Ejemplo n.º 1
0
def main():
    # http://docs.python.org/2/library/argparse.html
    global logger
    parser = argparse.ArgumentParser(description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel', help='Specify the default logging level (optional).', choices=['debug', 'info', 'warning', 'error', 'DEBUG', 'INFO', 'WARNING', 'ERROR'], default='info')
    parser.add_argument('--logfile', help='Specify logfile name.', default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir', help='alternate cacerts config dir.', default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    parser.add_argument('--password', help='Specify a password (optional).', default='changeme')
    parser.add_argument('--subject', help='Specify the certificate subject info.', default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    parser.add_argument('--altnames', help='Specify alternative names like "/CN=server1/CN=server2"', default='')
    args = parser.parse_args()

    util.setup_logging(args.logfile, args.loglevel)
    util.banner_start()
    util.logger.debug("parsed arguments")
    util.logger.info("got folder " + args.cacerts_dir)
    cacerts_dir = os.path.abspath(args.cacerts_dir)

    util.validate_directory(cacerts_dir)
    cainter_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    util.validate_directory(cainter_dir)
    cakey_pem = os.path.abspath(os.path.join(cacerts_dir, "private/cakey.pem"))
    util.validate_file(cakey_pem)

    if not args.site:
        util.logger.error("found cakey_pem")
        sys.exit(1)

    source_dir = cainter_dir
    destin_dir = os.path.join(cainter_dir, 'certs')

    # http://docs.python.org/2/library/subprocess.html#replacing-older-functions-with-the-subprocess-module
    util.openssl_cmd("test", args.site, cainter_dir, 'version')

    # pushd /cacerts/ca2013
    #
    # [ -f ~/.rnd ] && sudo rm -f ~/.rnd
    # openssl genrsa -passout pass:xxxxxxxx -des3 -out $_SITE.key 2048 -config ./openssl.cnf
    # openssl req -passin pass:xxxxxxxx -new -key $_SITE.key -out $_SITE.csr -subj "/C=US/ST=California/L=Roseville/O=HP/OU=PDE/CN=$_SITE.forj.io" -config ./openssl.cnf
    # openssl ca -passin pass:xxxxxxxx -batch -config openssl.cnf -policy policy_anything -out $_SITE.crt -infiles $_SITE.csr
    subject = args.subject + "/CN=" + args.site + "." + args.domain + args.altnames
    util.openssl_cmd("genrsa", args.site + '.' + args.domain, cainter_dir, "-passout pass:"******" -des3 2048 -config ./openssl.cnf")
    util.openssl_cmd("req", args.site + '.' + args.domain, cainter_dir, "-passin pass:"******" -new -subj " + subject + " -config ./openssl.cnf")
    # -keyfile and -cert makes the linkage to intermediate certificate
    util.openssl_cmd("ca", args.site + '.' + args.domain, cainter_dir, "-passin pass:"******" -batch -config ./openssl.cnf -policy policy_anything -keyfile ./private/cakey.pem -cert ./cacert.pem")

    # cd cainter_dir
    # mv $_SITE.key $_SITE.csr $_SITE.crt certs
    extensions = ['.key', '.csr', '.crt']

    for ext in extensions:
        util.logger.debug("relocating " + args.site + ext)
        os.rename(os.path.join(source_dir, args.site + '.' + args.domain + ext),
                  os.path.join(destin_dir, args.site + '.' + args.domain + ext))

    # this is an ssl cert, remove the ssl password on the key....
    #  openssl rsa -passin pass:xxxxxxxx -in $_SITE.key -out $_FQDN.key
    key_in = os.path.join(destin_dir, args.site + '.' + args.domain + '.key')
    key_out = os.path.join(destin_dir, args.site + '.' + args.domain + '.key2')
    util.openssl_cmd("rsa", args.site, cainter_dir, "-passin pass:"******" -in " + key_in + " -out " + key_out)
    util.logger.debug("unlink : " + key_in)
    os.unlink(key_in)
    util.logger.debug("rename : " + key_out + " -> " + key_in)
    os.rename(key_out, key_in)
Ejemplo n.º 2
0
def main():
    # http://docs.python.org/2/library/argparse.html
    global logger
    parser = argparse.ArgumentParser(
        description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel',
                        help='Specify the default logging level (optional).',
                        choices=[
                            'debug', 'info', 'warning', 'error', 'DEBUG',
                            'INFO', 'WARNING', 'ERROR'
                        ],
                        default='info')
    parser.add_argument('--logfile',
                        help='Specify logfile name.',
                        default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir',
                        help='alternate cacerts config dir.',
                        default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    parser.add_argument('--password',
                        help='Specify a password (optional).',
                        default='changeme')
    parser.add_argument('--subject',
                        help='Specify the certificate subject info.',
                        default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    parser.add_argument(
        '--altnames',
        help='Specify alternative names like "/CN=server1/CN=server2"',
        default='')
    args = parser.parse_args()

    util.setup_logging(args.logfile, args.loglevel)
    util.banner_start()
    util.logger.debug("parsed arguments")
    util.logger.info("got folder " + args.cacerts_dir)
    cacerts_dir = os.path.abspath(args.cacerts_dir)

    util.validate_directory(cacerts_dir)
    cainter_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    util.validate_directory(cainter_dir)
    cakey_pem = os.path.abspath(os.path.join(cacerts_dir, "private/cakey.pem"))
    util.validate_file(cakey_pem)

    if not args.site:
        util.logger.error("found cakey_pem")
        sys.exit(1)

    source_dir = cainter_dir
    destin_dir = os.path.join(cainter_dir, 'certs')

    # http://docs.python.org/2/library/subprocess.html#replacing-older-functions-with-the-subprocess-module
    util.openssl_cmd("test", args.site, cainter_dir, 'version')

    # pushd /cacerts/ca2013
    #
    # [ -f ~/.rnd ] && sudo rm -f ~/.rnd
    # openssl genrsa -passout pass:xxxxxxxx -des3 -out $_SITE.key 2048 -config ./openssl.cnf
    # openssl req -passin pass:xxxxxxxx -new -key $_SITE.key -out $_SITE.csr -subj "/C=US/ST=California/L=Roseville/O=HP/OU=PDE/CN=$_SITE.forj.io" -config ./openssl.cnf
    # openssl ca -passin pass:xxxxxxxx -batch -config openssl.cnf -policy policy_anything -out $_SITE.crt -infiles $_SITE.csr
    subject = args.subject + "/CN=" + args.site + "." + args.domain + args.altnames
    util.openssl_cmd(
        "genrsa", args.site + '.' + args.domain, cainter_dir,
        "-passout pass:"******" -des3 2048 -config ./openssl.cnf")
    util.openssl_cmd(
        "req", args.site + '.' + args.domain, cainter_dir, "-passin pass:"******" -new -subj " + subject + " -config ./openssl.cnf")
    # -keyfile and -cert makes the linkage to intermediate certificate
    util.openssl_cmd(
        "ca", args.site + '.' + args.domain, cainter_dir,
        "-passin pass:"******" -batch -config ./openssl.cnf -policy policy_anything -keyfile ./private/cakey.pem -cert ./cacert.pem"
    )

    # cd cainter_dir
    # mv $_SITE.key $_SITE.csr $_SITE.crt certs
    extensions = ['.key', '.csr', '.crt']

    for ext in extensions:
        util.logger.debug("relocating " + args.site + ext)
        os.rename(
            os.path.join(source_dir, args.site + '.' + args.domain + ext),
            os.path.join(destin_dir, args.site + '.' + args.domain + ext))

    # this is an ssl cert, remove the ssl password on the key....
    #  openssl rsa -passin pass:xxxxxxxx -in $_SITE.key -out $_FQDN.key
    key_in = os.path.join(destin_dir, args.site + '.' + args.domain + '.key')
    key_out = os.path.join(destin_dir, args.site + '.' + args.domain + '.key2')
    util.openssl_cmd(
        "rsa", args.site, cainter_dir, "-passin pass:"******" -in " + key_in + " -out " + key_out)
    util.logger.debug("unlink : " + key_in)
    os.unlink(key_in)
    util.logger.debug("rename : " + key_out + " -> " + key_in)
    os.rename(key_out, key_in)
Ejemplo n.º 3
0
def main():
    # http://docs.python.org/2/library/argparse.html
    global logger
    parser = argparse.ArgumentParser(description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel', help='Specify the default logging level (optional).', choices=['debug', 'info', 'warning', 'error', 'DEBUG', 'INFO', 'WARNING', 'ERROR'], default='info')
    parser.add_argument('--logfile', help='Specify logfile name.', default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir', help='alternate cacerts config dir.', default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    parser.add_argument('--password', help='Specify a password (optional).', default='changeme')
    parser.add_argument('--subject', help='Specify the certificate subject info.', default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    parser.add_argument('--altnames', help='Specify alternative names like "/CN=server1/CN=server2"', default='')
    args = parser.parse_args()

    util.setup_logging(args.logfile, args.loglevel)
    cacerts_dir = os.path.abspath(args.cacerts_dir)
    ca2013_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    site_name = args.site + "." + args.domain
    subject = args.subject + "/CN="+site_name

    util.validate_directory(cacerts_dir)
    util.validate_directory(ca2013_dir)
    util.validate_directory(ca2013_dir+"/private")
    util.validate_directory(ca2013_dir+"/certs")
    util.validate_directory(ca2013_dir+"/crl")
    util.validate_directory(ca2013_dir+"/newcerts")

    util.validate_file(cacerts_dir+"/openssl.cnf")
    util.validate_file(cacerts_dir+"/serial")
    util.validate_file(ca2013_dir+"/serial")

    # Creating root cert
    # Running at cacerts_dir
    copyfile("/dev/null", cacerts_dir+"/index.txt")
    print "(1)"
    util.openssl_cmd("genrsa -passout pass:"******" -des3 -out private/cakey.key 4096", "", cacerts_dir, "")
    copyfile(cacerts_dir+"/private/cakey.key", cacerts_dir+"/private/cakey.pem")
    print "(2)"
    util.openssl_cmd("req -passin pass:"******" -subj " + subject + " -new -x509 -nodes -sha1 -days 1825 -key private/cakey.key -out cacert.pem -config ./openssl.cnf", "", cacerts_dir, "")

    # Creating intermediate cert
    # Running at cacerts_dir/ca2013
    copyfile("/dev/null", ca2013_dir+"/index.txt")
    copyfile(cacerts_dir+"/openssl.cnf", ca2013_dir+"/openssl.cnf")
    print "(3)"
    util.openssl_cmd("genrsa -passout pass:"******" -des3 -out private/cakey.pem 4096", "", ca2013_dir, "")
    print "(4)"
    util.openssl_cmd("req -passin pass:"******" -subj " + subject + " -new -sha1 -key private/cakey.pem -out ca2013.csr -config ./openssl.cnf", "", ca2013_dir, "")
    print "(5)"
    util.openssl_cmd("ca -batch -extensions v3_ca -days 365 -out cacert.pem -in ca2013.csr -config openssl.cnf -key "+args.password+" -keyfile ../private/cakey.key -cert ../cacert.pem", "", ca2013_dir, "")
    copyfile(ca2013_dir+"/cacert.pem", ca2013_dir+"/chain.crt")
    file2 = open(cacerts_dir+"/cacert.pem", "rb")
    with open(ca2013_dir+"/chain.crt", "a") as myfile:
        myfile.write(file2.read())

    # Root and Intermediate certificates
    copyfile(cacerts_dir+"/cacert.pem", cacerts_dir+"/root.cer")
    copyfile(ca2013_dir+"/cacert.pem", cacerts_dir+"/intermediate.cer")

    # Permissions
    os.chmod(cacerts_dir+"/cacert.pem", 0755)
    os.chmod(cacerts_dir+"/intermediate.cer", 0755)
    os.chmod(cacerts_dir+"/root.cer", 0755)
    os.chmod(cacerts_dir+"/private/cakey.pem", 0400)
    os.chmod(cacerts_dir+"/ca2013/private/cakey.pem", 0755)
    os.chmod(cacerts_dir+"/private/cakey.key", 0755)
    os.chmod(cacerts_dir+"/ca2013/ca2013.csr", 0755)
    os.chmod(cacerts_dir+"/ca2013/cacert.pem", 0755)
    os.chmod(cacerts_dir+"/ca2013/chain.crt", 0755)
    os.chmod(cacerts_dir+"/index.txt", 0765)
    os.chmod(cacerts_dir+"/ca2013/index.txt", 0765)

    # TODO: create a recursive chown def
    uid = getpwnam('puppet').pw_uid
    gid = getpwnam('puppet').pw_gid
    os.chown(cacerts_dir+"/cacert.pem", uid, gid)
    os.chown(cacerts_dir+"/intermediate.cer", uid, gid)
    os.chown(cacerts_dir+"/root.cer", uid, gid)
    os.chown(cacerts_dir+"/private/cakey.pem", uid, gid)
    os.chown(cacerts_dir+"/ca2013/private/cakey.pem", uid, gid)
    os.chown(cacerts_dir+"/private/cakey.key", uid, gid)
    os.chown(cacerts_dir+"/ca2013/ca2013.csr", uid, gid)
    os.chown(cacerts_dir+"/ca2013/cacert.pem", uid, gid)
    os.chown(cacerts_dir+"/ca2013/chain.crt", uid, gid)
    os.chown(cacerts_dir+"/index.txt", uid, gid)
    os.chown(cacerts_dir+"/ca2013/index.txt", uid, gid)
Ejemplo n.º 4
0
def main():
    # http://docs.python.org/2/library/argparse.html
    global logger
    parser = argparse.ArgumentParser(description='Create a server certificate using the cacerts db.')
    parser.add_argument('--loglevel', help='Specify the default logging level (optional).', choices=['debug', 'info', 'warning', 'error', 'DEBUG', 'INFO', 'WARNING', 'ERROR'], default='info')
    parser.add_argument('--logfile', help='Specify logfile name.', default='/tmp/create_servercert.log')
    parser.add_argument('--cacerts_dir', help='alternate cacerts config dir.', default='../cacerts')
    parser.add_argument('--domain', help='The domain name.', default='forj.io')
    parser.add_argument('--site', help='The name of the site.', default='')
    parser.add_argument('--password', help='Specify a password (optional).', default='changeme')
    parser.add_argument('--subject', help='Specify the certificate subject info.', default='/C=US/ST=California/L=Roseville/O=HP/OU=PDE')
    parser.add_argument('--altnames', help='Specify alternative names like "/CN=server1/CN=server2"', default='')
    args = parser.parse_args()

    util.setup_logging(args.logfile, args.loglevel)
    cacerts_dir = os.path.abspath(args.cacerts_dir)
    ca2013_dir = os.path.abspath(os.path.join(cacerts_dir, "ca2013"))
    site_name = args.site + "." + args.domain
    subject = args.subject + "/CN=" + site_name

    util.validate_directory(cacerts_dir)
    util.validate_directory(ca2013_dir)
    util.validate_directory(ca2013_dir + "/private")
    util.validate_directory(ca2013_dir + "/certs")
    util.validate_directory(ca2013_dir + "/crl")
    util.validate_directory(ca2013_dir + "/newcerts")

    util.validate_file(cacerts_dir + "/openssl.cnf")
    util.validate_file(cacerts_dir + "/serial")
    util.validate_file(ca2013_dir + "/serial")

    # Creating root cert
    # Running at cacerts_dir
    copyfile("/dev/null", cacerts_dir + "/index.txt")
    print "(1)"
    util.openssl_cmd("genrsa -passout pass:"******" -des3 -out private/cakey.key 4096", "", cacerts_dir, "")
    copyfile(cacerts_dir + "/private/cakey.key", cacerts_dir + "/private/cakey.pem")
    print "(2)"
    util.openssl_cmd("req -passin pass:"******" -subj " + subject + " -new -x509 -nodes -sha1 -days 1825 -key private/cakey.key -out cacert.pem -config ./openssl.cnf", "", cacerts_dir, "")

    # Creating intermediate cert
    # Running at cacerts_dir/ca2013
    copyfile("/dev/null", ca2013_dir + "/index.txt")
    copyfile(cacerts_dir + "/openssl.cnf", ca2013_dir + "/openssl.cnf")
    print "(3)"
    util.openssl_cmd("genrsa -passout pass:"******" -des3 -out private/cakey.pem 4096", "", ca2013_dir, "")
    print "(4)"
    util.openssl_cmd("req -passin pass:"******" -subj " + subject + " -new -sha1 -key private/cakey.pem -out ca2013.csr -config ./openssl.cnf", "", ca2013_dir, "")
    print "(5)"
    util.openssl_cmd("ca -batch -extensions v3_ca -days 365 -out cacert.pem -in ca2013.csr -config openssl.cnf -key " + args.password + " -keyfile ../private/cakey.key -cert ../cacert.pem", "", ca2013_dir, "")
    copyfile(ca2013_dir + "/cacert.pem", ca2013_dir + "/chain.crt")
    file2 = open(cacerts_dir + "/cacert.pem", "rb")
    with open(ca2013_dir + "/chain.crt", "a") as myfile:
        myfile.write(file2.read())

    # Root and Intermediate certificates
    copyfile(cacerts_dir + "/cacert.pem", cacerts_dir + "/root.cer")
    copyfile(ca2013_dir + "/cacert.pem", cacerts_dir + "/intermediate.cer")

    # Permissions
    os.chmod(cacerts_dir + "/cacert.pem", 0755)
    os.chmod(cacerts_dir + "/intermediate.cer", 0755)
    os.chmod(cacerts_dir + "/root.cer", 0755)
    os.chmod(cacerts_dir + "/private/cakey.pem", 0400)
    os.chmod(cacerts_dir + "/ca2013/private/cakey.pem", 0755)
    os.chmod(cacerts_dir + "/private/cakey.key", 0755)
    os.chmod(cacerts_dir + "/ca2013/ca2013.csr", 0755)
    os.chmod(cacerts_dir + "/ca2013/cacert.pem", 0755)
    os.chmod(cacerts_dir + "/ca2013/chain.crt", 0755)
    os.chmod(cacerts_dir + "/index.txt", 0765)
    os.chmod(cacerts_dir + "/ca2013/index.txt", 0765)

    # TODO: create a recursive chown def
    uid = getpwnam('puppet').pw_uid
    gid = getpwnam('puppet').pw_gid
    os.chown(cacerts_dir + "/cacert.pem", uid, gid)
    os.chown(cacerts_dir + "/intermediate.cer", uid, gid)
    os.chown(cacerts_dir + "/root.cer", uid, gid)
    os.chown(cacerts_dir + "/private/cakey.pem", uid, gid)
    os.chown(cacerts_dir + "/ca2013/private/cakey.pem", uid, gid)
    os.chown(cacerts_dir + "/private/cakey.key", uid, gid)
    os.chown(cacerts_dir + "/ca2013/ca2013.csr", uid, gid)
    os.chown(cacerts_dir + "/ca2013/cacert.pem", uid, gid)
    os.chown(cacerts_dir + "/ca2013/chain.crt", uid, gid)
    os.chown(cacerts_dir + "/index.txt", uid, gid)
    os.chown(cacerts_dir + "/ca2013/index.txt", uid, gid)