Initial commit
Change-Id: I6a4444e3c193dae437cd7929f4c39aba7b749efa
diff --git a/contrib/PKI/ca_script/Makefile b/contrib/PKI/ca_script/Makefile
new file mode 100644
index 0000000..70476d4
--- /dev/null
+++ b/contrib/PKI/ca_script/Makefile
@@ -0,0 +1,149 @@
+#!/usr/bin/make -s
+#
+# This file is designed to automatize the CA tasks such as:
+# -> init : create the initial CA tree and the CA root certificate.
+# -> newcsr: create a new private key and csr. $name and $email must be set. C, ST, L, O, OU may be overwitten (example: make newcsr C=FR)
+# -> cert : sign a pending CSR and generate the certificate. $name must be provided.
+# -> revoke: revoke a certificate. $name must be provided.
+# -> gencrl: update/create the CRL.
+#
+# The file should be located in the directory STATIC_DIR as defined below.
+# The DIR directory will contain the data of the CA. It might be placed in /var.
+# The DIR should also be configured in openssl.cnf file under [ CA_default ]->dir.
+#
+# Here are the steps to install the CA scripts in default environment:
+## mkdir /etc/openssl-ca.static
+## cp Makefile openssl.cnf /etc/openssl-ca.static
+# ( configure the default parameters of your CA in /etc/openssl-ca/openssl.cnf ) ##
+## mkdir /etc/openssl-ca
+## make -f /etc/openssl-ca.static/Makefile destroy force=y
+## cd /etc/openssl-ca
+## make init
+## make help
+
+DIR = /home/thedoc/testbed.aaa/ca
+STATIC_DIR = /home/thedoc/testbed.aaa/ca
+CONFIG = -config $(DIR)/openssl.cnf
+
+#Defaults for new CSR
+C = JP
+ST = Tokyo
+L = Koganei
+O = WIDE
+OU = "AAA WG"
+
+#Default lifetime
+DAYS = 365
+
+#Values for the CA
+CA_CN = mgr.testbed.aaa
+CA_mail = sdecugis@freediameter.net
+
+#Disable "make destroy"
+force =
+
+
+# Default: print the help
+all: help
+
+# Help message
+help:
+ @echo "\n\
+Default values (can be overwritten on command-line):\n\
+ [C=$(C)] [ST=$(ST)] [L=$(L)] [O=$(O)] [OU=$(OU)]\n\
+ [CA_CN=$(CA_CN)] [CA_mail=$(CA_mail)]\n\n\
+Available commands:\n\
+ make init\n\
+ Creates the initial CA structure in $(DIR)\n\
+ make gencrl\n\
+ Regenerates the CRL. Should be run at least once a month.\n\
+ make newcsr name=foo email=b@r [type=ca]\n\
+ Create private key and csr in clients subdir (named foo.*)\n\
+ make cert name=foo\n\
+ Signs the CSR foo.csr and creates the certificate foo.cert.\n\
+ make revoke name=foo\n\
+ Revokes the certificate foo.cert and regenerates the CRL.\n\
+\n\
+Notes:\n\
+ Content from public-www should be available from Internet. \n\
+ The URL to CRL should be set in openssl.cnf.\n\
+ A cron job should execute make gencrl once a month.\n\
+";
+
+# Destroy the CA completely. Use with care.
+destroy:
+ @if [ -z "$(force)" ]; then echo "Restart disabled, use: make destroy force=y"; exit 1; fi
+ @if [ ! -d $(STATIC_DIR) ]; then echo "Error in setup"; exit 1; fi
+ @echo "Removing everything (for debug purpose)..."
+ @rm -rf $(DIR)/*
+ @ln -sf $(STATIC_DIR)/Makefile $(DIR)
+ @ln -sf $(STATIC_DIR)/openssl.cnf $(DIR)
+
+# Initialize the CA structure and keys.
+init:
+ @if [ -d $(DIR)/private ]; then echo "CA already initialized."; exit 1; fi
+ @echo "Creating CA structure..."
+ @mkdir $(DIR)/crl
+ @mkdir $(DIR)/certs
+ @mkdir $(DIR)/newcerts
+ @mkdir $(DIR)/public-www
+ @mkdir $(DIR)/private
+ @chmod 700 $(DIR)/private
+ @mkdir $(DIR)/clients
+ @mkdir $(DIR)/clients/privkeys
+ @mkdir $(DIR)/clients/csr
+ @mkdir $(DIR)/clients/certs
+ @echo "01" > $(DIR)/serial
+ @touch $(DIR)/index.txt
+ @openssl req $(CONFIG) -new -batch -x509 -days 3650 -nodes -newkey rsa:2048 -out $(DIR)/public-www/cacert.pem \
+ -keyout $(DIR)/private/cakey.pem -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(CA_CN)/emailAddress=$(CA_mail)
+ @ln -s $(DIR)/public-www/cacert.pem $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/public-www/cacert.pem`.0
+ @$(MAKE) -f $(DIR)/Makefile gencrl
+
+# Regenerate the Certificate Revocation List.
+# This list should be available publicly
+gencrl:
+ @openssl ca $(CONFIG) -gencrl -out $(DIR)/public-www/crl.pem
+ @ln -sf $(DIR)/public-www/crl.pem $(DIR)/crl/`openssl crl -noout -hash < $(DIR)/public-www/crl.pem`.r0
+
+# Create a new private key and a CSR, in case the client does not provide the CSR by another mean.
+# Usage is: make newcsr name=peer.client.fqdn email=admin@client.fqdn
+newcsr:
+ @if [ -z "$(name)" -o -z "$(email)" ]; then echo "Please provide certificate name and email address: make newcsr name=mn.nautilus.org email=you@mail.com"; exit 1; fi
+ @if [ -e $(DIR)/clients/csr/$(name).csr ]; then echo "There is already a pending csr for this name."; exit 1; fi
+ @if [ ! -e $(DIR)/clients/privkeys/$(name).key.pem ]; \
+ then echo "Generating a private key for $(name) ..."; \
+ openssl genrsa -out $(DIR)/clients/privkeys/$(name).key.pem 1024; \
+ fi;
+ @echo "Creating the CSR in $(DIR)/clients/csr/$(name).csr";
+ @openssl req $(CONFIG) -new -batch -out $(DIR)/clients/csr/$(name).csr \
+ -key $(DIR)/clients/privkeys/$(name).key.pem \
+ -subj /C=$(C)/ST=$(ST)/L=$(L)/O=$(O)/OU=$(OU)/CN=$(name)/emailAddress=$(email)
+
+# Process a CSR to create a x509 certificate. The certificate is valid for 1 year.
+# It should be sent to the client by any mean.
+cert:
+ @if [ -z "$(name)" ]; then echo "name must be provided: make cert name=mn.n6.org"; exit 1; fi
+ @if [ ! -e $(DIR)/clients/csr/$(name).csr ]; then echo "Could not find CSR in $(DIR)/clients/csr/$(name).csr."; exit 1; fi
+ @if [ -e $(DIR)/clients/certs/$(name).cert ]; \
+ then echo "Revoking old certificate..."; \
+ $(MAKE) revoke name=$(name); \
+ fi;
+ @openssl ca $(CONFIG) -in $(DIR)/clients/csr/$(name).csr \
+ -out $(DIR)/clients/certs/$(name).cert \
+ -days $(DAYS) \
+ -batch
+ @ln -s $(DIR)/clients/certs/$(name).cert $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0
+
+# Revoke a certificate.
+revoke:
+ @if [ -z "$(name)" ]; then echo "name must be provided: make revoke name=mn.n6.org"; exit 1; fi
+ @if [ ! -e $(DIR)/clients/certs/$(name).cert ]; \
+ then echo "$(DIR)/clients/certs/$(name).cert not found"; \
+ exit 1; \
+ fi;
+ @openssl ca $(CONFIG) -revoke $(DIR)/clients/certs/$(name).cert;
+ @rm -f $(DIR)/certs/`openssl x509 -noout -hash < $(DIR)/clients/certs/$(name).cert`.0
+ @$(MAKE) gencrl
+
+# End of file...