enabled batch key generation

2023-10-24 15:51:00 +00:00
parent f578f70a69
commit b17b808404
5 changed files with 162 additions and 12 deletions
--- a/ssl/create-key
+++ b/ssl/create-key
@@ -0,0 +1,8 @@
+#!/usr/bin/bash
+echo creating keys for $1
+# create kopano clients ssl key pair (for authentification)
+# private key for client, public key for server sslkeys
+export CN=$1
+export SAN=DNS:$CN
+openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key 
+openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -out certs/$CN.crt -extensions server_ext
--- a/ssl/etc/kopano-ca.conf
+++ b/ssl/etc/kopano-ca.conf
@@ -0,0 +1,129 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca                      = kopano-ca             # CA name
+dir                     = .                     # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req_ca ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha256                # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+0.domainComponent       = "de"
+1.domainComponent       = "dts"
+organizationName        = "Digital Trust Solutions"
+organizationalUnitName  = "Information Security Unit"
+commonName              = "DTS Signing CA"
+countryName			        = DE
+stateOrProvinceName     = Hesse
+localityName            = Frankfurt/Main
+emailAddress            = andreas@baloghs.de
+# /DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit+CN=DTS Signing CA/
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha256                # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = server_dn             # DN section
+req_extensions          = server_reqext         # Desired extensions
+
+[ server_dn ]
+0.domainComponent       = "de"
+1.domainComponent       = "dts"
+organizationName        = "Digital Trust Solutions"
+organizationalUnitName  = "Information Security Unit"
+commonName              = $ENV::CN
+countryName			        = DE
+stateOrProvinceName     = Hesse
+localityName            = Frankfurt/Main
+emailAddress            = andreas@baloghs.de
+
+[ server_reqext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+subjectAltName          = $ENV::SAN
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca              = signing_ca            # The default CA section
+
+[ signing_ca ]
+certificate             = $dir/certs/$ca.crt    # The CA cert
+private_key             = $dir/certs/$ca.key    # CA private key
+new_certs_dir           = $dir/db               # Certificate archive
+serial                  = $dir/db/$ca.crt.srl   # Serial number file
+crlnumber               = $dir/db/$ca.crl.srl   # CRL number file
+database                = $dir/db/$ca.db        # Index file
+unique_subject          = no                    # Require unique subject
+default_days            = 3652                  # How long to certify for
+default_md              = sha256                # MD to use
+policy                  = match_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = ca_default            # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = copy                  # Copy extensions from CSR
+x509_extensions         = server_ext            # Default cert extensions
+default_crl_days        = 7                     # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent         = match                 # Must match 'simple.org'
+organizationName        = match                 # Must match 'Simple Inc'
+organizationalUnitName  = optional              # Included if present
+commonName              = supplied              # Must be present
+
+[ any_pol ]
+domainComponent         = optional
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ signing_ca_ext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+[ server_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
--- a/ssl/mkcerts
+++ b/ssl/mkcerts
@@ -1,18 +1,27 @@
 #!/usr/bin/bash
+export OPENSSL_CONF=./etc/kopano-ca.conf
+export CA_PWD=kopano
+export CA_SUBJ="/DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit/CN=DTS Signing CA/"
 # create ssl certificates for docker network
+rm tmp/*.csr
+rm db/*.pem
+rm db/*.db
+rm db/*.srl
+touch db/kopano-ca.db
+touch db/kopano-ca.db.attr 
+echo 01 >db/kopano-ca.crt.srl
+echo 01 >db/kopano-ca.crl.srl
 # create signing ca (minimal pki)
-openssl req -new -config etc/kopano-ca.conf -out ca/kopano-ca.csr -keyout private/kopano-ca.key
-openssl ca -selfsign -config etc/kopano-ca.conf -in ca/kopano-ca.csr -out certs/kopano-ca.crt -extensions signing_ca_ext
+openssl req -new -reqexts ca_reqext -subj "$CA_SUBJ" -out tmp/kopano-ca.csr -passout pass:$CA_PWD -keyout certs/kopano-ca.key
+openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/kopano-ca.crt -extensions signing_ca_ext
+
 # create kopano server ssl key (for encryption)
-set SAN=DNS:server
-openssl req -new -config etc/kopano-server.conf -out certs/kopano-server.csr -keyout private/kopano-server.key
-openssl ca -config etc/kopano-ca.conf -in certs/kopano-server.csr -out certs/kopano-server.crt -extensions server_ext
+./create-key server

 # create kopano clients ssl key pair (for authentification)
 # private key for client, public key for server sslkeys
-create-key dagent
-create-key spooler
-create-key search
-create-key webapp
-create-key z-push
-
+./create-key dagent
+./create-key spooler
+./create-key search
+./create-key webapp
+./create-key z-push