#!/bin/bash
#########
# ============LICENSE_START====================================================
# org.onap.aaf
# ===========================================================================
# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
# ===========================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END====================================================
#
# Streamlined AAF Bootstrap initial Cert
# Removed Variables so it can be run for AutoDeployments
#
# Usage: <script> [SIGNER_P12] [PASSPHRASE]
#   $1 - path to the signer CA PKCS#12; a self-signed CA is created when it
#        does not exist
#   $2 - passphrase used for the signer key and the P12 outputs
# Reads openssl.conf, subject.aaf, san.conf and san_root.aaf from the
# current directory; writes aaf.bootstrap.p12 and aaf.bootstrap.issuer there.
#
printf '%s\n' "Bootstrap AAF Certificate"

# CA working layout (presumably what openssl.conf points at — the config is
# not part of this script): only 'private' is restricted to the owner.
mkdir -p private certs newcerts
chmod 700 private
chmod 755 certs newcerts
touch index.txt
printf '%s\n' "unique_subject = no" > index.txt.attr

# Seed the serial file only once so later runs keep counting from it.
# NOTE(review): 'openssl ca' normally reads ./serial as a hex number; the
# "<epoch>_<random>" value written here contains '_' — confirm that the
# openssl.conf in use really consumes ./serial in this form.
if [[ ! -e ./serial ]]; then
  printf '%s_%s\n' "$(date +%s)" "$(shuf -i 0-1000000 -n 1)" > ./serial
fi

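NAME=aaf.bootstrap
# NOTE(review): 'hostname -' hands a bare '-' to hostname, which is not an
# option; 'hostname -f' looks like what was meant — confirm.  Bash usually
# pre-sets HOSTNAME, so this fallback is rarely reached.
HOSTNAME="${HOSTNAME:=$(hostname -)}"
FQDN="${aaf_locator_fqdn:=$HOSTNAME}"
FQI=aaf@aaf.osaaf.org
# subject.aaf supplies the remainder of the DN and is appended verbatim.
SUBJECT="/CN=$FQDN/OU=$FQI$(cat subject.aaf)"
# $1: signer CA PKCS#12 (created self-signed below when it does not exist).
SIGNER_P12=$1
# $2: passphrase for the signer key and the P12 outputs.  The built-in
# value is a placeholder for local bootstrap only; pass a real one as $2.
# (The previous test compared the literal string "PASSPHRASE" with "", so
# the default was never applied.)
PASSPHRASE=$2
if [ -z "$PASSPHRASE" ]; then
  echo "WARNING: no passphrase given as \$2; using the built-in default" >&2
  PASSPHRASE="something easy"
fi

# All intermediate key material lives in a private (0700), unpredictable
# directory instead of fixed names under /tmp.  This matters because the
# signer key extracted from the P12 below is written unencrypted (-nodes).
# The directory is removed on any exit; the final rm -f stays as belt and
# braces.
WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/$NAME.XXXXXX") || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "$WORK_DIR"' EXIT
SIGNER_KEY=$WORK_DIR/aaf_signer.key
SIGNER_CRT=$WORK_DIR/aaf_signer.crt
BOOTSTRAP_SAN=$WORK_DIR/$NAME.san
BOOTSTRAP_KEY=$WORK_DIR/$NAME.key
BOOTSTRAP_CSR=$WORK_DIR/$NAME.csr
BOOTSTRAP_CRT=$WORK_DIR/$NAME.crt
BOOTSTRAP_CHAIN=$WORK_DIR/$NAME.chain
# The two deliverables stay in the current directory.
BOOTSTRAP_P12=$NAME.p12
BOOTSTRAP_ISSUER=$NAME.issuer

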
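# If Signer doesn't exist, create Self-Signed CA
# Either branch leaves the signer key in $SIGNER_KEY and its certificate in
# $SIGNER_CRT for the 'openssl ca' step below.  The commands that write the
# key run under umask 077 so the file is never created world-readable.
signer_fail() {
  printf '%s\n' "$1" >&2
  rm -f -- "$SIGNER_KEY" "$SIGNER_CRT"   # no signer key material left behind
  exit 1
}

if [ ! -e "$SIGNER_P12" ]; then
  # Creating Signer CA (key encrypted under $PASSPHRASE; no -nodes here)
  (
    umask 077
    openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \
      -newkey rsa:4096 -subj /CN="Signer$(cat subject.aaf)" \
      -keyout "$SIGNER_KEY" -out "$SIGNER_CRT" -days 365 -passout stdin << EOF
$PASSPHRASE
EOF
  ) || signer_fail "creating the self-signed Signer CA failed"

  # Move to P12 (Signer): the key passphrase (-passin) and the P12 export
  # password (-passout) are both read from stdin
  openssl pkcs12 -name RootCA -export -in "$SIGNER_CRT" -inkey "$SIGNER_KEY" \
    -out "$SIGNER_P12" -passin stdin -passout stdin << EOF || signer_fail "exporting $SIGNER_P12 failed"
$PASSPHRASE
$PASSPHRASE
$PASSPHRASE
EOF

else
  # Get Private key from P12 — written unencrypted (-nodes), hence the umask
  (
    umask 077
    openssl pkcs12 -in "$SIGNER_P12" -nocerts -nodes -passin stdin -passout stdin \
      -out "$SIGNER_KEY" << EOF
$PASSPHRASE
$PASSPHRASE
EOF
  ) || signer_fail "extracting the Signer key from $SIGNER_P12 failed"

  # Get Cert from P12
  openssl pkcs12 -in "$SIGNER_P12" -clcerts -nokeys -passin stdin -out "$SIGNER_CRT" << EOF || signer_fail "extracting the Signer certificate from $SIGNER_P12 failed"
$PASSPHRASE
EOF

fi
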
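# SANS
# Build the DNS SubjectAltName list for the bootstrap cert: the FQDN, the
# bare hostname when it differs, every root listed in san_root.aaf together
# with the AAF component names under it, and the aaf-<component>[.onap]
# service names.  Each entry is appended to a copy of san.conf as
# "DNS.<n> = <name>".
cp san.conf "$BOOTSTRAP_SAN"

# The AAF components that get a per-root and a service-name SAN entry.
AAF_COMPONENTS="service locate oauth token introspect gui cm hello"

SANS=$FQDN
# String comparison: -ne is the integer test and errors out on hostnames,
# which silently dropped the hostname entry.
if [ "$FQDN" != "$HOSTNAME" ]; then
  SANS="$SANS $HOSTNAME"
fi

# san_root.aaf is consumed as a whitespace-separated list of DNS roots;
# the word-splitting on $(cat ...) is intended.
for ROOT in $(cat san_root.aaf); do
  SANS="$SANS $ROOT"
  for C in $AAF_COMPONENTS; do
    SANS="$SANS $C.$ROOT"
  done
done

for C in $AAF_COMPONENTS; do
  SANS="$SANS aaf-$C"
  SANS="$SANS aaf-$C.onap"
done

NUM=1
for D in $SANS; do
  echo "DNS.$NUM = $D" >> "$BOOTSTRAP_SAN"
  NUM=$((NUM+1))
done
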
109
110# Create CSR
Instrumentalb8a81292018-08-23 16:32:45 -0500111openssl req -new -newkey rsa:2048 -nodes -keyout $BOOTSTRAP_KEY \
112 -out $BOOTSTRAP_CSR -outform PEM -subj "$SUBJECT" \
113 -passout stdin << EOF
114$PASSPHRASE
115EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500116
printf '%s\n' 'Sign it'
# Issue the bootstrap certificate from the CSR with the signer CA.  -extfile
# points at the SAN file built above; -passin feeds the signer key
# passphrase (only meaningful when that key is encrypted).
openssl ca -batch -config openssl.conf -extensions server_cert \
  -cert "$SIGNER_CRT" -keyfile "$SIGNER_KEY" \
  -policy policy_loose \
  -days 365 \
  -passin stdin \
  -out "$BOOTSTRAP_CRT" \
  -extfile "$BOOTSTRAP_SAN" \
  -infiles "$BOOTSTRAP_CSR" << EOF
$PASSPHRASE
EOF

# Make a P12
# Add THIS Intermediate CA into chain
# Chain file = bootstrap cert followed by the signer cert; both the new cert
# and the finished chain are printed to stdout.
cat "$BOOTSTRAP_CRT"
cp "$BOOTSTRAP_CRT" "$BOOTSTRAP_CHAIN"
cat "$SIGNER_CRT" >> "$BOOTSTRAP_CHAIN"
cat "$BOOTSTRAP_CHAIN"

# Note: Openssl will pickup and load all Certs in the Chain file
#openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CRT -inkey $BOOTSTRAP_KEY -CAfile $SIGNER_CRT -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF
openssl pkcs12 -name "$FQI" -export -in "$BOOTSTRAP_CHAIN" -inkey "$BOOTSTRAP_KEY" \
  -out "$BOOTSTRAP_P12" -passin stdin -passout stdin << EOF
$PASSPHRASE
$PASSPHRASE
$PASSPHRASE
EOF

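# Make Issuer name
# Turn the signer's "/X=a/Y=b" subject into "Y=b, X=a" (components reversed,
# comma separated) and save it as the CADI issuer string.
# NOTE(review): 'cut -c 10-' assumes the "subject= /..." output of older
# OpenSSL releases; newer ones print "subject=CN = ..." by default, which
# this would mangle — confirm against the OpenSSL version in use (-nameopt
# may be needed).
# NOTE(review): CADI_X509_ISSUER is not cleared first, so a value inherited
# from the environment would end up as the tail of the string — confirm.
ISSUER=$(openssl x509 -subject -noout -in "$SIGNER_CRT" | cut -c 10-)
# Word-splitting on the '/'-to-space substitution is intended.
for I in ${ISSUER//\// }; do
  if [ -n "$CADI_X509_ISSUER" ]; then
    CADI_X509_ISSUER=", $CADI_X509_ISSUER"
  fi
  CADI_X509_ISSUER="$I$CADI_X509_ISSUER"
done
# Quoted and via printf: an unquoted echo would glob-expand '*' or '?' in a
# DN and mishandle a leading '-'.
printf '%s\n' "$CADI_X509_ISSUER" > "$BOOTSTRAP_ISSUER"
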
# Cleanup
# Drop every intermediate file; the P12 and the issuer file remain in the
# current directory as the script's outputs.
rm -f -- "$BOOTSTRAP_SAN" "$BOOTSTRAP_KEY" "$BOOTSTRAP_CSR" "$BOOTSTRAP_CRT" \
  "$SIGNER_KEY" "$SIGNER_CRT" "$BOOTSTRAP_CHAIN"