From: Felix Dörre
Date: Fri, 3 Apr 2015 19:20:27 +0000 (+0200)
Subject: adding general (simple) structure and profiles
X-Git-Url: https://code.wpia.club/?p=nre.git;a=commitdiff_plain;h=b0e4b0f69e273752f2d0291f25de0159ea08d60b
adding general (simple) structure and profiles
--- b0e4b0f69e273752f2d0291f25de0159ea08d60b
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 0000000..e3f159d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+*.csr
+*.crt
+*.key
+*.pkcs12
+*.ca
+*.crl
+config
+
+
+# Editor files
+*~
diff --git a/generateKeys.sh b/generateKeys.sh
new file mode 100755
index 0000000..adde5df
--- /dev/null
+++ b/generateKeys.sh
@@ -0,0 +1,154 @@
+#!/bin/sh
+# this script generates a set of sample keys
+DOMAIN="cacert.local"
+KEYSIZE=4096
+PRIVATEPW="changeit"
+
+[ -f config ] && . ./config
+
+
+rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
+
+
+####### create various extensions files for the various certificate types ######
+cat < ca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
+TESTCA
+
+cat < subca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
+TESTCA
+
+cat < req.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+cat < reqClient.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+cat < reqMail.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=emailProtection
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+genKey(){ #subj, internalName
+ openssl genrsa -out $2.key ${KEYSIZE}
+ openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+
+}
+
+genca(){ #subj, internalName
+ mkdir $2.ca
+
+ genKey "$1" "$2.ca/key"
+
+ mkdir $2.ca/newcerts
+ echo 01 > $2.ca/serial
+ touch $2.ca/db
+ echo unique_subject = no >$2.ca/db.attr
+
+}
+
+caSign(){ # csr,ca,config
+ cd $2.ca
+ openssl ca -cert key.crt -keyfile key.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
+ cd ..
+}
+
+rootSign(){ # csr
+ caSign "$1.ca/key" root subca.cnf
+}
+
+genTimeCA(){ #csr,ca,
+ cat < timesubca.cnf
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+keyUsage = keyCertSign, cRLSign
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
+TESTCA
+ caSign $1 $2 timesubca.cnf
+ rm timesubca.cnf
+}
+
+genserver(){ #key, subject, config
+ openssl genrsa -out $1.key ${KEYSIZE}
+ openssl req -new -key $1.key -out $1.csr -subj "$2"
+ caSign $1 env15_1 "$3"
+
+ openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
+
+}
+
+
+# Generate the super Root CA
+genca "/CN=Cacert-gigi testCA" root
+openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf
+
+# generate the various sub-CAs
+genca "/CN=Environment" env
+rootSign env
+genca "/CN=Unassured" unassured
+rootSign unassured
+genca "/CN=Assured" assured
+rootSign assured
+genca "/CN=Codesigning" codesign
+rootSign codesign
+genca "/CN=Orga" orga
+rootSign orga
+genca "/CN=Orga sign" orgaSign
+rootSign orgaSign
+
+genca "/CN=Environment 2015-1" env15_1
+genTimeCA env15_1.ca/key env
+genKey "/CN=Unassured 2015-1" unassured15_1
+genTimeCA unassured15_1 unassured
+
+cat env15_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt
+
+# generate environment-keys specific to gigi.
+# first the server keys
+genserver www "/CN=www.${DOMAIN}" req.cnf
+genserver secure "/CN=secure.${DOMAIN}" req.cnf
+genserver static "/CN=static.${DOMAIN}" req.cnf
+genserver api "/CN=api.${DOMAIN}" req.cnf
+
+# then the email signing key
+genserver mail "/emailAddress=support@${DOMAIN}" reqMail.cnf
+
+# then environment-keys for cassiopeia
+genserver signer_client "/CN=CAcert signer handler 1" reqClient.cnf
+genserver signer_server "/CN=CAcert signer 1" req.cnf
+
+rm ca.cnf subca.cnf req.cnf reqMail.cnf reqClient.cnf
+
+for local in www secure static api signer_client signer_server mail; do
+ openssl verify -CAfile root.ca/key.crt -untrusted env.chain.crt $local.crt
+done
+rm env.chain.crt
diff --git a/profiles/0001-client.cfg b/profiles/0001-client.cfg
new file mode 100644
index 0000000..6e88e3a
--- /dev/null
+++ b/profiles/0001-client.cfg
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth
+days=732
diff --git a/profiles/0002-mail.cfg b/profiles/0002-mail.cfg
new file mode 100644
index 0000000..8a2cdff
--- /dev/null
+++ b/profiles/0002-mail.cfg
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=emailProtection
+days=732
diff --git a/profiles/0003-client-mail.cfg b/profiles/0003-client-mail.cfg
new file mode 100644
index 0000000..861d069
--- /dev/null
+++ b/profiles/0003-client-mail.cfg
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth, emailProtection
+days=732
diff --git a/profiles/0004-server.cfg b/profiles/0004-server.cfg
new file mode 100644
index 0000000..e8f931d
--- /dev/null
+++ b/profiles/0004-server.cfg
@@ -0,0 +1,4 @@
+ca=unassured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=serverAuth
+days=732
diff --git a/profiles/0005-client-a.cfg b/profiles/0005-client-a.cfg
new file mode 100644
index 0000000..1d8cc2e
--- /dev/null
+++ b/profiles/0005-client-a.cfg
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth
+days=732
diff --git a/profiles/0006-mail-a.cfg b/profiles/0006-mail-a.cfg
new file mode 100644
index 0000000..911c3db
--- /dev/null
+++ b/profiles/0006-mail-a.cfg
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=emailProtection
+days=732
diff --git a/profiles/0007-client-mail-a.cfg b/profiles/0007-client-mail-a.cfg
new file mode 100644
index 0000000..34a7e98
--- /dev/null
+++ b/profiles/0007-client-mail-a.cfg
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth, emailProtection
+days=732
diff --git a/profiles/0008-server-a.cfg b/profiles/0008-server-a.cfg
new file mode 100644
index 0000000..6bdb7c7
--- /dev/null
+++ b/profiles/0008-server-a.cfg
@@ -0,0 +1,4 @@
+ca=assured
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=serverAuth
+days=732
diff --git a/profiles/0009-code-a.cfg b/profiles/0009-code-a.cfg
new file mode 100644
index 0000000..39f3e48
--- /dev/null
+++ b/profiles/0009-code-a.cfg
@@ -0,0 +1,4 @@
+ca=codesign
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=codeSigning, msCodeInd, msCodeCom
+days=732
diff --git a/profiles/0010-client-orga.cfg b/profiles/0010-client-orga.cfg
new file mode 100644
index 0000000..85228bc
--- /dev/null
+++ b/profiles/0010-client-orga.cfg
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth
+days=732
diff --git a/profiles/0011-mail-orga.cfg b/profiles/0011-mail-orga.cfg
new file mode 100644
index 0000000..e2cd318
--- /dev/null
+++ b/profiles/0011-mail-orga.cfg
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=emailProtection
+days=732
diff --git a/profiles/0012-client-mail-orga.cfg b/profiles/0012-client-mail-orga.cfg
new file mode 100644
index 0000000..9444004
--- /dev/null
+++ b/profiles/0012-client-mail-orga.cfg
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=clientAuth, emailProtection
+days=732
diff --git a/profiles/0013-server-orga.cfg b/profiles/0013-server-orga.cfg
new file mode 100644
index 0000000..303c9c2
--- /dev/null
+++ b/profiles/0013-server-orga.cfg
@@ -0,0 +1,4 @@
+ca=orga
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=serverAuth
+days=732
diff --git a/profiles/0014-code-orga.cfg b/profiles/0014-code-orga.cfg
new file mode 100644
index 0000000..e1ddea2
--- /dev/null
+++ b/profiles/0014-code-orga.cfg
@@ -0,0 +1,4 @@
+ca=orgaSign
+ku=digitalSignature, keyEncipherment, keyAgreement
+eku=codeSigning, msCodeInd, msCodeCom
+days=732
diff --git a/selfsign.config b/selfsign.config
new file mode 100755
index 0000000..e4d389f
--- /dev/null
+++ b/selfsign.config
@@ -0,0 +1,20 @@
+[ca]
+default_ca=ca1
+
+[ca1]
+new_certs_dir=newcerts
+database=db
+serial=serial
+default_md=sha256
+policy=ca1_pol
+
+
+[ca1_pol]
+commonName = optional
+subjectAltName = optional
+organizationName = optional
+organizationalUnitName = optional
+emailAddress = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
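Review bot: The pkcs12 export in genserver hardcodes `-passout pass:changeit` even though the script defines `PRIVATEPW="changeit"` and lets `./config` override it, so a PRIVATEPW set in config never reaches the exported bundles; use `-passout "pass:${PRIVATEPW}"`, or better `export PRIVATEPW` and `-passout env:PRIVATEPW` so the password also stays out of process listings. caSign does `cd $2.ca` with no check and the script never sets `set -e`, so if that directory is missing (e.g. an earlier mkdir in genca failed) `openssl ca` runs in the working directory and the trailing `cd ..` leaves every later step one level up; `cd "$2.ca" || exit 1` (or a `( cd "$2.ca" && … )` subshell) plus `set -eu` after the shebang would stop that, and the closing `openssl verify` loop should likewise exit non-zero on any failure instead of only printing. As rendered here the `cat < ca.cnf` lines read a file rather than write one, and the `TESTCA` terminator suggests a here-document whose `<<TESTCA >` redirection was lost in rendering, which is worth confirming against the raw file. The unquoted `$1`/`$2` expansions (`mkdir $2.ca`, `$local.crt`) work for the fixed names used here but will break if the helpers are ever reused with names containing spaces.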
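Review bot: Every profile, including the code-signing ones (0009-code-a.cfg, 0014-code-orga.cfg) and the server ones (0004, 0008, 0013), carries the same `ku=digitalSignature, keyEncipherment, keyAgreement`, which is broader than each end-entity type needs: keyAgreement only applies to DH/ECDH keys, and a code-signing certificate needs nothing beyond digitalSignature. Assuming these keys are fed to the X.509 keyUsage extension (the consumer of these files is not in this commit), narrowing per profile, e.g. `ku=digitalSignature` for 0009 and 0014, keeps issued certificates to least privilege; profiles 0002 through 0014 repeat the same line verbatim. The format (`ca=`, `ku=`, `eku=`, `days=`) is not documented anywhere in the commit, so a short README in profiles/ naming the reader of these files and the meaning of each key would help, since it cannot be confirmed from here whether the format permits comments.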
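Review bot: The file has no comments, and `new_certs_dir=newcerts`, `database=db` and `serial=serial` are relative paths that only resolve because caSign in generateKeys.sh does `cd $2.ca` before passing `-config ../selfsign.config`; a header such as `# used by generateKeys.sh: openssl ca is run from inside a <name>.ca directory, where genca creates newcerts/, db and serial` would make that dependency explicit. `policy=ca1_pol` marks every DN component optional, so `openssl ca` accepts whatever subject the CSR presents; for a throwaway test CA that is presumably deliberate, but a comment like `# test CA: no subject constraints` would stop someone copying it into a real CA unchanged. `copy_extensions` is left unset, so extensions come solely from the `-extfile` the script supplies rather than from the request, which is the safe default and also worth one line of comment.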