Diffstat (limited to 'conf/CA')
-rw-r--r--conf/CA/README.txt38
-rw-r--r--conf/CA/clean.sh1
-rw-r--r--conf/CA/intermediate.sh57
-rw-r--r--conf/CA/manual.sh55
-rw-r--r--conf/CA/newca.sh57
-rw-r--r--conf/CA/openssl.conf131
-rw-r--r--conf/CA/p12.sh23
-rw-r--r--conf/CA/subject.aaf1
8 files changed, 363 insertions, 0 deletions
diff --git a/conf/CA/README.txt b/conf/CA/README.txt
new file mode 100644
index 00000000..0fd261f2
--- /dev/null
+++ b/conf/CA/README.txt
@@ -0,0 +1,38 @@
+#
+# NOTE: This README is "bash" capable. bash README.txt
+#
+# create simple but reasonable directory structure
+mkdir -p private certs newcerts
+chmod 700 private
+chmod 755 certs newcerts
+touch index.txt
+echo '01' > serial
+
+echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+echo "Enter the PassPhrase for your Key: "
+`stty -echo`
+#read PASSPHRASE
+PASSPHRASE=HunkyDoryDickoryDock
+`stty echo`
+
+# Create a regaular rsa encrypted key
+openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF
+$PASSPHRASE
+EOF
+
+# Move to a Java readable time, not this one is NOT Encrypted.
+openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF
+$PASSPHRASE
+EOF
+chmod 400 private/ca.key private/ca.ekey
+
+# Generate a CA Certificate
+openssl req -config openssl.conf \
+ -key private/ca.key \
+ -new -x509 -days 7300 -sha256 -extensions v3_ca \
+ -out certs/ca.crt << EOF
+$PASSPHRASE
+EOF
+
+# All done, print result
+openssl x509 -text -noout -in certs/ca.crt
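Review bot: The CA key passphrase is hardcoded at `PASSPHRASE=HunkyDoryDickoryDock` with the interactive `read PASSPHRASE` commented out just above it, so the `-aes256` encryption applied to `private/ca.ekey` is protected by a value that lives in the same repository and is effectively no protection at all. Restore the prompt as `read -rs PASSPHRASE` (the `-s` flag suppresses echo, which also makes the `stty` calls unnecessary) and drop the literal. The surrounding `` `stty -echo` `` and `` `stty echo` `` lines run stty in a command substitution and then try to execute its empty output; if they are kept they should be plain `stty -echo` / `stty echo`, and the same pattern appears in intermediate.sh, manual.sh and newca.sh. The here-doc feeding `$PASSPHRASE` to the final `openssl req -key private/ca.key` is unused, since that key was written with `-nocrypt`.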
diff --git a/conf/CA/clean.sh b/conf/CA/clean.sh
new file mode 100644
index 00000000..3df61082
--- /dev/null
+++ b/conf/CA/clean.sh
@@ -0,0 +1 @@
+rm -Rf private certs newcerts index* serial* intermediateCAs
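Review bot: This single line irreversibly deletes the root CA private key (`private/ca.key`, `private/ca.ekey`), the issued-certificate database (`index*`) and the serial counter with no confirmation and no shebang or `set -u` guard. A prompt such as `read -r -p "Delete CA private keys and database in $PWD? [y/N] " ans` followed by `[[ "$ans" == [yY] ]] || exit 1` before the `rm` would prevent an accidental run from destroying a CA that has already signed certificates. Note also that `intermediateCAs` is removed here but nothing else in this change creates a directory of that name; intermediate.sh writes to `intermediate_$SERIAL`.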
diff --git a/conf/CA/intermediate.sh b/conf/CA/intermediate.sh
new file mode 100644
index 00000000..b2071504
--- /dev/null
+++ b/conf/CA/intermediate.sh
@@ -0,0 +1,57 @@
+#
+# Initialize a manual Cert. This is NOT entered in Certman Records
+#
+ if [ -e intermediate.serial ]; then
+ ((SERIAL=`cat intermediate.serial` + 1))
+ else
+ SERIAL=1
+ fi
+ echo $SERIAL > intermediate.serial
+DIR=intermediate_$SERIAL
+
+mkdir -p $DIR/private $DIR/certs $DIR/newcerts
+chmod 700 $DIR/private
+chmod 755 $DIR/certs $DIR/newcerts
+touch $DIR/index.txt
+if [ ! -e $DIR/serial ]; then
+ echo '01' > $DIR/serial
+fi
+cp manual.sh p12.sh subject.aaf $DIR
+
+if [ "$1" == "" ]; then
+ CN=intermediateCA_$SERIAL
+else
+ CN=$1
+fi
+
+SUBJECT="/CN=$CN`cat subject.aaf`"
+echo $SUBJECT
+ echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+ echo "Enter the PassPhrase for the Key for $CN: "
+ `stty -echo`
+ read PASSPHRASE
+ `stty echo`
+
+ # Create a regaular rsa encrypted key
+ openssl req -new -newkey rsa:4096 -sha256 -keyout $DIR/private/ca.key \
+ -out $DIR/$CN.csr -outform PEM -subj "$SUBJECT" \
+ -passout stdin << EOF
+$PASSPHRASE
+EOF
+
+ chmod 400 $DIR/private/$CN.key
+ openssl req -verify -text -noout -in $DIR/$CN.csr
+
+ # Sign it
+ openssl ca -config openssl.conf -extensions v3_intermediate_ca \
+ -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
+ -infiles $DIR/$CN.csr
+
+ openssl x509 -text -noout -in $DIR/certs/ca.crt
+
+
+ openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
+
+
+
+
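Review bot: The `chmod 400 $DIR/private/$CN.key` line targets a file that does not exist, because the key was written by `-keyout $DIR/private/ca.key` a few lines earlier; chmod fails and the new intermediate private key is left with default umask permissions. Change it to `chmod 400 "$DIR/private/ca.key"`, which also matches the `private_key = $dir/private/ca.key` expected by openssl.conf when the copied manual.sh later signs from this directory. `$CN` is taken from `$1` and `$DIR` is derived from it, yet both are expanded unquoted in every `mkdir`, `chmod`, `cp` and `openssl` invocation; quoting them (`"$DIR/private"`, `"$DIR/$CN.csr"`) avoids word-splitting on a CN containing spaces. The `read PASSPHRASE` should be `read -r PASSPHRASE` so a passphrase containing backslashes is not altered.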
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
new file mode 100644
index 00000000..bb891759
--- /dev/null
+++ b/conf/CA/manual.sh
@@ -0,0 +1,55 @@
+#
+# Initialize a manual Cert. This is NOT entered in Certman Records
+#
+echo "FQI (Fully Qualified Identity): "
+read FQI
+if [ "$1" = "" -o "$1" = "-local" ]; then
+ echo "Personal Certificate"
+ SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`"
+else
+ echo "Application Certificate"
+ SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`"
+ FQI=$1
+ shift
+fi
+echo $SUBJECT
+
+if [ -e $FQI.csr ]; then
+ SIGN_IT=true
+else
+ if [ "$1" = "-local" ]; then
+ echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+ echo "Enter the PassPhrase for the Key for $FQI: "
+ `stty -echo`
+ read PASSPHRASE
+ `stty echo`
+
+ # remove any previous Private key
+ rm private/$FQI.key
+ # Create j regaular rsa encrypted key
+ openssl req -new -newkey rsa:2048 -sha256 -keyout private/$FQI.key \
+ -out $FQI.csr -outform PEM -subj "$SUBJECT" \
+ -passout stdin << EOF
+$PASSPHRASE
+EOF
+ chmod 400 private/$FQI.key
+ SIGN_IT=true
+ else
+ echo openssl req -newkey rsa:4096 -sha256 -keyout $FQI.key -out $FQI.csr -outform PEM -subj '"'$SUBJECT'"'
+ echo chmod 400 $FQI.key
+ echo "# All done, print result"
+ echo openssl req -verify -text -noout -in $FQI.csr
+ fi
+fi
+
+if [ "$SIGN_IT" = "true" ]; then
+ # Sign it
+ openssl ca -config ../openssl.conf -extensions server_cert -out $FQI.crt \
+ -cert certs/ca.crt -keyfile private/ca.key \
+ -policy policy_loose \
+ -infiles $FQI.csr
+fi
+
+
+
+
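Review bot: The "Personal Certificate" branch builds a client-style subject but the signing step uses `-extensions server_cert` for both branches, so personal certificates receive `serverAuth` in extendedKeyUsage and `nsCertType = server` and are accepted as TLS server certificates; openssl.conf already defines `usr_cert` for exactly this case but nothing in the change uses it. Set `EXT=usr_cert` in the personal branch and `EXT=server_cert` in the application branch, then sign with `-extensions "$EXT"`. `rm private/$FQI.key` runs without `-f` and prints an error on first use, and `$FQI`, which comes straight from `read FQI`, is expanded unquoted in the `-e` test, the `rm`, the `-keyout` and the `-infiles` argument; `read -r FQI` and quoting each use would make the script robust to unexpected input.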
diff --git a/conf/CA/newca.sh b/conf/CA/newca.sh
new file mode 100644
index 00000000..5f49f38a
--- /dev/null
+++ b/conf/CA/newca.sh
@@ -0,0 +1,57 @@
+#
+# NOTE: This README is "bash" capable. bash README.txt
+#
+# create simple but reasonable directory structure
+mkdir -p private certs newcerts
+chmod 700 private
+chmod 755 certs newcerts
+touch index.txt
+if [ ! -e serial ]; then
+ echo '01' > serial
+fi
+
+if [ "$1" == "" ]; then
+ CN=$1
+else
+ CN=RootCA
+fi
+
+echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+echo "Enter the PassPhrase for your Key: "
+`stty -echo`
+read PASSPHRASE
+`stty echo`
+
+if [ ! -e /private/ca.ekey ]; then
+ # Create a regaular rsa encrypted key
+ openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF
+$PASSPHRASE
+EOF
+fi
+
+if [ ! -e /private/ca.key ]; then
+ # Move to a Java/Filesystem readable key. Note that this one is NOT Encrypted.
+ openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF
+$PASSPHRASE
+EOF
+fi
+chmod 400 private/ca.key private/ca.ekey
+
+
+if [ -e subject.aaf ]; then
+ SUBJECT="-subj /CN=$CN`cat subject.aaf`"
+else
+ SUBJECT=""
+fi
+
+# Generate a CA Certificate
+openssl req -config openssl.conf \
+ -key private/ca.key \
+ -new -x509 -days 7300 -sha256 -extensions v3_ca \
+ $SUBJECT \
+ -out certs/ca.crt
+
+if [ -e certs/ca.crt ]; then
+ # All done, print result
+ openssl x509 -text -noout -in certs/ca.crt
+fi
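Review bot: The idempotence guards `if [ ! -e /private/ca.ekey ]` and `if [ ! -e /private/ca.key ]` test absolute paths at the filesystem root while the keys are written to the relative `private/` directory, so both branches run on every invocation and `openssl genrsa ... -out private/ca.ekey` overwrites an existing root CA key, making every previously issued certificate unverifiable. Change them to `if [ ! -e private/ca.ekey ]; then` and `if [ ! -e private/ca.key ]; then`. The CN selection is also inverted: `if [ "$1" == "" ]; then CN=$1 else CN=RootCA` yields an empty CN when no argument is given and ignores the argument when one is; it should read `if [ "$1" == "" ]; then CN=RootCA; else CN=$1; fi`. As in README.txt, `read PASSPHRASE` should be `read -r PASSPHRASE` and the `$SUBJECT` string relies on unquoted word-splitting to pass `-subj` and its value as two arguments, which breaks if subject.aaf ever contains a space.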
diff --git a/conf/CA/openssl.conf b/conf/CA/openssl.conf
new file mode 100644
index 00000000..528c14d2
--- /dev/null
+++ b/conf/CA/openssl.conf
@@ -0,0 +1,131 @@
+# OpenSSL root CA configuration file.
+# Copy to `/opt/app/osaaf/CA/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = .
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key
+certificate = $dir/certs/ca.crt
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 60
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = supplied
+commonName = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default =
+stateOrProvinceName_default =
+localityName_default =
+0.organizationName_default =
+organizationalUnitName_default =
+emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
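Review bot: `[ CA_default ]` points revocation at `crl_dir = $dir/crl`, `crlnumber = $dir/crlnumber` and `crl = $dir/crl/ca.crl.pem`, but no script in this change creates the `crl` directory or the `crlnumber` file (README.txt and newca.sh create only `private certs newcerts`, `index.txt` and `serial`), so `openssl ca -gencrl` against this configuration would fail until they are added. Adding `mkdir -p crl` and `echo '1000' > crlnumber` alongside the existing `echo '01' > serial` in newca.sh would make the CRL settings usable. A short comment under `[ usr_cert ]` noting that it is intended for the personal-certificate path in manual.sh would help, since that script currently signs everything with `server_cert`.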
diff --git a/conf/CA/p12.sh b/conf/CA/p12.sh
new file mode 100644
index 00000000..f490b187
--- /dev/null
+++ b/conf/CA/p12.sh
@@ -0,0 +1,23 @@
+#
+# Create a p12 file from local certs
+#
+echo "FQI (Fully Qualified Identity): "
+read FQI
+
+if [ "$1" = "" ]; then
+ MACH=$FQI
+else
+ MACH=$1
+fi
+
+# Add Cert AND Intermediate CAs (Clients will have Root CAs (or not))
+ cat $MACH.crt > $MACH.chain
+ for CA in `ls intermediateCAs`; do
+ cat "intermediateCAs/$CA" >> $MACH.chain
+ done
+
+ # Make a pkcs12 keystore, a jks keystore and a pem keystore
+ rm -f $MACH.p12
+ # Note: Openssl will pickup and load all Certs in the Chain file
+ openssl pkcs12 -name $FQI -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12
+
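Review bot: The chain is assembled with `for CA in `ls intermediateCAs``, which parses `ls` output and word-splits on any filename containing whitespace; a glob is the safe form: `for CA in intermediateCAs/*; do [ -e "$CA" ] || continue; cat "$CA" >> "$MACH.chain"; done`. Nothing in this change creates an `intermediateCAs` directory (intermediate.sh writes `intermediate_$SERIAL`), so as written the `ls` prints an error and the loop is a no-op, producing a chain that holds only the leaf certificate. `$MACH` and `$FQI` come from `$1` and `read FQI` and are expanded unquoted in the `cat`, `rm` and `openssl pkcs12` arguments; `read -r FQI` and `"$MACH.crt"`-style quoting are needed. The comment "Make a pkcs12 keystore, a jks keystore and a pem keystore" overstates what follows, which creates only the .p12.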
diff --git a/conf/CA/subject.aaf b/conf/CA/subject.aaf
new file mode 100644
index 00000000..b7227e19
--- /dev/null
+++ b/conf/CA/subject.aaf
@@ -0,0 +1 @@
+/OU=OSAAF/O=ONAP/C=US