)/certs/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public-www/cacert.pem`.0
+        @$(REMAKE) gencrl ca=$(topca)
+# Initialize the CA structure and keys.
+init:
+        @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi
+        @echo "Creating CA structure..."
+        @mkdir $(DIR)/crl
+        @mkdir $(DIR)/certs
+        @mkdir $(DIR)/newcerts
+        @mkdir $(DIR)/public-www
+        @mkdir $(DIR)/private
+        @chmod 700 $(DIR)/private
+        @mkdir $(DIR)/clients
+        @mkdir $(DIR)/clients/privkeys
+        @mkdir $(DIR)/clients/csr
+        @mkdir $(DIR)/clients/certs
+        @echo "01" > $(DIR)/serial
+        @touch $(DIR)/index.txt
+        @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \
+                -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail)
+        @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0
+        @$(MAKE) -f $(DIR)/Makefile gencrl
+# Create a secondary CA
+newca:
+############
+# En dessous ce n est pas fini...
 # Regenerate the Certificate Revocation List.

contrib/ca_script2/openssl.cnf

-                      r44
+                      r45
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# Note: for this file to be working, an environment var CA_ROOT_DIR = directory
+# must be defined and pointing to the CA top-level directory.
-# This definition stops the following lines choking if HOME isn't
-# defined.
 HOME                    = .
 RANDFILE                = $ENV::HOME/.rnd
-# Extra OBJECT IDENTIFIER info:
-#oid_file               = $ENV::HOME/.oid
 oid_section             = new_oids
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions            =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
 [ new_oids ]
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+####################################################################
+[ req ]
+default_bits            = 1024
+# default_keyfile       = privkey.pem
+string_mask             = utf8only
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+req_extensions          = v3_req    # overwrite with -reqexts
+x509_extensions         = ca_cert   # overwrite with -extensions; used for self-signed keys only
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = JP
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Tokyo
+localityName                    = Locality Name (eg, city)
+localityName_default            = Koganei
+.organizationName              = Organization Name (eg, company)
+.organizationName_default      = WIDE
+.organizationName              = Second Organization Name (eg, company)
+.organizationName_default      = NICT
+organizationalUnitName          = Organizational Unit Name (eg, section)
+organizationalUnitName_default  = AAA WG testbed
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 0
+challengePassword_max           = 20
+unstructuredName                = An optional company name
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_req_ca ]
+# Extensions to add to a certificate request for CA
+basicConstraints = CA:TRUE
 ####################################################################
 …
 default_ca      = CA_default            # The default ca section
-####################################################################
 [ CA_default ]
 dir             = /etc/openssl-ca       # Where everything is kept
+dir             = $ENV::CA_ROOT_DIR     # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
 …
 certificate     = $dir/public-www/cacert.pem    # The CA certificate
 serial          = $dir/serial           # The current serial number
+# crlnumber     = $dir/crlnumber        # the current crl number
+                                        # must be commented out to leave a V1 CRL
+crlnumber       = $dir/crlnumber        # the current crl number
 crl             = $dir/public-www/crl.pem               # The current CRL
+private_key     = $dir/private/cakey.pem# The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+private_key     = $dir/private/cakey.pem        # The private key
 x509_extensions = usr_cert              # The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+                                        # overwrite with -extensions
 name_opt        = ca_default            # Subject Name options
 cert_opt        = ca_default            # Certificate field options
+crl_extensions  = crl_ext
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions        = crl_ext
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_days    = 3650                  # how long to certify for
+default_crl_days= 365                   # how long before next CRL
 default_md      = sha1                  # which md to use.
 preserve        = no                    # keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+# policy                = policy_match
+# We accept to sign anything, but a real deployment would limit to proper domain etc...
 policy                  = policy_anything
-# For the CA policy
-[ policy_match ]
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
 [ policy_anything ]
 countryName             = optional
 …
 emailAddress            = optional
-####################################################################
-[ req ]
-default_bits            = 1024
-default_keyfile         = privkey.pem
-distinguished_name      = req_distinguished_name
-attributes              = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-# Passwords for private keys if not present they will be prompted for
-# input_password = fdsecret
-# output_password = fdsecret
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix   : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = utf8only
-# req_extensions = v3_req # The extensions to add to a certificate request
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = JP
-countryName_min                 = 2
-countryName_max                 = 2
-stateOrProvinceName             = State or Province Name (full name)
-stateOrProvinceName_default     = Tokyo
-localityName                    = Locality Name (eg, city)
-localityName_default            = Koganei
-.organizationName              = Organization Name (eg, company)
-.organizationName_default      = WIDE
-# we can do this but it is not needed normally :-)
-.organizationName              = Second Organization Name (eg, company)
-.organizationName_default      = NICT
-organizationalUnitName          = Organizational Unit Name (eg, section)
-organizationalUnitName_default  = AAA WG
-commonName                      = Common Name (i.e. Diameter Agent hostname)
-commonName_max                  = 64
-emailAddress                    = Email Address (i.e. Diameter agent administrator)
-emailAddress_max                = 64
-# SET-ex3                       = SET extension number 3
-[ req_attributes ]
-challengePassword               = A challenge password
-challengePassword_min           = 0
-challengePassword_max           = 20
-unstructuredName                = An optional company name
 [ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-# This is OK for an SSL server.
-# nsCertType                    = server
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-# For normal client use this is typical
-# nsCertType = client, email
-# and for everything including object signing:
-# nsCertType = client, email, objsign
 # This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+[ ca_cert ]
 # Extensions for a typical CA
-# PKIX recommendation.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+basicConstraints = critical,CA:true  # Remove "critical," in case of problems
+keyUsage = cRLSign, keyCertSign
 # subjectAltName=email:copy
 # Copy issuer details
 # issuerAltName=issuer:copy
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
 [ crl_ext ]
 # CRL extensions.
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-# This is OK for an SSL server.
-# nsCertType                    = server
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-# For normal client use this is typical
-# nsCertType = client, email
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment                       = "OpenSSL Generated Certificate"
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-# Copy subject details
-# issuerAltName=issuer:copy
-#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

Note: See TracChangeset for help on using the changeset viewer.

Navigation

Changeset 45:7ecc7152123b in freeDiameter for contrib

Legend:

contrib/ca_script2/Makefile

contrib/ca_script2/openssl.cnf

Download in other formats: