authorSoispha <soispha@vhack.eu>2023-11-07 16:44:08 +0100
committerSoispha <soispha@vhack.eu>2023-11-07 16:44:08 +0100
commit961729eed1540a7633f5200c63dcf8650d35c56f (patch)
tree71e84be3ddd87068c45698c0c43dd3227e20c7b3 /system/services/taskserver/certs
parentchore(version): v0.17.0 (diff)
fix(system/services/taskserver/certs): Move cert generation to script
This fully removes the human factor and allows one to just run
`./generate` to generate all required certificates and keys (together with the
extra keys and certificates they need).
Diffstat (limited to 'system/services/taskserver/certs')
-rw-r--r--system/services/taskserver/certs/ca.cert.pem52
-rw-r--r--system/services/taskserver/certs/ca.key.pem.gpgbin0 -> 13824 bytes
-rwxr-xr-xsystem/services/taskserver/certs/check_expire6
-rwxr-xr-xsystem/services/taskserver/certs/generate21
-rwxr-xr-xsystem/services/taskserver/certs/generate.ca2
-rwxr-xr-xsystem/services/taskserver/certs/generate.client20
-rwxr-xr-xsystem/services/taskserver/certs/generate.crl2
-rw-r--r--system/services/taskserver/certs/isrgrootx1.pem31
8 files changed, 112 insertions, 22 deletions
diff --git a/system/services/taskserver/certs/ca.cert.pem b/system/services/taskserver/certs/ca.cert.pem
new file mode 100644
index 0000000..d6e5513
--- /dev/null
+++ b/system/services/taskserver/certs/ca.cert.pem
@@ -0,0 +1,52 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/system/services/taskserver/certs/ca.key.pem.gpg b/system/services/taskserver/certs/ca.key.pem.gpg
new file mode 100644
index 0000000..f52482d
--- /dev/null
+++ b/system/services/taskserver/certs/ca.key.pem.gpg
Binary files differ
diff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire
index 59f9dc6..89969cc 100755
--- a/system/services/taskserver/certs/check_expire
+++ b/system/services/taskserver/certs/check_expire
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 for cert in *.cert.pem; do
-	echo $cert
-	openssl x509 -noout -in $cert -dates
-	echo
+    echo "$cert"
+    openssl x509 -noout -in "$cert" -dates
+    echo
 done
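Review bot: `for cert in *.cert.pem` under `#!/bin/sh` still hands the literal pattern to openssl when no certificate is present, because sh has no nullglob and the quoting fix only protects the loop body; add `[ -e "$cert" ] || continue` as the first line of the loop body so the run ends cleanly instead of with an openssl file-not-found error. The indentation also moved from a tab to four spaces while the sibling scripts in this directory (generate.ca, generate.client, generate.crl) indent with two; picking one would keep the directory consistent.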
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
index 253e4bb..283697f 100755
--- a/system/services/taskserver/certs/generate
+++ b/system/services/taskserver/certs/generate
@@ -10,13 +10,19 @@
 #   server.key.pem
 #   server.cert.pem
 
-GENERATION_LOCATION="/run/user/$(id -u)/taskserver/keys";
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs";
+BASEDIR="$(dirname "$0")"
+cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+
+set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem
 
 mkdir -p "$GENERATION_LOCATION"
-cp ./vars ./generate.ca ./generate.crl ./generate.client "$GENERATION_LOCATION"
+cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION"
 cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 
-./generate.ca
+gpg --decrypt ca.key.pem.gpg > ca.key.pem
+cat ./isrgrootx1.pem >> ./ca.cert.pem
+[ -f ./ca.key.pem ] || ./generate.ca
 
 # Generate a certificate revocation list (CRL).  The initial CRL is empty, but
 # can grow over time.  Creates:
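Review bot: The new `cd "$BASEDIR" || echo …` and the existing `cd "$GENERATION_LOCATION" || echo …` both carry on after a failed cd, and with the `rm "$@" "./ca.key.pem"` added in the next hunk a failed second cd would delete the originals (./vars, the generate.* helpers and ca.key.pem.gpg) out of the repository checkout; both should exit on failure. `gpg --decrypt ca.key.pem.gpg > ca.key.pem` also leaves an empty ca.key.pem behind when gpg fails, which then satisfies `[ -f ./ca.key.pem ]` and skips generate.ca, and the plaintext key is created with the caller's default umask rather than mode 0600. Appending isrgrootx1.pem to ca.cert.pem is presumably meant for the server chain, but if this same file is what taskd uses to verify client certificates, anything chaining to ISRG Root X1 would be accepted as a client — worth confirming, or keeping the chain bundle and the client-CA file separate.
```shell
BASEDIR="$(dirname "$0")"
cd "$BASEDIR" || { echo "(BUG?) No basedir ('$BASEDIR')" 1>&2; exit 1; }
# … unchanged: set -- …, mkdir -p, cp … …
cd "$GENERATION_LOCATION" || { echo "(BUG?) No possible location fould!" 1>&2; exit 1; }

umask 077
gpg --decrypt ca.key.pem.gpg > ca.key.pem || { rm -f ./ca.key.pem; exit 1; }
# … unchanged: cat isrgrootx1.pem >> ca.cert.pem, generate.ca fallback …
```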
@@ -28,14 +34,15 @@ cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 # process per client; Add the required client names and uncomment
 # ./generate.client <client_name>
 #
-./generate.client soispha
-./generate.client android-mobile
-./generate.client android-tab
 #
 # Creates:
 #   <client_name>.key.pem
 #   <client_name>.cert.pem
+#
+./generate.client soispha
+./generate.client android-mobile
+./generate.client android-tab
 
 
-rm ./vars ./generate.ca ./generate.crl ./generate.client
+rm "$@" "./ca.key.pem"
 echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
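Review bot: `rm "$@" "./ca.key.pem"` is the only place the decrypted CA key is removed, and nothing between the gpg decrypt and this line stops on error, so a failing generate.client leaves ca.key.pem readable in $GENERATION_LOCATION after the script exits. Registering the cleanup right after the decrypt, e.g. `trap 'rm -f -- "$GENERATION_LOCATION/ca.key.pem"' EXIT`, makes it run on every exit path; the absolute path matters so the trap cannot act on the checkout if it fires before the directory change. Moving the three `./generate.client` calls below the comment block is fine as is.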
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
index 4ffc6e9..a9fbc0c 100755
--- a/system/services/taskserver/certs/generate.ca
+++ b/system/services/taskserver/certs/generate.ca
@@ -35,7 +35,7 @@ EOF
 #locality = $LOCALITY
 fi
 
-if ! [ -f ca.cert.pem ] || [ ca.template -nt ca.cert.pem ]
+if ! [ -f ca.cert.pem ]
 then
   $CERTTOOL \
     --generate-self-signed \
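Review bot: Dropping `ca.template -nt ca.cert.pem` means a ca.cert.pem that was copied in is never re-issued even when the template changes, which appears to be the intent now that `generate` ships the CA certificate and decrypts its key, but nothing in the script says so; the same timestamp check is removed in generate.client and generate.crl in this commit. A one-line comment above the test, `# Only bootstrap a new CA when none was shipped alongside; generate copies ca.cert.pem in first.`, would keep the next reader from restoring the check. The `if … fi` that ends just above the test starts outside the hunk.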
diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client
index 976cb82..4f0e503 100755
--- a/system/services/taskserver/certs/generate.client
+++ b/system/services/taskserver/certs/generate.client
@@ -16,21 +16,21 @@ then
   NAME=$1
 fi
 
-if ! [ -f ${NAME}.key.pem ]
+if ! [ -f "$NAME".key.pem ]
 then
   # Create a client key.
   $CERTTOOL \
     --generate-privkey \
     --sec-param $SEC_PARAM \
-    --outfile ${NAME}.key.pem
+    --outfile "$NAME".key.pem
 fi
 
-chmod 600 ${NAME}.key.pem
+chmod 600 "$NAME".key.pem
 
-if ! [ -f ${NAME}.template ]
+if ! [ -f "$NAME".template ]
 then
   # Sign a client cert with the key.
-  cat <<EOF >${NAME}.template
+  cat <<EOF >"$NAME".template
 organization = $ORGANIZATION
 cn = $CN
 expiration_days = $EXPIRATION_DAYS
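Review bot: `NAME=$1` is taken from the command line and the quoting fix now passes it through intact, but nothing rejects a name containing `/` or starting with `.`, so `"$NAME".key.pem` and the heredoc redirect to `"$NAME".template` can land outside the working directory; a guard after the assignment such as `case $NAME in ''|*/*|.*) echo "(BUG?) bad client name '$NAME'" 1>&2; exit 1;; esac` closes that. The `if` that sets NAME starts outside the hunk, so whether an empty NAME is possible cannot be seen here. `--sec-param $SEC_PARAM` on the context line is still unquoted; `"$SEC_PARAM"` would match the rest of this change.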
@@ -40,15 +40,15 @@ signing_key
 EOF
 fi
 
-if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
+if ! [ -f "$NAME".cert.pem ]
 then
   $CERTTOOL \
     --generate-certificate \
-    --load-privkey ${NAME}.key.pem \
+    --load-privkey "$NAME".key.pem \
     --load-ca-certificate ca.cert.pem \
     --load-ca-privkey ca.key.pem \
-    --template ${NAME}.template \
-    --outfile ${NAME}.cert.pem
+    --template "$NAME".template \
+    --outfile "$NAME".cert.pem
 fi
 
-chmod 600 ${NAME}.cert.pem
+chmod 600 "$NAME".cert.pem
diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl
index 6a9daa8..e9f6715 100755
--- a/system/services/taskserver/certs/generate.crl
+++ b/system/services/taskserver/certs/generate.crl
@@ -18,7 +18,7 @@ expiration_days = $EXPIRATION_DAYS
 EOF
 fi
 
-if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ]
+if ! [ -f server.crl.pem ]
 then
   $CERTTOOL \
     --generate-crl \
diff --git a/system/services/taskserver/certs/isrgrootx1.pem b/system/services/taskserver/certs/isrgrootx1.pem
new file mode 100644
index 0000000..b85c803
--- /dev/null
+++ b/system/services/taskserver/certs/isrgrootx1.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----