Merge pull request #1215 from t-woerner/fix_ca_less_to_use_X.509_v3
Fix ca-less test to use X.509 v3 certificates
Showing
5 changed files
with
151 additions
and
124 deletions.
@@ -0,0 +1,7 @@ | ||
basicConstraints = CA:FALSE | ||
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | ||
authorityKeyIdentifier = keyid,issuer | ||
subjectAltName = @alt_names | ||
|
||
[alt_names] | ||
DNS.1 = ${ENV::HOST_FQDN} |
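Review bot: This extension set carries `authorityKeyIdentifier = keyid,issuer` on the leaf but, unlike the pkinit extension file added in the same change, no `subjectKeyIdentifier = hash`; RFC 5280 recommends an SKI on end-entity certificates too, and keeping the two files parallel makes the dirsrv/httpd and PKINIT certificates easier to compare when a ca-less test fails. Adding `subjectKeyIdentifier = hash` directly after the basicConstraints line would align them. The `DNS.1 = ${ENV::HOST_FQDN}` lookup makes openssl reject the config when HOST_FQDN is absent from the environment, which is only apparent from the shell script that exports it, so a header comment such as `# requires HOST_FQDN in the environment (exported by the create script)` would spare the next reader that detour.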
@@ -0,0 +1,19 @@ | ||
basicConstraints = CA:FALSE | ||
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement | ||
extendedKeyUsage = 1.3.6.1.5.2.3.5 | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid,issuer | ||
issuerAltName = issuer:copy | ||
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name | ||
|
||
[kdc_princ_name] | ||
realm = EXP:0,GeneralString:${ENV::REALM_NAME} | ||
principal_name = EXP:1,SEQUENCE:kdc_principal_seq | ||
|
||
[kdc_principal_seq] | ||
name_type = EXP:0,INTEGER:1 | ||
name_string = EXP:1,SEQUENCE:kdc_principals | ||
|
||
[kdc_principals] | ||
princ1 = GeneralString:krbtgt | ||
princ2 = GeneralString:${ENV::REALM_NAME} |
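Review bot: The numeric OIDs in this file are undocumented: `extendedKeyUsage = 1.3.6.1.5.2.3.5` is id-pkinit-KPKdc and the `otherName:1.3.6.1.5.2.2` SAN is id-pkinit-san from RFC 4556, while the kdc_princ_name, kdc_principal_seq and kdc_principals sections hand-build the KRB5PrincipalName structure for krbtgt/REALM with name_type 1 (NT-PRINCIPAL). A one-line comment above each naming what it encodes, e.g. `# id-pkinit-KPKdc (RFC 4556): certificate may be used by a KDC` and `# id-pkinit-san: KRB5PrincipalName krbtgt/${REALM_NAME}@${REALM_NAME}`, would let a reviewer check the ASN.1 layout without a lookup. As with the DNS SAN in the other extension file, `${ENV::REALM_NAME}` makes config loading fail when REALM_NAME is not exported, which is worth stating in a header comment.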
This file was deleted.
@@ -1,153 +1,177 @@ | ||
#!/usr/bin/env bash | ||
|
||
ROOT_CA_DIR="certificates/root-ca" | ||
DIRSRV_CERTS_DIR="certificates/dirsrv" | ||
HTTPD_CERTS_DIR="certificates/httpd" | ||
PKINIT_CERTS_DIR="certificates/pkinit" | ||
CERTIFICATES="certificates" | ||
ROOT_CA_DIR="${CERTIFICATES}/root-ca" | ||
DIRSRV_CERTS_DIR="${CERTIFICATES}/dirsrv" | ||
HTTPD_CERTS_DIR="${CERTIFICATES}/httpd" | ||
PKINIT_CERTS_DIR="${CERTIFICATES}/pkinit" | ||
EXTENSIONS_CONF="${CERTIFICATES}/extensions.conf" | ||
PKINIT_EXTENSIONS_CONF="${CERTIFICATES}/pkinit-extensions.conf" | ||
PKCS12_PASSWORD="SomePKCS12password" | ||
|
||
# generate_ipa_pkcs12_certificate \ | ||
# $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name | ||
function generate_ipa_pkcs12_certificate { | ||
# create_ca \ | ||
# $domain_name | ||
function create_ca { | ||
|
||
cert_name=$1 | ||
ipa_fqdn=$2 | ||
certs_dir=$3 | ||
root_ca_cert=$4 | ||
root_ca_private_key=$5 | ||
extensions_file=$6 | ||
extensions_name=$7 | ||
|
||
# Generate CSR and private key | ||
openssl req -new -newkey rsa:4096 -nodes \ | ||
-subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \ | ||
-keyout "${certs_dir}/private.key" \ | ||
-out "${certs_dir}/request.csr" | ||
|
||
# Sign CSR to generate PEM certificate | ||
if [ -z "${extensions_file}" ]; then | ||
openssl x509 -req -days 365 -sha256 \ | ||
-CAcreateserial \ | ||
-CA "${root_ca_cert}" \ | ||
-CAkey "${root_ca_private_key}" \ | ||
-in "${certs_dir}/request.csr" \ | ||
-out "${certs_dir}/cert.pem" | ||
else | ||
openssl x509 -req -days 365 -sha256 \ | ||
-CAcreateserial \ | ||
-CA "${ROOT_CA_DIR}/cert.pem" \ | ||
-CAkey "${ROOT_CA_DIR}/private.key" \ | ||
-extfile "${extensions_file}" \ | ||
-extensions "${extensions_name}" \ | ||
-in "${certs_dir}/request.csr" \ | ||
-out "${certs_dir}/cert.pem" | ||
domain_name=$1 | ||
if [ -z "${domain_name}" ]; then | ||
echo "ERROR: domain is not set" | ||
echo | ||
echo "usage: $0 ca <domain>" | ||
exit 0; | ||
fi | ||
realm=${domain_name^^} | ||
|
||
export REALM_NAME=${realm} | ||
|
||
# Create certificates folder structure | ||
mkdir -p "${ROOT_CA_DIR}" | ||
|
||
# Create root CA | ||
if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then | ||
# create aes encrypted private key | ||
openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096 | ||
|
||
# create certificate, 1826 days = 5 years | ||
openssl req -x509 -new -nodes -sha256 -days 1826 \ | ||
-subj "/C=US/ST=Test/L=Testing/O=Default/CN=Test Root CA" \ | ||
-key "${ROOT_CA_DIR}/private.key" \ | ||
-out "${ROOT_CA_DIR}/cert.pem" | ||
fi | ||
} | ||
|
||
# create_host_pkcs12_certificate \ | ||
# $cert_name $certs_dir $root_ca_cert $extensions_file | ||
function create_host_pkcs12_certificate { | ||
|
||
cert_name=$1 | ||
certs_dir=$2 | ||
root_ca_cert=$3 | ||
extensions_file=$4 | ||
|
||
# Create CSR and private key | ||
openssl req -new -nodes -newkey rsa:4096 \ | ||
-subj "/C=US/ST=Test/L=Testing/O=Default/CN=${cert_name}" \ | ||
-keyout "${certs_dir}/private.key" \ | ||
-out "${certs_dir}/request.csr" | ||
|
||
# Sign CSR to create PEM certificate | ||
openssl x509 -req -days 1460 -sha256 -CAcreateserial \ | ||
-CAkey "${ROOT_CA_DIR}/private.key" \ | ||
-CA "${root_ca_cert}" \ | ||
-in "${certs_dir}/request.csr" \ | ||
-out "${certs_dir}/cert.pem" \ | ||
-extfile "${extensions_file}" | ||
|
||
# Convert certificate to PKCS12 format | ||
openssl pkcs12 -export \ | ||
-name "${cert_name}" \ | ||
-certfile "${root_ca_cert}" \ | ||
-in "${certs_dir}/cert.pem" \ | ||
-inkey "${certs_dir}/private.key" \ | ||
-passout "pass:${PKCS12_PASSWORD}" \ | ||
-out "${certs_dir}/cert.p12" | ||
-name "${cert_name}" \ | ||
-certfile "${root_ca_cert}" \ | ||
-passout "pass:${PKCS12_PASSWORD}" \ | ||
-inkey "${certs_dir}/private.key" \ | ||
-in "${certs_dir}/cert.pem" \ | ||
-out "${certs_dir}/cert.p12" | ||
} | ||
|
||
# generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain | ||
function generate_ipa_pkcs12_certificates { | ||
# create_ipa_pkcs12_certificates \ | ||
# $host_fqdn $domain_name | ||
function create_host_certificates { | ||
|
||
host=$1 | ||
if [ -z "$host" ]; then | ||
echo "ERROR: ipa-host-fqdn is not set" | ||
host_fqdn=$1 | ||
if [ -z "${host_fqdn}" ]; then | ||
echo "ERROR: host-fqdn is not set" | ||
echo | ||
echo "usage: $0 create ipa-host-fqdn domain" | ||
echo "usage: $0 create <host-fqdn> [<domain>]" | ||
exit 0; | ||
fi | ||
|
||
domain=$2 | ||
if [ -z "$domain" ]; then | ||
echo "ERROR: domain is not set" | ||
domain_name=$2 | ||
[ -z "${domain_name}" ] && domain_name=${host_fqdn#*.*} | ||
if [ -z "${domain_name}" ]; then | ||
echo "ERROR: domain is not set and can not be created from host fqdn" | ||
echo | ||
echo "usage: $0 create ipa-host-fqdn domain" | ||
echo "usage: $0 create <host-fqdn> [<domain>]" | ||
exit 0; | ||
fi | ||
realm=${domain_name^^} | ||
|
||
# Generate certificates folder structure | ||
mkdir -p "${ROOT_CA_DIR}" | ||
mkdir -p "${DIRSRV_CERTS_DIR}/$host" | ||
mkdir -p "${HTTPD_CERTS_DIR}/$host" | ||
mkdir -p "${PKINIT_CERTS_DIR}/$host" | ||
export HOST_FQDN=${host_fqdn} | ||
export REALM_NAME=${realm} | ||
|
||
# Generate root CA | ||
if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then | ||
openssl genrsa \ | ||
-out "${ROOT_CA_DIR}/private.key" 4096 | ||
|
||
openssl req -new -x509 -sha256 -nodes -days 3650 \ | ||
-subj "/C=US/ST=Test/L=Testing/O=Default" \ | ||
-key "${ROOT_CA_DIR}/private.key" \ | ||
-out "${ROOT_CA_DIR}/cert.pem" | ||
create_ca "${domain_name}" | ||
fi | ||
|
||
# Generate a certificate for the Directory Server | ||
if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then | ||
generate_ipa_pkcs12_certificate \ | ||
# Create certificates folder structure | ||
mkdir -p "${DIRSRV_CERTS_DIR}/${host_fqdn}" | ||
mkdir -p "${HTTPD_CERTS_DIR}/${host_fqdn}" | ||
mkdir -p "${PKINIT_CERTS_DIR}/${host_fqdn}" | ||
|
||
# Create a certificate for the Directory Server | ||
if [ ! -f "${DIRSRV_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then | ||
create_host_pkcs12_certificate \ | ||
"dirsrv-cert" \ | ||
"$host" \ | ||
"${DIRSRV_CERTS_DIR}/$host" \ | ||
"${DIRSRV_CERTS_DIR}/${host_fqdn}" \ | ||
"${ROOT_CA_DIR}/cert.pem" \ | ||
"${ROOT_CA_DIR}/private.key" | ||
"${EXTENSIONS_CONF}" | ||
fi | ||
|
||
# Generate a certificate for the Apache server | ||
if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then | ||
generate_ipa_pkcs12_certificate \ | ||
# Create a certificate for the Apache server | ||
if [ ! -f "${HTTPD_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then | ||
create_host_pkcs12_certificate \ | ||
"httpd-cert" \ | ||
"$host" \ | ||
"${HTTPD_CERTS_DIR}/$host" \ | ||
"${HTTPD_CERTS_DIR}/${host_fqdn}" \ | ||
"${ROOT_CA_DIR}/cert.pem" \ | ||
"${ROOT_CA_DIR}/private.key" | ||
"${EXTENSIONS_CONF}" | ||
fi | ||
|
||
# Generate a certificate for the KDC PKINIT | ||
if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then | ||
export REALM=${domain^^} | ||
|
||
generate_ipa_pkcs12_certificate \ | ||
# Create a certificate for the KDC PKINIT | ||
if [ ! -f "${PKINIT_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then | ||
create_host_pkcs12_certificate \ | ||
"pkinit-cert" \ | ||
"$host" \ | ||
"${PKINIT_CERTS_DIR}/$host" \ | ||
"${PKINIT_CERTS_DIR}/${host_fqdn}" \ | ||
"${ROOT_CA_DIR}/cert.pem" \ | ||
"${ROOT_CA_DIR}/private.key" \ | ||
"${PKINIT_CERTS_DIR}/extensions.conf" \ | ||
"kdc_cert" | ||
"${PKINIT_EXTENSIONS_CONF}" | ||
fi | ||
} | ||
|
||
# delete_ipa_pkcs12_certificates $ipa_fqdn | ||
function delete_ipa_pkcs12_certificates { | ||
# delete_host_certificates \ | ||
# $host_fqdn | ||
function delete_host_certificates { | ||
|
||
host=$1 | ||
if [ -z "$host" ]; then | ||
echo "ERROR: ipa-host-fqdn is not set" | ||
host_fqdn=$1 | ||
if [ -z "${host_fqdn}" ]; then | ||
echo "ERROR: host-fqdn is not set" | ||
echo | ||
echo "usage: $0 delete ipa-host-fqdn" | ||
echo "usage: $0 delete <host-fqdn>" | ||
exit 0; | ||
fi | ||
|
||
rm -f certificates/*/"$host"/* | ||
rm -f "${ROOT_CA_DIR}"/* | ||
rm -rf certificates/*/"${host_fqdn}"/ | ||
} | ||
|
||
# cleanup \ | ||
# $host_fqdn | ||
function cleanup { | ||
|
||
rm -rf certificates/*/ | ||
} | ||
|
||
# Entrypoint | ||
case "$1" in | ||
ca) | ||
create_ca "$2" | ||
;; | ||
create) | ||
generate_ipa_pkcs12_certificates "$2" "$3" | ||
create_host_certificates "$2" "$3" | ||
;; | ||
delete) | ||
delete_ipa_pkcs12_certificates "$2" | ||
delete_host_certificates "$2" | ||
;; | ||
cleanup) | ||
cleanup | ||
;; | ||
*) | ||
echo $"Usage: $0 {create|delete}" | ||
echo $"Usage: $0 {create|delete|ca|cleanup}" | ||
;; | ||
esac |
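Review bot: The fallback `[ -z "${domain_name}" ] && domain_name=${host_fqdn#*.*}` in create_host_certificates never leaves domain_name empty — for a single-label host the pattern does not match and the whole name is kept — so the "can not be created from host fqdn" branch directly below it is unreachable and a bare hostname silently becomes its own domain and realm. Guarding on the dot instead, `[ -z "${domain_name}" ] && [[ "${host_fqdn}" == *.* ]] && domain_name=${host_fqdn#*.}`, lets the existing error path fire. The usage-error paths in create_ca, create_host_certificates and delete_host_certificates still end with `exit 0;`, so a caller cannot distinguish a failed invocation from a successful one; `exit 1` there, plus `set -e` at the top, would also stop a failed openssl step from being followed by a pkcs12 export of a missing cert.pem. The comment `# create aes encrypted private key` in create_ca does not match `openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096`, which writes an unencrypted key; either drop it or change it to `# create unencrypted root CA private key`.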