diff --git a/.gitignore b/.gitignore
index 7887a5c..49380b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 /dist
-*.tmp
\ No newline at end of file
+*.tmp
+ssl/certs
+ssl/tmp
+ssl/db
\ No newline at end of file
diff --git a/ssl/create-key b/ssl/create-key
new file mode 100644
index 0000000..3a49fc5
--- /dev/null
+++ b/ssl/create-key
@@ -0,0 +1,8 @@
+#!/usr/bin/bash
+echo creating keys for $1
+# create kopano clients ssl key pair (for authentification)
+# private key for client, public key for server sslkeys
+export CN=$1
+export SAN=DNS:$CN
+openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key
+openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -out certs/$CN.crt -extensions server_ext
diff --git a/ssl/etc/kopano-ca.conf b/ssl/etc/kopano-ca.conf
new file mode 100644
index 0000000..258eae1
--- /dev/null
+++ b/ssl/etc/kopano-ca.conf
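Review bot: `$1` is taken unchecked and unquoted in `export CN=$1`, `tmp/$CN.csr` and `certs/$CN.key`, so an empty argument writes `tmp/.csr`/`certs/.key` and a path-like one (`../x`) writes key material outside `tmp/` and `certs/`; the same value also becomes the certificate CN and SAN through `$ENV::CN`/`$ENV::SAN` in the CA config, so it should be restricted to a plain host label before use. The script also silently depends on `OPENSSL_CONF` and `CA_PWD` being exported by the caller (mkcerts does that); run on its own, `openssl req` falls back to the system default config and the `openssl ca` step has no passphrase source, and without `set -e` a failed `req` still runs `ca` on a stale or missing CSR. A rewrite that guards these is below; `-nodes` (unencrypted client key) is kept since the comment says these keys are for unattended service clients, but the resulting `certs/*.key` files are the authentication secret and should be treated like passwords.
```bash
#!/usr/bin/bash
set -euo pipefail
: "${OPENSSL_CONF:?must be exported by mkcerts}" "${CA_PWD:?must be exported by mkcerts}"
cn=${1:?usage: create-key <name>}
# CN doubles as file name and as certificate CN/SAN: accept a plain host label only
[[ "$cn" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || { printf 'invalid name: %s\n' "$cn" >&2; exit 1; }
printf 'creating keys for %s\n' "$cn"
# create kopano clients ssl key pair (for authentification)
# private key for client, public key for server sslkeys
export CN=$cn SAN="DNS:$cn"
openssl req -new -out "tmp/$CN.csr" -nodes -keyout "certs/$CN.key"
openssl ca -batch -in "tmp/$CN.csr" -passin env:CA_PWD -out "certs/$CN.crt" -extensions server_ext
```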
@@ -0,0 +1,129 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = kopano-ca # CA name
+dir = . # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req_ca ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha256 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "de"
+1.domainComponent = "dts"
+organizationName = "Digital Trust Solutions"
+organizationalUnitName = "Information Security Unit"
+commonName = "DTS Signing CA"
+countryName = DE
+stateOrProvinceName = Hesse
+localityName = Frankfurt/Main
+emailAddress = andreas@baloghs.de
+# /DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit+CN=DTS Signing CA/
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha256 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = server_dn # DN section
+req_extensions = server_reqext # Desired extensions
+
+[ server_dn ]
+0.domainComponent = "de"
+1.domainComponent = "dts"
+organizationName = "Digital Trust Solutions"
+organizationalUnitName = "Information Security Unit"
+commonName = $ENV::CN
+countryName = DE
+stateOrProvinceName = Hesse
+localityName = Frankfurt/Main
+emailAddress = andreas@baloghs.de
+
+[ server_reqext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+subjectAltName = $ENV::SAN
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca = signing_ca # The default CA section
+
+[ signing_ca ]
+certificate = $dir/certs/$ca.crt # The CA cert
+private_key = $dir/certs/$ca.key # CA private key
+new_certs_dir = $dir/db # Certificate archive
+serial = $dir/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/db/$ca.crl.srl # CRL number file
+database = $dir/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 3652 # How long to certify for
+default_md = sha256 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = server_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ signing_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ server_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
diff --git a/ssl/mkcerts b/ssl/mkcerts
index 3456482..4b51f96 100644
--- a/ssl/mkcerts
+++ b/ssl/mkcerts
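Review bot: `server_ext` is the only leaf profile and carries `extendedKeyUsage = serverAuth,clientAuth`, so every certificate this CA issues — the server's as well as the dagent/spooler/search/webapp/z-push client keys made by create-key — is equally valid as a TLS server certificate and as a client certificate, which lets any client key pass as the server; a `client_ext` section with `clientAuth` only (below), selected by create-key via `-extensions client_ext`, keeps the client keys to what they are for. `copy_extensions = copy` together with `policy = match_pol` means only the DN is vetted and any extension a CSR asks for that `server_ext` does not itself set is copied into the certificate, which is fine while CSRs come only from mkcerts/create-key but should be stated in the comment. The `unique_subject = no` line contradicts its own comment `# Require unique subject`, and the `[ match_pol ]` comments still name 'simple.org' and 'Simple Inc' from the template rather than the DC=de/DC=dts/O=Digital Trust Solutions values configured in `[ ca_dn ]`; `crl_extensions = crl_ext` also references a section that does not exist in this file, which presumably only matters once `openssl ca -gencrl` is run.
```ini
[ client_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
```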
@@ -1,18 +1,27 @@
 #!/usr/bin/bash
+export OPENSSL_CONF=./etc/kopano-ca.conf
+export CA_PWD=kopano
+export CA_SUBJ="/DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit/CN=DTS Signing CA/"
 # create ssl certificates for docker network
+rm tmp/*.csr
+rm db/*.pem
+rm db/*.db
+rm db/*.srl
+touch db/kopano-ca.db
+touch db/kopano-ca.db.attr
+echo 01 >db/kopano-ca.crt.srl
+echo 01 >db/kopano-ca.crl.srl
 # create signing ca (minimal pki)
-openssl req -new -config etc/kopano-ca.conf -out ca/kopano-ca.csr -keyout private/kopano-ca.key
-openssl ca -selfsign -config etc/kopano-ca.conf -in ca/kopano-ca.csr -out certs/kopano-ca.crt -extensions signing_ca_ext
+openssl req -new -reqexts ca_reqext -subj "$CA_SUBJ" -out tmp/kopano-ca.csr -passout pass:$CA_PWD -keyout certs/kopano-ca.key
+openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/kopano-ca.crt -extensions signing_ca_ext
+
 # create kopano server ssl key (for encryption)
-set SAN=DNS:server
-openssl req -new -config etc/kopano-server.conf -out certs/kopano-server.csr -keyout private/kopano-server.key
-openssl ca -config etc/kopano-ca.conf -in certs/kopano-server.csr -out certs/kopano-server.crt -extensions server_ext
+./create-key server
 # create kopano clients ssl key pair (for authentification)
 # private key for client, public key for server sslkeys
-create-key dagent
-create-key spooler
-create-key search
-create-key webapp
-create-key z-push
-
+./create-key dagent
+./create-key spooler
+./create-key search
+./create-key webapp
+./create-key z-push
diff --git a/todo b/todo
index f8e2615..e499235 100644
--- a/todo
+++ b/todo
@@ -6,4 +6,5 @@ remove all etc volume mounts
 kopano server and database tuning
 check logging for all containers
 remove passwords from gitlab & docker
+add spamd
 baloghs.de migration
\ No newline at end of file
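Review bot: `export CA_PWD=kopano` commits the signing CA's private-key passphrase to the repository, and `-passout pass:$CA_PWD` on the `openssl req` line additionally puts it on the process command line where any local user can read it via `ps`, while the very next `openssl ca` line already takes it from the environment. Require it from the caller instead, `: "${CA_PWD:?CA passphrase must be provided in the environment}"`, and pass it the same way on both lines, `-passout env:CA_PWD`; this commit's own `todo` hunk lists "remove passwords from gitlab & docker", so the two belong together. Separately, `OPENSSL_CONF=./etc/kopano-ca.conf` and every `rm`/`touch` path are relative, so the script only works when started from `ssl/`, and without `set -e` a failing `openssl req` still runs `openssl ca` and all five `./create-key` calls against a missing CSR; a `cd "$(dirname "$0")" || exit 1` and `set -euo pipefail` after the shebang would make both explicit. The rewritten CA step also moves the CA private key from the old `private/` directory into `certs/` next to the public certificates; that works with the new config's `private_key = $dir/certs/$ca.key`, but it is worth a comment so nobody later ships `certs/` wholesale to the clients.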