commit 0bb0583e544444e04b6cd96f2f70f39ace5d6492
Author: Samuel Aubertin
Date: Sat Dec 23 14:10:48 2023 +0100
sync
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f353e59
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,13 @@
+Copyright (c) 2023 Samuel 'sk4nz' AUBERTIN sk4nz@sk4.nz
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.""'')
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..fdb8584
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,174 @@
+# skz-pki - PKI management with OpenSSL
+# Samuel 'sk4nz' AUBERTIN - 2019
+.PHONY: all clean banner epilogue revoke
+# Run make, then add more USERS or SERVERS and re-make.
+SERVERS =
+USERS =
+
+include src/pki.mk
+include src/root.mk
+include src/intermediate.mk
+include src/server.mk
+include src/user.mk
+include src/magic.mk
+
+all: banner dependencies $(addsuffix .cert.pem, $(SERVERS_LIST)) \
+ $(addsuffix .cert.pem, $(USERS_LIST)) epilogue
+
+dependencies:
+ @which openssl > /dev/null || (echo -e "You need OpenSSL" && exit 1)
+
+banner:
+ @echo -e "\033[1mskz-pki - PKI management with OpenSSL"
+ @echo -e "Samuel 'sk4nz' Aubertin - 2019\033[0m\n"
+
+epilogue:
+ @echo -e "\033[3m[+] DONE [+]\033[0m"
+
+### CA ###
+$(PKI_CERTS_CA_ROOT_DIR):
+ @echo -e "\033[3m[+] $@ [+]\033[0m"
+ @echo -en "\tCreating CA dirs : "; mkdir $@ $@/certs \
+ $@/crl $@/newcerts $@/private && $(output)
+ @chmod ${PKI_PRIVATE_DIR_MODE} $@/private
+
+$(PKI_CA_PATH)/index.txt $(PKI_INTERMEDIATE_CA_PATH)/index.txt: | \
+ $(PKI_CERTS_CA_ROOT_DIR)
+ @echo -en "\tCreating $@ : "; touch $@ && $(output)
+
+$(PKI_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/serial \
+ $(PKI_INTERMEDIATE_CA_PATH)/crlnumber: | $(PKI_CERTS_CA_ROOT_DIR)
+ @echo -en "\tCreating $@ : "; cp src/serial $@ && $(output)
+
+$(PKI_CA_CONFIG): export PKI_CA_CONFIG_CONTENT:=${PKI_CA_CONFIG_CONTENT}
+$(PKI_CA_CONFIG):
+ @echo -en "\tTemplating $@ : "; echo "$${PKI_CA_CONFIG_CONTENT}" > $@ && \
+ $(output)
+
+$(PKI_INTERMEDIATE_CONFIG): export PKI_INTERMEDIATE_CA_CONFIG_CONTENT:=\
+ ${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}
+$(PKI_INTERMEDIATE_CONFIG):
+ @echo -en "\tTemplating $@ : "; echo \
+ "$${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}" > $@ && $(output)
+
+$(PKI_CA_KEY): | $(PKI_CERTS_CA_ROOT_DIR)
+ @echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+ ${PKI_CA_KEY_STRENGTH} 2> /dev/null && $(output)
+ @chmod ${PKI_CA_KEY_MODE} $@
+
+$(PKI_CA_CERT): $(PKI_CA_KEY) | \
+ $(PKI_CA_CONFIG) $(PKI_CA_PATH)/index.txt $(PKI_CA_PATH)/serial
+ @echo -en "\tSelf-signing $@ : ";openssl req -config ${PKI_CA_CONFIG} \
+ -subj "${PKI_CA_FIELDS}" -key ${PKI_CA_KEY} -new -x509 \
+ -days ${PKI_CA_DAYS} -${PKI_HASH_TYPE} -extensions v3_ca -out $@ \
+ 2> /dev/null && $(output)
+ @chmod ${PKI_CA_CERT_MODE} $@
+
+### INTERMEDIATE CA ###
+$(PKI_INTERMEDIATE_CA_ROOT_DIR):
+ @echo -e "\033[3m[+] $@ [+]\033[0m"
+ @echo -en "\tCreating Intermediate CA dirs : "; mkdir $@ $@/certs $@/crl \
+ $@/csr $@/newcerts $@/private && $(output)
+ @chmod ${PKI_PRIVATE_DIR_MODE} $@/private
+
+$(PKI_INTERMEDIATE_KEY): | $(PKI_INTERMEDIATE_CA_ROOT_DIR)
+ @echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+ ${PKI_INTERMEDIATE_KEY_STRENGTH} 2> /dev/null && $(output)
+ @chmod ${PKI_INTERMEDIATE_KEY_MODE} $@
+
+$(PKI_INTERMEDIATE_CSR): $(PKI_INTERMEDIATE_KEY) | $(PKI_INTERMEDIATE_CONFIG) \
+ $(PKI_INTERMEDIATE_CA_PATH)/index.txt \
+ $(PKI_INTERMEDIATE_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/crlnumber
+ @echo -en "\tEmitting intermediate CSR $@ : "; openssl req \
+ -config ${PKI_INTERMEDIATE_CONFIG} -new -${PKI_HASH_TYPE} \
+ -subj "${PKI_INTERMEDIATE_FIELDS}" -key ${PKI_INTERMEDIATE_KEY} -out \
+ $@ && $(output)
+ @chmod ${PKI_INTERMEDIATE_CERT_MODE} $@
+
+$(PKI_INTERMEDIATE_CERT): $(PKI_CA_CERT) $(PKI_INTERMEDIATE_CSR)
+ @echo -en "\tSigning intermediate $@ : "; openssl ca -batch -config \
+ ${PKI_CA_CONFIG} -extensions v3_intermediate_ca -days \
+ ${PKI_INTERMEDIATE_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
+ -in ${PKI_INTERMEDIATE_CSR} -out $@ 2> /dev/null && $(output)
+ @chmod ${PKI_INTERMEDIATE_CERT_MODE} $@
+ @echo -en "\tVerifying $@ : "; openssl verify -CAfile ${PKI_CA_CERT} $@ \
+ > /dev/null && $(output)
+
+$(PKI_INTERMEDIATE_CHAIN): $(PKI_INTERMEDIATE_CERT) $(PKI_CA_CERT)
+ @echo -en "\tCreating $@ : "; cat ${PKI_INTERMEDIATE_CERT} ${PKI_CA_CERT} \
+ > $@ && $(output)
+ @chmod ${PKI_INTERMEDIATE_CHAIN_MODE} $@
+
+### SERVERS ###
+$(PKI_CERTS_MACHINE_ROOT_DIR) $(addprefix ${PKI_SERVER_CA_PATH},${SERVERS}) \
+ $(PKI_CERTS_USER_ROOT_DIR) $(addprefix ${PKI_USER_CA_PATH},${USERS}):
+ @echo -en "\tCreating dirs $@ : "; mkdir $@ && $(output)
+
+$(PKI_SERVER_CONFIG): export PKI_SERVER_CONFIG_CONTENT:=\
+ ${PKI_SERVER_CONFIG_CONTENT}
+$(PKI_SERVER_CONFIG): | $(PKI_CERTS_MACHINE_ROOT_DIR)
+ @echo -en "\tTemplating $@ : "; echo "$${PKI_SERVER_CONFIG_CONTENT}" > $@ \
+ && $(output)
+
+$(addsuffix .key.pem, $(SERVERS_LIST)): | $(PKI_SERVER_CONFIG) \
+ $(addprefix ${PKI_SERVER_CA_PATH},${SERVERS})
+ @echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+ ${PKI_SERVER_KEY_STRENGTH} 2> /dev/null && $(output)
+ @chmod ${PKI_SERVER_KEY_MODE} $@
+
+$(addsuffix .csr.pem, $(SERVERS_LIST)): | $(addsuffix .key.pem, $(SERVERS_LIST))
+ @echo -en "\tEmitting CSR $@ : "; openssl req -config ${PKI_SERVER_CONFIG} \
+ -subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(@:.csr.pem=))" \
+ -key ${@:.csr.pem=.key.pem} -new -${PKI_HASH_TYPE} -out $@ && $(output)
+
+$(addsuffix .cert.pem, $(SERVERS_LIST)): | \
+ $(addsuffix .csr.pem, $(SERVERS_LIST)) $(PKI_INTERMEDIATE_CERT) \
+ $(PKI_INTERMEDIATE_CHAIN)
+ @echo -en "\tSigning $@ : "; openssl ca -batch -config \
+ ${PKI_INTERMEDIATE_CONFIG} -extensions server_cert -days \
+ ${PKI_SERVER_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
+ -in $(@:.cert.pem=.csr.pem) -out $@ 2> /dev/null && $(output)
+ @chmod ${PKI_SERVER_CERT_MODE} $@
+ @echo -en "\tVerifying $@ : "; openssl verify -CAfile \
+ ${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)
+
+### USERS ###
+$(PKI_USER_CONFIG): export PKI_USER_CONFIG_CONTENT:=\
+ ${PKI_SERVER_CONFIG_CONTENT}
+$(PKI_USER_CONFIG): | $(PKI_CERTS_USER_ROOT_DIR)
+ @echo -en "\tTemplating $@ : "; echo "$${PKI_USER_CONFIG_CONTENT}" > $@ && \
+ $(output)
+
+$(addsuffix .key.pem, $(USERS_LIST)): | $(PKI_USER_CONFIG) \
+ $(addprefix ${PKI_USER_CA_PATH},${USERS})
+ @echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+ ${PKI_USER_KEY_STRENGTH} 2> /dev/null && $(output)
+ @chmod ${PKI_USER_KEY_MODE} $@
+
+$(addsuffix .csr.pem, $(USERS_LIST)): | $(addsuffix .key.pem, $(USERS_LIST))
+ @echo -en "\tEmitting CSR $@ : "; openssl req -config ${PKI_USER_CONFIG} \
+ -subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(@:.csr.pem=))" \
+ -key ${@:.csr.pem=.key.pem} -new -${PKI_HASH_TYPE} -out $@ && $(output)
+
+$(addsuffix .cert.pem, $(USERS_LIST)): | $(addsuffix .csr.pem, $(USERS_LIST)) \
+ $(PKI_INTERMEDIATE_CERT) $(PKI_INTERMEDIATE_CHAIN)
+ @echo -en "\tSigning $@ : "; openssl ca -batch -config \
+ ${PKI_INTERMEDIATE_CONFIG} -extensions usr_cert \
+ -days ${PKI_USER_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
+ -in $(@:.cert.pem=.csr.pem) -out $@ 2> /dev/null && $(output)
+ @chmod ${PKI_USER_CERT_MODE} $@
+ @echo -en "\tVerifying $@ : "; openssl verify -CAfile \
+ ${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)
+
+revoke:
+ @SERIAL=$$(cat ${PKI_INTERMEDIATE_CA_NAME}/index.txt | grep ${TO_REVOKE} | \
+ awk '{print $$3}') && echo -en "Press [ENTER] to revoke ${TO_REVOKE} :"\
+ && read; openssl ca -config ${PKI_INTERMEDIATE_CONFIG} \
+ -revoke ${PKI_INTERMEDIATE_CA_NAME}/newcerts/$$SERIAL.pem
+
+clean:
+ @echo -e "\033[31mWARNING - ALL THE PKI WILL BE DELETED - WARNING\033[0m"
+ @echo -en "Press [ENTER] to delete the PKI : "; read
+ @rm -rf ${PKI_CERTS_CA_ROOT_DIR} ${PKI_INTERMEDIATE_CA_ROOT_DIR} \
+ ${PKI_CERTS_MACHINE_ROOT_DIR} ${PKI_CERTS_USER_ROOT_DIR}
+ @echo -e "PKI deleted"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7636cb0
--- /dev/null
+++ b/README.md
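Review bot: The `$(PKI_USER_CONFIG): export PKI_USER_CONFIG_CONTENT:=` line in the USERS section expands `${PKI_SERVER_CONFIG_CONTENT}`, so the template in src/user.mk is never written out and user CSRs are produced with the server template, whose `v3_req` section requests the server `subjectAltName`; with `copy_extensions = copy` in the intermediate config those DNS/IP names are likely to be carried into client certificates. The continuation line should read `${PKI_USER_CONFIG_CONTENT}`, once src/user.mk is made loadable (its `v3_req` references an `@alt_names` section that file does not define). In `revoke`, the `;` before `openssl ca` lets the revocation run even when the `grep` on index.txt finds nothing, and the unanchored `grep ${TO_REVOKE}` matches any entry containing the string, so an empty or multi-line `$$SERIAL` should abort the recipe instead. Nothing regenerates the CRL afterwards, so relying parties cannot see the revocation until `openssl ca -gencrl` is run against the intermediate config. `dependencies` is also absent from `.PHONY`.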
@@ -0,0 +1,61 @@
+# skz-pki - PKI management with OpenSSL
+
+Samuel 'sk4nz' AUBERTIN - 2019
+
+Version 0.0.1
+
+## Features
+
+Fully idempotent PKI.
+
+Every configuration knob is located in ```src/pki.mk```
+
+## HOWTO
+
+### Create the PKI
+
+Edit ```USERS``` and ```SERVERS``` in the _Makefile_, then run ```make```, but
+you can also explicity declare ```USERS``` and ```SERVERS``` with the environment
+variables :
+
+```make USERS="kafka@sk4.nz orwell@sk4.nz" SERVERS="trebuchet.sk4.nz"```
+
+### Revocation
+
+Revocation works one certificate at a time using the ```TO_REVOKE``` environment
+variable.
+
+```make revoke TO_REVOKE=kafka@sk4.nz```
+
+### Invocation from another Makefile
+
+```
+PKI_PATH = skz-pki
+MY_SERVERS = trebuchet.sk4.nz
+MY_USERS = kafka@sk4.nz orwell@sk4.nz
+
+$(PKI_PATH):
+ @cd $@ && $(MAKE) SERVERS="$(MY_SERVERS)" USERS="$(MY_USERS)"
+```
+
+### Delete PKI
+
+```make clean```
+
+## License
+
+```
+Copyright (c) 2019 Samuel 'sk4nz' AUBERTIN
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+```
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000..9f58695
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,4 @@
+* Certs altenatives ie PKI_SERVER_ALTERNATIVE_NAMES & PKI_SERVER_ALTERNATIVE_IPS
+* Passord handling (prompt ? gpg ?)
+* OSCP server ?
+* More fancy outputs ?
diff --git a/src/intermediate.mk b/src/intermediate.mk
new file mode 100644
index 0000000..f73093a
--- /dev/null
+++ b/src/intermediate.mk
@@ -0,0 +1,132 @@
+define PKI_INTERMEDIATE_CA_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_INTERMEDIATE_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+
+# The intermediate key and certificate.
+private_key = $$dir/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/${PKI_INTERMEDIATE_CA_NAME}.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+copy_extensions = copy
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef
diff --git a/src/magic.mk b/src/magic.mk
new file mode 100644
index 0000000..d51160d
--- /dev/null
+++ b/src/magic.mk
@@ -0,0 +1,7 @@
+# Some magic
+SERVERS_LIST = $(addprefix ${PKI_SERVER_CA_PATH},$(join $(addsuffix / ,\
+ ${SERVERS}),${SERVERS}))
+USERS_LIST = $(addprefix ${PKI_USER_CA_PATH},$(join $(addsuffix / ,\
+ ${USERS}),${USERS}))
+
+output = echo -e '\033[32mOK\033[0m' || (echo -e '\033[31mFail\033[0m'; exit 1)
diff --git a/src/pki.mk b/src/pki.mk
new file mode 100644
index 0000000..85c084b
--- /dev/null
+++ b/src/pki.mk
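Review bot: `copy_extensions = copy` in `[ CA_default ]` makes the intermediate CA honour whatever extensions a CSR carries, apart from the ones the `-extensions` section itself sets; that is how the `subjectAltName` requested by src/server.mk's `v3_req` reaches the issued certificate, but it also means a CSR produced outside this Makefile would get its requested names signed without review. A comment should record the dependency and the trust assumption, e.g. `# copy_extensions: SANs are taken from the CSR, so only sign CSRs this Makefile generated`. The root template in src/root.mk leaves the setting off, which is consistent with the root signing nothing but the intermediate.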
@@ -0,0 +1,89 @@
+# CA location
+PKI_CERTS_CA_ROOT_DIR=ca
+PKI_CERTS_MACHINE_ROOT_DIR=servers
+PKI_CERTS_USER_ROOT_DIR=users
+PKI_CA_NAME=skz
+PKI_INTERMEDIATE_CA_NAME=intermediate
+
+# Cert fields
+PKI_COUNTRY=FR
+PKI_LOCALITY=Montpellier
+PKI_ORGANIZATION=sk4.nz
+PKI_STATE=Occitanie
+
+# CA Common name
+PKI_CA_COMMON_NAME=sk4.nz\\ Certificate\\ Authority
+PKI_INTERMEDIATE_COMMON_NAME=sk4.nz\\ Intermediate\\ Certificate\\ Authority
+
+# Servers common name
+PKI_SERVER_COMMON_NAME=server.sk4.nz
+PKI_USER_COMMON_NAME=sk4nz@sk4.nz
+
+# Servers alternative names
+PKI_SERVER_ALTERNATIVE_NAMES=alt.sk4.nz
+PKI_SERVER_ALTERNATIVE_IPS=127.0.0.1
+
+# Cert lifespan
+PKI_SERVER_CERT_DAYS=365
+PKI_USER_CERT_DAYS=365
+PKI_INTERMEDIATE_CERT_DAYS=3650
+PKI_CA_DAYS=7300
+
+# Hashing method
+PKI_HASH_TYPE=sha256
+
+# File paths
+PKI_CA_PATH=${PKI_CERTS_CA_ROOT_DIR}
+PKI_INTERMEDIATE_CA_PATH=${PKI_INTERMEDIATE_CA_NAME}
+PKI_INTERMEDIATE_CA_ROOT_DIR=${PKI_INTERMEDIATE_CA_NAME}
+PKI_SERVER_CA_PATH=${PKI_CERTS_MACHINE_ROOT_DIR}/
+PKI_USER_CA_PATH=${PKI_CERTS_USER_ROOT_DIR}/
+
+PKI_COMMON_FIELDS=/C=${PKI_COUNTRY}/ST=${PKI_STATE}/L=${PKI_LOCALITY}/O=${PKI_ORGANIZATION}
+PKI_CA_FIELDS=${PKI_COMMON_FIELDS}/CN=${PKI_CA_COMMON_NAME}
+PKI_INTERMEDIATE_FIELDS=${PKI_COMMON_FIELDS}/CN=${PKI_INTERMEDIATE_COMMON_NAME}
+
+PKI_CA_CONFIG=${PKI_CA_PATH}/openssl.cnf
+PKI_INTERMEDIATE_CONFIG=${PKI_INTERMEDIATE_CA_PATH}/openssl.cnf
+PKI_SERVER_CONFIG=${PKI_CERTS_MACHINE_ROOT_DIR}/openssl.cnf
+PKI_USER_CONFIG=${PKI_CERTS_USER_ROOT_DIR}/openssl.cnf
+
+PKI_CA_KEY=${PKI_CA_PATH}/private/${PKI_CA_NAME}.key.pem
+PKI_CA_CERT=${PKI_CA_PATH}/certs/${PKI_CA_NAME}.cert.pem
+
+PKI_INTERMEDIATE_KEY=${PKI_INTERMEDIATE_CA_PATH}/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+PKI_INTERMEDIATE_CSR=${PKI_INTERMEDIATE_CA_PATH}/csr/${PKI_INTERMEDIATE_CA_NAME}.csr.pem
+PKI_INTERMEDIATE_CERT=${PKI_INTERMEDIATE_CA_PATH}/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+
+PKI_SERVER_KEY=${PKI_SERVER_CA_PATH}/${PKI_SERVER_COMMON_NAME}.key.pem
+PKI_SERVER_CSR=${PKI_SERVER_CA_PATH}/${PKI_SERVER_COMMON_NAME}.csr.pem
+PKI_SERVER_CERT=${PKI_SERVER_CA_PATH}/${PKI_SERVER_COMMON_NAME}.cert.pem
+
+PKI_USER_KEY=${PKI_USER_CA_PATH}/${PKI_USER_COMMON_NAME}.key.pem
+PKI_USER_CSR=${PKI_USER_CA_PATH}/${PKI_USER_COMMON_NAME}.csr.pem
+PKI_USER_CERT=${PKI_USER_CA_PATH}/${PKI_USER_COMMON_NAME}.cert.pem
+
+PKI_INTERMEDIATE_CHAIN=${PKI_INTERMEDIATE_CA_PATH}/certs/${PKI_CA_NAME}-chain.cert.pem
+PKI_SERVER_INTERMEDIATE_CHAIN=${PKI_SERVER_CA_PATH}/${PKI_CA_NAME}-chain.cert.pem
+
+# File modes
+PKI_PRIVATE_DIR_MODE=0700
+
+PKI_CA_KEY_MODE=0400
+PKI_CA_CERT_MODE=0444
+
+PKI_INTERMEDIATE_KEY_MODE=0400
+PKI_INTERMEDIATE_CERT_MODE=0444
+PKI_INTERMEDIATE_CHAIN_MODE=0444
+
+PKI_SERVER_KEY_MODE=0444
+PKI_SERVER_CERT_MODE=0444
+
+PKI_USER_KEY_MODE=0444
+PKI_USER_CERT_MODE=0444
+
+# Key strength
+PKI_CA_KEY_STRENGTH=4096
+PKI_INTERMEDIATE_KEY_STRENGTH=4096
+PKI_SERVER_KEY_STRENGTH=4096
+PKI_USER_KEY_STRENGTH=4096
diff --git a/src/root.mk b/src/root.mk
new file mode 100644
index 0000000..2064753
--- /dev/null
+++ b/src/root.mk
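Review bot: `PKI_SERVER_KEY_MODE=0444` and `PKI_USER_KEY_MODE=0444` leave the end-entity private keys world-readable, while the CA keys a few lines above are 0400 and sit under a 0700 `private/` directory; the Makefile creates the per-server and per-user directories with a bare `mkdir`, so nothing else restricts them. These should be `PKI_SERVER_KEY_MODE=0400` and `PKI_USER_KEY_MODE=0400`, and a comment above the file-mode block should say that the `*_KEY_MODE` values are the only protection the key files get. `PKI_SERVER_KEY`, `PKI_SERVER_CSR`, `PKI_SERVER_CERT` and their user counterparts expand with a doubled slash because `PKI_SERVER_CA_PATH` and `PKI_USER_CA_PATH` already end in `/`, and nothing in this commit appears to reference them or `PKI_SERVER_INTERMEDIATE_CHAIN`.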
@@ -0,0 +1,131 @@
+define PKI_CA_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+
+# The root key and root certificate.
+private_key = $$dir/private/${PKI_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_CA_NAME}.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef
diff --git a/src/serial b/src/serial
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/src/serial
@@ -0,0 +1 @@
+1000
diff --git a/src/server.mk b/src/server.mk
new file mode 100644
index 0000000..8ac927d
--- /dev/null
+++ b/src/server.mk
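Review bot: `[ CA_default ]` points `crlnumber` at `$$dir/crlnumber` and `crl` at `$$dir/crl/ca.crl.pem`, but the Makefile copies src/serial only into `$(PKI_INTERMEDIATE_CA_PATH)/crlnumber`, never into `$(PKI_CA_PATH)/crlnumber`, so issuing a root CRL (the only way to revoke the intermediate) would fail until that path is added as a target of the `cp src/serial $@` rule. The `[ req ]`, `[ policy_loose ]`, `[ usr_cert ]`, `[ server_cert ]` and `[ ocsp ]` sections are repeated verbatim across all four templates with only the `[ CA_default ]` head differing; keeping the shared tail in one `define` that each template appends would make the file-specific lines stand out. A header comment on the `define` should also note that `policy_strict` requires C, ST and O of the intermediate to match the root, which `PKI_COMMON_FIELDS` in src/pki.mk guarantees today.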
@@ -0,0 +1,144 @@
+define PKI_SERVER_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_INTERMEDIATE_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+
+# The intermediate key and certificate.
+private_key = $$dir/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/${PKI_INTERMEDIATE_CA_NAME}.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${PKI_SERVER_ALTERNATIVE_NAMES}
+IP.1 = ${PKI_SERVER_ALTERNATIVE_IPS}
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef
diff --git a/src/user.mk b/src/user.mk
new file mode 100644
index 0000000..d8f506e
--- /dev/null
+++ b/src/user.mk
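Review bot: `[alt_names]` is a single global list, `DNS.1 = ${PKI_SERVER_ALTERNATIVE_NAMES}` and `IP.1 = ${PKI_SERVER_ALTERNATIVE_IPS}`, and the per-server CN the Makefile passes via `-subj` is never added to it, so every server certificate carries the same SAN and none carries its own hostname; clients that match on SAN only will reject each server for its own name. The SAN has to be supplied per target, and since this template is expanded once when `$(PKI_SERVER_CONFIG)` is written it cannot come from `$@` here; dropping `subjectAltName` from `v3_req` and passing it on the Makefile's `openssl req` line with `-addext` (OpenSSL 1.1.1+) is one way. TODO.md already lists this, so until it is done a comment above `[alt_names]` should state that the names are shared by every server, e.g. `# alt_names is global: every server CSR requests these same names`. The `subjectAltName = @alt_names` line in `[ server_cert ]` looks unused, as the Makefile signs with the intermediate config's `server_cert` section rather than this one.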
@@ -0,0 +1,139 @@
+define PKI_USER_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_INTERMEDIATE_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+
+# The intermediate key and certificate.
+private_key = $$dir/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/${PKI_INTERMEDIATE_CA_NAME}.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef
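Review bot: `req_extensions = v3_req` together with `subjectAltName = @alt_names` references an `[alt_names]` section this template never defines (src/server.mk has one, this file does not), so `openssl req -config` with this config is expected to fail when loading `v3_req`; the build only works because the Makefile currently templates `$(PKI_USER_CONFIG)` from `${PKI_SERVER_CONFIG_CONTENT}`, which leaves this `define` unused. Either drop `subjectAltName = @alt_names` (and `req_extensions = v3_req` if nothing else belongs there) or add an `[alt_names]` section carrying the user's identity, e.g. `email.1 = <user-email-placeholder>`. As far as the Makefile in this commit shows, this file is only ever used for `openssl req` and signing uses the intermediate config, so the `[ CA_default ]`, `[ usr_cert ]`, `[ server_cert ]` and `[ ocsp ]` sections here are dead weight and a header comment on the `define` should say which sections are actually consumed.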