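def main():
    """Issue a server certificate signed by the ``ca2013`` intermediate CA.

    Mirrors the shell recipe kept in the comments below, run from
    ``<cacerts_dir>/ca2013``:
      1. generate a DES3-encrypted 2048-bit RSA key for ``<site>.<domain>``,
      2. build a CSR whose DN is ``--subject`` + ``/CN=<site>.<domain>`` (+ ``--altnames``),
      3. sign it with the intermediate key/cert through ``openssl ca``,
      4. move ``.key``/``.csr``/``.crt`` into ``ca2013/certs``,
      5. strip the passphrase from the key so a server can load it unattended.

    Exits with status 1 when ``--site`` is missing. Every openssl call goes
    through ``util.openssl_cmd`` with an argument string assembled here; the
    helper is assumed to split on whitespace (or hand the string to a shell),
    so values containing spaces or shell metacharacters in ``--subject``,
    ``--altnames`` or ``--password`` will break or be interpreted -
    TODO confirm and quote them (``pipes.quote``) once that is known.
    """
    # http://docs.python.org/2/library/argparse.html
    parser = argparse.ArgumentParser(description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel', help='Specify the default logging level (optional).',
                        choices=['debug', 'info', 'warning', 'error', 'DEBUG', 'INFO', 'WARNING', 'ERROR'],
                        default='info')
    # NOTE(security): the default log lives in world-writable /tmp, where a
    # pre-planted symlink can redirect the log; point --logfile somewhere private.
    parser.add_argument('--logfile', help='Specify logfile name.', default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir', help='alternate cacerts config dir.', default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    # The passphrase only protects the server key between genrsa and the final
    # "openssl rsa" strip below; the CA key's passphrase is whatever was used
    # when the CA was created and is not read from here.
    parser.add_argument('--password', help='Specify a password (optional).', default='changeme')
    parser.add_argument('--subject', help='Specify the certificate subject info.',
                        default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    # --altnames is appended to the DN, i.e. it yields extra CN components,
    # NOT a subjectAltName extension; modern clients match hostnames against
    # SAN only, so real alternative names belong in an openssl.cnf extension.
    parser.add_argument('--altnames', help='Specify alternative names like "/CN=server1/CN=server2"', default='')
    args = parser.parse_args()

    util.setup_logging(args.logfile, args.loglevel)
    util.banner_start()
    util.logger.debug("parsed arguments")
    util.logger.info("got folder " + args.cacerts_dir)

    # Fail before touching the CA tree; the original logged the misleading
    # message "found cakey_pem" here.
    if not args.site:
        util.logger.error("--site is required")
        sys.exit(1)

    cacerts_dir = os.path.abspath(args.cacerts_dir)
    util.validate_directory(cacerts_dir)
    cainter_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    util.validate_directory(cainter_dir)
    # The signing step below uses ./private/cakey.pem and ./cacert.pem relative
    # to cainter_dir (the intermediate), so those are the files to check - the
    # original validated the ROOT key in cacerts_dir/private instead.
    util.validate_file(os.path.join(cainter_dir, "private", "cakey.pem"))
    util.validate_file(os.path.join(cainter_dir, "cacert.pem"))

    fqdn = args.site + '.' + args.domain
    source_dir = cainter_dir
    destin_dir = os.path.join(cainter_dir, 'certs')

    # http://docs.python.org/2/library/subprocess.html#replacing-older-functions-with-the-subprocess-module
    # smoke test of the wrapper before anything is written
    util.openssl_cmd("test", args.site, cainter_dir, 'version')

    # pushd /cacerts/ca2013
    # [ -f ~/.rnd ] && sudo rm -f ~/.rnd
    # openssl genrsa -passout pass:xxxxxxxx -des3 -out $_SITE.key 2048 -config ./openssl.cnf
    # openssl req -passin pass:xxxxxxxx -new -key $_SITE.key -out $_SITE.csr -subj "/C=US/ST=California/L=Roseville/O=HP/OU=PDE/CN=$_SITE.forj.io" -config ./openssl.cnf
    # openssl ca -passin pass:xxxxxxxx -batch -config openssl.cnf -policy policy_anything -out $_SITE.crt -infiles $_SITE.csr
    #
    # NOTE(security): "pass:<value>" places the passphrase in the openssl
    # argument list, readable by every local user via ps/procfs. Prefer
    # "-passin/-passout file:<0600 file>" or "stdin" once util.openssl_cmd
    # can supply them.
    subject = args.subject + "/CN=" + fqdn + args.altnames
    passphrase = "pass:" + args.password
    util.openssl_cmd("genrsa", fqdn, cainter_dir,
                     "-passout " + passphrase + " -des3 2048 -config ./openssl.cnf")
    util.openssl_cmd("req", fqdn, cainter_dir,
                     "-passin " + passphrase + " -new -subj " + subject + " -config ./openssl.cnf")
    # -keyfile and -cert makes the linkage to intermediate certificate
    util.openssl_cmd("ca", fqdn, cainter_dir,
                     "-passin " + passphrase + " -batch -config ./openssl.cnf -policy policy_anything"
                     " -keyfile ./private/cakey.pem -cert ./cacert.pem")

    # cd cainter_dir
    # mv $_SITE.key $_SITE.csr $_SITE.crt certs
    for ext in ('.key', '.csr', '.crt'):
        util.logger.debug("relocating " + args.site + ext)
        os.rename(os.path.join(source_dir, fqdn + ext),
                  os.path.join(destin_dir, fqdn + ext))

    # this is an ssl cert, remove the ssl password on the key....
    # openssl rsa -passin pass:xxxxxxxx -in $_SITE.key -out $_FQDN.key
    key_in = os.path.join(destin_dir, fqdn + '.key')
    key_out = os.path.join(destin_dir, fqdn + '.key2')
    # second argument is args.site here but fqdn above; kept as-is because
    # -in/-out are explicit - TODO confirm util.openssl_cmd ignores it then
    util.openssl_cmd("rsa", args.site, cainter_dir,
                     "-passin " + passphrase + " -in " + key_in + " -out " + key_out)
    # The key is now unencrypted on disk: make it owner-only BEFORE it takes
    # its final name so there is no window in which it is readable by others
    # (file mode otherwise depends on the umask openssl ran under).
    os.chmod(key_out, 0o600)
    util.logger.debug("unlink : " + key_in)
    os.unlink(key_in)
    util.logger.debug("rename : " + key_out + " -> " + key_in)
    os.rename(key_out, key_in)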
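def main():
    """Create a server certificate for ``<site>.<domain>`` under the ``ca2013``
    intermediate CA and leave key, CSR and certificate in ``ca2013/certs``.

    Pipeline (each step is an ``util.openssl_cmd`` call run in ``ca2013``):
    ``genrsa`` (DES3-encrypted 2048-bit key) -> ``req`` (CSR with DN
    ``--subject`` + ``/CN=<site>.<domain>`` + ``--altnames``) -> ``ca`` (signed
    with ``./private/cakey.pem`` / ``./cacert.pem``, ``policy_anything``) ->
    move the three files into ``certs/`` -> ``rsa`` to strip the passphrase
    so the key can be loaded unattended by a server.

    Exits 1 if ``--site`` is empty. The openssl argument strings are built by
    concatenation; how ``util.openssl_cmd`` tokenises them is not visible
    here, so spaces or shell metacharacters in ``--subject``/``--altnames``/
    ``--password`` may break or be interpreted - TODO confirm and quote.
    """
    # http://docs.python.org/2/library/argparse.html
    parser = argparse.ArgumentParser(
        description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel',
                        help='Specify the default logging level (optional).',
                        choices=[
                            'debug', 'info', 'warning', 'error',
                            'DEBUG', 'INFO', 'WARNING', 'ERROR'
                        ],
                        default='info')
    # NOTE(security): default log path is in world-writable /tmp (symlink
    # planting); callers should pass a --logfile in a private directory.
    parser.add_argument('--logfile',
                        help='Specify logfile name.',
                        default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir',
                        help='alternate cacerts config dir.',
                        default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    # Only guards the server key between genrsa and the final strip below.
    parser.add_argument('--password',
                        help='Specify a password (optional).',
                        default='changeme')
    parser.add_argument('--subject',
                        help='Specify the certificate subject info.',
                        default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    # Appended to the DN as additional CN components, not as a
    # subjectAltName extension; clients match hostnames on SAN, so this
    # does not make the cert valid for those names.
    parser.add_argument(
        '--altnames',
        help='Specify alternative names like "/CN=server1/CN=server2"',
        default='')
    args = parser.parse_args()

    util.setup_logging(args.logfile, args.loglevel)
    util.banner_start()
    util.logger.debug("parsed arguments")
    util.logger.info("got folder " + args.cacerts_dir)

    # --site is the only mandatory input; reject it before any validation
    # (the original logged "found cakey_pem" here, which was wrong).
    if not args.site:
        util.logger.error("--site is required")
        sys.exit(1)

    cacerts_dir = os.path.abspath(args.cacerts_dir)
    util.validate_directory(cacerts_dir)
    cainter_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    util.validate_directory(cainter_dir)
    # Validate the files the "ca" step actually uses (intermediate key and
    # cert, relative to cainter_dir) rather than the root key in cacerts_dir.
    inter_key = os.path.join(cainter_dir, "private", "cakey.pem")
    inter_cert = os.path.join(cainter_dir, "cacert.pem")
    util.validate_file(inter_key)
    util.validate_file(inter_cert)

    fqdn = args.site + '.' + args.domain
    source_dir = cainter_dir
    destin_dir = os.path.join(cainter_dir, 'certs')

    # http://docs.python.org/2/library/subprocess.html#replacing-older-functions-with-the-subprocess-module
    util.openssl_cmd("test", args.site, cainter_dir, 'version')

    # pushd /cacerts/ca2013
    # [ -f ~/.rnd ] && sudo rm -f ~/.rnd
    # openssl genrsa -passout pass:xxxxxxxx -des3 -out $_SITE.key 2048 -config ./openssl.cnf
    # openssl req -passin pass:xxxxxxxx -new -key $_SITE.key -out $_SITE.csr -subj "/C=US/ST=California/L=Roseville/O=HP/OU=PDE/CN=$_SITE.forj.io" -config ./openssl.cnf
    # openssl ca -passin pass:xxxxxxxx -batch -config openssl.cnf -policy policy_anything -out $_SITE.crt -infiles $_SITE.csr
    #
    # NOTE(security): "pass:<value>" exposes the passphrase in the process
    # argument list to every local user (ps). Move to "file:"/"stdin" once
    # util.openssl_cmd can feed them.
    subject = args.subject + "/CN=" + fqdn + args.altnames
    pw = "pass:" + args.password
    steps = [
        ("genrsa", "-passout " + pw + " -des3 2048 -config ./openssl.cnf"),
        ("req", "-passin " + pw + " -new -subj " + subject + " -config ./openssl.cnf"),
        # -keyfile and -cert makes the linkage to intermediate certificate
        ("ca", "-passin " + pw + " -batch -config ./openssl.cnf -policy policy_anything"
               " -keyfile ./private/cakey.pem -cert ./cacert.pem"),
    ]
    for verb, argstr in steps:
        util.openssl_cmd(verb, fqdn, cainter_dir, argstr)

    # cd cainter_dir
    # mv $_SITE.key $_SITE.csr $_SITE.crt certs
    for ext in ['.key', '.csr', '.crt']:
        util.logger.debug("relocating " + args.site + ext)
        os.rename(
            os.path.join(source_dir, fqdn + ext),
            os.path.join(destin_dir, fqdn + ext))

    # this is an ssl cert, remove the ssl password on the key....
    # openssl rsa -passin pass:xxxxxxxx -in $_SITE.key -out $_FQDN.key
    key_in = os.path.join(destin_dir, fqdn + '.key')
    key_out = os.path.join(destin_dir, fqdn + '.key2')
    # name argument is args.site (not fqdn) as in the original; -in/-out are
    # explicit so it is presumably unused here - TODO confirm in util
    util.openssl_cmd(
        "rsa", args.site, cainter_dir,
        "-passin " + pw + " -in " + key_in + " -out " + key_out)
    # Unencrypted key: restrict to owner before it gets its final name so it
    # is never both plaintext and group/world readable.
    os.chmod(key_out, 0o600)
    util.logger.debug("unlink : " + key_in)
    os.unlink(key_in)
    util.logger.debug("rename : " + key_out + " -> " + key_in)
    os.rename(key_out, key_in)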
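def main():
    """Bootstrap a two-level CA: a self-signed root in ``cacerts_dir`` and an
    intermediate in ``cacerts_dir/ca2013`` signed by that root.

    Files produced (all handed to the ``puppet`` user at the end):
      cacerts_dir/private/cakey.key and private/cakey.pem  root key (same bytes, DES3-encrypted)
      cacerts_dir/cacert.pem and root.cer                  root certificate (5 years)
      ca2013/private/cakey.pem                             intermediate key
      ca2013/ca2013.csr, ca2013/cacert.pem, intermediate.cer intermediate CSR / certificate (1 year)
      ca2013/chain.crt                                     intermediate followed by root
    ``index.txt`` in both directories is truncated, and ``openssl.cnf`` is
    copied from the root directory into ``ca2013``.

    ``--loglevel``/``--logfile`` are honoured; ``--altnames`` is accepted for
    parity with the server-cert tool but not used here. The openssl argument
    strings are concatenated, so spaces or shell metacharacters in
    ``--subject``/``--password`` may break or be interpreted by
    ``util.openssl_cmd`` - TODO confirm and quote.
    """
    # http://docs.python.org/2/library/argparse.html
    parser = argparse.ArgumentParser(description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel', help='Specify the default logging level (optional).',
                        choices=['debug', 'info', 'warning', 'error', 'DEBUG', 'INFO', 'WARNING', 'ERROR'],
                        default='info')
    # NOTE(security): default log path is in world-writable /tmp.
    parser.add_argument('--logfile', help='Specify logfile name.', default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir', help='alternate cacerts config dir.', default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    # NOTE(security): this passphrase protects the ROOT and intermediate keys
    # for their whole lifetime; the 'changeme' default must not be used.
    parser.add_argument('--password', help='Specify a password (optional).', default='changeme')
    parser.add_argument('--subject', help='Specify the certificate subject info.',
                        default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    parser.add_argument('--altnames', help='Specify alternative names like "/CN=server1/CN=server2"', default='')
    args = parser.parse_args()
    util.setup_logging(args.logfile, args.loglevel)

    cacerts_dir = os.path.abspath(args.cacerts_dir)
    ca2013_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    site_name = args.site + "." + args.domain
    # NOTE(review): root and intermediate are issued with this identical DN.
    # Two CA certificates with the same subject make issuer lookup (which is
    # by name) ambiguous for chain builders; giving the intermediate its own
    # CN is the usual fix - confirm nothing keys on the DN before changing.
    subject = args.subject + "/CN=" + site_name

    # Layout the openssl.cnf CA section expects (private, certs, crl, newcerts, serial).
    for directory in (cacerts_dir, ca2013_dir,
                      ca2013_dir + "/private", ca2013_dir + "/certs",
                      ca2013_dir + "/crl", ca2013_dir + "/newcerts"):
        util.validate_directory(directory)
    for required in (cacerts_dir + "/openssl.cnf", cacerts_dir + "/serial", ca2013_dir + "/serial"):
        util.validate_file(required)

    # NOTE(security): "pass:<value>" and "ca -key <value>" put the passphrase
    # in the openssl argument list, visible to every local user via ps.
    # Switch to "-passin/-passout file:<0600 file>" once util.openssl_cmd
    # can pass one through.
    pw = "pass:" + args.password

    # Creating root cert
    # Running at cacerts_dir
    with open(cacerts_dir + "/index.txt", "w"):
        pass  # empty CA database
    print("(1)")
    util.openssl_cmd("genrsa -passout " + pw + " -des3 -out private/cakey.key 4096", "", cacerts_dir, "")
    # both names are referenced by other tooling; they hold the same key
    copyfile(cacerts_dir + "/private/cakey.key", cacerts_dir + "/private/cakey.pem")
    print("(2)")
    # -sha256 replaces the original -sha1: SHA-1 signatures are refused by
    # current TLS stacks, so a SHA-1 root/intermediate is unusable.
    util.openssl_cmd("req -passin " + pw + " -subj " + subject +
                     " -new -x509 -nodes -sha256 -days 1825 -key private/cakey.key -out cacert.pem -config ./openssl.cnf",
                     "", cacerts_dir, "")

    # Creating intermediate cert
    # Running at cacerts_dir/ca2013
    with open(ca2013_dir + "/index.txt", "w"):
        pass
    copyfile(cacerts_dir + "/openssl.cnf", ca2013_dir + "/openssl.cnf")
    print("(3)")
    util.openssl_cmd("genrsa -passout " + pw + " -des3 -out private/cakey.pem 4096", "", ca2013_dir, "")
    print("(4)")
    util.openssl_cmd("req -passin " + pw + " -subj " + subject +
                     " -new -sha256 -key private/cakey.pem -out ca2013.csr -config ./openssl.cnf",
                     "", ca2013_dir, "")
    print("(5)")
    # Signed by the ROOT key/cert (../); v3_ca is the openssl.cnf extension
    # section expected to carry basicConstraints CA:TRUE. -md sha256 so the
    # digest does not fall back to default_md from openssl.cnf.
    util.openssl_cmd("ca -batch -extensions v3_ca -md sha256 -days 365 -out cacert.pem -in ca2013.csr -config openssl.cnf"
                     " -key " + args.password + " -keyfile ../private/cakey.key -cert ../cacert.pem",
                     "", ca2013_dir, "")

    # chain.crt = intermediate followed by root, what a server presents.
    copyfile(ca2013_dir + "/cacert.pem", ca2013_dir + "/chain.crt")
    with open(cacerts_dir + "/cacert.pem", "rb") as root_pem, \
            open(ca2013_dir + "/chain.crt", "ab") as chain:
        chain.write(root_pem.read())

    # Root and Intermediate certificates
    copyfile(cacerts_dir + "/cacert.pem", cacerts_dir + "/root.cer")
    copyfile(ca2013_dir + "/cacert.pem", cacerts_dir + "/intermediate.cer")

    # Permissions. The original left ca2013/private/cakey.pem and
    # private/cakey.key (a copy of the root key) at 0755, i.e. readable by
    # every local user, and gave the certs an exec bit. Private keys are
    # owner-read-only, public material 0644, and index.txt stays writable by
    # owner and group (openssl ca rewrites it) without world access.
    private_keys = [
        cacerts_dir + "/private/cakey.pem",
        cacerts_dir + "/private/cakey.key",
        cacerts_dir + "/ca2013/private/cakey.pem",
    ]
    public_files = [
        cacerts_dir + "/cacert.pem",
        cacerts_dir + "/intermediate.cer",
        cacerts_dir + "/root.cer",
        cacerts_dir + "/ca2013/ca2013.csr",
        cacerts_dir + "/ca2013/cacert.pem",
        cacerts_dir + "/ca2013/chain.crt",
    ]
    databases = [
        cacerts_dir + "/index.txt",
        cacerts_dir + "/ca2013/index.txt",
    ]
    # TODO: create a recursive chown def - "openssl ca" also rewrites serial,
    # index.txt.attr, the *.old backups and writes into newcerts/, which are
    # not handed over here (presumably already owned by puppet - verify).
    uid = getpwnam('puppet').pw_uid
    gid = getpwnam('puppet').pw_gid
    for mode, paths in ((0o400, private_keys), (0o644, public_files), (0o660, databases)):
        for path in paths:
            os.chown(path, uid, gid)
            os.chmod(path, mode)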
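def main():
    """Create a root CA in ``cacerts_dir`` and an intermediate CA in
    ``cacerts_dir/ca2013`` signed by it, then hand the results to ``puppet``.

    Root: 4096-bit DES3-encrypted key written as ``private/cakey.key`` and
    copied to ``private/cakey.pem``; self-signed ``cacert.pem`` valid 1825 days
    (also copied to ``root.cer``). Intermediate: 4096-bit key
    ``ca2013/private/cakey.pem``, CSR ``ca2013/ca2013.csr``, certificate
    ``ca2013/cacert.pem`` signed with the root for 365 days using the
    ``v3_ca`` extensions (copied to ``intermediate.cer``), and
    ``ca2013/chain.crt`` = intermediate + root. Both ``index.txt`` files are
    truncated and ``openssl.cnf`` is copied into ``ca2013``.

    ``--altnames`` is parsed but unused. Argument strings for
    ``util.openssl_cmd`` are concatenated, so spaces / shell metacharacters in
    ``--subject`` or ``--password`` may break or be interpreted - TODO confirm
    how the helper tokenises and quote accordingly.
    """
    # http://docs.python.org/2/library/argparse.html
    parser = argparse.ArgumentParser(description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel', help='Specify the default logging level (optional).',
                        choices=['debug', 'info', 'warning', 'error', 'DEBUG', 'INFO', 'WARNING', 'ERROR'],
                        default='info')
    # NOTE(security): /tmp is world-writable; prefer a private --logfile.
    parser.add_argument('--logfile', help='Specify logfile name.', default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir', help='alternate cacerts config dir.', default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    # NOTE(security): this is the long-lived passphrase of both CA keys;
    # never run with the 'changeme' default.
    parser.add_argument('--password', help='Specify a password (optional).', default='changeme')
    parser.add_argument('--subject', help='Specify the certificate subject info.',
                        default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    parser.add_argument('--altnames', help='Specify alternative names like "/CN=server1/CN=server2"', default='')
    args = parser.parse_args()
    util.setup_logging(args.logfile, args.loglevel)

    cacerts_dir = os.path.abspath(args.cacerts_dir)
    ca2013_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    site_name = args.site + "." + args.domain
    # NOTE(review): the same DN is used for the root and the intermediate.
    # Issuer lookup during chain building is by subject name, so two CA certs
    # with identical subjects are ambiguous; a distinct intermediate CN is the
    # conventional fix - confirm no consumer depends on the DN first.
    subject = args.subject + "/CN=" + site_name

    required_dirs = [
        cacerts_dir,
        ca2013_dir,
        ca2013_dir + "/private",
        ca2013_dir + "/certs",
        ca2013_dir + "/crl",
        ca2013_dir + "/newcerts",
    ]
    required_files = [
        cacerts_dir + "/openssl.cnf",
        cacerts_dir + "/serial",
        ca2013_dir + "/serial",
    ]
    for path in required_dirs:
        util.validate_directory(path)
    for path in required_files:
        util.validate_file(path)

    # NOTE(security): "pass:<value>" / "ca -key <value>" expose the
    # passphrase in the process argument list (ps) to every local user;
    # move to "file:"/"stdin" once util.openssl_cmd supports it.
    pw = "pass:" + args.password

    def reset_index(path):
        # openssl ca's database: start from an empty file
        with open(path, "w"):
            pass

    # Creating root cert
    # Running at cacerts_dir
    reset_index(cacerts_dir + "/index.txt")
    print("(1)")
    util.openssl_cmd("genrsa -passout " + pw + " -des3 -out private/cakey.key 4096", "", cacerts_dir, "")
    copyfile(cacerts_dir + "/private/cakey.key", cacerts_dir + "/private/cakey.pem")
    print("(2)")
    # -sha256 instead of the original -sha1, which current clients reject.
    util.openssl_cmd("req -passin " + pw + " -subj " + subject
                     + " -new -x509 -nodes -sha256 -days 1825 -key private/cakey.key -out cacert.pem -config ./openssl.cnf",
                     "", cacerts_dir, "")

    # Creating intermediate cert
    # Running at cacerts_dir/ca2013
    reset_index(ca2013_dir + "/index.txt")
    copyfile(cacerts_dir + "/openssl.cnf", ca2013_dir + "/openssl.cnf")
    print("(3)")
    util.openssl_cmd("genrsa -passout " + pw + " -des3 -out private/cakey.pem 4096", "", ca2013_dir, "")
    print("(4)")
    util.openssl_cmd("req -passin " + pw + " -subj " + subject
                     + " -new -sha256 -key private/cakey.pem -out ca2013.csr -config ./openssl.cnf",
                     "", ca2013_dir, "")
    print("(5)")
    # root key/cert live one level up; v3_ca is the openssl.cnf section that
    # should carry CA:TRUE; -md sha256 pins the digest regardless of default_md
    util.openssl_cmd("ca -batch -extensions v3_ca -md sha256 -days 365 -out cacert.pem -in ca2013.csr -config openssl.cnf"
                     + " -key " + args.password + " -keyfile ../private/cakey.key -cert ../cacert.pem",
                     "", ca2013_dir, "")

    # chain.crt: intermediate first, then root (binary-safe append)
    copyfile(ca2013_dir + "/cacert.pem", ca2013_dir + "/chain.crt")
    with open(cacerts_dir + "/cacert.pem", "rb") as root_pem:
        root_bytes = root_pem.read()
    with open(ca2013_dir + "/chain.crt", "ab") as chain:
        chain.write(root_bytes)

    # Root and Intermediate certificates
    copyfile(cacerts_dir + "/cacert.pem", cacerts_dir + "/root.cer")
    copyfile(ca2013_dir + "/cacert.pem", cacerts_dir + "/intermediate.cer")

    # Permissions and ownership. The original chmod'ed the intermediate key
    # and the cakey.key copy of the root key to 0755 (world-readable) and
    # gave certificates an exec bit; index.txt was 0765. Keys become
    # owner-read-only, public files 0644, databases owner/group rw so
    # "openssl ca" can still rewrite them.
    uid = getpwnam('puppet').pw_uid
    gid = getpwnam('puppet').pw_gid

    def hand_over(path, mode):
        os.chown(path, uid, gid)
        os.chmod(path, mode)

    for key in (cacerts_dir + "/private/cakey.pem",
                cacerts_dir + "/private/cakey.key",
                cacerts_dir + "/ca2013/private/cakey.pem"):
        hand_over(key, 0o400)
    for public in (cacerts_dir + "/cacert.pem",
                   cacerts_dir + "/intermediate.cer",
                   cacerts_dir + "/root.cer",
                   cacerts_dir + "/ca2013/ca2013.csr",
                   cacerts_dir + "/ca2013/cacert.pem",
                   cacerts_dir + "/ca2013/chain.crt"):
        hand_over(public, 0o644)
    for database in (cacerts_dir + "/index.txt",
                     cacerts_dir + "/ca2013/index.txt"):
        hand_over(database, 0o660)
    # TODO: create a recursive chown def - serial, index.txt.attr, *.old and
    # newcerts/ are also written by "openssl ca" and are not covered above
    # (presumably already owned by puppet; verify).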