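#!/usr/bin/env bash
#
# Streamlined AAF Bootstrap initial Cert
# Removed Variables so it can be run for AutoDeployments
#
# Usage: <script> SIGNER_P12 [PASSPHRASE]
#   SIGNER_P12  PKCS#12 holding the Signer (Root CA) cert and key. When it does
#               not exist yet, a self-signed CA is generated and stored there.
#   PASSPHRASE  Protects SIGNER_P12 and the produced aaf.bootstrap.p12. Falls
#               back to a placeholder when empty or omitted (see main); supply
#               a real one for anything but throwaway deployments.
#
# Runs in the current directory, which must contain openssl.conf, san.conf and
# subject.aaf and which is used as the openssl "ca" working directory
# (private/, certs/, newcerts/, index.txt, serial).
#
# The passphrase is always handed to openssl on stdin (-passin/-passout stdin),
# never as an argument, so it does not show up in argv / `ps`.
set -euo pipefail   # pipefail: the pass_lines | openssl pipelines must report openssl's status

readonly NAME=aaf.bootstrap
readonly FQI=aaf@aaf.osaaf.org

# Private keys and intermediates are staged in a private (mode 0700) temp dir
# rather than fixed names under /tmp, and removed on every exit path, so an
# unencrypted Signer key is never left behind after a failed run.
WORK=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
readonly WORK
trap 'rm -rf -- "$WORK"' EXIT

#######################################
# Print the passphrase N times, one per line, for openssl's "stdin" password
# sources (one line per -passin/-passout that reads stdin).
# Globals:   PASSPHRASE (read)
# Arguments: $1 - number of lines to print
#######################################
pass_lines() {
  local count=$1 i
  for (( i = 0; i < count; i++ )); do
    printf '%s\n' "$PASSPHRASE"
  done
}

#######################################
# Idempotently lay out the openssl CA working files in the current directory.
#######################################
init_ca_dir() {
  mkdir -p private certs newcerts
  chmod 700 private
  chmod 755 certs newcerts
  touch index.txt
  echo "unique_subject = no" > index.txt.attr
  if [[ ! -e ./serial ]]; then
    echo '01' > ./serial
  fi
}

#######################################
# Make the Signer cert and key available as PEM files in $WORK.
# Creates a self-signed CA (and writes its P12) when SIGNER_P12 is missing,
# otherwise unpacks the existing P12.
# Globals:   SIGNER_P12, SIGNER_KEY, SIGNER_CRT, SUBJECT_SUFFIX (read)
#######################################
prepare_signer() {
  if [[ ! -e "$SIGNER_P12" ]]; then
    # Creating Signer CA; the key is written encrypted with PASSPHRASE
    pass_lines 1 | openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \
      -newkey rsa:4096 -subj "/CN=Signer${SUBJECT_SUFFIX}" \
      -keyout "$SIGNER_KEY" -out "$SIGNER_CRT" -days 365 -passout stdin

    # Move to P12 (Signer)
    pass_lines 3 | openssl pkcs12 -name RootCA -export -in "$SIGNER_CRT" \
      -inkey "$SIGNER_KEY" -out "$SIGNER_P12" -passin stdin -passout stdin
  else
    # Get Private key from P12 (-nodes: written unencrypted, only inside $WORK)
    pass_lines 2 | openssl pkcs12 -in "$SIGNER_P12" -nocerts -nodes \
      -passin stdin -passout stdin -out "$SIGNER_KEY"

    # Get Cert from P12
    pass_lines 1 | openssl pkcs12 -in "$SIGNER_P12" -clcerts -nokeys \
      -passin stdin -out "$SIGNER_CRT"
  fi
}

#######################################
# Build the SAN extension file: san.conf plus one DNS.n entry per name.
# Globals:   BOOTSTRAP_SAN, FQDN (read)
#######################################
write_san_file() {
  local -a names=(
    "$FQDN"
    aaf.osaaf.org
    service.aaf.osaaf.org
    locate.aaf.osaaf.org
    oauth.aaf.osaaf.org
    gui.aaf.osaaf.org
    cm.aaf.osaaf.org
    hello.aaf.osaaf.org
  )
  local i
  cp san.conf "$BOOTSTRAP_SAN"
  for i in "${!names[@]}"; do
    printf 'DNS.%d = %s\n' "$(( i + 1 ))" "${names[i]}" >> "$BOOTSTRAP_SAN"
  done
}

#######################################
# Entry point: create the CA layout, obtain the Signer, issue the bootstrap
# server cert and package it with its chain as $NAME.p12 in the current dir.
# Arguments: $1 - Signer P12 path (required), $2 - passphrase (optional)
#######################################
main() {
  : "${1:?usage: ${0##*/} SIGNER_P12 [PASSPHRASE]}"

  echo "Bootstrap AAF Certificate"
  init_ca_dir

  FQDN=$(hostname -f)
  # subject.aaf supplies the trailing subject components (read once, used twice)
  SUBJECT_SUFFIX=$(<subject.aaf)
  SUBJECT="/CN=$FQDN/OU=$FQI$SUBJECT_SUFFIX"
  SIGNER_P12=$1
  SIGNER_KEY=$WORK/aaf_signer.key
  SIGNER_CRT=$WORK/aaf_signer.crt
  # Placeholder for empty/omitted $2. (The previous test compared the literal
  # string "PASSPHRASE" with "" and therefore never applied this default.)
  PASSPHRASE=${2:-something easy}
  BOOTSTRAP_SAN=$WORK/$NAME.san
  BOOTSTRAP_KEY=$WORK/$NAME.key
  BOOTSTRAP_CSR=$WORK/$NAME.csr
  BOOTSTRAP_CRT=$WORK/$NAME.crt
  BOOTSTRAP_CHAIN=$WORK/$NAME.chain
  BOOTSTRAP_P12=$NAME.p12

  # If Signer doesn't exist, create Self-Signed CA
  prepare_signer

  # SANS
  write_san_file

  # Create CSR (key is unencrypted: -nodes; it is packaged into the P12 below
  # and removed with $WORK)
  pass_lines 1 | openssl req -new -newkey rsa:2048 -nodes -keyout "$BOOTSTRAP_KEY" \
    -out "$BOOTSTRAP_CSR" -outform PEM -subj "$SUBJECT" \
    -passout stdin

  echo "Sign it"
  pass_lines 1 | openssl ca -batch -config openssl.conf -extensions server_cert \
    -cert "$SIGNER_CRT" -keyfile "$SIGNER_KEY" \
    -policy policy_loose \
    -days 90 \
    -passin stdin \
    -out "$BOOTSTRAP_CRT" \
    -extfile "$BOOTSTRAP_SAN" \
    -infiles "$BOOTSTRAP_CSR"

  # Make a P12
  # Add THIS Intermediate CA into chain
  cat "$BOOTSTRAP_CRT"   # show the issued cert on stdout
  cp "$BOOTSTRAP_CRT" "$BOOTSTRAP_CHAIN"
  cat "$SIGNER_CRT" >> "$BOOTSTRAP_CHAIN"

  # Note: Openssl will pickup and load all Certs in the Chain file
  pass_lines 3 | openssl pkcs12 -name "$FQI" -export -in "$BOOTSTRAP_CHAIN" \
    -inkey "$BOOTSTRAP_KEY" -out "$BOOTSTRAP_P12" -passin stdin -passout stdin

  # Cleanup of $WORK (keys, CSR, SAN, chain) is done by the EXIT trap.
}

main "$@"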