dpneumo · December 22, 2024 16:32 · Mar 25, 2019 · Mar 25, 2019
diff --git a/blacklakeca.cnf b/blacklakeca.cnf
@@ -0,0 +1,85 @@
+#
+# OpenSSL configuration file.
+#
+HOME             = .
+dir              = $HOME/CA/intermediate
+
+####################################################################
+[ ca ]
+default_ca       = CA_default
+
+[ CA_default ]
+certificate      = $dir/certs/blacklakeca.cert.pem
+private_key      = $dir/private/blacklakeca.key.pem
+
+certs            = $dir/certs
+new_certs_dir    = $dir/newcerts
+database         = $dir/index.txt
+serial           = $dir/serial
+RANDFILE         = $dir/private/.rand
+
+crl_dir          = $dir/crl
+crlnumber        = $dir/crlnumber
+crl              = $crl_dir/blacklakeca.crl.pem
+crl_extensions   = crl_ext
+default_crl_days = 30
+
+default_md       = sha512
+
+nameopt          = ca_default
+certopt          = ca_default
+default_days     = 1095
+preserve         = no
+policy           = policy_loose
+email_in_dn      = yes
+unique_subject   = no
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits        = 4096
+default_md          = sha512
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+attributes          = req_attributes
+x509_extensions     = v3_intermediate_ca
+
+[ req_distinguished_name ]
+countryName             = Country Name (2 letter code)
+countryName_min         = 2
+countryName_max         = 2
+stateOrProvinceName     = State or Province Name (full name)
+localityName            = Locality Name (city, district)
+0.organizationName      = Organization Name (company)
+organizationalUnitName  = Organizational Unit Name (department, division)
+commonName              = Common Name (hostname, IP, or your name)
+commonName_max          = 64
+emailAddress            = Email Address
+emailAddress_max        = 64
+
+[ req_attributes ]
+
+[ v3_intermediate_ca ]
+basicConstraints        = critical, CA:TRUE, pathlen:0
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
+subjectAltName          = email:move
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
+
+[ ocsp ]
+basicConstraints        = CA:FALSE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+keyUsage                = critical, digitalSignature
+extendedKeyUsage        = critical, OCSPSigning
diff --git a/rootca.cnf b/rootca.cnf
@@ -0,0 +1,84 @@
+#
+# OpenSSL configuration file.
+#
+HOME             = .
+dir              = $HOME/CA
+
+####################################################################
+[ ca ]
+default_ca       = CA_default
+
+[ CA_default ]
+certificate      = $dir/certs/rootca.cert.pem
+private_key      = $dir/private/rootca.key.pem
+
+certs            = $dir/certs
+new_certs_dir    = $dir/newcerts
+database         = $dir/index.txt
+serial           = $dir/serial
+RANDFILE         = $dir/private/.rand
+
+crl_dir          = $dir/crl
+crlnumber        = $dir/crlnumber
+crl              = $crl_dir/rootca.crl.pem
+crl_extensions   = crl_ext
+default_crl_days = 30
+
+default_md       = sha512
+
+nameopt          = ca_default
+certopt          = ca_default
+default_days     = 3650
+preserve         = no
+policy           = policy_strict
+email_in_dn      = yes
+unique_subject   = no
+
+[ policy_strict ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits        = 4096
+default_md          = sha512
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+attributes          = req_attributes
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName             = Country Name (2 letter code)
+countryName_min         = 2
+countryName_max         = 2
+stateOrProvinceName     = State or Province Name (full name)
+localityName            = Locality Name (city, district)
+0.organizationName      = Organization Name (company)
+organizationalUnitName  = Organizational Unit Name (department, division)
+commonName              = Common Name (hostname, IP, or your name)
+commonName_max          = 64
+emailAddress            = Email Address
+emailAddress_max        = 64
+
+[ req_attributes ]
+
+[ v3_ca ]
+basicConstraints        = critical, CA:TRUE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
+subjectAltName          = email:move
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
+
+[ ocsp ]
+basicConstraints        = CA:FALSE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+keyUsage                = critical, digitalSignature
+extendedKeyUsage        = critical, OCSPSigning
diff --git a/server.cnf b/server.cnf
@@ -0,0 +1,93 @@
+#
+# OpenSSL configuration file.
+#
+HOME             = .
+dir              = $HOME/CA/intermediate
+
+####################################################################
+[ ca ]
+default_ca       = CA_default
+
+[ CA_default ]
+certificate      = $dir/certs/blacklakeca.cert.pem
+private_key      = $dir/private/blacklakeca.key.pem
+
+certs            = $dir/certs
+new_certs_dir    = $dir/newcerts
+database         = $dir/index.txt
+serial           = $dir/serial
+RANDFILE         = $dir/private/.rand
+
+crl_dir          = $dir/crl
+crlnumber        = $dir/crlnumber
+crl              = $crl_dir/blacklakeca.crl
+crl_extensions   = crl_ext
+default_crl_days = 30
+
+default_md       = sha512
+
+nameopt          = ca_default
+certopt          = ca_default
+default_days     = 365
+preserve         = no
+policy           = policy_loose
+email_in_dn      = no
+unique_subject   = no
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits        = 4096
+default_md          = sha512
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+attributes          = req_attributes
+x509_extensions     = server_cert
+
+[ req_distinguished_name ]
+countryName             = Country Name (2 letter code)
+countryName_min         = 2
+countryName_max         = 2
+stateOrProvinceName     = State or Province Name (full name)
+localityName            = Locality Name (city, district)
+0.organizationName      = Organization Name (company)
+organizationalUnitName  = Organizational Unit Name (department, division)
+commonName              = Common Name (hostname, IP, or your name)
+commonName_max          = 64
+emailAddress            = Email Address
+emailAddress_max        = 64
+
+[ req_attributes ]
+
+[ server_cert ]
+basicConstraints        = CA:FALSE
+nsCertType              = server
+nsComment               = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+keyUsage                = critical, digitalSignature, keyEncipherment
+extendedKeyUsage        = serverAuth
+subjectAltName          = @alt_names
+
+[alt_names]
+DNS.1 = stratus.attlocal.net
+DNS.2 = stratus
+IP.1  = ${ENV::SUBJ_IP}
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
+
+[ ocsp ]
+basicConstraints        = CA:FALSE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+keyUsage                = critical, digitalSignature
+extendedKeyUsage        = critical, OCSPSigning
diff --git a/README b/README
@@ -0,0 +1,14 @@
+Copy the 4 scripts to /home/<user>
+
+From /home/<user>:
+  ./setup_rootca.sh
+  ./setup_blacklakeca.sh
+
+  ipaddr=$(ip route get 8.8.8.8 | awk '{print $7}')
+  SUBJ_IP=$ipaddr ./stratus_server_cert.sh
+
+This will:
+    1. Setup the self signed root CA
+    2. Setup the blacklake intermediate CA
+    3. Create the stratus server cert
+
diff --git a/prep_ca.sh b/prep_ca.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Run:  ./prep_ca_dirs.sh
+# will run in user's home dir
+
+cd /home/$(whoami)
+printf "========= Prep CA dirs ==========\n"
+# Prepare root CA directories in dir CA
+mkdir -p CA && cd CA
+mkdir -p certs newcerts csr crl private
+chmod 700 private
+touch index.txt
+if [[ ! -e 'serial' ]]; then
+  echo '1000' > serial
+fi
+if [[ ! -e 'crlnumber' ]]; then
+  echo '1000' > crlnumber
+fi
+# Prepare intermediate CA directories in dir CA/intermediate
+mkdir -p intermediate && cd intermediate
+mkdir -p certs newcerts crl csr private
+chmod 700 private
+touch index.txt
+if [[ ! -e 'serial' ]]; then
+  echo '1000' > serial
+fi
+if [[ ! -e 'crlnumber' ]]; then
+  echo '1000' > crlnumber
+fi
+
+
+cd /home/$(whoami)
+printf "========= Place CA scripts ==========\n"
+SRC='/vagrant/client_files'
+cp $SRC/openssl/setup_rootca.sh               setup_rootca.sh
+cp $SRC/openssl/setup_blacklakeca.sh          setup_blacklakeca.sh
+cp $SRC/openssl/stratus_server_cert.sh        stratus_server_cert.sh
+chmod +x *.sh
diff --git a/setup_blacklakeca.sh b/setup_blacklakeca.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Run:  ./setup_blacklakeca.sh
+# will run in user's home dir
+
+cd /home/$(whoami)
+
+casubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=CertMan/CN=blacklakeca/[email protected]'
+
+SRC='/vagrant/client_files'
+CAint='CA/intermediate'
+
+# Install configuration file
+cp $SRC'/openssl/CA/blacklakeca.cnf' $CAint'/blacklakeca.cnf'
+chmod 644 $CAint'/blacklakeca.cnf'
+
+# Build the intermediate CA certificate
+printf "\n========= Build intermediate CA with blacklakeca.cnf ==========\n"
+# Generate intermediate CA csr
+# Also creates and saves private key. Unencrypted!
+printf "========= blacklakeca csr with blacklakeca.cnf ==========\n"
+openssl req -new -subj $casubj \
+            -nodes -sha512 \
+            -keyout $CAint'/private/blacklakeca.key.pem' \
+            -config $CAint'/blacklakeca.cnf' \
+            -out $CAint'/csr/blacklakeca.csr.pem'
+
+
+# Make intermediate CA private key read-only by current user
+chmod 400 $CAint'/private/blacklakeca.key.pem'
+
+# Generate the intermediate CA certificate - valid 3 yrs
+printf "======= Sign blacklakeca csr with rootca cert => blacklakeca cert ======\n"
+openssl ca -in $CAint'/csr/blacklakeca.csr.pem' \
+           -keyfile 'CA/private/rootca.key.pem' \
+           -cert 'CA/certs/rootca.cert.pem' \
+           -config $CAint'/blacklakeca.cnf' \
+           -extensions 'v3_intermediate_ca' \
+           -notext \
+           -out $CAint'/certs/blacklakeca.cert.pem'
+
+# Make intermediate CA certificate read-only by all users
+chmod 444 $CAint'/certs/blacklakeca.cert.pem'
+
+# Show the intermediate CA certificate
+openssl x509 -noout -text \
+             -in $CAint'/certs/blacklakeca.cert.pem'
+
+openssl verify -CAfile 'CA/certs/rootca.cert.pem' \
+               $CAint'/certs/blacklakeca.cert.pem'
+
+# Cert chain
+cat $CAint'/certs/blacklakeca.cert.pem' \
+    'CA/certs/rootca.cert.pem' > $CAint'/certs/blacklakeca-chain.cert.pem'
+chmod 444 $CAint'/certs/blacklakeca-chain.cert.pem'
diff --git a/setup_rootca.sh b/setup_rootca.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Run:  ./setup_rootca.sh
+# will run in user's home dir
+
+cd /home/$(whoami)
+
+casubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=CertMan/CN=rootca/[email protected]'
+
+SRC='/vagrant/client_files'
+
+
+# Install configuration file
+cp $SRC'/openssl/CA/rootca.cnf' 'CA/rootca.cnf'
+chmod 644 'CA/rootca.cnf'
+
+# Build the root CA certificate
+printf "========= Building root CA with rootca.cnf ==========\n"
+openssl req -new  -subj $casubj \
+            -nodes -newkey rsa:4096 \
+            -keyout 'CA/private/rootca.key.pem' \
+            -x509 \
+            -config 'CA/rootca.cnf' \
+            -extensions 'v3_ca' \
+            -out 'CA/certs/rootca.cert.pem'
+
+# Make root CA certificate read only by all users
+chmod 444 'CA/certs/rootca.cert.pem'
+
+# Show the rootca cert
+openssl x509 -noout -text \
+             -in 'CA/certs/rootca.cert.pem'
diff --git a/stratus_server_cert.sh b/stratus_server_cert.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Run:  ./stratus_server_cert.sh
+# will run in user's home dir
+
+cd /home/$(whoami)
+
+servsubj='/C=US/ST=Texas/L=Arlington/O=BlackLakeSoftware/OU=Apps/CN=stratus'
+
+SRC='/vagrant/client_files'
+CAint='CA/intermediate'
+
+# Install configuration file
+cp $SRC'/openssl/CA/server.cnf' $CAint'/server.cnf'
+chmod 644 $CAint'/server.cnf'
+
+# Build Server Certificate
+printf "========= Server certificate with server.cnf ==========\n"
+# Generate Server csr
+# Also creates and saves private key. Unencrypted!
+printf "========= Server csr with server.cnf ==========\n"
+openssl req -new -subj $servsubj \
+            -nodes -sha512 \
+            -keyout $CAint'/private/stratus.key.pem' \
+            -config $CAint'/server.cnf' \
+            -out $CAint'/csr/stratus.csr.pem'
+
+# Make Server private key read-only by current user
+chmod 400 $CAint'/private/stratus.key.pem'
+
+# Generate the Server certificate - valid 1 year
+printf "========= Use blacklake CA to generate Server cert ==========\n"
+openssl ca -in $CAint'/csr/stratus.csr.pem' \
+           -keyfile $CAint'/private/blacklakeca.key.pem' \
+           -cert $CAint'/certs/blacklakeca.cert.pem' \
+           -config $CAint'/server.cnf' \
+           -extensions 'server_cert' \
+           -notext \
+           -out $CAint'/certs/stratus.cert.pem'
+
+# Make Server certificate read-only by all users
+chmod 444 $CAint'/certs/stratus.cert.pem'
+
+# Show the Server certificate
+openssl x509 -noout -text \
+             -in $CAint'/certs/stratus.cert.pem'
+
+openssl verify -CAfile $CAint'/certs/blacklakeca-chain.cert.pem' \
+               $CAint'/certs/stratus.cert.pem'
No results found