diff options
-rw-r--r-- | .gitignore | 0 | ||||
-rw-r--r-- | conf/CA/README.txt | 38 | ||||
-rw-r--r-- | conf/CA/clean.sh | 1 | ||||
-rw-r--r-- | conf/CA/intermediate.sh | 57 | ||||
-rw-r--r-- | conf/CA/manual.sh | 55 | ||||
-rw-r--r-- | conf/CA/newca.sh | 57 | ||||
-rw-r--r-- | conf/CA/openssl.conf | 131 | ||||
-rw-r--r-- | conf/CA/p12.sh | 23 | ||||
-rw-r--r-- | conf/CA/subject.aaf | 1 |
9 files changed, 363 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/.gitignore diff --git a/conf/CA/README.txt b/conf/CA/README.txt new file mode 100644 index 00000000..0fd261f2 --- /dev/null +++ b/conf/CA/README.txt @@ -0,0 +1,38 @@ +# +# NOTE: This README is "bash" capable. bash README.txt +# +# create simple but reasonable directory structure +mkdir -p private certs newcerts +chmod 700 private +chmod 755 certs newcerts +touch index.txt +echo '01' > serial + +echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'" +echo "Enter the PassPhrase for your Key: " +`stty -echo` +#read PASSPHRASE +PASSPHRASE=HunkyDoryDickoryDock +`stty echo` + +# Create a regaular rsa encrypted key +openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF +$PASSPHRASE +EOF + +# Move to a Java readable time, not this one is NOT Encrypted. +openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF +$PASSPHRASE +EOF +chmod 400 private/ca.key private/ca.ekey + +# Generate a CA Certificate +openssl req -config openssl.conf \ + -key private/ca.key \ + -new -x509 -days 7300 -sha256 -extensions v3_ca \ + -out certs/ca.crt << EOF +$PASSPHRASE +EOF + +# All done, print result +openssl x509 -text -noout -in certs/ca.crt diff --git a/conf/CA/clean.sh b/conf/CA/clean.sh new file mode 100644 index 00000000..3df61082 --- /dev/null +++ b/conf/CA/clean.sh @@ -0,0 +1 @@ +rm -Rf private certs newcerts index* serial* intermediateCAs diff --git a/conf/CA/intermediate.sh b/conf/CA/intermediate.sh new file mode 100644 index 00000000..b2071504 --- /dev/null +++ b/conf/CA/intermediate.sh @@ -0,0 +1,57 @@ +# +# Initialize a manual Cert. This is NOT entered in Certman Records +# + if [ -e intermediate.serial ]; then + ((SERIAL=`cat intermediate.serial` + 1)) + else + SERIAL=1 + fi + echo $SERIAL > intermediate.serial +DIR=intermediate_$SERIAL + +mkdir -p $DIR/private $DIR/certs $DIR/newcerts +chmod 700 $DIR/private +chmod 755 $DIR/certs $DIR/newcerts +touch $DIR/index.txt +if [ ! -e $DIR/serial ]; then + echo '01' > $DIR/serial +fi +cp manual.sh p12.sh subject.aaf $DIR + +if [ "$1" == "" ]; then + CN=intermediateCA_$SERIAL +else + CN=$1 +fi + +SUBJECT="/CN=$CN`cat subject.aaf`" +echo $SUBJECT + echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'" + echo "Enter the PassPhrase for the Key for $CN: " + `stty -echo` + read PASSPHRASE + `stty echo` + + # Create a regaular rsa encrypted key + openssl req -new -newkey rsa:4096 -sha256 -keyout $DIR/private/ca.key \ + -out $DIR/$CN.csr -outform PEM -subj "$SUBJECT" \ + -passout stdin << EOF +$PASSPHRASE +EOF + + chmod 400 $DIR/private/$CN.key + openssl req -verify -text -noout -in $DIR/$CN.csr + + # Sign it + openssl ca -config openssl.conf -extensions v3_intermediate_ca \ + -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \ + -infiles $DIR/$CN.csr + + openssl x509 -text -noout -in $DIR/certs/ca.crt + + + openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt + + + + diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh new file mode 100644 index 00000000..bb891759 --- /dev/null +++ b/conf/CA/manual.sh @@ -0,0 +1,55 @@ +# +# Initialize a manual Cert. This is NOT entered in Certman Records +# +echo "FQI (Fully Qualified Identity): " +read FQI +if [ "$1" = "" -o "$1" = "-local" ]; then + echo "Personal Certificate" + SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`" +else + echo "Application Certificate" + SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`" + FQI=$1 + shift +fi +echo $SUBJECT + +if [ -e $FQI.csr ]; then + SIGN_IT=true +else + if [ "$1" = "-local" ]; then + echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'" + echo "Enter the PassPhrase for the Key for $FQI: " + `stty -echo` + read PASSPHRASE + `stty echo` + + # remove any previous Private key + rm private/$FQI.key + # Create j regaular rsa encrypted key + openssl req -new -newkey rsa:2048 -sha256 -keyout private/$FQI.key \ + -out $FQI.csr -outform PEM -subj "$SUBJECT" \ + -passout stdin << EOF +$PASSPHRASE +EOF + chmod 400 private/$FQI.key + SIGN_IT=true + else + echo openssl req -newkey rsa:4096 -sha256 -keyout $FQI.key -out $FQI.csr -outform PEM -subj '"'$SUBJECT'"' + echo chmod 400 $FQI.key + echo "# All done, print result" + echo openssl req -verify -text -noout -in $FQI.csr + fi +fi + +if [ "$SIGN_IT" = "true" ]; then + # Sign it + openssl ca -config ../openssl.conf -extensions server_cert -out $FQI.crt \ + -cert certs/ca.crt -keyfile private/ca.key \ + -policy policy_loose \ + -infiles $FQI.csr +fi + + + + diff --git a/conf/CA/newca.sh b/conf/CA/newca.sh new file mode 100644 index 00000000..5f49f38a --- /dev/null +++ b/conf/CA/newca.sh @@ -0,0 +1,57 @@ +# +# NOTE: This README is "bash" capable. bash README.txt +# +# create simple but reasonable directory structure +mkdir -p private certs newcerts +chmod 700 private +chmod 755 certs newcerts +touch index.txt +if [ ! -e serial ]; then + echo '01' > serial +fi + +if [ "$1" == "" ]; then + CN=$1 +else + CN=RootCA +fi + +echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'" +echo "Enter the PassPhrase for your Key: " +`stty -echo` +read PASSPHRASE +`stty echo` + +if [ ! -e /private/ca.ekey ]; then + # Create a regaular rsa encrypted key + openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF +$PASSPHRASE +EOF +fi + +if [ ! -e /private/ca.key ]; then + # Move to a Java/Filesystem readable key. Note that this one is NOT Encrypted. + openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF +$PASSPHRASE +EOF +fi +chmod 400 private/ca.key private/ca.ekey + + +if [ -e subject.aaf ]; then + SUBJECT="-subj /CN=$CN`cat subject.aaf`" +else + SUBJECT="" +fi + +# Generate a CA Certificate +openssl req -config openssl.conf \ + -key private/ca.key \ + -new -x509 -days 7300 -sha256 -extensions v3_ca \ + $SUBJECT \ + -out certs/ca.crt + +if [ -e certs/ca.crt ]; then + # All done, print result + openssl x509 -text -noout -in certs/ca.crt +fi diff --git a/conf/CA/openssl.conf b/conf/CA/openssl.conf new file mode 100644 index 00000000..528c14d2 --- /dev/null +++ b/conf/CA/openssl.conf @@ -0,0 +1,131 @@ +# OpenSSL root CA configuration file. +# Copy to `/opt/app/osaaf/CA/openssl.cnf`. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = . +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/private/ca.key +certificate = $dir/certs/ca.crt + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/ca.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 60 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = optional +organizationName = match +organizationalUnitName = supplied +commonName = supplied + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See <https://en.wikipedia.org/wiki/Certificate_signing_request>. +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = +stateOrProvinceName_default = +localityName_default = +0.organizationName_default = +organizationalUnitName_default = +emailAddress_default = + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server, client +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation +extendedKeyUsage = serverAuth, clientAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning diff --git a/conf/CA/p12.sh b/conf/CA/p12.sh new file mode 100644 index 00000000..f490b187 --- /dev/null +++ b/conf/CA/p12.sh @@ -0,0 +1,23 @@ +# +# Create a p12 file from local certs +# +echo "FQI (Fully Qualified Identity): " +read FQI + +if [ "$1" = "" ]; then + MACH=$FQI +else + MACH=$1 +fi + +# Add Cert AND Intermediate CAs (Clients will have Root CAs (or not)) + cat $MACH.crt > $MACH.chain + for CA in `ls intermediateCAs`; do + cat "intermediateCAs/$CA" >> $MACH.chain + done + + # Make a pkcs12 keystore, a jks keystore and a pem keystore + rm -f $MACH.p12 + # Note: Openssl will pickup and load all Certs in the Chain file + openssl pkcs12 -name $FQI -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12 + diff --git a/conf/CA/subject.aaf b/conf/CA/subject.aaf new file mode 100644 index 00000000..b7227e19 --- /dev/null +++ b/conf/CA/subject.aaf @@ -0,0 +1 @@ +/OU=OSAAF/O=ONAP/C=US |