]> WPIA git - nre.git/blob - generateInfra.sh
projects / nre.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
upd: find libfaketime platform independently
[nre.git] / generateInfra.sh
1 #!/bin/bash
2 #
3 set -e
4
5 [ "$1" == "" ] && echo "Usage: $0 <year>" && exit 1
6 year=$1
7
8 . structure
9 . commonFunctions
10
11 cd generated
12
13 CRL="
14 crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/$year/env-1.crl
15 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/$year/env-1.crt"
16
17 cat <<TESTCA > req.cnf
18 basicConstraints = critical,CA:false
19 keyUsage = keyEncipherment, digitalSignature
20 extendedKeyUsage=serverAuth
21
22 subjectKeyIdentifier = hash
23 authorityKeyIdentifier = keyid:always
24 $CRL
25 TESTCA
26
27 cat <<TESTCA > reqClient.cnf
28 basicConstraints = critical,CA:false
29 keyUsage = keyEncipherment, digitalSignature
30 extendedKeyUsage=clientAuth
31
32 subjectKeyIdentifier = hash
33 authorityKeyIdentifier = keyid:always
34 $CRL
35 TESTCA
36
37 cat <<TESTCA > reqMail.cnf
38 basicConstraints = critical,CA:false
39 keyUsage = keyEncipherment, digitalSignature
40 extendedKeyUsage=emailProtection
41
42 subjectKeyIdentifier = hash
43 authorityKeyIdentifier = keyid:always
44 $CRL
45 TESTCA
46
47 genserver(){ #key, subject, config
48     openssl genrsa -out $1.key ${KEYSIZE}
49     openssl req -new -key $1.key -out $1.csr -subj "$2"
50     caSign $1 $year/ca/env_${year}_1 "$3" "${year}${points[1]}" "$((${year} + 2))${points[1]}"
51     
52     TZ=UTC LD_PRELOAD=`ls /usr/lib/*/faketime/libfaketime.so.1` FAKETIME="${year}-01-01 00:00:00" openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12 -name "$4"
53     
54 }
55
56 mkdir -p $year/keys
57
58 cat $year/ca/env_${year}_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
59
60 # generate environment-keys specific to gigi.
61 # first the server keys
62 genserver $year/keys/www "/CN=www.${DOMAIN}" req.cnf www
63 genserver $year/keys/secure "/CN=secure.${DOMAIN}" req.cnf secure
64 genserver $year/keys/static "/CN=static.${DOMAIN}" req.cnf static
65 genserver $year/keys/api "/CN=api.${DOMAIN}" req.cnf api
66
67 # then the email signing key
68 genserver $year/keys/mail "/emailAddress=support@${DOMAIN}" reqMail.cnf mail
69
70 # then environment-keys for cassiopeia
71 genserver $year/keys/signer_client "/CN=CAcert signer handler 1" reqClient.cnf signer_client
72 genserver $year/keys/signer_server "/CN=CAcert signer 1" req.cnf signer_server
73
74 rm req.cnf reqMail.cnf reqClient.cnf
75
76
77 rm env.chain.crt
WPIA Root Certificate Generation Procedure