X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=generateKeys.sh;h=d032a7b6aa832a6810acf28d41bda1af02cdfd9e;hb=33ef004d3397046e13bc94533c81ccc3261d6a9c;hp=adde5df70ab8bfc07e7c71352bce8c4cb8d08749;hpb=b0e4b0f69e273752f2d0291f25de0159ea08d60b;p=nre.git
diff --git a/generateKeys.sh b/generateKeys.sh
index adde5df..d032a7b 100755
--- a/generateKeys.sh
+++ b/generateKeys.sh
@@ -1,154 +1,68 @@ -#!/bin/sh +#!/bin/bash # this script generates a set of sample keys -DOMAIN="cacert.local" -KEYSIZE=4096 -PRIVATEPW="changeit" +set -e -[ -f config ] && . ./config - - -rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl +. structure +. commonFunctions +mkdir -p generated +cd generated ####### create various extensions files for the various certificate types ###### cat < ca.cnf -basicConstraints = CA:true -subjectKeyIdentifier = hash -keyUsage = keyCertSign, cRLSign -crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl -authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt -TESTCA +basicConstraints = critical,CA:true +keyUsage =critical, keyCertSign, cRLSign -cat < subca.cnf -basicConstraints = CA:true subjectKeyIdentifier = hash -keyUsage = keyCertSign, cRLSign -crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl -authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt -TESTCA +authorityKeyIdentifier = keyid:always -cat < req.cnf -basicConstraints = critical,CA:false -keyUsage = keyEncipherment, digitalSignature -extendedKeyUsage=serverAuth -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -#crlDistributionPoints=URI:http://www.my.host/ca.crl -#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ +crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl +authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt TESTCA -cat < reqClient.cnf -basicConstraints = critical,CA:false -keyUsage = keyEncipherment, digitalSignature -extendedKeyUsage=clientAuth -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -#crlDistributionPoints=URI:http://www.my.host/ca.crl -#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ -TESTCA - -cat < reqMail.cnf -basicConstraints = critical,CA:false -keyUsage = keyEncipherment, digitalSignature 
-extendedKeyUsage=emailProtection -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -#crlDistributionPoints=URI:http://www.my.host/ca.crl -#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ -TESTCA - -genKey(){ #subj, internalName - openssl genrsa -out $2.key ${KEYSIZE} - openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs" -} +rootSign(){ # csr + POLICY=ca.cnf + if [[ "$1" != "root" ]] ; then + KNAME=$1 + POLICY=subca.cnf + . ../CAs/${KNAME} + cat < subca.cnf -genca(){ #subj, internalName - mkdir $2.ca +basicConstraints =critical, CA:true +keyUsage =critical, keyCertSign, cRLSign - genKey "$1" "$2.ca/key" - - mkdir $2.ca/newcerts - echo 01 > $2.ca/serial - touch $2.ca/db - echo unique_subject = no >$2.ca/db.attr +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always -} +crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl +authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt -caSign(){ # csr,ca,config - cd $2.ca - openssl ca -cert key.crt -keyfile key.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3 - cd .. 
-} +certificatePolicies=@polsect -rootSign(){ # csr - caSign "$1.ca/key" root subca.cnf -} +[polsect] +policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID} +CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps" -genTimeCA(){ #csr,ca, - cat < timesubca.cnf -basicConstraints = CA:true -subjectKeyIdentifier = hash -keyUsage = keyCertSign, cRLSign -crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl -authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt TESTCA - caSign $1 $2 timesubca.cnf - rm timesubca.cnf -} - -genserver(){ #key, subject, config - openssl genrsa -out $1.key ${KEYSIZE} - openssl req -new -key $1.key -out $1.csr -subj "$2" - caSign $1 env15_1 "$3" - - openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12 - + fi + caSign "$1.ca/key" root $POLICY } # Generate the super Root CA genca "/CN=Cacert-gigi testCA" root -openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf +#echo openssl x509 -req $ROOT_VALIDITY -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf +rootSign root # generate the various sub-CAs -genca "/CN=Environment" env -rootSign env -genca "/CN=Unassured" unassured -rootSign unassured -genca "/CN=Assured" assured -rootSign assured -genca "/CN=Codesigning" codesign -rootSign codesign -genca "/CN=Orga" orga -rootSign orga -genca "/CN=Orga sign" orgaSign -rootSign orgaSign - -genca "/CN=Environment 2015-1" env15_1 -genTimeCA env15_1.ca/key env -genKey "/CN=Unassured 2015-1" unassured15_1 -genTimeCA unassured15_1 unassured - -cat env15_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt - -# generate environment-keys specific to gigi. 
-# first the server keys -genserver www "/CN=www.${DOMAIN}" req.cnf -genserver secure "/CN=secure.${DOMAIN}" req.cnf -genserver static "/CN=static.${DOMAIN}" req.cnf -genserver api "/CN=api.${DOMAIN}" req.cnf - -# then the email signing key -genserver mail "/emailAddress=support@${DOMAIN}" reqMail.cnf - -# then environment-keys for cassiopeia -genserver signer_client "/CN=CAcert signer handler 1" reqClient.cnf -genserver signer_server "/CN=CAcert signer 1" req.cnf - -rm ca.cnf subca.cnf req.cnf reqMail.cnf reqClient.cnf - -for local in www secure static api signer_client signer_server mail; do - openssl verify -CAfile root.ca/key.crt -untrusted env.chain.crt $local.crt +for ca in $STRUCT_CAS; do + . ../CAs/$ca + genca "/CN=$name" $ca + rootSign $ca done -rm env.chain.crt + +rm ca.cnf subca.cnf + + +
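Review bot: rootSign writes `${CPSID}`, `${KNAME}` and `${DOMAIN}` straight into subca.cnf after sourcing `../CAs/${KNAME}`, and the new `set -e` does not catch an unset variable, so a CA file that omits CPSID yields `policyIdentifier = 1.3.6.1.4.1.18506.9.` and an empty DOMAIN yields `http://g2.crl./g2/root.crl` style URIs in the issued certificates instead of a failure. Changing the strict-mode line to `set -eu` (or adding `: "${CPSID:?}" "${DOMAIN:?}"` right after the `. ../CAs/${KNAME}` line) makes the script stop before a malformed extension file is fed to `openssl ca`. The unquoted `$ca`, `$name` and `$POLICY` in `genca "/CN=$name" $ca` and `caSign "$1.ca/key" root $POLICY` would also be safer as `"$ca"`, `"$name"` and `"$POLICY"`. caSign and genca are now defined outside this hunk (presumably in commonFunctions), so whether `rootSign root` still produces a self-signed root the way the removed `openssl x509 -req -signkey` line did cannot be checked here.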