Diffstat (limited to 'conf')
-rw-r--r-- | conf/CA/README.txt | 38 | ||||
-rw-r--r-- | conf/CA/cfg.pkcs11 | 3 | ||||
-rw-r--r-- | conf/CA/clean.sh | 1 | ||||
-rw-r--r-- | conf/CA/intermediate.sh | 57 | ||||
-rw-r--r-- | conf/CA/manual.sh | 84 | ||||
-rw-r--r-- | conf/CA/newIntermediate.sh | 60 | ||||
-rw-r--r-- | conf/CA/newca.sh | 57 | ||||
-rw-r--r-- | conf/CA/openssl.conf | 131 | ||||
-rwxr-xr-x | conf/CA/p11.sh | 39 | ||||
-rw-r--r-- | conf/CA/p12.sh | 22 | ||||
-rw-r--r-- | conf/CA/san.conf | 15 | ||||
-rw-r--r-- | conf/CA/subject.aaf | 1 | ||||
-rw-r--r-- | conf/CA/truststore.sh | 2 |
13 files changed, 510 insertions, 0 deletions
diff --git a/conf/CA/README.txt b/conf/CA/README.txt
new file mode 100644
index 00000000..0fd261f2
--- /dev/null
+++ b/conf/CA/README.txt
@@ -0,0 +1,38 @@
+#
+# NOTE: This README is "bash" capable. bash README.txt
+#
+# create simple but reasonable directory structure
+mkdir -p private certs newcerts
+chmod 700 private
+chmod 755 certs newcerts
+touch index.txt
+echo '01' > serial
+
+echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+echo "Enter the PassPhrase for your Key: "
+`stty -echo`
+#read PASSPHRASE
+PASSPHRASE=HunkyDoryDickoryDock
+`stty echo`
+
+# Create a regaular rsa encrypted key
+openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF
+$PASSPHRASE
+EOF
+
+# Move to a Java readable time, not this one is NOT Encrypted.
+openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF
+$PASSPHRASE
+EOF
+chmod 400 private/ca.key private/ca.ekey
+
+# Generate a CA Certificate
+openssl req -config openssl.conf \
+ -key private/ca.key \
+ -new -x509 -days 7300 -sha256 -extensions v3_ca \
+ -out certs/ca.crt << EOF
+$PASSPHRASE
+EOF
+
+# All done, print result
+openssl x509 -text -noout -in certs/ca.crt
diff --git a/conf/CA/cfg.pkcs11 b/conf/CA/cfg.pkcs11
new file mode 100644
index 00000000..0c12c6bf
--- /dev/null
+++ b/conf/CA/cfg.pkcs11
@@ -0,0 +1,3 @@
+name = shsm
+library = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+slot = 0
diff --git a/conf/CA/clean.sh b/conf/CA/clean.sh
new file mode 100644
index 00000000..593a0a6c
--- /dev/null
+++ b/conf/CA/clean.sh
@@ -0,0 +1 @@
+rm -Rf private certs newcerts index* serial* intermediate.serial intermediate_*
diff --git a/conf/CA/intermediate.sh b/conf/CA/intermediate.sh
new file mode 100644
index 00000000..b2071504
--- /dev/null
+++ b/conf/CA/intermediate.sh
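Review bot: The passphrase is hard-coded in a committed file — `#read PASSPHRASE` is commented out and replaced by `PASSPHRASE=HunkyDoryDickoryDock` — and the AES-256 key written to `private/ca.ekey` is immediately re-exported with `-nocrypt` to `private/ca.key`, so the encryption protects nothing and the root key sits in plaintext beside a known passphrase. Restore the prompt as `read -r -s PASSPHRASE` (the `-s` also makes the `stty -echo`/`stty echo` lines and the 'stty sane' warning unnecessary) and delete the literal. Both key files are created under the default umask and only tightened afterwards by `chmod 400`; a `umask 077` at the top closes that window. The comment `# Move to a Java readable time, not this one is NOT Encrypted.` should read `# Convert to PKCS#8 so Java can read it; note that this copy is NOT encrypted.`.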
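Review bot: `slot = 0` pins the provider to PKCS#11 slot ID 0, but this file is meant to be used after p11.sh has run `softhsm2-util --init-token`, and SoftHSM2 reassigns a token's slot ID when the token is initialized (the tool prints the new ID), so slot 0 is unlikely to hold the token afterwards. If this is a SunPKCS11 configuration, which the `name`/`library`/`slot` keys suggest, `slotListIndex = 0` selects the first slot that actually has a token and is the robust choice; otherwise copy the ID softhsm2-util reports into this file. A one-line comment, `# use slotListIndex, not slot: SoftHSM2 reassigns slot IDs on --init-token`, would stop the next reader from reverting it.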
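Review bot: `rm -Rf private certs newcerts ...` acts on whatever the current directory happens to be, so run from the wrong place it deletes unrelated `private`/`certs` trees, and run from the right place it destroys the root CA key with no confirmation. Guard it with a marker check before the `rm`, e.g. `[ -f openssl.conf ] || { echo "clean.sh: run from the CA directory" >&2; exit 1; }`, and consider requiring an explicit `--force` argument for the destructive path. The glob `intermediate_*` also removes every intermediate CA's private key along with the root's, which the one-line script gives no hint of; a header comment stating that is the minimum.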
@@ -0,0 +1,57 @@
+#
+# Initialize a manual Cert. This is NOT entered in Certman Records
+#
+ if [ -e intermediate.serial ]; then
+ ((SERIAL=`cat intermediate.serial` + 1))
+ else
+ SERIAL=1
+ fi
+ echo $SERIAL > intermediate.serial
+DIR=intermediate_$SERIAL
+
+mkdir -p $DIR/private $DIR/certs $DIR/newcerts
+chmod 700 $DIR/private
+chmod 755 $DIR/certs $DIR/newcerts
+touch $DIR/index.txt
+if [ ! -e $DIR/serial ]; then
+ echo '01' > $DIR/serial
+fi
+cp manual.sh p12.sh subject.aaf $DIR
+
+if [ "$1" == "" ]; then
+ CN=intermediateCA_$SERIAL
+else
+ CN=$1
+fi
+
+SUBJECT="/CN=$CN`cat subject.aaf`"
+echo $SUBJECT
+ echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+ echo "Enter the PassPhrase for the Key for $CN: "
+ `stty -echo`
+ read PASSPHRASE
+ `stty echo`
+
+ # Create a regaular rsa encrypted key
+ openssl req -new -newkey rsa:4096 -sha256 -keyout $DIR/private/ca.key \
+ -out $DIR/$CN.csr -outform PEM -subj "$SUBJECT" \
+ -passout stdin << EOF
+$PASSPHRASE
+EOF
+
+ chmod 400 $DIR/private/$CN.key
+ openssl req -verify -text -noout -in $DIR/$CN.csr
+
+ # Sign it
+ openssl ca -config openssl.conf -extensions v3_intermediate_ca \
+ -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
+ -infiles $DIR/$CN.csr
+
+ openssl x509 -text -noout -in $DIR/certs/ca.crt
+
+
+ openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
+
+
+
+
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
new file mode 100644
index 00000000..00a23ec8
--- /dev/null
+++ b/conf/CA/manual.sh
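Review bot: `chmod 400 $DIR/private/$CN.key` names a file that is never created — the key is written by `-keyout $DIR/private/ca.key` a few lines earlier — so the new intermediate's private key is left with default-umask permissions; the line should be `chmod 400 $DIR/private/ca.key`. The `openssl ca` call that signs the CSR passes no `-days`, so the intermediate certificate takes `default_days = 60` from openssl.conf, far shorter than the 360-day leaf certificates the copied manual.sh will issue under it; pass an explicit `-days` for an issuing CA. `read PASSPHRASE` should be `read -r -s PASSPHRASE`, which also removes the need for the `stty` lines. The header comment is copied from manual.sh and is wrong here; `# Initialize an Intermediate CA under the root in the current directory.` plus a note on how this script differs from the near-identical newIntermediate.sh would help.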
@@ -0,0 +1,84 @@
+#
+# Initialize a manual Cert. This is NOT entered in Certman Records
+#
+echo "FQI (Fully Qualified Identity): "
+read FQI
+if [ "$1" = "" -o "$1" = "-local" ]; then
+ echo "Personal Certificate"
+ SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`"
+ NAME=$FQI
+else
+ echo "Application Certificate"
+ SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`"
+ FQDN=$1
+ NAME=$FQDN
+ shift
+
+ echo "Enter any SANS, delimited by spaces: "
+ read SANS
+fi
+
+# Do SANs
+if [ "$SANS" = "" ]; then
+ echo no SANS
+ if [ -e $NAME.san ]; then
+ rm $NAME.san
+ fi
+ else
+ echo some SANS
+ cp ../san.conf $NAME.san
+ NUM=1
+ for D in $SANS; do
+ echo "DNS.$NUM = $D" >> $NAME.san
+ NUM=$((NUM+1))
+ done
+fi
+
+echo $SUBJECT
+
+if [ -e $NAME.csr ]; then
+ SIGN_IT=true
+else
+ if [ "$1" = "-local" ]; then
+ echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+ echo "Enter the PassPhrase for the Key for $FQI: "
+ `stty -echo`
+ read PASSPHRASE
+ `stty echo`
+
+ # remove any previous Private key
+ rm private/$NAME.key
+ # Create j regaular rsa encrypted key
+ openssl req -new -newkey rsa:2048 -sha256 -keyout private/$NAME.key \
+ -out $NAME.csr -outform PEM -subj "$SUBJECT" \
+ -passout stdin << EOF
+$PASSPHRASE
+EOF
+ chmod 400 private/$NAME.key
+ SIGN_IT=true
+ else
+ echo openssl req -newkey rsa:2048 -sha256 -keyout $NAME.key -out $NAME.csr -outform PEM -subj '"'$SUBJECT'"'
+ echo chmod 400 $NAME.key
+ echo "# All done, print result"
+ echo openssl req -verify -text -noout -in $NAME.csr
+ fi
+fi
+
+if [ "$SIGN_IT" = "true" ]; then
+ # Sign it
+ if [ -e $NAME.san ]; then
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ -cert certs/ca.crt -keyfile private/ca.key \
+ -policy policy_loose \
+ -days 360 \
+ -extfile $NAME.san \
+ -infiles $NAME.csr
+ else
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ -cert certs/ca.crt -keyfile private/ca.key \
+ -policy policy_loose \
+ -days 360 \
+ -infiles 
$NAME.csr
+ fi
+fi
+
diff --git a/conf/CA/newIntermediate.sh b/conf/CA/newIntermediate.sh
new file mode 100644
index 00000000..88b524b9
--- /dev/null
+++ b/conf/CA/newIntermediate.sh
@@ -0,0 +1,60 @@
+#
+# Initialize an Intermediate CA Cert.
+#
+ if [ -e intermediate.serial ]; then
+ ((SERIAL=`cat intermediate.serial` + 1))
+ else
+ SERIAL=1
+ fi
+ echo $SERIAL > intermediate.serial
+DIR=intermediate_$SERIAL
+
+mkdir -p $DIR/private $DIR/certs $DIR/newcerts
+chmod 700 $DIR/private
+chmod 755 $DIR/certs $DIR/newcerts
+touch $DIR/index.txt
+if [ ! -e $DIR/serial ]; then
+ echo '01' > $DIR/serial
+fi
+cp manual.sh p12.sh subject.aaf cfg.pkcs11 p11.sh $DIR
+
+if [ "$1" == "" ]; then
+ CN=intermediateCA_$SERIAL
+else
+ CN=$1
+fi
+
+SUBJECT="/CN=$CN`cat subject.aaf`"
+echo $SUBJECT
+ echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+ echo "Enter the PassPhrase for the Key for $CN: "
+ `stty -echo`
+ read PASSPHRASE
+ `stty echo`
+
+ # Create a regaular rsa encrypted key
+ openssl req -new -newkey rsa:2048 -sha256 -keyout $DIR/private/ca.key \
+ -out $DIR/$CN.csr -outform PEM -subj "$SUBJECT" \
+ -passout stdin << EOF
+$PASSPHRASE
+EOF
+
+ chmod 400 $DIR/private/$CN.key
+ openssl req -verify -text -noout -in $DIR/$CN.csr
+
+ # Sign it
+ openssl ca -config openssl.conf -extensions v3_intermediate_ca \
+ -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
+ -infiles $DIR/$CN.csr
+
+ openssl x509 -text -noout -in $DIR/certs/ca.crt
+
+
+ openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
+
+
+# Create a Signer p12 script
+echo openssl pkcs12 -export -name aaf_$DIR \
+ -in certs/ca.crt -inkey private/ca.key \
+ -out aaf_$DIR.p12 >> $DIR/signerP12.sh
+
diff --git a/conf/CA/newca.sh b/conf/CA/newca.sh
new file mode 100644
index 00000000..5f49f38a
--- /dev/null
+++ b/conf/CA/newca.sh
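Review bot: Personal certificates (the no-argument and `-local` branches) are signed with `-extensions server_cert`, the same profile as application certificates, so every user certificate carries the `serverAuth` EKU and `nsCertType = server` even though openssl.conf defines `usr_cert` for exactly this case. Choose the section per branch — `EXT=usr_cert` next to `SUBJECT="/CN=$FQI/OU=V1..."`, `EXT=server_cert` in the application branch — and pass `-extensions $EXT` to both `openssl ca` calls; the `.san` copy of the section only ever applies to the application path. Note also that when `$NAME.csr` already exists the script signs it without checking that its subject matches the `$SUBJECT` it just echoed; under `policy_loose` the issued subject is the CSR's, so the printed one can be misleading. `rm private/$NAME.key` is unconditional and prints an error on first use; `rm -f` is intended.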
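Review bot: Two issues in the key handling: `chmod 400 $DIR/private/$CN.key` refers to a file that does not exist (the key was written to `$DIR/private/ca.key` by `-keyout`), so the intermediate CA key keeps default-umask permissions, and the `openssl ca` signing call passes no `-days`, so the intermediate certificate inherits `default_days = 60` from openssl.conf while the leaf certificates manual.sh issues under it get 360 days. Fix the first with `chmod 400 $DIR/private/ca.key` and give the second an explicit `-days` appropriate for an issuing CA. The script also uses `rsa:2048` for the intermediate key while intermediate.sh and the root use 4096; if that is deliberate (e.g. for the SoftHSM import in p11.sh) a comment should say so. The `signerP12.sh` it appends to is a script that will export the intermediate's private key into `aaf_$DIR.p12`; a header comment such as `# exports the CA private key — chmod 400 the result and keep it off shared storage` belongs on the generated line.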
@@ -0,0 +1,57 @@
+#
+# NOTE: This README is "bash" capable. bash README.txt
+#
+# create simple but reasonable directory structure
+mkdir -p private certs newcerts
+chmod 700 private
+chmod 755 certs newcerts
+touch index.txt
+if [ ! -e serial ]; then
+ echo '01' > serial
+fi
+
+if [ "$1" == "" ]; then
+ CN=$1
+else
+ CN=RootCA
+fi
+
+echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+echo "Enter the PassPhrase for your Key: "
+`stty -echo`
+read PASSPHRASE
+`stty echo`
+
+if [ ! -e /private/ca.ekey ]; then
+ # Create a regaular rsa encrypted key
+ openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF
+$PASSPHRASE
+EOF
+fi
+
+if [ ! -e /private/ca.key ]; then
+ # Move to a Java/Filesystem readable key. Note that this one is NOT Encrypted.
+ openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF
+$PASSPHRASE
+EOF
+fi
+chmod 400 private/ca.key private/ca.ekey
+
+
+if [ -e subject.aaf ]; then
+ SUBJECT="-subj /CN=$CN`cat subject.aaf`"
+else
+ SUBJECT=""
+fi
+
+# Generate a CA Certificate
+openssl req -config openssl.conf \
+ -key private/ca.key \
+ -new -x509 -days 7300 -sha256 -extensions v3_ca \
+ $SUBJECT \
+ -out certs/ca.crt
+
+if [ -e certs/ca.crt ]; then
+ # All done, print result
+ openssl x509 -text -noout -in certs/ca.crt
+fi
diff --git a/conf/CA/openssl.conf b/conf/CA/openssl.conf
new file mode 100644
index 00000000..528c14d2
--- /dev/null
+++ b/conf/CA/openssl.conf
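Review bot: The CN selection is inverted — `if [ "$1" == "" ]; then CN=$1 else CN=RootCA fi` yields an empty CN when no argument is given and ignores the argument when one is; `CN=${1:-RootCA}` is what was meant. More seriously, the reuse guards test absolute paths, `[ ! -e /private/ca.ekey ]` and `[ ! -e /private/ca.key ]`, which never exist, so a second run silently regenerates and overwrites the root CA key and then issues a fresh root certificate with `openssl req -x509`; both tests must be `private/ca.ekey` and `private/ca.key`. `read PASSPHRASE` should be `read -r -s PASSPHRASE`, which also removes the `stty` lines, and a `umask 077` before the keys are written closes the window before `chmod 400`. The header comment still says `# NOTE: This README is "bash" capable. bash README.txt`, copied from README.txt; replace it with what this script does, e.g. `# Create the root CA key (encrypted + unencrypted PKCS#8 copy) and the self-signed root certificate.`.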
@@ -0,0 +1,131 @@
+# OpenSSL root CA configuration file.
+# Copy to `/opt/app/osaaf/CA/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = .
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key
+certificate = $dir/certs/ca.crt
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 60
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = supplied
+commonName = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default =
+stateOrProvinceName_default =
+localityName_default =
+0.organizationName_default =
+organizationalUnitName_default =
+emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/conf/CA/p11.sh b/conf/CA/p11.sh
new file mode 100755
index 00000000..fdc0a3f9
--- /dev/null
+++ b/conf/CA/p11.sh
@@ -0,0 +1,39 @@
+#
+# Import the keys and certs to pkcs11 based softhsm
+#
+
+if [ "$#" -ne 3 ]; then
+ echo "Usage: p11.sh <user pin> <so pin> <id>"
+ exit 1
+fi
+
+LIB_PATH=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+
+mkdir -p p11key p11crt cacerts
+# Conver the keys and certs to DER format
+# key to der
+openssl rsa -in private/ca.key -outform DER -out p11key/cakey.der
+# cert to der
+cp certs/ca.crt cacerts
+DLIST=`ls -d intermediate_*`
+for DIR in $DLIST; do
+ cp $DIR/certs/ca.crt cacerts/$DIR.crt
+done
+for CA in `ls cacerts`; do
+ openssl x509 -in cacerts/$CA -outform DER -out p11crt/$CA
+done
+
+# create token directory
+mkdir /var/lib/softhsm/tokens
+# create slot
+softhsm2-util --init-token --slot 0 --label "ca token" --pin $1 --so-pin $2
+# import key into softhsm
+pkcs11-tool --module $LIB_PATH -l --pin $1 --write-object p11key/cakey.der --type privkey --id $3
+# import certs into softhsm
+for CRT in `ls cacerts`; do
+ pkcs11-tool --module $LIB_PATH -l --pin $1 --write-object p11crt/$CRT --type cert --id $3
+done
+
+rm -r p11key
+rm -r p11crt
+rm -r cacerts
diff --git a/conf/CA/p12.sh b/conf/CA/p12.sh
new file mode 100644
index 00000000..53184e2f
--- /dev/null
+++ b/conf/CA/p12.sh
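Review bot: `[ CA_default ]` points `crl_dir`, `crl` and `crlnumber` at `$dir/crl` and `$dir/crlnumber`, but no script in this commit creates that directory or seeds the `crlnumber` file (README.txt, newca.sh and newIntermediate.sh only `mkdir -p private certs newcerts`), so revocation via `openssl ca -gencrl` cannot work out of the box; add `mkdir -p crl` and `echo 1000 > crlnumber` to the setup scripts or document the manual step here. `default_days = 60` applies to every `openssl ca` call that omits `-days`, which in this commit is the intermediate CA signing in intermediate.sh and newIntermediate.sh, so a comment such as `# deliberately short; CA signings must pass -days explicitly` would make that dependency visible. `copy_extensions` is left at its default, so SANs (and anything else) in a CSR are ignored and must come from `-extfile` (san.conf); that is the safe choice and deserves a one-line comment so nobody enables `copy_extensions = copy` without also tightening the policy. The `server_cert` profile also grants `clientAuth`; if application certificates are meant to act as TLS clients too, say so in the section comment.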
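Review bot: The user and SO PINs are taken from the command line and passed as `--pin $1 --so-pin $2`, so they are visible in `ps` output and shell history on every invocation; both softhsm2-util and pkcs11-tool prompt when the PIN option is omitted, and recent OpenSC versions accept `--pin env:NAME`, so read the PINs with `read -r -s` and use one of those forms instead. `openssl rsa -in private/ca.key -outform DER -out p11key/cakey.der` writes an unencrypted copy of the root key under the default umask and later removes it with plain `rm -r`; set `umask 077` first and prefer `shred -u` where available. Every certificate is imported with the same `--id $3` as the private key; CKA_ID is what PKCS#11 consumers use to pair a certificate with its key, so giving the intermediate certificates the root key's id looks wrong — verify against the consumer and at least derive a distinct id per certificate. `mkdir /var/lib/softhsm/tokens` lacks `-p` and the `ls`-based loops break on unusual names; `mkdir -p` and `for CA in cacerts/*` are the idiomatic forms.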
@@ -0,0 +1,22 @@
+#
+# Create a p12 file from local certs
+#
+echo "FQI (Fully Qualified Identity): "
+read FQI
+
+if [ "$1" = "" ]; then
+ MACH=$FQI
+else
+ MACH=$1
+fi
+
+# Add Cert AND Intermediate CAs (Clients will have Root CAs (or not))
+ cat $MACH.crt > $MACH.chain
+ # Add THIS Intermediate CA into chain
+ cat "certs/ca.crt" >> $MACH.chain
+
+ # Make a pkcs12 keystore, a jks keystore and a pem keystore
+ rm -f $MACH.p12
+ # Note: Openssl will pickup and load all Certs in the Chain file
+ openssl pkcs12 -name $FQI -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12
+
diff --git a/conf/CA/san.conf b/conf/CA/san.conf
new file mode 100644
index 00000000..de9f62f9
--- /dev/null
+++ b/conf/CA/san.conf
@@ -0,0 +1,15 @@
+# SAN Extension
+# Copy, then add DNS.1 = name, etc
+#
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
diff --git a/conf/CA/subject.aaf b/conf/CA/subject.aaf
new file mode 100644
index 00000000..b7227e19
--- /dev/null
+++ b/conf/CA/subject.aaf
@@ -0,0 +1 @@
+/OU=OSAAF/O=ONAP/C=US
diff --git a/conf/CA/truststore.sh b/conf/CA/truststore.sh
new file mode 100644
index 00000000..397f7e70
--- /dev/null
+++ b/conf/CA/truststore.sh
@@ -0,0 +1,2 @@
+echo "FYI, by convention, truststore passwords are 'changeit', but you may add something more sophisticated"
+openssl pkcs12 -export -name AAF_Root_CA -in certs/ca.crt -inkey private/ca.key -out truststore.p12
|
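Review bot: `$MACH.p12` holds the entity's private key (`-inkey private/$MACH.key`) yet is written under the default umask into the working directory and never chmod'ed, unlike the key files in the other scripts; add `chmod 400 $MACH.p12` after the `openssl pkcs12 -export` line, and consider `umask 077` at the top so neither `$MACH.chain` nor the .p12 is ever group/world-readable. `cat $MACH.crt > $MACH.chain` also runs before any check that `$MACH.crt` exists, producing an empty chain and an opaque pkcs12 error; `[ -f $MACH.crt ] || { echo "no $MACH.crt" >&2; exit 1; }` up front is clearer. The comment `# Make a pkcs12 keystore, a jks keystore and a pem keystore` overstates what follows — only the .p12 is produced.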
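Review bot: The truststore is built with `-inkey private/ca.key`, so `truststore.p12` contains the root CA's private key, and the line above tells users to protect it with the conventional 'changeit' password — anything this file is distributed to can issue certificates trusted by the whole deployment. A truststore needs only the certificate: `openssl pkcs12 -export -nokeys -name AAF_Root_CA -in certs/ca.crt -out truststore.p12`. It is also worth a comment stating that a truststore must never contain a key, since the `-inkey` form used by p12.sh and the generated signerP12.sh elsewhere in this commit makes it look like the house style.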