[Keys] a certificate structure that looks like the planned future.
authorFelix Dörre <felix@dogcraft.de>
Tue, 5 Aug 2014 00:18:59 +0000 (02:18 +0200)
committerFelix Dörre <felix@dogcraft.de>
Tue, 5 Aug 2014 15:57:13 +0000 (17:57 +0200)
Therefore updated:
- signer to take same default ca
- truststore generation
- privateKeys pkcs12 generation (for including the cert chain)
...

keys/.gitignore
keys/generateKeys.sh
keys/generateTruststore.sh
keys/selfsign.config
util/org/cacert/gigi/util/SimpleSigner.java

index 9fe39e3e7a858d3d62aaedd2d6d4ac9d695cba2d..9d5b0c261b0dd0f55976ea3dda4e732ef5ecd6e7 100644 (file)
@@ -1,9 +1,13 @@
+#generated keys
 *.crt
 *.csr
 *.key
 *.pkcs12
-testca
+*.ca
+*.crl
 csr
 crt
-testca.crl
+
+# user specific generation config
 config
+
index f0c2649220048f0efa8cf0f712bf1ef890d7c256..e316cb6087f98a792a7d84417e96fa3c590da03c 100755 (executable)
 # this script generates a set of sample keys
 DOMAIN="cacert.local"
 KEYSIZE=4096
+PRIVATEPW="changeit"
+
 [ -f config ] && . config
 
 
-rm -Rf *.csr *.crt *.key *.pkcs12 testca
+rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
+
+
+####### create various extensions files for the various certificate types ######
+cat <<TESTCA > test_ca.cnf
+subjectKeyIdentifier = hash
+#extendedKeyUsage = critical
+basicConstraints = CA:true
+keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
+TESTCA
+
+cat <<TESTCA > test_subca.cnf
+subjectKeyIdentifier = hash
+#extendedKeyUsage = critical,
+basicConstraints = CA:true
+keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
+TESTCA
 
-openssl genrsa -out testca.key ${KEYSIZE}
-openssl req -new -key testca.key -out testca.csr -subj "/CN=local cacert-gigi testCA" -config selfsign.config
-openssl x509 -req -days 365 -in testca.csr -signkey testca.key -out testca.crt
+cat <<TESTCA > test_req.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
 
-mkdir testca
-mkdir testca/newcerts
-echo 01 > testca/serial
-touch testca/db
-echo unique_subject = no >testca/db.attr
+cat <<TESTCA > test_reqMail.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=emailProtection
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
 
-genserver(){
 
-openssl genrsa -out $1.key ${KEYSIZE}
-openssl req -new -key $1.key -out $1.csr -subj "/CN=$1.${DOMAIN}" -config selfsign.config
-openssl ca -cert testca.crt -keyfile testca.key -in $1.csr -out $1.crt -days 356 -batch -config selfsign.config
+function genca(){ #subj, internalName
 
-openssl pkcs12 -inkey $1.key -in $1.crt -name $1 -export -passout pass:changeit -out $1.pkcs12
+    openssl genrsa -out $2.key ${KEYSIZE}
+    openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+    
+    mkdir $2.ca
+    mkdir $2.ca/newcerts
+    echo 01 > $2.ca/serial
+    touch $2.ca/db
+    echo unique_subject = no >$2.ca/db.attr
+
+}
+
+function caSign(){ # key,ca,config
+    pushd $2.ca
+    openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
+    popd
+}
 
-keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore         ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "changeit"
+function rootSign(){ # key
+    caSign $1 root test_subca.cnf
+}
 
+function genserver(){ #key, subject, config
+    openssl genrsa -out $1.key ${KEYSIZE}
+    openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config
+    caSign $1 env "$3"
+    
+    openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
+    
+    keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "$PRIVATEPW"
 }
 
-genserver www
-genserver secure
-genserver static
-genserver api
 
-keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "changeit"
+# Generate the super Root CA
+genca "/CN=Cacert-gigi testCA" root
+openssl x509 -req -days 365 -in root.csr -signkey root.key -out root.crt -extfile test_ca.cnf
+
+# generate the various sub-CAs
+genca "/CN=Environment" env
+rootSign env
+genca "/CN=Unassured" unassured
+rootSign unassured
+genca "/CN=Assured" assured
+rootSign assured
+genca "/CN=Codesigning" codesign
+rootSign codesign
+genca "/CN=Timestamping" timestamp
+rootSign timestamp
+genca "/CN=Orga" orga
+rootSign orga
+genca "/CN=Orga sign" orgaSign
+rootSign orgaSign
+
+
+cat env.crt root.crt > env.chain.crt
+
+# generate orga-keys specific to gigi.
+# first the server keys
+genserver www "/CN=www.${DOMAIN}" test_req.cnf
+genserver secure "/CN=secure.${DOMAIN}" test_req.cnf
+genserver static "/CN=static.${DOMAIN}" test_req.cnf
+genserver api "/CN=api.${DOMAIN}" test_req.cnf
+
+# then the email signing key
+genserver mail "/emailAddress=support@${DOMAIN}" test_reqMail.cnf
+
+keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "$PRIVATEPW"
+
+rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf
+rm env.chain.crt
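Review bot: `test_subca.cnf` is a byte-for-byte copy of `test_ca.cnf`, so every intermediate signed via `rootSign` (env, unassured, assured, codesign, …) gets an unconstrained `basicConstraints = CA:true` and no `authorityKeyIdentifier`, meaning any of them can mint further CAs and chain building from the env-issued server certs falls back to subject-name matching. Since the commit message says this layout is meant to look like the planned production structure, the constraints should be modelled too: `basicConstraints = critical,CA:true,pathlen:0` and `authorityKeyIdentifier = keyid:always,issuer:always` in the sub-CA file (and `keyCertSign, cRLSign` is all a CA needs in `keyUsage`). Separately, the new `PRIVATEPW` is only honoured by `-deststorepass`; `openssl pkcs12 -passout pass:changeit` and `-srcstorepass "changeit"` remain hard-coded, so overriding it in `config` still leaves every per-key `.pkcs12` protected by the default — use `-passout "pass:$PRIVATEPW"` / `-srcstorepass "$PRIVATEPW"` or a separate variable. The script also has no `set -e`, so a failed `openssl ca` inside `caSign` is silently followed by `pkcs12`/`keytool` on a missing `.crt`.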
index a51481de3d8130058bbff0fef857ad947a5e6e67..0c5aedc2c2d575b8b5e2b501ffb6a928200dcbb0 100755 (executable)
@@ -1,11 +1,20 @@
-#!/bin/sh
+#!/bin/bash
 # this script imports the cacert root certs
 
+rm -f ../config/cacerts.jks
+
 #wget -N http://www.cacert.org/certs/root.crt
 #wget -N http://www.cacert.org/certs/class3.crt
 
 #keytool -importcert -keystore ../config/cacerts.jks -file root.crt -alias root -storepass "changeit" $1
 #keytool -importcert -keystore ../config/cacerts.jks -file class3.crt -alias class3 -storepass "changeit" $1
-keytool -importcert -keystore ../config/cacerts.jks -file testca.crt -alias own -storepass "changeit" $1
+
+function import(){
+  keytool -importcert -keystore ../config/cacerts.jks -file "$1.crt" -alias own -storepass "changeit" -alias "$1" $2
+}
+
+import root -noprompt
+import assured
+import unassured
 
 keytool -list -keystore ../config/cacerts.jks -storepass "changeit"
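Review bot: `import()` passes `-alias own` and then `-alias "$1"` on the same keytool invocation; the stale `own` alias from the old single-testca line should be dropped rather than relying on keytool taking the last occurrence, i.e. `keytool -importcert -keystore ../config/cacerts.jks -file "$1.crt" -alias "$1" -storepass "changeit" $2`. It would also help to note why only root, assured and unassured are imported and env is not — presumably the env-issued server certs are expected to present the full chain from the pkcs12, but that is not stated anywhere in this file. `-noprompt` on the self-signed root means its fingerprint is never shown or checked, which is fine for locally generated test keys but worth a one-line comment so it is not copied into a script that imports a downloaded root.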
index 1b98363a30c5f2c644c81c8dffb0e6f918abe3cf..2e3ea576c5008bf0dc038babd9e4cd601a9d2cab 100644 (file)
@@ -3,8 +3,6 @@ distinguished_name=dn
 #req_extensions=ext
 
 [dn]
-commonName = cn
-
 [ext]
 subjectAltName=
 
@@ -12,9 +10,9 @@ subjectAltName=
 default_ca=ca1
 
 [ca1]
-new_certs_dir=testca/newcerts
-database=testca/db
-serial=testca/serial
+new_certs_dir=newcerts
+database=db
+serial=serial
 default_md=sha256
 email_in_dn=salat
 policy=ca1_pol
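Review bot: The `[ca1]` paths `newcerts`, `db` and `serial` are now relative, so `openssl ca` only works when invoked with the per-CA directory (`<name>.ca`) as its working directory; nothing in this file records that, and running it from `keys/` would silently create a fresh `db`/`serial` there and fail or issue from an empty index. Suggest a comment above the section: `# paths are relative to the per-CA working directory (<name>.ca); generateKeys.sh and SimpleSigner cd there before calling openssl ca`. The `email_in_dn=salat` context line looks like a placeholder value rather than the documented `yes`/`no` — worth confirming what OpenSSL does with it.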
@@ -33,3 +31,6 @@ extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
 [ca1_pol]
 commonName              = optional
 subjectAltName          = optional
+organizationName       = optional
+organizationalUnitName = optional
+emailAddress           = optional
\ No newline at end of file
index 5144e5724db7f09635b3b21aa7c9d81e7adc8ef5..9752dbf3d1c137271ac47cfb97fd865335e6e3ab 100644 (file)
@@ -123,17 +123,17 @@ public class SimpleSigner {
             String[] call = new String[] {
                     "openssl", "ca",//
                     "-cert",
-                    "testca.crt",//
+                    "../unassured.crt",//
                     "-keyfile",
-                    "testca.key",//
+                    "../unassured.key",//
                     "-revoke",
-                    "../" + crt.getPath(),//
+                    "../../" + crt.getPath(),//
                     "-batch",//
                     "-config",
-                    "selfsign.config"
+                    "../selfsign.config"
 
             };
-            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys"));
+            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
             System.out.println("revoking: " + crt.getPath());
             if (p1.waitFor() == 0) {
                 worked = true;
@@ -154,19 +154,19 @@ public class SimpleSigner {
         String[] call = new String[] {
                 "openssl", "ca",//
                 "-cert",
-                "testca.crt",//
+                "../unassured.crt",//
                 "-keyfile",
-                "testca.key",//
+                "../unassured.key",//
                 "-gencrl",//
                 "-crlhours",//
                 "12",//
                 "-out",
-                "testca.crl",//
+                "../unassured.crl",//
                 "-config",
-                "selfsign.config"
+                "../selfsign.config"
 
         };
-        Process p1 = Runtime.getRuntime().exec(call, null, new File("keys"));
+        Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
         if (p1.waitFor() != 0) {
             System.out.println("Error while generating crl.");
         }
@@ -211,31 +211,31 @@ public class SimpleSigner {
             String[] call = new String[] {
                     "openssl", "ca",//
                     "-in",
-                    "../" + csrname,//
+                    "../../" + csrname,//
                     "-cert",
-                    "testca.crt",//
+                    "../unassured.crt",//
                     "-keyfile",
-                    "testca.key",//
+                    "../unassured.key",//
                     "-out",
-                    "../" + crt.getPath(),//
+                    "../../" + crt.getPath(),//
                     "-days",
                     "356",//
                     "-batch",//
                     "-md",
                     rs.getString("md"),//
                     "-extfile",
-                    f.getName(),//
+                    "../" + f.getName(),//
 
                     "-subj",
                     rs.getString("subject"),//
                     "-config",
-                    "selfsign.config"//
+                    "../selfsign.config"//
 
             };
             if (ct == CSRType.SPKAC) {
                 call[2] = "-spkac";
             }
-            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys"));
+            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
 
             int waitFor = p1.waitFor();
             f.delete();
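Review bot: Every request is now signed by the `unassured` CA regardless of the requester's assurance state (`-cert ../unassured.crt` / `-keyfile ../unassured.key`), so certificates for assured members would still chain to the Unassured intermediate even though the commit introduces separate assured/orga/codesign CAs. If that is the intended interim state, say so at the call site, e.g. `// TODO: select the issuing CA (unassured/assured/orga…) from the request's assurance level; everything currently goes through unassured`. The CA name is repeated here and in the revoke and gencrl hunks, including the `keys/unassured.ca` working directory; a single `private static final String DEFAULT_CA = "unassured";` would keep those in step when the selection is added. The context `-days 356` looks like a typo for 365 — worth confirming. The enclosing method starts and ends outside the hunk.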