def GenerateKeys(config, overwrite_keys=False):
"""Generate the keys we need for a GRR server."""
if not hasattr(key_utils, "MakeCACert"):
parser.error("Generate keys can only run with open source key_utils.")
if (config.Get("PrivateKeys.server_key", default=None)
and not overwrite_keys):
print config.Get("PrivateKeys.server_key")
raise RuntimeError(
"Config %s already has keys, use --overwrite_keys to "
"override." % config.parser)
length = grr_config.CONFIG["Server.rsa_key_length"]
print "All keys will have a bit length of %d." % length
print "Generating executable signing key"
executable_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
config.Set("PrivateKeys.executable_signing_private_key",
executable_key.AsPEM())
config.Set("Client.executable_signing_public_key",
executable_key.GetPublicKey().AsPEM())
print "Generating CA keys"
ca_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
ca_cert = key_utils.MakeCACert(ca_key)
config.Set("CA.certificate", ca_cert.AsPEM())
config.Set("PrivateKeys.ca_key", ca_key.AsPEM())
print "Generating Server keys"
server_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=length)
server_cert = key_utils.MakeCASignedCert(u"grr", server_key, ca_cert,
ca_key)
config.Set("Frontend.certificate", server_cert.AsPEM())
config.Set("PrivateKeys.server_key", server_key.AsPEM())
print "Generating secret key for csrf protection."
GenerateCSRFKey(config)
def RotateServerKey(cn=u"grr", keylength=4096):
"""This function creates and installs a new server key.
Note that
- Clients might experience intermittent connection problems after
the server keys rotated.
- It's not possible to go back to an earlier key. Clients that see a
new certificate will remember the cert's serial number and refuse
to accept any certificate with a smaller serial number from that
point on.
Args:
cn: The common name for the server to use.
keylength: Length in bits for the new server key.
Raises:
ValueError: There is no CA cert in the config. Probably the server
still needs to be initialized.
"""
ca_certificate = config.CONFIG["CA.certificate"]
ca_private_key = config.CONFIG["PrivateKeys.ca_key"]
if not ca_certificate or not ca_private_key:
raise ValueError("No existing CA certificate found.")
# Check the current certificate serial number
existing_cert = config.CONFIG["Frontend.certificate"]
serial_number = existing_cert.GetSerialNumber() + 1
EPrint("Generating new server key (%d bits, cn '%s', serial # %d)" %
(keylength, cn, serial_number))
server_private_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=keylength)
server_cert = key_utils.MakeCASignedCert(
unicode(cn),
server_private_key,
ca_certificate,
ca_private_key,
serial_number=serial_number)
EPrint("Updating configuration.")
config.CONFIG.Set("Frontend.certificate", server_cert)
config.CONFIG.Set("PrivateKeys.server_key", server_private_key.AsPEM())
config.CONFIG.Write()
EPrint("Server key rotated, please restart the GRR Frontends.")
Use this script to make a new server key and certificate. You can just run the
script inside a console using `run -i make_new_server_key.py`.
"""
from __future__ import print_function
from __future__ import unicode_literals
from grr import config
from grr.lib.rdfvalues import crypto as rdf_crypto
from grr.server import key_utils
ca_certificate = config.CONFIG["CA.certificate"]
ca_private_key = config.CONFIG["PrivateKeys.ca_key"]
# Check the current certificate serial number
existing_cert = config.CONFIG["Frontend.certificate"]
print("Current serial number:", existing_cert.GetSerialNumber())
server_private_key = rdf_crypto.RSAPrivateKey.GenerateKey(bits=4096)
server_cert = key_utils.MakeCASignedCert(
u"grr",
server_private_key,
ca_certificate,
ca_private_key,
serial_number=existing_cert.GetSerialNumber() + 1)
print("New Server cert (Frontend.certificate):")
print(server_cert.AsPEM())
print("New Server Private Key:")
print(server_private_key.AsPEM())
