Initial Yubikey support #5

Open
wants to merge 13 commits into base: develop
6 changes: 6 additions & 0 deletions .travis.yml
@@ -11,6 +11,7 @@ before_install:
script:
- |
bash --posix ./create-root-ca -l -d travis-ca <<EOF
n
travis-ca
bogus.com
US
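Review bot: the new "n" answer is purely positional, so the only way to tell which prompt it answers (presumably "create the CA key on a PKCS11 device?") is to read create-root-ca's sequence of read calls; a YAML comment naming the prompt next to the heredoc would keep this maintainable, and driving the choice through the job environment (create-client already keys its behaviour off CA_ENABLE_ENGINE) instead of stdin would be cleaner still.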
@@ -28,13 +29,15 @@ script:
rootCA_password
San Francisco
Jurisdiction of travis-server.bogus-com
n
EOF
- |
bash --posix ./bin/create-client -c travis-client << EOF
rootCA_password
San Francisco
private
travis-client@bogus.com
n
EOF
- |
bash --posix ./bin/revoke-cert -c certs/server/travis-server-bogus-com/travis-server-bogus-com.crt << EOF
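Review bot: both heredocs in this hunk add their "n" as the last answer before EOF, so the "use the PKCS11 device?" prompt must be the final question create-server and create-client ask; the create-signing-ca block further down answers it first, directly after rootCA_password. If a later commit moves one of those prompts, the answers shift onto the wrong question and the job dies with an unhelpful read error. Asking the question at the same point in every script, or taking it from the environment, would remove that fragility.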
@@ -45,6 +48,7 @@ script:
- |
bash --posix ./bin/create-signing-ca -d travis-signing << EOF
rootCA_password
n
travis-signing
bogus.com
US
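Review bot: here "n" follows rootCA_password immediately, so create-signing-ca asks about the PKCS11 device before it asks for the CA name and domain, whereas create-client asks it after the e-mail address. The prompt order differs per script, which is exactly what makes these stdin-driven tests brittle; consider asking at one consistent point (for instance right before key generation) across all scripts.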
@@ -64,13 +68,15 @@ script:
signCA_password
San Francisco
Jurisdiction of travis-server.bogus-com
n
EOF
- |
bash --posix ./bin/create-client -c travis-client << EOF
signCA_password
San Francisco
private
travis-client@bogus.com
n
EOF
- |
bash --posix ./bin/revoke-cert -c certs/server/travis-server-bogus-com/travis-server-bogus-com.crt << EOF
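Review bot: this block repeats the root-CA block above line for line apart from signCA_password, and every future prompt means editing four heredocs in lockstep. More importantly, every block answers "n", so the PKCS11 branch that this PR adds has no CI coverage at all; a separate job against a software PKCS11 module (SoftHSM2 is the usual choice for CI) answering "y" here would exercise the engine path without hardware.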
12 changes: 12 additions & 0 deletions README.md
@@ -10,6 +10,8 @@ A suite of bash scripts for automating very basic OpenSSL Certificate Authority
* Creating Server certificates
* Creating Client certificates
* Revoking certificates and maintaining CRLs
* Creating CSRs
* Managing SSH keys

## Usage

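Review bot: "Managing SSH keys" overstates what the diff adds: create-client exports the same RSA key in OpenSSH public-key format (.ssh.pub) and symlinks the private key into an ssh/ directory; nothing is generated, rotated or revoked on the SSH side. "Exporting OpenSSH public keys" would describe the feature accurately. "Creating CSRs" presumably refers to the new create-csr script, which deserves its own usage section like the other commands below.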
@@ -27,6 +29,7 @@ A suite of bash scripts for automating very basic OpenSSL Certificate Authority
| revoke-cert | Revoke a (client\|server) certificate |
| show-status | Show the infos about the current CA (signed certificates...) |
| sign-csr | Sign an imported client certificate |
| create-csr | Create a client certificate |

#### Important files:

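Review bot: the create-csr description "Create a client certificate" is wrong; creating a certificate is what create-client does, and this row should read "Create a client CSR" (presumably for signing by another CA via sign-csr). While here, the neighbouring sign-csr row says "Sign an imported client certificate"; it signs a CSR, not a certificate.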
@@ -49,6 +52,8 @@ create-root-ca -d $ROOT_CA_DIR

```
$ROOT_CA_DIR/ca/ca.crt
$ROOT_CA_DIR/ca/ca.pub
$ROOT_CA_DIR/ca/ca.ssh.pub
$ROOT_CA_DIR/ca/private/ca.key
$ROOT_CA_DIR/ca/ca.crl
```
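Review bot: the listing should say which files exist only when the key is software-backed. With the CA key on the PKCS11 device, ca/private/ca.key is presumably never written (create-client drops every -in ca/private/ca.key argument when CA_ENABLE_ENGINE is set), leaving ca.pub and ca.ssh.pub as the only key material on disk; a remark such as "(absent when the key is on a PKCS11 device)" next to ca.key would save users from hunting for a file that does not exist.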
@@ -65,6 +70,8 @@ $ROOT_CA_DIR/bin/create-signing-ca -d $SIGNING_CA_DIR

```
$SIGNING_CA_DIR/ca/ca.crt
$SIGNING_CA_DIR/ca/ca.pub
$SIGNING_CA_DIR/ca/ca.ssh.pub
$SIGNING_CA_DIR/ca/private/ca.key
$SIGNING_CA_DIR/ca/ca.crl
$SIGNING_CA_DIR/ca/root.crt
@@ -86,6 +93,8 @@ All addresses **must** be supplied via the *-a* flag.
```
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.crt
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.key
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.pub
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.ssh.pub
$CA_DIR/certs/server/FQDN-Description/FQDN-Description.csr
```

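Review bot: the two new files need a one-line note on format: FQDN-Description.pub is the PEM SubjectPublicKeyInfo written by openssl rsa -pubout and FQDN-Description.ssh.pub is the one-line OpenSSH form produced by ssh-keygen -i -mPKCS8 (both visible in the create-client diff). For a server key the OpenSSH file is a host public key, not a host certificate, so the README should not suggest that servers get SSH host certificates out of this.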
@@ -102,6 +111,8 @@ $CA_DIR/bin/create-client -c user@domain.com
```
$CA_DIR/certs/clients/user-domain-com/user-domain-com.crt
$CA_DIR/certs/clients/user-domain-com/user-domain-com.key
$CA_DIR/certs/clients/user-domain-com/user-domain-com.pub
$CA_DIR/certs/clients/user-domain-com/user-domain-com.ssh.pub
$CA_DIR/certs/clients/user-domain-com/user-domain-com.csr
```

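Review bot: user-domain-com.key only exists in the software path; when the "create csr on pkcs11 device" prompt is answered y, create-client never passes -keyout and skips the chmod and ln -s, so the listing should mark .key as absent in that case. The ssh/ subdirectory the script now creates (the user-domain-com.ssh symlink and user-domain-com.ssh.pub) is not listed here at all.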
@@ -130,6 +141,7 @@ These scripts are very simple, and make some hard-coded assumptions about behavi
* Client and Server certificates have 3072-bit RSA keys (configurable in *defaults.conf*)
* Client and Server keys are not encrypted
* There is no wrapper *yet* for renewing certificates
* PKCS11 support is in beta

## License

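Review bot: "PKCS11 support is in beta" is too vague to act on; list what the diff actually fixes: client keys only ever go into PIV slot 9a under the object label "PIV AUTH key", the CA key is looked up as "SIGN key", and both labels are hard-coded in create-client. The bullet "Client and Server keys are not encrypted" above also no longer holds for on-device keys, which are PIN-protected and never leave the token, so qualify it.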
101 changes: 87 additions & 14 deletions create-client
@@ -6,6 +6,7 @@

# Derek Moore <derek.moore@gmail.com>
# Christian Göttsche <cgzones@googlemail.com>
# Tom Bereknyei <tomberek@gmail.com>

set -eu
set -o pipefail
@@ -59,49 +60,121 @@ fi


echo
if [ -n "$CA_ENABLE_ENGINE" ]; then
echo -e "$NOTE Your CA key is on PKCS11 device, enter PIN."
fi
echo -e -n "$INPUT Enter passphase for signing CA key: "
read -r -s PASS
echo
export CA_PASS="${PASS}"
openssl rsa -check \
-in ca/private/ca.key \
-passin env:CA_PASS \
-noout

openssl_engine_cmd='
-engine pkcs11
-inform engine
-in pkcs11:object=SIGN%20key'
openssl rsa \
${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
$( [ -z $CA_ENABLE_ENGINE ] && echo "-check -in ca/private/ca.key") \
-noout \
-passin env:CA_PASS

trap 'rm -Rf "certs/clients/$SAFE_NAME"' 0
mkdir "certs/clients/$SAFE_NAME"
mkdir -p "certs/clients/$SAFE_NAME/ssh"

# Generate the client cert openssl config
export CA_USERNAME="${CLIENT_NAME}"
export CA_CERT_MAIL=""
ask_client_cert_questions
export SAN="email:$CA_CERT_MAIL"
template "${BIN_DIR}/templates/client.tpl" "certs/clients/$SAFE_NAME/$SAFE_NAME.conf"
template "${BIN_DIR}/templates/clients.tpl" "certs/clients/$SAFE_NAME/$SAFE_NAME.conf"

echo -e -n "$INPUT Create csr on pkcs11 device? (key must be in \"PIV AUTH key\" or 9a): [yN]"
read -r SURE
if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
ENABLE_ENGINE=
else
echo -e -n "$INPUT Enter PIN for PIV key: "
read -r -s PASS
echo
export PIV_PASS="${PASS}"
ENABLE_ENGINE=1
CA_PASS=$PIV_PASS init_slot 9a "certs/clients/$SAFE_NAME/$SAFE_NAME.pub" "pkcs11:object=PIV%20AUTH%20key"
fi

echo -e "$NOTE Creating the client key and csr"

# Create the client key and csr
openssl req -new -nodes \
-batch \
openssl_engine_cmd='
-engine pkcs11
-keyform engine
-key pkcs11:object=PIV%20AUTH%20key
-passin env:PIV_PASS'
openssl req -new -batch \
${ENABLE_ENGINE:+$openssl_engine_cmd} \
-config "certs/clients/$SAFE_NAME/$SAFE_NAME.conf" \
-keyout "certs/clients/$SAFE_NAME/$SAFE_NAME.key" \
-out "certs/clients/$SAFE_NAME/$SAFE_NAME.csr"
openssl rsa -noout -check -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
chmod 0400 "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
-out "certs/clients/$SAFE_NAME/$SAFE_NAME.csr" \
$( [ -z $ENABLE_ENGINE ] && echo "
-nodes
-keyout certs/clients/$SAFE_NAME/$SAFE_NAME.key")

openssl_engine_cmd='
-engine pkcs11
-inform engine
-in pkcs11:object=PIV%20AUTH%20key
-passin env:PIV_PASS'
openssl rsa \
${ENABLE_ENGINE:+$openssl_engine_cmd} \
$( [ -z $ENABLE_ENGINE ] && echo "-check -in certs/clients/$SAFE_NAME/$SAFE_NAME.key") \
-noout

if [ -z "$ENABLE_ENGINE" ]; then
chmod 0400 "certs/clients/$SAFE_NAME/$SAFE_NAME.key"
ln -s ../"$SAFE_NAME".key "certs/clients/$SAFE_NAME/ssh/$SAFE_NAME.ssh"
openssl rsa -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key" \
-pubout -out "certs/clients/$SAFE_NAME/$SAFE_NAME.pub"
fi

echo -e "$NOTE Creating client SSH ($SAFE_NAME.ssh.pub)"
echo -e "$NOTE Example sshd_config: TrustedUserCAKeys ca.ssh.pub"
echo -e "$NOTE Example sshd_config: AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u"
echo -e "$NOTE Example known_hosts: @cert-authority *.example.com <ca.ssh.pub>"

ssh-keygen -f "certs/clients/$SAFE_NAME/$SAFE_NAME.pub" -i -mPKCS8 \
| awk "{printf \$0;print \" ${SAFE_NAME}\"}" > "certs/clients/$SAFE_NAME/ssh/$SAFE_NAME.ssh.pub"
ssh-keygen -lvf "certs/clients/$SAFE_NAME/ssh/$SAFE_NAME.ssh.pub"


echo -e "$NOTE Creating the client certificate"

# Create the client certificate
openssl_engine_cmd="\
-engine pkcs11 \
-keyform engine \
-keyfile pkcs11:object=SIGN%20key"
openssl ca -batch -notext \
${CA_ENABLE_ENGINE:+$openssl_engine_cmd} \
-config ca/ca.conf \
-in "certs/clients/$SAFE_NAME/$SAFE_NAME.csr" \
-out "certs/clients/$SAFE_NAME/$SAFE_NAME.crt" \
-extensions client_ext \
-extensions clients_ext \
-passin env:CA_PASS

if [[ -n "$ENABLE_ENGINE" ]]; then
replace_crt 9a certs/clients/"$SAFE_NAME"/"$SAFE_NAME".crt
fi

echo -e "$NOTE Verifying certificate/key pair"

key_mod=$(openssl rsa -noout -modulus -in "certs/clients/$SAFE_NAME/$SAFE_NAME.key")
openssl_engine_cmd="\
-engine pkcs11 \
-inform engine \
-in pkcs11:object=PIV%20AUTH%20key \
-passin env:PIV_PASS"
key_mod=$(openssl rsa \
${ENABLE_ENGINE:+$openssl_engine_cmd} -noout -modulus \
$( [ -z $ENABLE_ENGINE ] && echo "-in certs/clients/$SAFE_NAME/$SAFE_NAME.key")
)

cert_mod=$(openssl x509 -noout -modulus -in "certs/clients/$SAFE_NAME/$SAFE_NAME.crt")

if [ ! "$key_mod" = "$cert_mod" ];then
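Review bot: the four `[ -z $CA_ENABLE_ENGINE ]` / `[ -z $ENABLE_ENGINE ]` tests inside $( ... ) are unquoted; when the variable is empty they collapse to `[ -z ]`, which is true only because a one-argument test checks that the string "-z" is non-empty, so they work by accident and should be written `[ -z "$ENABLE_ENGINE" ]` like the if-test further down. Next to that, `CA_PASS=$PIV_PASS init_slot 9a ...` hands the PIV PIN to init_slot under the CA passphrase's name, which will mislead the next reader; since PIV_PASS is already exported, let init_slot read that instead. The `client.tpl` to `clients.tpl` and `client_ext` to `clients_ext` renames are unrelated to YubiKey support and would be easier to review as their own commit. Finally, the engine branch creates no ssh/$SAFE_NAME.ssh identity link, so the "Example sshd_config" notes should add that a token-resident key is used from ssh via the PKCS11Provider option (or ssh -I) pointing at the YubiKey PKCS11 module rather than an identity file.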