This commit is contained in:
Samuel Aubertin 2023-12-23 14:10:48 +01:00
commit 0bb0583e54
11 changed files with 895 additions and 0 deletions

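--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,13 @@
+Copyright (c) 2023 Samuel 'sk4nz' AUBERTIN sk4nz@sk4.nz
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.""'')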

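--- /dev/null
+++ b/Makefile
@@ -0,0 +1,174 @@
+# skz-pki - PKI management with OpenSSL
+# Samuel 'sk4nz' AUBERTIN - 2019
+.PHONY: all clean banner epilogue revoke
+# Run make, then add more USERS or SERVERS and re-make.
+SERVERS =
+USERS =
+include src/pki.mk
+include src/root.mk
+include src/intermediate.mk
+include src/server.mk
+include src/user.mk
+include src/magic.mk
+all: banner dependencies $(addsuffix .cert.pem, $(SERVERS_LIST)) \
+$(addsuffix .cert.pem, $(USERS_LIST)) epilogue
+dependencies:
+@which openssl > /dev/null || (echo -e "You need OpenSSL" && exit 1)
+banner:
+@echo -e "\033[1mskz-pki - PKI management with OpenSSL"
+@echo -e "Samuel 'sk4nz' Aubertin - 2019\033[0m\n"
+epilogue:
+@echo -e "\033[3m[+] DONE [+]\033[0m"
+### CA ###
+$(PKI_CERTS_CA_ROOT_DIR):
+@echo -e "\033[3m[+] $@ [+]\033[0m"
+@echo -en "\tCreating CA dirs : "; mkdir $@ $@/certs \
+$@/crl $@/newcerts $@/private && $(output)
+@chmod ${PKI_PRIVATE_DIR_MODE} $@/private
+$(PKI_CA_PATH)/index.txt $(PKI_INTERMEDIATE_CA_PATH)/index.txt: | \
+$(PKI_CERTS_CA_ROOT_DIR)
+@echo -en "\tCreating $@ : "; touch $@ && $(output)
+$(PKI_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/serial \
+$(PKI_INTERMEDIATE_CA_PATH)/crlnumber: | $(PKI_CERTS_CA_ROOT_DIR)
+@echo -en "\tCreating $@ : "; cp src/serial $@ && $(output)
+$(PKI_CA_CONFIG): export PKI_CA_CONFIG_CONTENT:=${PKI_CA_CONFIG_CONTENT}
+$(PKI_CA_CONFIG):
+@echo -en "\tTemplating $@ : "; echo "$${PKI_CA_CONFIG_CONTENT}" > $@ && \
+$(output)
+$(PKI_INTERMEDIATE_CONFIG): export PKI_INTERMEDIATE_CA_CONFIG_CONTENT:=\
+${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}
+$(PKI_INTERMEDIATE_CONFIG):
+@echo -en "\tTemplating $@ : "; echo \
+"$${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}" > $@ && $(output)
+$(PKI_CA_KEY): | $(PKI_CERTS_CA_ROOT_DIR)
+@echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+${PKI_CA_KEY_STRENGTH} 2> /dev/null && $(output)
+@chmod ${PKI_CA_KEY_MODE} $@
+$(PKI_CA_CERT): $(PKI_CA_KEY) | \
+$(PKI_CA_CONFIG) $(PKI_CA_PATH)/index.txt $(PKI_CA_PATH)/serial
+@echo -en "\tSelf-signing $@ : ";openssl req -config ${PKI_CA_CONFIG} \
+-subj "${PKI_CA_FIELDS}" -key ${PKI_CA_KEY} -new -x509 \
+-days ${PKI_CA_DAYS} -${PKI_HASH_TYPE} -extensions v3_ca -out $@ \
+2> /dev/null && $(output)
+@chmod ${PKI_CA_CERT_MODE} $@
+### INTERMEDIATE CA ###
+$(PKI_INTERMEDIATE_CA_ROOT_DIR):
+@echo -e "\033[3m[+] $@ [+]\033[0m"
+@echo -en "\tCreating Intermediate CA dirs : "; mkdir $@ $@/certs $@/crl \
+$@/csr $@/newcerts $@/private && $(output)
+@chmod ${PKI_PRIVATE_DIR_MODE} $@/private
+$(PKI_INTERMEDIATE_KEY): | $(PKI_INTERMEDIATE_CA_ROOT_DIR)
+@echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+${PKI_INTERMEDIATE_KEY_STRENGTH} 2> /dev/null && $(output)
+@chmod ${PKI_INTERMEDIATE_KEY_MODE} $@
+$(PKI_INTERMEDIATE_CSR): $(PKI_INTERMEDIATE_KEY) | $(PKI_INTERMEDIATE_CONFIG) \
+$(PKI_INTERMEDIATE_CA_PATH)/index.txt \
+$(PKI_INTERMEDIATE_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/crlnumber
+@echo -en "\tEmitting intermediate CSR $@ : "; openssl req \
+-config ${PKI_INTERMEDIATE_CONFIG} -new -${PKI_HASH_TYPE} \
+-subj "${PKI_INTERMEDIATE_FIELDS}" -key ${PKI_INTERMEDIATE_KEY} -out \
+$@ && $(output)
+@chmod ${PKI_INTERMEDIATE_CERT_MODE} $@
+$(PKI_INTERMEDIATE_CERT): $(PKI_CA_CERT) $(PKI_INTERMEDIATE_CSR)
+@echo -en "\tSigning intermediate $@ : "; openssl ca -batch -config \
+${PKI_CA_CONFIG} -extensions v3_intermediate_ca -days \
+${PKI_INTERMEDIATE_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
+-in ${PKI_INTERMEDIATE_CSR} -out $@ 2> /dev/null && $(output)
+@chmod ${PKI_INTERMEDIATE_CERT_MODE} $@
+@echo -en "\tVerifying $@ : "; openssl verify -CAfile ${PKI_CA_CERT} $@ \
+> /dev/null && $(output)
+$(PKI_INTERMEDIATE_CHAIN): $(PKI_INTERMEDIATE_CERT) $(PKI_CA_CERT)
+@echo -en "\tCreating $@ : "; cat ${PKI_INTERMEDIATE_CERT} ${PKI_CA_CERT} \
+> $@ && $(output)
+@chmod ${PKI_INTERMEDIATE_CHAIN_MODE} $@
+### SERVERS ###
+$(PKI_CERTS_MACHINE_ROOT_DIR) $(addprefix ${PKI_SERVER_CA_PATH},${SERVERS}) \
+$(PKI_CERTS_USER_ROOT_DIR) $(addprefix ${PKI_USER_CA_PATH},${USERS}):
+@echo -en "\tCreating dirs $@ : "; mkdir $@ && $(output)
+$(PKI_SERVER_CONFIG): export PKI_SERVER_CONFIG_CONTENT:=\
+${PKI_SERVER_CONFIG_CONTENT}
+$(PKI_SERVER_CONFIG): | $(PKI_CERTS_MACHINE_ROOT_DIR)
+@echo -en "\tTemplating $@ : "; echo "$${PKI_SERVER_CONFIG_CONTENT}" > $@ \
+&& $(output)
+$(addsuffix .key.pem, $(SERVERS_LIST)): | $(PKI_SERVER_CONFIG) \
+$(addprefix ${PKI_SERVER_CA_PATH},${SERVERS})
+@echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+${PKI_SERVER_KEY_STRENGTH} 2> /dev/null && $(output)
+@chmod ${PKI_SERVER_KEY_MODE} $@
+$(addsuffix .csr.pem, $(SERVERS_LIST)): | $(addsuffix .key.pem, $(SERVERS_LIST))
+@echo -en "\tEmitting CSR $@ : "; openssl req -config ${PKI_SERVER_CONFIG} \
+-subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(@:.csr.pem=))" \
+-key ${@:.csr.pem=.key.pem} -new -${PKI_HASH_TYPE} -out $@ && $(output)
+$(addsuffix .cert.pem, $(SERVERS_LIST)): | \
+$(addsuffix .csr.pem, $(SERVERS_LIST)) $(PKI_INTERMEDIATE_CERT) \
+$(PKI_INTERMEDIATE_CHAIN)
+@echo -en "\tSigning $@ : "; openssl ca -batch -config \
+${PKI_INTERMEDIATE_CONFIG} -extensions server_cert -days \
+${PKI_SERVER_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
+-in $(@:.cert.pem=.csr.pem) -out $@ 2> /dev/null && $(output)
+@chmod ${PKI_SERVER_CERT_MODE} $@
+@echo -en "\tVerifying $@ : "; openssl verify -CAfile \
+${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)
+### USERS ###
+$(PKI_USER_CONFIG): export PKI_USER_CONFIG_CONTENT:=\
+${PKI_SERVER_CONFIG_CONTENT}
+$(PKI_USER_CONFIG): | $(PKI_CERTS_USER_ROOT_DIR)
+@echo -en "\tTemplating $@ : "; echo "$${PKI_USER_CONFIG_CONTENT}" > $@ && \
+$(output)
+$(addsuffix .key.pem, $(USERS_LIST)): | $(PKI_USER_CONFIG) \
+$(addprefix ${PKI_USER_CA_PATH},${USERS})
+@echo -en "\tGenerating $@ : "; openssl genrsa -out $@ \
+${PKI_USER_KEY_STRENGTH} 2> /dev/null && $(output)
+@chmod ${PKI_USER_KEY_MODE} $@
+$(addsuffix .csr.pem, $(USERS_LIST)): | $(addsuffix .key.pem, $(USERS_LIST))
+@echo -en "\tEmitting CSR $@ : "; openssl req -config ${PKI_USER_CONFIG} \
+-subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(@:.csr.pem=))" \
+-key ${@:.csr.pem=.key.pem} -new -${PKI_HASH_TYPE} -out $@ && $(output)
+$(addsuffix .cert.pem, $(USERS_LIST)): | $(addsuffix .csr.pem, $(USERS_LIST)) \
+$(PKI_INTERMEDIATE_CERT) $(PKI_INTERMEDIATE_CHAIN)
+@echo -en "\tSigning $@ : "; openssl ca -batch -config \
+${PKI_INTERMEDIATE_CONFIG} -extensions usr_cert \
+-days ${PKI_USER_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
+-in $(@:.cert.pem=.csr.pem) -out $@ 2> /dev/null && $(output)
+@chmod ${PKI_USER_CERT_MODE} $@
+@echo -en "\tVerifying $@ : "; openssl verify -CAfile \
+${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)
+revoke:
+@SERIAL=$$(cat ${PKI_INTERMEDIATE_CA_NAME}/index.txt | grep ${TO_REVOKE} | \
+awk '{print $$3}') && echo -en "Press [ENTER] to revoke ${TO_REVOKE} :"\
+&& read; openssl ca -config ${PKI_INTERMEDIATE_CONFIG} \
+-revoke ${PKI_INTERMEDIATE_CA_NAME}/newcerts/$$SERIAL.pem
+clean:
+@echo -e "\033[31mWARNING - ALL THE PKI WILL BE DELETED - WARNING\033[0m"
+@echo -en "Press [ENTER] to delete the PKI : "; read
+@rm -rf ${PKI_CERTS_CA_ROOT_DIR} ${PKI_INTERMEDIATE_CA_ROOT_DIR} \
+${PKI_CERTS_MACHINE_ROOT_DIR} ${PKI_CERTS_USER_ROOT_DIR}
+@echo -e "PKI deleted"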
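Review bot: In the `revoke` recipe the serial lookup, the confirmation prompt and the actual `openssl ca -revoke` are joined by `;` after `read`, so a missing or unknown `TO_REVOKE` (an empty `grep` pattern matches every row of `index.txt`) or an EOF on `read` in a non-interactive run still executes the revoke, with `newcerts/.pem` or the wrong serial. `grep ${TO_REVOKE}` is an unanchored substring match and `awk '{print $3}'` yields the serial only for `V` rows, so an already-revoked or re-issued name returns a date or several serials. Nothing regenerates the CRL afterwards, so the revocation is recorded in the database but never published at the `crl` path the intermediate config declares. The rewritten recipe below validates the variable, matches the CN exactly once in the tab-separated database, aborts unless every step succeeds, and emits the CRL.
```make
revoke:
	@test -n "$(TO_REVOKE)" || { echo "TO_REVOKE is not set"; exit 1; }
	@SERIAL=$$(awk -F'\t' -v cn="$(TO_REVOKE)" \
	    '$$1 == "V" && $$6 ~ ("/CN=" cn "$$") {print $$4}' \
	    ${PKI_INTERMEDIATE_CA_PATH}/index.txt) \
	&& test -n "$$SERIAL" && test "$$(echo "$$SERIAL" | wc -l)" -eq 1 \
	&& echo -en "Press [ENTER] to revoke ${TO_REVOKE} :" && read \
	&& openssl ca -config ${PKI_INTERMEDIATE_CONFIG} \
	    -revoke ${PKI_INTERMEDIATE_CA_PATH}/newcerts/$$SERIAL.pem \
	&& openssl ca -config ${PKI_INTERMEDIATE_CONFIG} -gencrl \
	    -out ${PKI_INTERMEDIATE_CA_PATH}/crl/${PKI_INTERMEDIATE_CA_NAME}.crl.pem
```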

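--- /dev/null
+++ b/README.md
@@ -0,0 +1,61 @@
+# skz-pki - PKI management with OpenSSL
+Samuel 'sk4nz' AUBERTIN - 2019
+Version 0.0.1
+## Features
+Fully idempotent PKI.
+Every configuration knob is located in ```src/pki.mk```
+## HOWTO
+### Create the PKI
+Edit ```USERS``` and ```SERVERS``` in the _Makefile_, then run ```make```, but
+you can also explicity declare ```USERS``` and ```SERVERS``` with the environment
+variables :
+```make USERS="kafka@sk4.nz orwell@sk4.nz" SERVERS="trebuchet.sk4.nz"```
+### Revocation
+Revocation works one certificate at a time using the ```TO_REVOKE``` environment
+variable.
+```make revoke TO_REVOKE=kafka@sk4.nz```
+### Invocation from another Makefile
+```
+PKI_PATH = skz-pki
+MY_SERVERS = trebuchet.sk4.nz
+MY_USERS = kafka@sk4.nz orwell@sk4.nz
+$(PKI_PATH):
+@cd $@ && $(MAKE) SERVERS="$(MY_SERVERS)" USERS="$(MY_USERS)"
+```
+### Delete PKI
+```make clean```
+## License
+```
+Copyright (c) 2019 Samuel 'sk4nz' AUBERTIN <samuel DOT aubertin@gmail DOT com>
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+```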

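--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,4 @@
+* Certs altenatives ie PKI_SERVER_ALTERNATIVE_NAMES & PKI_SERVER_ALTERNATIVE_IPS
+* Passord handling (prompt ? gpg ?)
+* OSCP server ?
+* More fancy outputs ?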

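--- /dev/null
+++ b/src/intermediate.mk
@@ -0,0 +1,132 @@
+define PKI_INTERMEDIATE_CA_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_INTERMEDIATE_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+# The intermediate key and certificate.
+private_key = $$dir/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/${PKI_INTERMEDIATE_CA_NAME}.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+copy_extensions = copy
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef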
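Review bot: `copy_extensions = copy` in `[ CA_default ]` carries no explanation and, as far as this page shows, is not needed: `[ server_cert ]` sets its own `subjectAltName` and the keys listed in the extension section win over the request, while `[ usr_cert ]` sets no SAN, so the only effect of `copy` is that whatever extensions a CSR asks for beyond the section's keys are carried into user certificates. The `ca` man page warns that this option should be used with caution and only with a policy that vets requests; here `policy_loose` is in force. Unless a per-user SAN taken from the CSR is intended, set `copy_extensions = none` (the default), or keep `copy` with a comment such as `# copy: carry subjectAltName from locally generated CSRs into the cert; review any CSR not produced by this Makefile before signing`.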

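--- /dev/null
+++ b/src/magic.mk
@@ -0,0 +1,7 @@
+# Some magic
+SERVERS_LIST = $(addprefix ${PKI_SERVER_CA_PATH},$(join $(addsuffix / ,\
+${SERVERS}),${SERVERS}))
+USERS_LIST = $(addprefix ${PKI_USER_CA_PATH},$(join $(addsuffix / ,\
+${USERS}),${USERS}))
+output = echo -e '\033[32mOK\033[0m' || (echo -e '\033[31mFail\033[0m'; exit 1)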
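Review bot: `output` (and every recipe that calls it) relies on `echo -e` with ANSI escapes, but the Makefile never sets `SHELL`, so recipes run under `/bin/sh`; where that is dash, `echo -e` prints a literal `-e` and the status suffix becomes noise, although the `|| (...; exit 1)` failure path still works. `printf` is portable and keeps the same semantics: `output = printf '\033[32mOK\033[0m\n' || (printf '\033[31mFail\033[0m\n'; exit 1)`. The `SERVERS_LIST`/`USERS_LIST` construction through `join`/`addsuffix` is correct but opaque; `$(foreach s,${SERVERS},${PKI_SERVER_CA_PATH}$(s)/$(s))` says the same thing directly, and either form deserves a comment such as `# name -> servers/name/name: each name gets its own directory, files are name.{key,csr,cert}.pem`.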

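--- /dev/null
+++ b/src/pki.mk
@@ -0,0 +1,89 @@
+# CA location
+PKI_CERTS_CA_ROOT_DIR=ca
+PKI_CERTS_MACHINE_ROOT_DIR=servers
+PKI_CERTS_USER_ROOT_DIR=users
+PKI_CA_NAME=skz
+PKI_INTERMEDIATE_CA_NAME=intermediate
+# Cert fields
+PKI_COUNTRY=FR
+PKI_LOCALITY=Montpellier
+PKI_ORGANIZATION=sk4.nz
+PKI_STATE=Occitanie
+# CA Common name
+PKI_CA_COMMON_NAME=sk4.nz\\ Certificate\\ Authority
+PKI_INTERMEDIATE_COMMON_NAME=sk4.nz\\ Intermediate\\ Certificate\\ Authority
+# Servers common name
+PKI_SERVER_COMMON_NAME=server.sk4.nz
+PKI_USER_COMMON_NAME=sk4nz@sk4.nz
+# Servers alternative names
+PKI_SERVER_ALTERNATIVE_NAMES=alt.sk4.nz
+PKI_SERVER_ALTERNATIVE_IPS=127.0.0.1
+# Cert lifespan
+PKI_SERVER_CERT_DAYS=365
+PKI_USER_CERT_DAYS=365
+PKI_INTERMEDIATE_CERT_DAYS=3650
+PKI_CA_DAYS=7300
+# Hashing method
+PKI_HASH_TYPE=sha256
+# File paths
+PKI_CA_PATH=${PKI_CERTS_CA_ROOT_DIR}
+PKI_INTERMEDIATE_CA_PATH=${PKI_INTERMEDIATE_CA_NAME}
+PKI_INTERMEDIATE_CA_ROOT_DIR=${PKI_INTERMEDIATE_CA_NAME}
+PKI_SERVER_CA_PATH=${PKI_CERTS_MACHINE_ROOT_DIR}/
+PKI_USER_CA_PATH=${PKI_CERTS_USER_ROOT_DIR}/
+PKI_COMMON_FIELDS=/C=${PKI_COUNTRY}/ST=${PKI_STATE}/L=${PKI_LOCALITY}/O=${PKI_ORGANIZATION}
+PKI_CA_FIELDS=${PKI_COMMON_FIELDS}/CN=${PKI_CA_COMMON_NAME}
+PKI_INTERMEDIATE_FIELDS=${PKI_COMMON_FIELDS}/CN=${PKI_INTERMEDIATE_COMMON_NAME}
+PKI_CA_CONFIG=${PKI_CA_PATH}/openssl.cnf
+PKI_INTERMEDIATE_CONFIG=${PKI_INTERMEDIATE_CA_PATH}/openssl.cnf
+PKI_SERVER_CONFIG=${PKI_CERTS_MACHINE_ROOT_DIR}/openssl.cnf
+PKI_USER_CONFIG=${PKI_CERTS_USER_ROOT_DIR}/openssl.cnf
+PKI_CA_KEY=${PKI_CA_PATH}/private/${PKI_CA_NAME}.key.pem
+PKI_CA_CERT=${PKI_CA_PATH}/certs/${PKI_CA_NAME}.cert.pem
+PKI_INTERMEDIATE_KEY=${PKI_INTERMEDIATE_CA_PATH}/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+PKI_INTERMEDIATE_CSR=${PKI_INTERMEDIATE_CA_PATH}/csr/${PKI_INTERMEDIATE_CA_NAME}.csr.pem
+PKI_INTERMEDIATE_CERT=${PKI_INTERMEDIATE_CA_PATH}/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+PKI_SERVER_KEY=${PKI_SERVER_CA_PATH}/${PKI_SERVER_COMMON_NAME}.key.pem
+PKI_SERVER_CSR=${PKI_SERVER_CA_PATH}/${PKI_SERVER_COMMON_NAME}.csr.pem
+PKI_SERVER_CERT=${PKI_SERVER_CA_PATH}/${PKI_SERVER_COMMON_NAME}.cert.pem
+PKI_USER_KEY=${PKI_USER_CA_PATH}/${PKI_USER_COMMON_NAME}.key.pem
+PKI_USER_CSR=${PKI_USER_CA_PATH}/${PKI_USER_COMMON_NAME}.csr.pem
+PKI_USER_CERT=${PKI_USER_CA_PATH}/${PKI_USER_COMMON_NAME}.cert.pem
+PKI_INTERMEDIATE_CHAIN=${PKI_INTERMEDIATE_CA_PATH}/certs/${PKI_CA_NAME}-chain.cert.pem
+PKI_SERVER_INTERMEDIATE_CHAIN=${PKI_SERVER_CA_PATH}/${PKI_CA_NAME}-chain.cert.pem
+# File modes
+PKI_PRIVATE_DIR_MODE=0700
+PKI_CA_KEY_MODE=0400
+PKI_CA_CERT_MODE=0444
+PKI_INTERMEDIATE_KEY_MODE=0400
+PKI_INTERMEDIATE_CERT_MODE=0444
+PKI_INTERMEDIATE_CHAIN_MODE=0444
+PKI_SERVER_KEY_MODE=0444
+PKI_SERVER_CERT_MODE=0444
+PKI_USER_KEY_MODE=0444
+PKI_USER_CERT_MODE=0444
+# Key strength
+PKI_CA_KEY_STRENGTH=4096
+PKI_INTERMEDIATE_KEY_STRENGTH=4096
+PKI_SERVER_KEY_STRENGTH=4096
+PKI_USER_KEY_STRENGTH=4096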
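Review bot: `PKI_SERVER_KEY_MODE=0444` and `PKI_USER_KEY_MODE=0444` make every server and user private key world-readable, whereas the CA keys get `0400`; the per-name directories holding them are also created by a bare `mkdir` in the Makefile (default umask) rather than with `PKI_PRIVATE_DIR_MODE`. Private keys should default to `PKI_SERVER_KEY_MODE=0400` and `PKI_USER_KEY_MODE=0400` (or `0600` if they must be replaceable in place). Separately, `PKI_SERVER_KEY`/`PKI_SERVER_CSR`/`PKI_SERVER_CERT` and the `PKI_USER_*` counterparts join `${PKI_SERVER_CA_PATH}` (which already ends in `/`) with another `/`, yielding `servers//…`, and nothing on this page references them, so they look like leftovers to remove or fix. A comment on `PKI_SERVER_ALTERNATIVE_NAMES`/`_IPS` stating that the values are applied to every server certificate, not per server, would prevent surprises.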

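--- /dev/null
+++ b/src/root.mk
@@ -0,0 +1,131 @@
+define PKI_CA_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+# The root key and root certificate.
+private_key = $$dir/private/${PKI_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_CA_NAME}.cert.pem
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef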
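Review bot: The root template carries `[ usr_cert ]`, `[ server_cert ]`, `[ ocsp ]` and `[ policy_loose ]` sections that the Makefile never uses with this config: the root only self-signs (`-extensions v3_ca`) and signs the intermediate (`-extensions v3_intermediate_ca`). Keeping end-entity extension sections in the root config means an ad-hoc `openssl ca -config ca/openssl.cnf -extensions server_cert` would issue a leaf directly from the root, sidestepping the two-tier design; trimming the root config to `CA_default`, `policy_strict`, `req`, `v3_ca`, `v3_intermediate_ca` and `crl_ext` makes the intended scope explicit and is cheaper to audit. `default_days = 375` and `default_bits = 2048` are overridden by the `-days` and `genrsa` arguments in the Makefile, so they deserve either removal or a comment saying so. A short header would also help readers, e.g. `# Root CA openssl.cnf template: ${PKI_*} is expanded by make when exported, $$dir survives as $dir for OpenSSL.`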

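--- /dev/null
+++ b/src/serial
@@ -0,0 +1 @@
+1000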

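--- /dev/null
+++ b/src/server.mk
@@ -0,0 +1,144 @@
+define PKI_SERVER_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_INTERMEDIATE_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+# The intermediate key and certificate.
+private_key = $$dir/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/${PKI_INTERMEDIATE_CA_NAME}.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+req_extensions = v3_req
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${PKI_SERVER_ALTERNATIVE_NAMES}
+IP.1 = ${PKI_SERVER_ALTERNATIVE_IPS}
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef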
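Review bot: `[alt_names]` is expanded once when make parses this define, so every server certificate requested through `servers/openssl.cnf` carries the same SAN (`DNS:alt.sk4.nz`, `IP:127.0.0.1` with the defaults in src/pki.mk) while the server's own CN, which the Makefile's CSR recipe sets per target, is not listed; clients that validate only the SAN will reject the certificate for the very host it was generated for. Fixing the CSR alone is not enough because `[ server_cert ]` also sets `subjectAltName = @alt_names`, and a section-level extension wins over the request during `openssl ca`. A config-only fix is to take the per-target name from the environment, `DNS.1 = $${ENV::PKI_SERVER_CN}` followed by `DNS.2 = ${PKI_SERVER_ALTERNATIVE_NAMES}`, with both the CSR and the signing recipe in the Makefile prefixed by `PKI_SERVER_CN=$(notdir $(@:.csr.pem=))` (resp. `.cert.pem`), since `openssl req` and `openssl ca` both load this file and an unset `ENV::` variable is an error. The `[ v3_req ]` and `[ server_cert ]` SAN entries should carry a comment stating which one ends up in the issued certificate.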

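--- /dev/null
+++ b/src/user.mk
@@ -0,0 +1,139 @@
+define PKI_USER_CONFIG_CONTENT =
+[ ca ]
+# `man ca`
+default_ca = CA_default
+[ CA_default ]
+# Directory and file locations.
+dir = ${PKI_INTERMEDIATE_CA_PATH}
+certs = $$dir/certs
+crl_dir = $$dir/crl
+new_certs_dir = $$dir/newcerts
+database = $$dir/index.txt
+serial = $$dir/serial
+RANDFILE = $$dir/private/.rand
+# The intermediate key and certificate.
+private_key = $$dir/private/${PKI_INTERMEDIATE_CA_NAME}.key.pem
+certificate = $$dir/certs/${PKI_INTERMEDIATE_CA_NAME}.cert.pem
+# For certificate revocation lists.
+crlnumber = $$dir/crlnumber
+crl = $$dir/crl/${PKI_INTERMEDIATE_CA_NAME}.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+req_extensions = v3_req
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+# Optionally, specify some defaults.
+countryName_default = GB
+stateOrProvinceName_default = England
+localityName_default =
+0.organizationName_default = Alice Ltd
+#organizationalUnitName_default =
+#emailAddress_default =
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+endef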
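Review bot: This template is never used: the `$(PKI_USER_CONFIG): export PKI_USER_CONFIG_CONTENT:=` line in the Makefile assigns `${PKI_SERVER_CONFIG_CONTENT}`, so user CSRs are built from the server template, and with `copy_extensions = copy` in the intermediate config every user certificate appears to inherit the server `alt_names` (`alt.sk4.nz`, `127.0.0.1`) as its SAN. Once the Makefile is corrected to `${PKI_USER_CONFIG_CONTENT}`, this file still fails as written, because `[ v3_req ]` references `@alt_names` while no `[alt_names]` section exists here, which `openssl req` should reject as a missing section when it loads `req_extensions = v3_req`. Either drop `req_extensions = v3_req` together with the `[ v3_req ]` block (users get their extensions from `[ usr_cert ]` at signing time anyway), or add an `[alt_names]` section with a per-user `email` entry; the first is simpler because `PKI_USER_COMMON_NAME` is a single global value, not per user. The `[ server_cert ]` and `[ ocsp ]` sections are dead weight in a client-only template and can go with them.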