Fix root CA expiration
Make order-only prereqs the norm
Change-Id: Ibd1af1f6204f5368160fdaabf4f5a79358eb4a52
diff --git a/.gitignore b/.gitignore
index 8bd7ca5..b59f6ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@
*.csr
*.key
*_pki
+openvpn
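Review bot: Ignoring the whole `openvpn` directory also hides `openvpn/generic_<site>.ovpn`, which the new mkopenvpn.sh reads as its template, so the template cannot be tracked without `git add -f`. If the goal is only to keep the generated per-user configs (which embed a private key) out of the repo, ignore those specifically: `openvpn/*.ovpn` followed by `!openvpn/generic_*.ovpn`. If the templates are intended to live outside the repo, a comment on the pattern saying so would avoid the confusion.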
diff --git a/Makefile b/Makefile
index e1f3d2b..fda2966 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,9 @@
#
# NOTE: This makefile makes heavy use of Automatic Variables
# https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html
+# and order-only prerequisites
+# https://www.gnu.org/software/make/manual/html_node/Prerequisite-Types.html
+# Please review and understand this documentation before making changes
SHELL = bash -eu -o pipefail
@@ -28,6 +31,7 @@
ROOT_CA_NAME ?= root_ca
ROOT_CA_PASSPHRASE ?= "TestingRootCAPassPhrase"
ROOT_CA_SUBJECT ?= /C=US/ST=California/L=Menlo Park/O=ONF/OU=Infra/CN=ONF Test Root CA
+ROOT_EXPIRATION_DAYS ?= 1825
# intermediate CA
IM_CA_NAME ?= im_ca
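Review bot: `ROOT_EXPIRATION_DAYS ?= 1825` carries no comment explaining why root validity now lives in the Makefile, while the comment removed further down claimed the .cnf controlled it — which is presumably what produced the short-lived root this commit fixes. I would add above it: `# root cert validity in days; openssl req -x509 does not read default_days from the .cnf and falls back to a 30-day default unless -days is passed`. It is also worth stating that changing this value does not re-issue an already generated root cert, because the ca.pem rule below only has order-only prerequisites and must be deleted by hand to re-sign.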
@@ -38,7 +42,7 @@
# leaf certs
LEAF_EXPIRATION_DAYS ?= 730
-LEAF_PURPOSE ?= server_cert_ext # alternatively, use client_cert_ext
+LEAF_PURPOSE ?= server_cert_ext # alternatively, use client_cert_ext for client certs
LEAF_SUBJECT_PARTIAL ?= /C=US/ST=California/L=Menlo Park/O=ONF/OU=Infra/CN=
LEAF_KEYPAIR ?= core
LEAF_SAN ?= DNS:core.example.com,DNS:core.example.net
@@ -128,13 +132,13 @@
-passout file:$(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_passphrase \
-out $@ $(KEY_SIZE)
-# validity time on root CA is set in the .cnf file
-$(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem: $(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_key.pem
+$(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem: | $(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_key.pem
@echo "## Creating self-signed root CA cert: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(ROOT_CA_NAME) openssl req -config $(OPENSSL_CNF) \
-extensions root_ca_ext \
-new -x509 -sha256 \
- -key $< \
+ -days $(ROOT_EXPIRATION_DAYS) \
+ -key $(@D)/private/ca_key.pem \
-passin file:$(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_passphrase \
-subj "$(ROOT_CA_SUBJECT)" \
-out $@
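Review bot: With `ca_key.pem` demoted to an order-only prerequisite, regenerating or replacing the root key no longer rebuilds `ca.pem`, so a stale certificate that no longer matches the key stays in place until the intermediate signing step rejects the pair (I believe `openssl ca` checks the key against the CA cert, but have not confirmed that for the OpenSSL version in use). That is most likely intended — an existing root cert should never be silently re-issued — but the intent is not recorded anywhere in the rule. I would add `# order-only on purpose: never re-issue an existing root cert because the key's mtime changed; delete ca.pem explicitly to re-sign` above the target line. The added `-days $(ROOT_EXPIRATION_DAYS)` is the actual fix and looks correct.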
@@ -148,29 +152,29 @@
$(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase: | $(BASE_DIR)/$(IM_CA_NAME)
@echo $(IM_CA_PASSPHRASE) > $@
-$(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem: $(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase
+$(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem: | $(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase
@echo "## Creating intermediate CA private key: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl genrsa -aes256 \
-passout file:$(@D)/ca_passphrase \
-out $@ $(KEY_SIZE)
-$(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr: $(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem
+$(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr: | $(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem
@echo "## Creating intermediate CA signing request $@ from $<"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl req -config $(OPENSSL_CNF) \
-new -sha256 \
- -key $< \
+ -key $(@D)/ca_key.pem \
-passin file:$(@D)/ca_passphrase \
-subj "$(IM_CA_SUBJECT)" \
-out $@
-$(BASE_DIR)/$(IM_CA_NAME)/ca.pem: $(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr | $(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem
+$(BASE_DIR)/$(IM_CA_NAME)/ca.pem: | $(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr $(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem
@echo "## Signing $< with root CA key to create intermediate CA cert: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(ROOT_CA_NAME) openssl ca -config $(OPENSSL_CNF) \
-extensions im_ca_ext \
-notext -batch -md sha256 \
-days $(IM_EXPIRATION_DAYS) \
-passin file:$(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_passphrase \
- -in $< \
+ -in $(@D)/private/im_ca.csr \
-out $@
@echo "## Creating chain with Root CA and IM CA: $@"
cat $@ $(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem > $(@D)/chain.pem
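Review bot: Now that every prerequisite sits behind `|`, `$<` expands to empty in these recipes — order-only prerequisites are excluded from `$<` and `$^` — so the messages `## Creating intermediate CA signing request $@ from $<` and `## Signing $< with root CA key to create intermediate CA cert: $@` print nothing after "from" and "Signing", even though the `-key`/`-in` arguments were correctly moved to explicit paths. Use the same explicit paths in the messages: `@echo "## Creating intermediate CA signing request $@ from $(@D)/ca_key.pem"` and `@echo "## Signing $(@D)/private/im_ca.csr with root CA key to create intermediate CA cert: $@"`. `$|` would also work, but in the ca.pem rule it holds both the CSR and the root cert, so the explicit path is clearer.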
@@ -185,20 +189,20 @@
$(BASE_DIR)/certout:
mkdir -p $@
-$(BASE_DIR)/certout/%.key: $(BASE_DIR)/certout
+$(BASE_DIR)/certout/%.key: | $(BASE_DIR)/certout
@echo "## Creating leaf private key: $@"
openssl genrsa -out $@ $(KEY_SIZE)
-$(BASE_DIR)/certout/%.csr: $(BASE_DIR)/certout/%.key
+$(BASE_DIR)/certout/%.csr: | $(BASE_DIR)/certout/%.key
@echo "## Creating signing request $@ from $<"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl req -config $(OPENSSL_CNF) \
-new -sha256 \
- -key $< \
+ -key $(@D)/$(*F).key \
-subj "$(LEAF_SUBJECT_PARTIAL)$*" \
-addext "subjectAltName = $(LEAF_SAN)" \
-out $@
-$(BASE_DIR)/certout/%.pem: $(BASE_DIR)/certout/%.csr | $(BASE_DIR)/$(IM_CA_NAME)/ca.pem
+$(BASE_DIR)/certout/%.pem: | $(BASE_DIR)/certout/%.csr $(BASE_DIR)/$(IM_CA_NAME)/ca.pem
@echo "## Signing $< with IM CA key to create signed leaf cert: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl ca -config $(OPENSSL_CNF) \
-extensions $(LEAF_PURPOSE) \
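Review bot: `$<` is empty in these leaf recipes for the same reason as in the CA rules — order-only prerequisites are not included in `$<` — so `## Creating signing request $@ from $<` and `## Signing $< with IM CA key to create signed leaf cert: $@` lose the filename they are meant to report. Match the messages to the arguments the commit already rewrote: `@echo "## Creating signing request $@ from $(@D)/$(*F).key"` and `@echo "## Signing $(@D)/$(*F).csr with IM CA key to create signed leaf cert: $@"`. The leaf .pem rule's recipe continues past the end of this hunk.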
@@ -206,7 +210,7 @@
-notext -batch -md sha256 \
-days $(LEAF_EXPIRATION_DAYS) \
-passin file:$(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase \
- -in $< \
+ -in $(@D)/$(*F).csr \
-out $@
@echo "## Creating bundle with IM CA and Leaf: $(basename $@)_bundle.pem"
cat $@ $(BASE_DIR)/$(IM_CA_NAME)/ca.pem > $(basename $@)_bundle.pem
diff --git a/mkopenvpn.sh b/mkopenvpn.sh
new file mode 100755
index 0000000..3c0a04d
--- /dev/null
+++ b/mkopenvpn.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -xeu -o pipefail
+
+VPN_USER=$1
+
+VPN_SITE=${VPN_SITE:-example}
+
+export IM_CA_NAME=openvpn_ca
+export LEAF_PURPOSE=client_cert_ext
+
+export LEAF_KEYPAIR=${VPN_USER}
+export LEAF_EMAIL=${LEAF_EMAIL:-"${VPN_USER}@opennetworking.org"}
+export LEAF_SAN="email:${LEAF_EMAIL}"
+
+make onf_pki/certout/${VPN_USER}.pem
+
+# build config
+VPN_CONFIG=openvpn/${VPN_USER}_${VPN_SITE}.ovpn
+cat openvpn/generic_${VPN_SITE}.ovpn > $VPN_CONFIG
+
+cat << EOKEY >> $VPN_CONFIG
+
+# client key
+<key>
+EOKEY
+
+# add key
+cat onf_pki/certout/${VPN_USER}.key >> $VPN_CONFIG
+
+cat << EOCERT >> $VPN_CONFIG
+</key>
+
+# client cert
+<cert>
+EOCERT
+
+# add pem
+cat onf_pki/certout/${VPN_USER}.pem >> $VPN_CONFIG
+
+cat << EOF >> $VPN_CONFIG
+</cert>
+EOF
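Review bot: The generated `$VPN_CONFIG` embeds the user's unencrypted private key via `cat onf_pki/certout/${VPN_USER}.key >> $VPN_CONFIG`, yet the file is created by plain redirection and inherits the caller's umask — typically 0644, world-readable. Set `umask 077` before the first `cat ... > $VPN_CONFIG`, or finish with `chmod 600 "$VPN_CONFIG"`. `VPN_USER=$1` is also interpolated unchecked into the make target, the key/cert paths and (via `LEAF_KEYPAIR`) the certificate CN; a guard such as `[[ $VPN_USER =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid VPN user name: $VPN_USER" >&2; exit 1; }` keeps a stray `/` or `..` from steering those paths outside `onf_pki/certout`. Finally, quote `"$VPN_CONFIG"` in the redirections — with `set -eu` it is the only unquoted expansion left.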