######################################################################
#
# Make file to be installed in /etc/raddb/certs to enable
# the easy creation of certificates.
#
# See the README file in this directory for more information.
#
# $Id: 0613df99502989a6d5751eb8b2088000c58cae98 $
#
######################################################################
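# Size, in bits, of the Diffie-Hellman group written to the "dh" file.
# A 1024-bit group is no longer considered adequate; 2048 is the floor.
# "?=" keeps "make DH_KEY_SIZE=4096" and an environment override working.
DH_KEY_SIZE ?= 2048

# If a recipe fails part-way, delete its target so that a truncated
# key, certificate or parameter file is never taken as up to date.
.DELETE_ON_ERROR:

#
# Set the passwords
#
# Deliberately recursive ("="): each value is a literal shell command
# substitution that is evaluated by the shell, inside a recipe, every
# time that recipe runs.  The password is whatever "output_password ="
# says in the corresponding *.cnf file.
#
PASSWORD_SERVER = `grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
PASSWORD_CA = `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'`
PASSWORD_CLIENT = `grep output_password client.cnf | sed 's/.*=//;s/^ *//'`

# emailAddress from client.cnf; a copy of client.pem is named after it.
USER_NAME = `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`
# default_days from ca.cnf; validity period of the self-signed CA cert.
CA_DEFAULT_DAYS = `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`
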
######################################################################
#
# Aggregate (phony) targets.
#
# "all" builds the CA, the server certificate and the client
# certificate, plus the files "openssl ca" needs as its database
# (index.txt, serial), the DH parameters and the random seed.
#
######################################################################
.PHONY: all client ca server

all: index.txt serial dh random server ca client

# Client certificate in PEM form (a copy named after USER_NAME is
# written alongside it).
client: client.pem

# CA certificate in DER form, for importing into client trust stores.
ca: ca.der

# Server certificate in PEM form, checked against the CA afterwards.
server: server.pem server.vrfy

######################################################################
#
# Diffie-Hellman parameters
#
######################################################################
# Writes a $(DH_KEY_SIZE)-bit DH group to the file "dh".  There are no
# prerequisites, so it is only generated when the file is missing.
dh:
	openssl dhparam -out $@ $(DH_KEY_SIZE)

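######################################################################
#
# Create a new self-signed CA certificate
#
######################################################################
# CA private key and certificate, both written by a single "openssl
# req" run driven by ca.cnf.
#
# index.txt and serial are the "openssl ca" database.  They are
# order-only prerequisites: they must exist before the CA is created,
# but their timestamps must never trigger this recipe -- regenerating
# the CA key would silently invalidate every certificate it has signed.
# (The old recipe reached the same state with nested $(MAKE) calls,
# which could race with the top-level build under "make -j".)
#
# NOTE: a rule with two targets is two independent rules to make, so
# under "make -j" this recipe may run twice.  Build the CA serially.
ca.key ca.pem: ca.cnf | index.txt serial
	openssl req -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./$<
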
# DER encoding of the CA certificate (the form most trust stores import).
ca.der: ca.pem
	openssl x509 -inform PEM -outform DER -in $< -out $@

######################################################################
#
# Create a new server certificate, signed by the above CA.
#
######################################################################
# Server private key and certificate signing request, generated from
# server.cnf (the key is protected with the output_password set there).
# Two targets, one recipe: see the note on the CA rule about "make -j".
server.csr server.key: server.cnf
	openssl req -new -out server.csr -keyout server.key -config ./$<

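# Sign the server CSR with the CA.
#
# The CA password is passed through the environment (-passin env:)
# rather than as a command-line argument, where "ps" would show it to
# every local user for as long as openssl runs.
# xpextensions provides the xpserver_ext section, so it is a prerequisite:
# editing it re-issues the certificate.
server.crt: server.csr ca.key ca.pem xpextensions
	PASSWORD_CA="$(PASSWORD_CA)" openssl ca -batch -keyfile ca.key -cert ca.pem -in $< \
		-passin env:PASSWORD_CA -out $@ \
		-extensions xpserver_ext -extfile xpextensions -config ./server.cnf
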
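# Bundle the server certificate and its private key as PKCS#12.
# server.key is read by the recipe, so it is listed as a prerequisite
# (it used to be an undeclared input).  Both pass phrases are supplied
# via the environment so they never appear in the process argument list.
server.p12: server.crt server.key
	PASSWORD_SERVER="$(PASSWORD_SERVER)" openssl pkcs12 -export -in $< -inkey server.key -out $@ \
		-passin env:PASSWORD_SERVER -passout env:PASSWORD_SERVER
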
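# Unpack the PKCS#12 bundle into a single PEM file (certificate plus
# private key, the key still encrypted with the server password).
# Pass phrases go through the environment, not argv.
server.pem: server.p12
	PASSWORD_SERVER="$(PASSWORD_SERVER)" openssl pkcs12 -in $< -out $@ \
		-passin env:PASSWORD_SERVER -passout env:PASSWORD_SERVER
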
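# Check that server.pem chains to ca.pem.  Phony, so it runs on every
# "make server".  server.pem is a prerequisite (it was missing before),
# otherwise "make -j server" could try to verify a file that has not
# been built yet.
.PHONY: server.vrfy
server.vrfy: ca.pem server.pem
	openssl verify -CAfile ca.pem server.pem
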
######################################################################
#
# Create a new client certificate, signed by the CA above
# (the rule below signs with ca.key / ca.pem, not with the server
# certificate).
#
######################################################################
# Client private key and certificate signing request from client.cnf.
# Two targets, one recipe: see the note on the CA rule about "make -j".
client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./$<

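# Sign the client CSR with the CA.
#
# The CA password is handed over through the environment (-passin env:)
# instead of on the command line, which "ps" shows to all local users.
# xpextensions provides the xpclient_ext section and is therefore a
# prerequisite.
client.crt: client.csr ca.pem ca.key xpextensions
	PASSWORD_CA="$(PASSWORD_CA)" openssl ca -batch -keyfile ca.key -cert ca.pem -in $< \
		-passin env:PASSWORD_CA -out $@ \
		-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
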
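# Bundle the client certificate and private key as PKCS#12.
# client.key is an input of the recipe and is now declared as such.
# Pass phrases are supplied via the environment, not argv.
client.p12: client.crt client.key
	PASSWORD_CLIENT="$(PASSWORD_CLIENT)" openssl pkcs12 -export -in $< -inkey client.key -out $@ \
		-passin env:PASSWORD_CLIENT -passout env:PASSWORD_CLIENT
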
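# Unpack the client PKCS#12 bundle into PEM (key stays encrypted with
# the client password).  Pass phrases go through the environment.
# The copy named after USER_NAME is a side product make cannot track;
# the name is quoted so an odd emailAddress cannot split the command.
client.pem: client.p12
	PASSWORD_CLIENT="$(PASSWORD_CLIENT)" openssl pkcs12 -in $< -out $@ \
		-passin env:PASSWORD_CLIENT -passout env:PASSWORD_CLIENT
	cp $@ "$(USER_NAME).pem"
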
# Verify client.pem against the CA via a hashed -CApath directory.
# c_rehash must succeed before verify runs, hence the "&&" chain.
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash . && openssl verify -CApath . client.pem

######################################################################
#
# Miscellaneous rules.
#
######################################################################
# Empty certificate database for "openssl ca"; created only if absent.
index.txt:
	@touch $@

# Initial serial number for "openssl ca"; created only if absent.
serial:
	@echo '01' > $@

# Random seed file.  Prefer a symlink to the kernel RNG; only when
# /dev/urandom is not a character device fall back to the current date
# (a weak seed -- that branch exists purely as a last resort).
random:
	@if [ -c /dev/urandom ]; then \
		ln -sf /dev/urandom $@; \
	else \
		date > ./$@; \
	fi

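# These targets are commands, not files.  Declaring them phony means a
# stray file called "print" or "clean" can never make them "up to date".
.PHONY: print printca clean destroycerts

# Dump the server certificate as text.
print:
	openssl x509 -text -in server.crt

# Dump the CA certificate as text.
printca:
	openssl x509 -text -in ca.pem

# Remove editor backups and everything belonging to the client
# certificate; CA and server material are kept.
clean:
	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem

#
# Make a target that people won't run too often.
#
# Wipes every key, certificate, CSR and PKCS#12 bundle, the DH
# parameters, the random seed, the "openssl ca" database (index.txt*,
# serial*) and the c_rehash links (*.0, *.1).  The next "make" creates
# a brand-new CA, so every certificate issued so far stops validating.
destroycerts:
	rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
		serial* random *\.0 *\.1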