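#!/usr/bin/env bash
#
# Streamlined AAF Bootstrap initial Cert
# Removed Variables so it can be run for AutoDeployments
#
# Usage: <script> [SIGNER_P12] [PASSPHRASE]
#   $1 - path to the signer (CA) PKCS#12; a self-signed CA is created there
#        when the file does not exist
#   $2 - passphrase protecting the signer P12 and the bootstrap P12;
#        falls back to a weak built-in default when empty
#
# Expects openssl.conf, san.conf and subject.aaf in the current directory.
# Writes $NAME.p12 and $NAME.issuer to the current directory. Every
# intermediate artifact (including the unencrypted signer key) lives in a
# private mktemp directory that is removed on exit, success or failure.
set -euo pipefail

echo "Bootstrap AAF Certificate"
mkdir -p private certs newcerts
chmod 700 private
chmod 755 certs newcerts
touch index.txt
echo "unique_subject = no" > index.txt.attr
if [ ! -e ./serial ]; then
  echo '01' > ./serial
fi

NAME=aaf.bootstrap
FQDN=$(hostname -f)
FQI=aaf@aaf.osaaf.org
SUBJECT="/CN=$FQDN/OU=$FQI$(cat subject.aaf)"
SIGNER_P12=${1:-}
PASSPHRASE=${2:-}
# The original compared the literal string "PASSPHRASE" against "", so the
# default never applied and an empty passphrase reached openssl.
if [ -z "$PASSPHRASE" ]; then
  PASSPHRASE="something easy"
fi

# Private 0700 scratch directory instead of fixed, predictable /tmp names:
# the signer key is extracted with -nodes (unencrypted) and must not be
# readable or pre-creatable by other local users.
WORK_DIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

SIGNER_KEY=$WORK_DIR/aaf_signer.key
SIGNER_CRT=$WORK_DIR/aaf_signer.crt
BOOTSTRAP_SAN=$WORK_DIR/$NAME.san
BOOTSTRAP_KEY=$WORK_DIR/$NAME.key
BOOTSTRAP_CSR=$WORK_DIR/$NAME.csr
BOOTSTRAP_CRT=$WORK_DIR/$NAME.crt
BOOTSTRAP_CHAIN=$WORK_DIR/$NAME.chain
BOOTSTRAP_P12=$NAME.p12
BOOTSTRAP_ISSUER=$NAME.issuer

# If Signer doesn't exist, create Self-Signed CA
# Passphrases are always fed via stdin (heredoc), never argv, so they do not
# show up in `ps` output.
if [ ! -e "$SIGNER_P12" ]; then
  # Creating Signer CA
  openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \
    -newkey rsa:4096 -subj "/CN=Signer$(cat subject.aaf)" \
    -keyout "$SIGNER_KEY" -out "$SIGNER_CRT" -days 365 -passout stdin << EOF
$PASSPHRASE
EOF

  # Move to P12 (Signer)
  openssl pkcs12 -name RootCA -export -in "$SIGNER_CRT" -inkey "$SIGNER_KEY" \
    -out "$SIGNER_P12" -passin stdin -passout stdin << EOF
$PASSPHRASE
$PASSPHRASE
$PASSPHRASE
EOF

else
  # Get Private key from P12 (written unencrypted into the private scratch dir)
  openssl pkcs12 -in "$SIGNER_P12" -nocerts -nodes -passin stdin -passout stdin \
    -out "$SIGNER_KEY" << EOF
$PASSPHRASE
$PASSPHRASE
EOF

  # Get Cert from P12
  openssl pkcs12 -in "$SIGNER_P12" -clcerts -nokeys -passin stdin -out "$SIGNER_CRT" << EOF
$PASSPHRASE
EOF

fi

# SANS: san.conf is the template, DNS.n entries are appended for each name
cp san.conf "$BOOTSTRAP_SAN"
SAN_NAMES=(
  "$FQDN"
  aaf.osaaf.org
  service.aaf.osaaf.org
  locate.aaf.osaaf.org
  oauth.aaf.osaaf.org
  gui.aaf.osaaf.org
  cm.aaf.osaaf.org
  hello.aaf.osaaf.org
)
NUM=1
for D in "${SAN_NAMES[@]}"; do
  printf 'DNS.%d = %s\n' "$NUM" "$D" >> "$BOOTSTRAP_SAN"
  NUM=$((NUM+1))
done

# Create CSR (key is -nodes, so -passout has no effect on the key file)
openssl req -new -newkey rsa:2048 -nodes -keyout "$BOOTSTRAP_KEY" \
  -out "$BOOTSTRAP_CSR" -outform PEM -subj "$SUBJECT" \
  -passout stdin << EOF
$PASSPHRASE
EOF

echo "Sign it"
openssl ca -batch -config openssl.conf -extensions server_cert \
  -cert "$SIGNER_CRT" -keyfile "$SIGNER_KEY" \
  -policy policy_loose \
  -days 90 \
  -passin stdin \
  -out "$BOOTSTRAP_CRT" \
  -extfile "$BOOTSTRAP_SAN" \
  -infiles "$BOOTSTRAP_CSR" << EOF
$PASSPHRASE
EOF

# Make a P12
# Add THIS Intermediate CA into chain
cat "$BOOTSTRAP_CRT"
cp "$BOOTSTRAP_CRT" "$BOOTSTRAP_CHAIN"
cat "$SIGNER_CRT" >> "$BOOTSTRAP_CHAIN"

# Note: Openssl will pickup and load all Certs in the Chain file
openssl pkcs12 -name "$FQI" -export -in "$BOOTSTRAP_CHAIN" -inkey "$BOOTSTRAP_KEY" \
  -out "$BOOTSTRAP_P12" -passin stdin -passout stdin << EOF
$PASSPHRASE
$PASSPHRASE
$PASSPHRASE
EOF

# Make Issuer name: reverse the slash-separated RDNs into a comma-joined list
# NOTE(review): `cut -c 10-` assumes the legacy "subject= /CN=..." print
# format; newer openssl prints "subject=CN = ..." — confirm against the
# openssl version in the deployment image.
ISSUER=$(openssl x509 -subject -noout -in "$SIGNER_CRT" | cut -c 10-)
CADI_X509_ISSUER=
# Word-splitting on the slash-replaced string is intentional here
for I in ${ISSUER//\// }; do
  if [ -n "$CADI_X509_ISSUER" ]; then
    CADI_X509_ISSUER=", $CADI_X509_ISSUER"
  fi
  CADI_X509_ISSUER="$I$CADI_X509_ISSUER"
done
printf '%s\n' "$CADI_X509_ISSUER" > "$BOOTSTRAP_ISSUER"

# Cleanup of $WORK_DIR (SAN, keys, CSR, certs, chain) is done by the EXIT trap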