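# skz-pki - PKI management with OpenSSL
# Samuel 'sk4nz' AUBERTIN - 2019

# Every recipe below uses bash's `echo -e` / `echo -en` and ANSI escapes, so pin
# the shell: with /bin/sh -> dash the banners would print a literal "-e".
# (An included src/*.mk may still override this.)
SHELL := /bin/bash

# Targets that never correspond to a file. `dependencies` is a check, not an
# artefact: without listing it here a stray file named `dependencies` would
# silently skip the openssl check.
.PHONY: all clean banner epilogue revoke dependencies

# Delete a half-written key/CSR/cert when its recipe fails, so a truncated
# file is never mistaken for an up-to-date artefact on the next run.
.DELETE_ON_ERROR:

# Run make, then add more USERS or SERVERS and re-make.
SERVERS =
USERS =

# Variables (PKI_* paths, modes, key sizes, config templates, $(output)) are
# defined in the included fragments below.
include src/pki.mk
include src/root.mk
include src/intermediate.mk
include src/server.mk
include src/user.mk
include src/magic.mk
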
# Default goal: banner, openssl check, then every server and user certificate
# (on a first run these pull in the root and intermediate CA), then the
# epilogue. Note that `banner`/`dependencies` are only ordered before the
# certificates by their position in the list; under `make -j` they may run
# concurrently with the certificate rules.
all: banner dependencies \
     $(patsubst %,%.cert.pem,$(SERVERS_LIST)) \
     $(patsubst %,%.cert.pem,$(USERS_LIST)) \
     epilogue

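# Abort early with a readable message when openssl is not on PATH.
# `command -v` is POSIX and reliable; `which` is not guaranteed to exist or to
# return a non-zero status. The message goes to stderr, not the progress output.
dependencies:
	@command -v openssl > /dev/null 2>&1 || { echo "You need OpenSSL" >&2; exit 1; }
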
# Two-line bold banner followed by an empty line (bash printf interprets the
# \033 escapes in the format string, exactly as `echo -e` did).
banner:
	@printf '\033[1m%s\n%s\033[0m\n\n' \
	"skz-pki - PKI management with OpenSSL" \
	"Samuel 'sk4nz' Aubertin - 2019"

# Italic "done" marker printed once everything in `all` has been built.
epilogue:
	@printf '\033[3m%s\033[0m\n' "[+] DONE [+]"

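### CA ###

# Root CA directory layout (certs/, crl/, newcerts/, private/).
# `mkdir -p` makes the rule idempotent and parent-safe under `make -j`, and
# private/ is created with its final mode instead of being world-readable
# between `mkdir` and the `chmod` (the chmod is kept for a pre-existing dir).
$(PKI_CERTS_CA_ROOT_DIR):
	@echo -e "\033[3m[+] $@ [+]\033[0m"
	@echo -en "\tCreating CA dirs : "; mkdir -p $@ $@/certs $@/crl $@/newcerts \
	&& mkdir -p -m ${PKI_PRIVATE_DIR_MODE} $@/private && $(output)
	@chmod ${PKI_PRIVATE_DIR_MODE} $@/private
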
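# Empty `openssl ca` databases for the root and the intermediate CA.
# Both are ordered after the root tree; the intermediate one is additionally
# ordered after the intermediate tree so the file's parent directory exists
# even when make builds prerequisites in parallel. `touch` does not clobber an
# existing database.
$(PKI_CA_PATH)/index.txt $(PKI_INTERMEDIATE_CA_PATH)/index.txt: | \
    $(PKI_CERTS_CA_ROOT_DIR)
	@echo -en "\tCreating $@ : "; touch $@ && $(output)

$(PKI_INTERMEDIATE_CA_PATH)/index.txt: | $(PKI_INTERMEDIATE_CA_ROOT_DIR)
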
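# Serial counters for both CAs and the CRL number for the intermediate, all
# seeded from src/serial. The intermediate files are also ordered after the
# intermediate tree so their directory exists under `make -j`.
$(PKI_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/serial \
    $(PKI_INTERMEDIATE_CA_PATH)/crlnumber: | $(PKI_CERTS_CA_ROOT_DIR)
	@echo -en "\tCreating $@ : "; cp src/serial $@ && $(output)

$(PKI_INTERMEDIATE_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/crlnumber: | \
    $(PKI_INTERMEDIATE_CA_ROOT_DIR)
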
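# Render the root CA openssl config from $(PKI_CA_CONFIG_CONTENT).
# The template is passed to the shell through the environment (target-specific
# `export`) so quotes, `$` and newlines in it survive untouched; it is written
# with `printf '%s\n'`, which emits the value verbatim where `echo` may
# misinterpret a leading "-n"/"-e" or backslash sequences.
$(PKI_CA_CONFIG): export PKI_CA_CONFIG_CONTENT:=${PKI_CA_CONFIG_CONTENT}
$(PKI_CA_CONFIG):
	@echo -en "\tTemplating $@ : "; printf '%s\n' "$${PKI_CA_CONFIG_CONTENT}" > $@ \
	&& $(output)
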
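# Render the intermediate CA openssl config from
# $(PKI_INTERMEDIATE_CA_CONFIG_CONTENT); same mechanism as the root config:
# exported into the environment, written verbatim with `printf '%s\n'`.
$(PKI_INTERMEDIATE_CONFIG): export PKI_INTERMEDIATE_CA_CONFIG_CONTENT:=\
${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}
$(PKI_INTERMEDIATE_CONFIG):
	@echo -en "\tTemplating $@ : "; printf '%s\n' \
	"$${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}" > $@ && $(output)
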
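# Root CA private key (RSA, $(PKI_CA_KEY_STRENGTH) bits).
# The key is generated under `umask 077` so the file is never world-readable,
# not even for the instant before the chmod below applies $(PKI_CA_KEY_MODE).
# openssl's stderr is silenced for tidy output; its exit status still fails
# the recipe (and .DELETE_ON_ERROR, if set, removes a partial file).
# NOTE(review): `genrsa` is called without a cipher option, so the root key
# sits unencrypted on disk; keep this tree offline / tightly access-controlled.
$(PKI_CA_KEY): | $(PKI_CERTS_CA_ROOT_DIR)
	@echo -en "\tGenerating $@ : "; ( umask 077 && openssl genrsa -out $@ \
	${PKI_CA_KEY_STRENGTH} 2> /dev/null ) && $(output)
	@chmod ${PKI_CA_KEY_MODE} $@
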
# Self-signed root certificate. Rebuilt when the root key changes; the config,
# index and serial are order-only so editing them does not re-issue the root.
# `$<` is the first (and only) normal prerequisite, i.e. $(PKI_CA_KEY).
$(PKI_CA_CERT): $(PKI_CA_KEY) | \
    $(PKI_CA_CONFIG) $(PKI_CA_PATH)/index.txt $(PKI_CA_PATH)/serial
	@echo -en "\tSelf-signing $@ : "; openssl req -new -x509 \
	-config ${PKI_CA_CONFIG} -extensions v3_ca -key $< \
	-subj "${PKI_CA_FIELDS}" -${PKI_HASH_TYPE} -days ${PKI_CA_DAYS} \
	-out $@ 2> /dev/null && $(output)
	@chmod ${PKI_CA_CERT_MODE} $@

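### INTERMEDIATE CA ###

# Intermediate CA directory layout (certs/, crl/, csr/, newcerts/, private/).
# `mkdir -p` is idempotent and creates any missing parent, and private/ gets
# its final mode at creation time rather than after a world-readable window
# (the chmod is kept for the case where the directory already existed).
$(PKI_INTERMEDIATE_CA_ROOT_DIR):
	@echo -e "\033[3m[+] $@ [+]\033[0m"
	@echo -en "\tCreating Intermediate CA dirs : "; mkdir -p $@ $@/certs $@/crl \
	$@/csr $@/newcerts && mkdir -p -m ${PKI_PRIVATE_DIR_MODE} $@/private \
	&& $(output)
	@chmod ${PKI_PRIVATE_DIR_MODE} $@/private
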
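# Intermediate CA private key (RSA, $(PKI_INTERMEDIATE_KEY_STRENGTH) bits),
# generated under `umask 077` so it is never world-readable before the chmod
# applies $(PKI_INTERMEDIATE_KEY_MODE). Stored unencrypted, like the root key.
$(PKI_INTERMEDIATE_KEY): | $(PKI_INTERMEDIATE_CA_ROOT_DIR)
	@echo -en "\tGenerating $@ : "; ( umask 077 && openssl genrsa -out $@ \
	${PKI_INTERMEDIATE_KEY_STRENGTH} 2> /dev/null ) && $(output)
	@chmod ${PKI_INTERMEDIATE_KEY_MODE} $@
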
# Certificate request for the intermediate CA, re-emitted whenever its key
# changes (`$<` is $(PKI_INTERMEDIATE_KEY)); config and CA database files are
# order-only. The CSR is public, which is why it gets the certificate mode.
$(PKI_INTERMEDIATE_CSR): $(PKI_INTERMEDIATE_KEY) | $(PKI_INTERMEDIATE_CONFIG) \
    $(PKI_INTERMEDIATE_CA_PATH)/index.txt \
    $(PKI_INTERMEDIATE_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/crlnumber
	@printf '\tEmitting intermediate CSR %s : ' "$@"; openssl req -new \
	-config ${PKI_INTERMEDIATE_CONFIG} -key $< \
	-subj "${PKI_INTERMEDIATE_FIELDS}" -${PKI_HASH_TYPE} -out $@ && $(output)
	@chmod ${PKI_INTERMEDIATE_CERT_MODE} $@

# Intermediate certificate, signed by the root CA with the v3_intermediate_ca
# extensions from the root config. Both the root cert and the intermediate CSR
# are normal prerequisites, so re-keying either CA re-issues this cert. The
# result is checked against the root (`$<` is $(PKI_CA_CERT)) before use.
$(PKI_INTERMEDIATE_CERT): $(PKI_CA_CERT) $(PKI_INTERMEDIATE_CSR)
	@printf '\tSigning intermediate %s : ' "$@"; openssl ca -batch \
	-config ${PKI_CA_CONFIG} -extensions v3_intermediate_ca \
	-md ${PKI_HASH_TYPE} -days ${PKI_INTERMEDIATE_CERT_DAYS} -notext \
	-in ${PKI_INTERMEDIATE_CSR} -out $@ 2> /dev/null && $(output)
	@chmod ${PKI_INTERMEDIATE_CERT_MODE} $@
	@printf '\tVerifying %s : ' "$@"; openssl verify -CAfile $< $@ \
	> /dev/null && $(output)

# Chain file = intermediate cert followed by the root cert, in that order
# (`$^` preserves prerequisite order). Rebuilt when either certificate changes.
$(PKI_INTERMEDIATE_CHAIN): $(PKI_INTERMEDIATE_CERT) $(PKI_CA_CERT)
	@printf '\tCreating %s : ' "$@"; cat $^ > $@ && $(output)
	@chmod ${PKI_INTERMEDIATE_CHAIN_MODE} $@

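### SERVERS ###

# Output directories: the machine and user roots plus one directory per entry
# in SERVERS / USERS. `mkdir -p` creates missing parents, so a per-server
# directory no longer depends on its root having been created first (which
# was an ordering race under `make -j`), and re-running is harmless.
$(PKI_CERTS_MACHINE_ROOT_DIR) $(addprefix ${PKI_SERVER_CA_PATH},${SERVERS}) \
$(PKI_CERTS_USER_ROOT_DIR) $(addprefix ${PKI_USER_CA_PATH},${USERS}):
	@echo -en "\tCreating dirs $@ : "; mkdir -p $@ && $(output)
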
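# Render the openssl req config used for server CSRs from
# $(PKI_SERVER_CONFIG_CONTENT): exported into the environment so its content
# is not re-parsed by the shell, and written verbatim with `printf '%s\n'`
# (safe against a leading "-n"/"-e" or backslashes, unlike `echo`).
$(PKI_SERVER_CONFIG): export PKI_SERVER_CONFIG_CONTENT:=\
${PKI_SERVER_CONFIG_CONTENT}
$(PKI_SERVER_CONFIG): | $(PKI_CERTS_MACHINE_ROOT_DIR)
	@echo -en "\tTemplating $@ : "; printf '%s\n' "$${PKI_SERVER_CONFIG_CONTENT}" \
	> $@ && $(output)
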
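# One RSA private key per server ($(PKI_SERVER_KEY_STRENGTH) bits), generated
# under `umask 077` so the key file is never world-readable before the chmod
# applies $(PKI_SERVER_KEY_MODE). Order-only on the req config and the
# per-server directories; an existing key is never regenerated.
$(addsuffix .key.pem, $(SERVERS_LIST)): | $(PKI_SERVER_CONFIG) \
    $(addprefix ${PKI_SERVER_CA_PATH},${SERVERS})
	@echo -en "\tGenerating $@ : "; ( umask 077 && openssl genrsa -out $@ \
	${PKI_SERVER_KEY_STRENGTH} 2> /dev/null ) && $(output)
	@chmod ${PKI_SERVER_KEY_MODE} $@
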
# One CSR per server. The CN is the target's basename without ".csr.pem"
# (i.e. the SERVERS entry) appended to $(PKI_COMMON_FIELDS); the matching key
# is derived from the target name. Keys are order-only, so a regenerated key
# does not by itself trigger a new CSR.
# NOTE(review): nothing here sets a subjectAltName; modern TLS clients ignore
# the CN, so confirm the `server_cert` section of the intermediate config
# supplies a SAN for these names.
$(addsuffix .csr.pem, $(SERVERS_LIST)): | $(addsuffix .key.pem, $(SERVERS_LIST))
	@printf '\tEmitting CSR %s : ' "$@"; openssl req -new \
	-config ${PKI_SERVER_CONFIG} \
	-key $(patsubst %.csr.pem,%.key.pem,$@) \
	-subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(patsubst %.csr.pem,%,$@))" \
	-${PKI_HASH_TYPE} -out $@ && $(output)

# Sign each server CSR with the intermediate CA (`server_cert` extensions from
# the intermediate config), then verify the result against the chain file.
# Every prerequisite is order-only: a regenerated CSR or a re-issued
# intermediate does NOT re-sign an existing certificate — delete the
# .cert.pem to re-issue it.
# NOTE(review): `-CAfile` pointing at the chain makes the intermediate a trust
# anchor for this check; `-CAfile <root> -untrusted <intermediate>` would
# exercise the real path-building a client performs.
$(addsuffix .cert.pem, $(SERVERS_LIST)): | \
    $(addsuffix .csr.pem, $(SERVERS_LIST)) $(PKI_INTERMEDIATE_CERT) \
    $(PKI_INTERMEDIATE_CHAIN)
	@printf '\tSigning %s : ' "$@"; openssl ca -batch \
	-config ${PKI_INTERMEDIATE_CONFIG} -extensions server_cert \
	-md ${PKI_HASH_TYPE} -days ${PKI_SERVER_CERT_DAYS} -notext \
	-in $(patsubst %.cert.pem,%.csr.pem,$@) -out $@ 2> /dev/null && $(output)
	@chmod ${PKI_SERVER_CERT_MODE} $@
	@printf '\tVerifying %s : ' "$@"; openssl verify \
	-CAfile ${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)

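### USERS ###

# Render the openssl req config used for user CSRs. Same mechanism as the
# server config: exported into the environment, written verbatim with
# `printf '%s\n'` rather than `echo`.
# NOTE(review): the user config is templated from PKI_SERVER_CONFIG_CONTENT,
# not a PKI_USER_CONFIG_CONTENT. This only affects CSR generation (the
# `usr_cert` extensions come from the intermediate config at signing time),
# but confirm it is intentional and not a copy/paste slip.
$(PKI_USER_CONFIG): export PKI_USER_CONFIG_CONTENT:=\
${PKI_SERVER_CONFIG_CONTENT}
$(PKI_USER_CONFIG): | $(PKI_CERTS_USER_ROOT_DIR)
	@echo -en "\tTemplating $@ : "; printf '%s\n' "$${PKI_USER_CONFIG_CONTENT}" \
	> $@ && $(output)
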
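# One RSA private key per user ($(PKI_USER_KEY_STRENGTH) bits), generated
# under `umask 077` so it is never world-readable before the chmod applies
# $(PKI_USER_KEY_MODE). Order-only on the req config and per-user directories.
$(addsuffix .key.pem, $(USERS_LIST)): | $(PKI_USER_CONFIG) \
    $(addprefix ${PKI_USER_CA_PATH},${USERS})
	@echo -en "\tGenerating $@ : "; ( umask 077 && openssl genrsa -out $@ \
	${PKI_USER_KEY_STRENGTH} 2> /dev/null ) && $(output)
	@chmod ${PKI_USER_KEY_MODE} $@
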
# One CSR per user; CN is the USERS entry (target basename minus ".csr.pem")
# appended to $(PKI_COMMON_FIELDS), key derived from the target name. Keys are
# order-only, so a new key alone does not re-emit the CSR.
$(addsuffix .csr.pem, $(USERS_LIST)): | $(addsuffix .key.pem, $(USERS_LIST))
	@printf '\tEmitting CSR %s : ' "$@"; openssl req -new \
	-config ${PKI_USER_CONFIG} \
	-key $(patsubst %.csr.pem,%.key.pem,$@) \
	-subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(patsubst %.csr.pem,%,$@))" \
	-${PKI_HASH_TYPE} -out $@ && $(output)

# Sign each user CSR with the intermediate CA (`usr_cert` extensions), then
# verify against the chain file. All prerequisites are order-only, so an
# existing certificate is never re-signed automatically — remove the
# .cert.pem to re-issue.
$(addsuffix .cert.pem, $(USERS_LIST)): | $(addsuffix .csr.pem, $(USERS_LIST)) \
    $(PKI_INTERMEDIATE_CERT) $(PKI_INTERMEDIATE_CHAIN)
	@printf '\tSigning %s : ' "$@"; openssl ca -batch \
	-config ${PKI_INTERMEDIATE_CONFIG} -extensions usr_cert \
	-md ${PKI_HASH_TYPE} -days ${PKI_USER_CERT_DAYS} -notext \
	-in $(patsubst %.cert.pem,%.csr.pem,$@) -out $@ 2> /dev/null && $(output)
	@chmod ${PKI_USER_CERT_MODE} $@
	@printf '\tVerifying %s : ' "$@"; openssl verify \
	-CAfile ${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)

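# Revoke one certificate issued by the intermediate CA:
#     make revoke TO_REVOKE=<pattern>
# TO_REVOKE is matched as a regex (as the previous grep did) but only against
# the subject-DN column of the intermediate's index.txt and only for entries
# that are still valid ("V"); exactly one match is required. An unset pattern,
# no match, or an ambiguous match aborts instead of handing `openssl ca` an
# empty or multi-valued path. index.txt is tab-separated:
#     status, expiry, revocation date, serial, filename, subject DN
# so the serial is field 4 (with the default FS the empty revocation column
# collapsed and it used to be field 3). The confirmation `read` must succeed,
# so a non-interactive run stops here rather than revoking silently.
# NOTE(review): revocation only updates index.txt. No target regenerates the
# CRL (`openssl ca -gencrl`, which is what the crlnumber file is for), so
# relying parties will not see the revocation until that is done.
revoke:
	@test -n "$(strip $(TO_REVOKE))" || \
	{ echo "Usage: make revoke TO_REVOKE=<pattern>" >&2; exit 1; }
	@SERIAL=$$(awk -F'\t' -v pat='${TO_REVOKE}' \
	'$$1 == "V" && $$6 ~ pat { print $$4 }' \
	${PKI_INTERMEDIATE_CA_NAME}/index.txt) && set -- $$SERIAL && \
	case $$# in \
	1) ;; \
	0) echo "No valid certificate matches '${TO_REVOKE}'" >&2; exit 1 ;; \
	*) echo "'${TO_REVOKE}' is ambiguous, matches serials: $$*" >&2; exit 1 ;; \
	esac && \
	echo -en "Press [ENTER] to revoke ${TO_REVOKE} :" && read && \
	openssl ca -config ${PKI_INTERMEDIATE_CONFIG} \
	-revoke ${PKI_INTERMEDIATE_CA_NAME}/newcerts/$$1.pem
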
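# Delete every directory the PKI was generated into, after confirmation.
# The confirmation `read` must succeed (a non-interactive run aborts instead
# of deleting), and each path is normalised and checked before `rm -rf` so an
# unset or bogus variable can never expand to "/", "." or "..".
clean:
	@echo -e "\033[31mWARNING - ALL THE PKI WILL BE DELETED - WARNING\033[0m"
	@echo -en "Press [ENTER] to delete the PKI : "; read || \
	{ echo "Aborted" >&2; exit 1; }
	@for d in ${PKI_CERTS_CA_ROOT_DIR} ${PKI_INTERMEDIATE_CA_ROOT_DIR} \
	${PKI_CERTS_MACHINE_ROOT_DIR} ${PKI_CERTS_USER_ROOT_DIR}; do \
	d="$${d%/}"; \
	case "$$d" in \
	""|.|..|*/.|*/..) echo "Refusing to delete '$$d'" >&2; exit 1 ;; \
	esac; \
	rm -rf -- "$$d"; \
	done
	@echo -e "PKI deleted"
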