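#!/usr/bin/env bash
#
# Streamlined AAF Bootstrap initial Cert
# Removed Variables so it can be run for AutoDeployments
#
# Usage: bootstrap SIGNER_P12 [PASSPHRASE]
#   SIGNER_P12  PKCS#12 holding the signer CA; a self-signed CA is created
#               and exported here when the file does not exist
#   PASSPHRASE  passphrase for the signer key / P12 files (a weak built-in
#               default is used when omitted; a warning goes to stderr)
#
# Reads (cwd):  openssl.conf, subject.aaf, san.conf, san_root.aaf
# Writes (cwd): private/ certs/ newcerts/ index.txt index.txt.attr serial
#               aaf.bootstrap.p12 aaf.bootstrap.issuer
#
# All intermediate key material (signer key/cert, bootstrap key, CSR, cert,
# chain, SAN file) is kept in a private mktemp directory that is removed on
# every exit path, rather than under fixed names in /tmp that any local user
# could read or pre-create.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'Usage: %s SIGNER_P12 [PASSPHRASE]\n' "${0##*/}" >&2
  exit 2
}

# Emit each argument as one stdin line for openssl -passin/-passout stdin,
# so the passphrase never appears on an openssl command line.
pass_lines() { printf '%s\n' "$@"; }

(( $# >= 1 )) || usage
for f in openssl.conf subject.aaf san.conf san_root.aaf; do
  [ -r "$f" ] || die "missing input file: $f"
done

echo "Bootstrap AAF Certificate"
mkdir -p private certs newcerts
chmod 700 private
chmod 755 certs newcerts
touch index.txt
echo "unique_subject = no" > index.txt.attr
if [ ! -e ./serial ]; then
  echo "$(date +%s)_$(shuf -i 0-1000000 -n 1)" > ./serial
fi

NAME=aaf.bootstrap
FQDN="${HOSTNAME:=$(hostname -f)}"
FQI=aaf@aaf.osaaf.org
SUBJECT="/CN=$FQDN/OU=$FQI$(cat subject.aaf)"
SIGNER_P12=$1
PASSPHRASE=${2:-}
# The original test compared the literal string "PASSPHRASE", so the default
# never applied; an empty $2 now falls back to it (and says so).
if [ "$PASSPHRASE" = "" ]; then
  PASSPHRASE="something easy"
  printf 'warning: no passphrase given, using the built-in default\n' >&2
fi

# Private working directory (mode 0700) for every temporary artefact; the EXIT
# trap removes it even when an openssl step fails under set -e.
WORK=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORK:?}"; }
trap cleanup EXIT
SIGNER_KEY=$WORK/aaf_signer.key
SIGNER_CRT=$WORK/aaf_signer.crt
BOOTSTRAP_SAN=$WORK/$NAME.san
BOOTSTRAP_KEY=$WORK/$NAME.key
BOOTSTRAP_CSR=$WORK/$NAME.csr
BOOTSTRAP_CRT=$WORK/$NAME.crt
BOOTSTRAP_CHAIN=$WORK/$NAME.chain
BOOTSTRAP_P12=$NAME.p12
BOOTSTRAP_ISSUER=$NAME.issuer

# If Signer doesn't exist, create Self-Signed CA
if [ ! -e "$SIGNER_P12" ]; then
  # Creating Signer CA
  pass_lines "$PASSPHRASE" | openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \
    -newkey rsa:4096 -subj "/CN=Signer$(cat subject.aaf)" \
    -keyout "$SIGNER_KEY" -out "$SIGNER_CRT" -days 365 -passout stdin
  # Move to P12 (Signer)
  pass_lines "$PASSPHRASE" "$PASSPHRASE" "$PASSPHRASE" | openssl pkcs12 -name RootCA -export \
    -in "$SIGNER_CRT" -inkey "$SIGNER_KEY" -out "$SIGNER_P12" -passin stdin -passout stdin
else
  # Get Private key from P12
  pass_lines "$PASSPHRASE" "$PASSPHRASE" | openssl pkcs12 -in "$SIGNER_P12" -nocerts -nodes \
    -passin stdin -passout stdin -out "$SIGNER_KEY"
  # Get Cert from P12
  pass_lines "$PASSPHRASE" | openssl pkcs12 -in "$SIGNER_P12" -clcerts -nokeys \
    -passin stdin -out "$SIGNER_CRT"
fi

# SANS: the FQDN, the host name, every root in san_root.aaf plus the fixed
# service prefixes under each root, and the aaf-* container names.
cp san.conf "$BOOTSTRAP_SAN"
SANS=$FQDN
# string comparison (-ne is for integers and errors on host names)
if [ "$FQDN" != "$HOSTNAME" ]; then
  SANS="$SANS $HOSTNAME"
fi
# san_root.aaf is a whitespace-separated list of domains; splitting into
# words is the intended reading.
# shellcheck disable=SC2013
for ROOT in $(cat san_root.aaf); do
  SANS="$SANS $ROOT"
  for C in service locate oauth gui cm hello; do
    SANS="$SANS $C.$ROOT"
  done
done
for C in service locate oauth gui cm hello; do
  SANS="$SANS aaf-$C"
  SANS="$SANS aaf-$C.onap"
done
NUM=1
for D in $SANS; do
  echo "DNS.$NUM = $D" >> "$BOOTSTRAP_SAN"
  NUM=$((NUM+1))
done

# Create CSR
pass_lines "$PASSPHRASE" | openssl req -new -newkey rsa:2048 -nodes -keyout "$BOOTSTRAP_KEY" \
  -out "$BOOTSTRAP_CSR" -outform PEM -subj "$SUBJECT" \
  -passout stdin
echo Sign it
pass_lines "$PASSPHRASE" | openssl ca -batch -config openssl.conf -extensions server_cert \
  -cert "$SIGNER_CRT" -keyfile "$SIGNER_KEY" \
  -policy policy_loose \
  -days 365 \
  -passin stdin \
  -out "$BOOTSTRAP_CRT" \
  -extfile "$BOOTSTRAP_SAN" \
  -infiles "$BOOTSTRAP_CSR"

# Make a P12
# Add THIS Intermediate CA into chain; both certs are echoed for the deploy log
cat "$BOOTSTRAP_CRT"
cp "$BOOTSTRAP_CRT" "$BOOTSTRAP_CHAIN"
cat "$SIGNER_CRT" >> "$BOOTSTRAP_CHAIN"
cat "$BOOTSTRAP_CHAIN"
# Note: Openssl will pickup and load all Certs in the Chain file
pass_lines "$PASSPHRASE" "$PASSPHRASE" "$PASSPHRASE" | openssl pkcs12 -name "$FQI" -export \
  -in "$BOOTSTRAP_CHAIN" -inkey "$BOOTSTRAP_KEY" -out "$BOOTSTRAP_P12" -passin stdin -passout stdin

# Make Issuer name: take the signer subject in the legacy "/X=a/Y=b" form,
# reverse the RDN order and join with ", " (e.g. "/CN=x/OU=y" -> "OU=y, CN=x").
# -nameopt compat pins that form across OpenSSL versions instead of cutting at
# a fixed column, and splitting on "/" keeps RDN values containing spaces whole.
ISSUER=$(openssl x509 -subject -noout -nameopt compat -in "$SIGNER_CRT")
ISSUER=${ISSUER#subject=}
ISSUER=${ISSUER# }
CADI_X509_ISSUER=""
IFS='/' read -r -a RDNS <<< "$ISSUER"
for I in "${RDNS[@]}"; do
  [ -n "$I" ] || continue   # leading "/" yields an empty first field
  if [ -n "$CADI_X509_ISSUER" ]; then
    CADI_X509_ISSUER=", $CADI_X509_ISSUER"
  fi
  CADI_X509_ISSUER="$I$CADI_X509_ISSUER"
done
printf '%s\n' "$CADI_X509_ISSUER" > "$BOOTSTRAP_ISSUER"
# Cleanup of $WORK (keys, CSR, cert, chain, SAN file) happens in the EXIT trap.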