Changeset 45:7ecc7152123b in freeDiameter for contrib
- Timestamp:
- Nov 26, 2009, 6:31:48 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- Location:
- contrib/ca_script2
- Files:
-
- 2 edited
contrib/ca_script2/Makefile
r44 r45 1 1 #!/usr/bin/make -s 2 2 # 3 # This file is designed to automatize the CA tasks such as: 4 # -> init : create the initial CA tree and the CA root certificate. 5 # -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (exemple: make newcsr C=FR) 6 # -> cert : sign a pending CSR and generate the certificate. $name must be provided. 7 # -> revoke: revoke a certificate. $name must be provided. 8 # -> gencrl: update/create the CRL. 9 # 10 # The file should be located in the directory STATIC_DIR as defined below. 11 # The DIR directory will contain the data of the CA. It might be placed in /var. 12 # The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir. 13 # 14 # Here are the steps to install the CA scripts in default environment: 15 ## mkdir /etc/openssl-ca.static 16 ## cp Makefile openssl.cnf /etc/openssl-ca.static 17 # ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ## 18 ## mkdir /etc/openssl-ca 19 ## make -f /etc/openssl-ca.static/Makefile destroy force=y 20 ## cd /etc/openssl-ca 21 ## make init 22 ## make help 3 # This file is inspired from freeDiameter's contrib/ca_script and 4 # improved to handle multiple CA in a hierarchical fashion. 23 5 24 DIR = /home/thedoc/testbed.aaa/ca 25 STATIC_DIR = /home/thedoc/testbed.aaa/ca 26 CONFIG = -config $(DIR)/openssl.cnf 27 28 #Defaults for new CSR 29 C = JP 30 ST = Tokyo 31 L = Koganei 32 O = WIDE 33 OU = "AAA WG" 34 35 #Default lifetime 36 DAYS = 365 37 38 #Values for the CA 39 CA_CN = mgr.testbed.aaa 40 CA_mail = sdecugis@nict.go.jp 6 SCRIPT_DIR = . 
7 CONFIG = -config $(SCRIPT_DIR)/openssl.cnf 8 REMAKE = $(MAKE) -f $(SCRIPT_DIR)/Makefile 9 DATA_DIR = ./test 41 10 42 11 #Disable "make destroy" … … 50 19 help: 51 20 @echo "\n\ 52 Default values (can be overwritten on command-line):\n\53 [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\54 [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\55 21 Available commands:\n\ 56 make init \n\57 Creates the initial CA structure in $(DIR)\n\58 make gencrl\n\59 Regenerates the CRL. Should be run at least once a month.\n\60 make newcsr name=foo email=b@r [type=ca]\n\22 make init topca=name\n\ 23 Creates the initial top-level CA structure\n\ 24 make new_ca name=caname\n\ 25 Creates a new sub-CA that can be used for certificates later.\n\ 26 make newcsr name=foo ca=bar\n\ 61 27 Create private key and csr in clients subdir (named foo.*)\n\ 62 make cert name=foo\n\ 63 Signs the CSR foo.csr and creates the certificate foo.cert.\n\ 64 make revoke name=foo\n\ 65 Revokes the certificate foo.cert and regenerates the CRL.\n\ 28 make cert name=foo ca=bar\n\ 29 Signs the CSR foo.csr and creates the certificate foo.cert (signed by bar).\n\ 30 make revoke name=foo ca=bar\n\ 31 Revokes the certificate foo.cert issued by bar and regenerates the CRL.\n\ 32 make gencrl ca=bar\n\ 33 Regenerates the CRL for CA bar. Should be run at least once a month.\n\ 66 34 \n\ 67 Notes:\n\68 Content from public-www should be available from Internet. \n\69 The URL to CRL should be set in openssl.cnf.\n\70 A cron job should execute make gencrl once a month.\n\71 35 "; 72 36 73 # Destroy the CA completly. Use with care.37 # Destroy the CA hierarchy completly. Use with care. 74 38 destroy: 75 @if [ -z "$(force)" ]; then echo " Restartdisabled, use: make destroy force=y"; exit 1; fi76 @if [ ! -d $(S TATIC_DIR) ]; then echo "Error in setup"; exit 1; fi39 @if [ -z "$(force)" ]; then echo "Destroy disabled, use: make destroy force=y"; exit 1; fi 40 @if [ ! 
-d $(SCRIPT_DIR) ]; then echo "Error in setup"; exit 1; fi 77 41 @echo "Removing everything (for debug purpose)..." 78 @rm -rf $(DIR)/* 79 @ln -sf $(STATIC_DIR)/Makefile $(DIR) 80 @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR) 42 @rm -rf $(DATA_DIR)/* 43 44 # Initialize the CA structure 45 structure: 46 @if [ -z "$(caname)" ]; then echo "Internal error: caname is missing"; exit 1; fi 47 @if [ -d $(DATA_DIR)/$(caname) ]; then echo "CA $(caname) already exists."; exit 1; fi 48 @echo "Creating CA structure..." 49 @mkdir $(DATA_DIR)/$(caname)/crl 50 @mkdir $(DATA_DIR)/$(caname)/certs 51 @mkdir $(DATA_DIR)/$(caname)/newcerts 52 @mkdir $(DATA_DIR)/$(caname)/public-www 53 @mkdir $(DATA_DIR)/$(caname)/private 54 @chmod 700 $(DATA_DIR)/$(caname)/private 55 @mkdir $(DATA_DIR)/$(caname)/clients 56 @mkdir $(DATA_DIR)/$(caname)/clients/privkeys 57 @mkdir $(DATA_DIR)/$(caname)/clients/csr 58 @mkdir $(DATA_DIR)/$(caname)/clients/certs 59 @echo "01" > $(DATA_DIR)/$(caname)/serial 60 @touch $(DATA_DIR)/$(caname)/index.txt 81 61 62 # Initialize the top-level CA structure and keys. 63 init: 64 @if [ -z "$(topca)" ]; then echo "Please specify the name of the CA in as topca=name.testbed.aaa"; exit 1; fi 65 # Create the folder hierarchy 66 @$(REMAKE) structure caname=$(topca) 67 # Generate the self-signed certificate 68 @CA_ROOT_DIR=$(DATA_DIR)/$(topca) openssl req $(CONFIG) -new -batch -x509 -nodes -newkey rsa:2048 -out $(DATA_DIR)/$(topca)/public-www/cacert.pem \ 69 -keyout $(DATA_DIR)/$(topca)/private/cakey.pem -subj /CN=$(topca) 70 # Add the certificate hash 71 @ln -s $(DATA_DIR)/$(topca)/public-www/cacert.pem $(DATA_DIR)/$(topca)/certs/`openssl x509 -noout -hash < $(DATA_DIR)/$(topca)/public-www/cacert.pem`.0 72 @$(REMAKE) gencrl ca=$(topca) 82 73 83 # Initialize the CA structure and keys. 84 init: 85 @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi 86 @echo "Creating CA structure..." 
87 @mkdir $(DIR)/crl 88 @mkdir $(DIR)/certs 89 @mkdir $(DIR)/newcerts 90 @mkdir $(DIR)/public-www 91 @mkdir $(DIR)/private 92 @chmod 700 $(DIR)/private 93 @mkdir $(DIR)/clients 94 @mkdir $(DIR)/clients/privkeys 95 @mkdir $(DIR)/clients/csr 96 @mkdir $(DIR)/clients/certs 97 @echo "01" > $(DIR)/serial 98 @touch $(DIR)/index.txt 99 @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \ 100 -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail) 101 @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0 102 @$(MAKE) -f $(DIR)/Makefile gencrl 74 # Create a secondary CA 75 newca: 76 77 78 79 ############ 80 # En dessous ce n est pas fini... 81 82 103 83 104 84 # Regenerate the Certificate Revocation List. -
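Review bot: The new `init` recipe drops the `-days 3650` that the old recipe passed to `openssl req -x509`, and `[CA_default] default_days` in openssl.cnf only governs `openssl ca`, so the top-level CA certificate gets `req`'s own default validity (30 days in the OpenSSL versions I know) — restore `-days $(DAYS)` or a literal on the `openssl req` line. In `structure`, the first `@mkdir $(DATA_DIR)/$(caname)/crl` runs before `$(DATA_DIR)/$(caname)` exists and `mkdir` has no `-p`, so the target fails on its first use; add `@mkdir -p $(DATA_DIR)/$(caname)` after the existence check (and `mkdir -m 700` for `private` removes the window between creation and the later `chmod`). The same target seeds `serial` but not `crlnumber`, which the new openssl.cnf now enables, so the `$(REMAKE) gencrl ca=$(topca)` at the end of `init` may fail to load the CRL number unless `gencrl` (outside this view) creates it; `@echo "01" > $(DATA_DIR)/$(caname)/crlnumber` next to the `serial` line would cover it. `destroy` still runs `@rm -rf $(DATA_DIR)/*` guarded only by a check on `$(SCRIPT_DIR)`, so an empty `DATA_DIR` override turns it into `rm -rf /*`; guard the variable actually being deleted, e.g. `@if [ -z "$(DATA_DIR)" ] || [ ! -d "$(DATA_DIR)" ]; then echo "Error in setup"; exit 1; fi`. The help text advertises `make new_ca name=caname` while the stub target is spelled `newca`, and the middle of this file section (lines 11–19 and 41–50 of the new file) is elided here.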
contrib/ca_script2/openssl.cnf
r44 r45 1 # 2 # OpenSSL example configuration file. 3 # This is mostly being used for generation of certificate requests. 4 # 1 # Note: for this file to be working, an environment var CA_ROOT_DIR = directory 2 # must be defined and pointing to the CA top-level directory. 5 3 6 # This definition stops the following lines choking if HOME isn't7 # defined.8 4 HOME = . 9 5 RANDFILE = $ENV::HOME/.rnd 10 6 11 # Extra OBJECT IDENTIFIER info:12 #oid_file = $ENV::HOME/.oid13 7 oid_section = new_oids 14 15 # To use this configuration file with the "-extfile" option of the16 # "openssl x509" utility, name here the section containing the17 # X.509v3 extensions to use:18 # extensions =19 # (Alternatively, use a configuration file that has only20 # X.509v3 extensions in its main [= default] section.)21 8 22 9 [ new_oids ] 23 10 24 # We can add new OIDs in here for use by 'ca' and 'req'. 25 # Add a simple OID like this: 26 # testoid1=1.2.3.4 27 # Or use config file substitution like this: 28 # testoid2=${testoid1}.5.6 11 12 #################################################################### 13 [ req ] 14 default_bits = 1024 15 # default_keyfile = privkey.pem 16 string_mask = utf8only 17 18 distinguished_name = req_distinguished_name 19 attributes = req_attributes 20 req_extensions = v3_req # overwrite with -reqexts 21 x509_extensions = ca_cert # overwrite with -extensions; used for self-signed keys only 22 23 [ req_distinguished_name ] 24 countryName = Country Name (2 letter code) 25 countryName_default = JP 26 countryName_min = 2 27 countryName_max = 2 28 stateOrProvinceName = State or Province Name (full name) 29 stateOrProvinceName_default = Tokyo 30 localityName = Locality Name (eg, city) 31 localityName_default = Koganei 32 0.organizationName = Organization Name (eg, company) 33 0.organizationName_default = WIDE 34 1.organizationName = Second Organization Name (eg, company) 35 1.organizationName_default = NICT 36 organizationalUnitName = Organizational Unit Name (eg, 
section) 37 organizationalUnitName_default = AAA WG testbed 38 39 [ req_attributes ] 40 challengePassword = A challenge password 41 challengePassword_min = 0 42 challengePassword_max = 20 43 unstructuredName = An optional company name 44 45 [ v3_req ] 46 # Extensions to add to a certificate request 47 basicConstraints = CA:FALSE 48 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 49 50 [ v3_req_ca ] 51 # Extensions to add to a certificate request for CA 52 basicConstraints = CA:TRUE 53 29 54 30 55 #################################################################### … … 32 57 default_ca = CA_default # The default ca section 33 58 34 ####################################################################35 59 [ CA_default ] 36 60 37 dir = /etc/openssl-ca# Where everything is kept61 dir = $ENV::CA_ROOT_DIR # Where everything is kept 38 62 certs = $dir/certs # Where the issued certs are kept 39 63 crl_dir = $dir/crl # Where the issued crl are kept … … 45 69 certificate = $dir/public-www/cacert.pem # The CA certificate 46 70 serial = $dir/serial # The current serial number 47 # crlnumber = $dir/crlnumber # the current crl number 48 # must be commented out to leave a V1 CRL 71 crlnumber = $dir/crlnumber # the current crl number 49 72 crl = $dir/public-www/crl.pem # The current CRL 50 private_key = $dir/private/cakey.pem# The private key 51 RANDFILE = $dir/private/.rand # private random number file 52 73 private_key = $dir/private/cakey.pem # The private key 53 74 x509_extensions = usr_cert # The extentions to add to the cert 54 55 # Comment out the following two lines for the "traditional" 56 # (and highly broken) format. 75 # overwrite with -extensions 57 76 name_opt = ca_default # Subject Name options 58 77 cert_opt = ca_default # Certificate field options 78 crl_extensions = crl_ext 59 79 60 # Extension copying option: use with caution. 61 # copy_extensions = copy 62 63 # Extensions to add to a CRL. 
Note: Netscape communicator chokes on V2 CRLs 64 # so this is commented out by default to leave a V1 CRL. 65 # crlnumber must also be commented out to leave a V1 CRL. 66 # crl_extensions = crl_ext 67 68 default_days = 365 # how long to certify for 69 default_crl_days= 30 # how long before next CRL 80 default_days = 3650 # how long to certify for 81 default_crl_days= 365 # how long before next CRL 70 82 default_md = sha1 # which md to use. 71 83 preserve = no # keep passed DN ordering 72 84 73 # A few difference way of specifying how similar the request should look 74 # For type CA, the listed attributes must be the same, and the optional 75 # and supplied fields are just that :-) 76 # policy = policy_match 85 # We accept to sign anything, but a real deployment would limit to proper domain etc... 77 86 policy = policy_anything 78 87 79 # For the CA policy80 [ policy_match ]81 countryName = match82 stateOrProvinceName = match83 organizationName = match84 organizationalUnitName = optional85 commonName = supplied86 emailAddress = optional87 88 # For the 'anything' policy89 # At this point in time, you must list all acceptable 'object'90 # types.91 88 [ policy_anything ] 92 89 countryName = optional … … 98 95 emailAddress = optional 99 96 100 ####################################################################101 [ req ]102 default_bits = 1024103 default_keyfile = privkey.pem104 distinguished_name = req_distinguished_name105 attributes = req_attributes106 x509_extensions = v3_ca # The extentions to add to the self signed cert107 108 # Passwords for private keys if not present they will be prompted for109 # input_password = fdsecret110 # output_password = fdsecret111 112 # This sets a mask for permitted string types. 
There are several options.113 # default: PrintableString, T61String, BMPString.114 # pkix : PrintableString, BMPString.115 # utf8only: only UTF8Strings.116 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).117 # MASK:XXXX a literal mask value.118 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings119 # so use this option with caution!120 string_mask = utf8only121 122 # req_extensions = v3_req # The extensions to add to a certificate request123 124 [ req_distinguished_name ]125 countryName = Country Name (2 letter code)126 countryName_default = JP127 countryName_min = 2128 countryName_max = 2129 130 stateOrProvinceName = State or Province Name (full name)131 stateOrProvinceName_default = Tokyo132 133 localityName = Locality Name (eg, city)134 localityName_default = Koganei135 136 0.organizationName = Organization Name (eg, company)137 0.organizationName_default = WIDE138 139 # we can do this but it is not needed normally :-)140 1.organizationName = Second Organization Name (eg, company)141 1.organizationName_default = NICT142 143 organizationalUnitName = Organizational Unit Name (eg, section)144 organizationalUnitName_default = AAA WG145 146 commonName = Common Name (i.e. Diameter Agent hostname)147 commonName_max = 64148 149 emailAddress = Email Address (i.e. Diameter agent administrator)150 emailAddress_max = 64151 152 # SET-ex3 = SET extension number 3153 154 [ req_attributes ]155 challengePassword = A challenge password156 challengePassword_min = 0157 challengePassword_max = 20158 159 unstructuredName = An optional company name160 161 97 [ usr_cert ] 162 163 # These extensions are added when 'ca' signs a request.164 165 # This goes against PKIX guidelines but some CAs do it and some software166 # requires this to avoid interpreting an end user certificate as a CA.167 168 98 basicConstraints=CA:FALSE 169 170 # Here are some examples of the usage of nsCertType. 
If it is omitted171 # the certificate can be used for anything *except* object signing.172 173 # This is OK for an SSL server.174 # nsCertType = server175 176 # For an object signing certificate this would be used.177 # nsCertType = objsign178 179 # For normal client use this is typical180 # nsCertType = client, email181 182 # and for everything including object signing:183 # nsCertType = client, email, objsign184 185 99 # This is typical in keyUsage for a client certificate. 186 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 187 188 # This will be displayed in Netscape's comment listbox. 189 nsComment = "OpenSSL Generated Certificate" 190 191 # PKIX recommendations harmless if included in all certificates. 100 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 192 101 subjectKeyIdentifier=hash 193 102 authorityKeyIdentifier=keyid,issuer 194 103 195 # This stuff is for subjectAltName and issuerAltname. 196 # Import the email address. 197 # subjectAltName=email:copy 198 # An alternative to produce certificates that aren't 199 # deprecated according to PKIX. 200 # subjectAltName=email:move 201 202 # Copy subject details 203 # issuerAltName=issuer:copy 204 205 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 206 #nsBaseUrl 207 #nsRevocationUrl 208 #nsRenewalUrl 209 #nsCaPolicyUrl 210 #nsSslServerName 211 212 [ v3_req ] 213 214 # Extensions to add to a certificate request 215 216 basicConstraints = CA:FALSE 217 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 218 219 [ v3_ca ] 220 221 104 [ ca_cert ] 222 105 # Extensions for a typical CA 223 224 225 # PKIX recommendation.226 227 106 subjectKeyIdentifier=hash 228 229 107 authorityKeyIdentifier=keyid:always,issuer:always 230 231 # This is what PKIX recommends but some broken software chokes on critical 232 # extensions. 233 #basicConstraints = critical,CA:true 234 # So we do this instead. 235 basicConstraints = CA:true 236 237 # Key usage: this is typical for a CA certificate. 
However since it will 238 # prevent it being used as an test self-signed certificate it is best 239 # left out by default. 240 # keyUsage = cRLSign, keyCertSign 241 242 # Some might want this also 243 # nsCertType = sslCA, emailCA 244 245 # Include email address in subject alt name: another PKIX recommendation 108 basicConstraints = critical,CA:true # Remove "critical," in case of problems 109 keyUsage = cRLSign, keyCertSign 246 110 # subjectAltName=email:copy 247 111 # Copy issuer details 248 112 # issuerAltName=issuer:copy 249 113 250 # DER hex encoding of an extension: beware experts only!251 # obj=DER:02:03252 # Where 'obj' is a standard or added object253 # You can even override a supported extension:254 # basicConstraints= critical, DER:30:03:01:01:FF255 256 114 [ crl_ext ] 257 258 115 # CRL extensions. 259 116 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 260 261 117 # issuerAltName=issuer:copy 262 118 authorityKeyIdentifier=keyid:always,issuer:always 263 119 264 [ proxy_cert_ext ]265 # These extensions should be added when creating a proxy certificate266 120 267 # This goes against PKIX guidelines but some CAs do it and some software268 # requires this to avoid interpreting an end user certificate as a CA.269 270 basicConstraints=CA:FALSE271 272 # Here are some examples of the usage of nsCertType. 
If it is omitted273 # the certificate can be used for anything *except* object signing.274 275 # This is OK for an SSL server.276 # nsCertType = server277 278 # For an object signing certificate this would be used.279 # nsCertType = objsign280 281 # For normal client use this is typical282 # nsCertType = client, email283 284 # and for everything including object signing:285 # nsCertType = client, email, objsign286 287 # This is typical in keyUsage for a client certificate.288 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment289 290 # This will be displayed in Netscape's comment listbox.291 nsComment = "OpenSSL Generated Certificate"292 293 # PKIX recommendations harmless if included in all certificates.294 subjectKeyIdentifier=hash295 authorityKeyIdentifier=keyid,issuer:always296 297 # This stuff is for subjectAltName and issuerAltname.298 # Import the email address.299 # subjectAltName=email:copy300 # An alternative to produce certificates that aren't301 # deprecated according to PKIX.302 # subjectAltName=email:move303 304 # Copy subject details305 # issuerAltName=issuer:copy306 307 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem308 #nsBaseUrl309 #nsRevocationUrl310 #nsRenewalUrl311 #nsCaPolicyUrl312 #nsSslServerName313 314 # This really needs to be in place for it to be a proxy certificate.315 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
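Review bot: The new `[ req ]` section sets `default_bits = 1024`, so any request generated without an explicit `-newkey` (the Makefile only passes `rsa:2048` for the top CA) gets a 1024-bit RSA key; set `default_bits = 2048` to match the key the Makefile generates. `[ CA_default ]` keeps `default_md = sha1` unchanged and the new `default_days = 3650` makes every `openssl ca`-signed leaf valid for ten years by default; both deserve a comment or a smaller value for end-entity certificates, since `-days` can still override per call. `[ v3_req_ca ]` sets `basicConstraints = CA:TRUE` but, unlike `[ ca_cert ]`, carries no `keyUsage = cRLSign, keyCertSign`, and with no `copy_extensions` line in the new file the `ca` command presumably ignores request extensions anyway, so the section is currently only documentation. Several hunks in this section are elided at `…`, so the full `[ CA_default ]` is not visible here.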