diff options
| author | Erich Eckner <git@eckner.net> | 2019-09-02 11:47:33 +0200 |
|---|---|---|
| committer | Erich Eckner <git@eckner.net> | 2019-09-02 12:03:10 +0200 |
| commit | ff7a3622bc6b8002a2ca6c8c26668f4e1daa70df (patch) | |
| tree | ab4993267e075f24c0d3717bb05b28772fbb1728 | |
| parent | 4b146b607885a0a0543c68ee553f7a6c64e1fe30 (diff) | |
| download | simple-pki-ff7a3622bc6b8002a2ca6c8c26668f4e1daa70df.tar.xz | |
sign-ca functional
| -rw-r--r-- | Makefile | 6 | ||||
| -rw-r--r-- | etc/.gitignore | 2 | ||||
| -rw-r--r-- | etc/ca-ssl.conf.in (renamed from etc/ca.conf.in) | 0 | ||||
| -rw-r--r-- | etc/ca.conf (renamed from ca.conf) | 6 | ||||
| -rw-r--r-- | etc/server-ssl.conf (renamed from etc/server.conf) | 0 | ||||
| -rwxr-xr-x | sign-ca.in | 96 |
6 files changed, 61 insertions, 49 deletions
@@ -27,13 +27,13 @@ MANDIR = /usr/share/man VERSION = 0.0 -all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request etc/ca.conf +all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request etc/ca-ssl.conf %: %.in sed " \ s/#VERSION#/$(VERSION)/; \ - s@#BINDIR#@$(BINDIR)@; \ - s@#ETCDIR#@$(ETCDIR)@; \ + s@#BINDIR#@$(BINDIR)@g; \ + s@#ETCDIR#@$(ETCDIR)@g; \ s@#HELPTEXT#\(\s\+\)#@ --help \1display this help and exit\n --version\1display version and exit@; \ " $< > $@ [ "$@" = "sign-ca" ] && chmod +x "$@" || true diff --git a/etc/.gitignore b/etc/.gitignore index ebd5f03..a7a2421 100644 --- a/etc/.gitignore +++ b/etc/.gitignore @@ -1 +1 @@ -ca.conf +ca-ssl.conf diff --git a/etc/ca.conf.in b/etc/ca-ssl.conf.in index 78d211f..78d211f 100644 --- a/etc/ca.conf.in +++ b/etc/ca-ssl.conf.in @@ -1,10 +1,6 @@ #!/bin/bash -# details of the ca -ca_name='eckner-ca' -ca_subject_prefix='/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net' - -# generate new ca key/cert afther this many days +# how long do we keep the old signature of the root-ca (days) ca_min_duration=60 # which system user owns the ca diff --git a/etc/server.conf b/etc/server-ssl.conf index 337a7a4..337a7a4 100644 --- a/etc/server.conf +++ b/etc/server-ssl.conf @@ -1,11 +1,9 @@ #!/bin/bash -# generate new ca certificate, roll over the old one(s) +# generate new ca certificates, roll over the old one(s) set -e -key_dir='#ETCDIR#/simple-pki/keys' - if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then . '#ETCDIR#/simple-pki/ca.conf' fi @@ -15,54 +13,72 @@ if [ -n "${ca_user}" ] \ exec su "${ca_user}" -c "$0" fi -if [ -f "${key_dir}/${ca_name}.key.new" ] \ -&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then - if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \ - || [ ! -f "${key_dir}/${ca_name}.key" ] \ - || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \ - || [ ! -f "${key_dir}/${ca_name}.crt" ]; then - mv "${key_dir}/${ca_name}.key"{.new,} - mv "${key_dir}/${ca_name}.crt"{.new,} +for ca in root signing; do + mkdir -p '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db' '#ETCDIR#/simple-pki/crl' '#ETCDIR#/simple-pki/certs' + chmod 700 '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' + if [ ! -f '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' ]; then + cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' + cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db.attr' + echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crt.srl' + echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crl.srl' fi -fi +done -if [ ! -f "${key_dir}/${ca_name}.key.new" ] \ -|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then - openssl req -new \ - -newkey rsa:4096 -sha256 \ - -keyout "${key_dir}/${ca_name}.key.new" \ - -out "${key_dir}/${ca_name}.csr.new" \ - -nodes \ - -subj "${ca_subject_prefix}"'/CN=Certification Authority' \ - -addext 'subjectKeyIdentifier = hash' \ - -addext 'basicConstraints = critical, CA:true' \ - -addext 'keyUsage = keyCertSign, cRLSign' - if [ -f "${key_dir}/${ca_name}.key" ]; then - previous_key="${key_dir}/${ca_name}.key" +if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then + if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \ + || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then + mv \ + '#ETCDIR#/simple-pki/ca/root-ca.crt' \ + '#ETCDIR#/simple-pki/ca/root-ca.crt.old' else - previous_key="${key_dir}/${ca_name}.key.new" + >&2 echo 'nothing to do: "old" root certificate is too new' + exit fi - openssl req -x509 \ - -sha256 \ - -in "${key_dir}/${ca_name}.csr.new" \ - -key "${previous_key}" \ - -out "${key_dir}/${ca_name}.crt.new" \ - -days 365 -nodes \ - -addext 'subjectKeyIdentifier = hash' \ - -addext 'authorityKeyIdentifier = keyid:always, issuer' \ - -addext 'basicConstraints = critical, CA:true' \ - -addext 'keyUsage = keyCertSign, cRLSign' - rm "${key_dir}/${ca_name}.csr.new" fi +if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then + mv \ + '#ETCDIR#/simple-pki/ca/signing-ca.crt' \ + '#ETCDIR#/simple-pki/ca/signing-ca.crt.old' +fi + +CA=root-ca openssl req -new \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key' + +CA=root-ca openssl ca -batch -name root_ca -selfsign \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \ + -extensions root_ca_ext + +CA=signing-ca openssl req -new \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \ + -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key' + +CA=root-ca openssl ca -batch -name root_ca \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \ + -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \ + -extensions signing_ca_ext + +rm \ + '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + '#ETCDIR#/simple-pki/ca/signing-ca.csr' + rsync --ignore-missing-args \ - "${key_dir}/${ca_name}.crt"{.new,} \ + '#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \ "${remote_host}:${remote_dir}/" ( - cd "${key_dir}" + cd '#ETCDIR#/simple-pki/ca/' find . -maxdepth 1 \ - -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \ + -type f \( \ + -name root-ca.crt -o \ + -name root-ca.crt.old \ + \) \ -printf '%TY-%Tm-%TdT%TT ' \ -exec sha512sum {} \; \ | sed ' |