Updated cert gen script path for bootRun

2025-04-07 11:26:51 +00:00 · 2023-07-10 15:57:10 +00:00 · 2023-07-10 15:57:10 +00:00 · a569bda8db
commit a569bda8db
parent a8e5758cf4
3 changed files with 14 additions and 19 deletions
--- a/package/scripts/pki/ca.conf
+++ b/package/scripts/pki/ca.conf
@ -35,7 +35,6 @@ crlDistributionPoints   = URI:https://example.com/crl

 [ server_extensions ]
 keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = critical
 extendedKeyUsage        = serverAuth,clientAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
@ -46,7 +45,6 @@ crlDistributionPoints   = URI:https://example.com/crl
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical
 keyUsage = critical, digitalSignature
 authorityInfoAccess = caIssuers;URI:https://example.com/certs/
 crlDistributionPoints   = URI:https://example.com/crl
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@ -72,7 +72,7 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
-TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="localhost"
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=localhost"

 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
@ -81,7 +81,7 @@ if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
 fi

 # Intialize sub folders
-#echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
+echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."

 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
@ -101,17 +101,12 @@ create_cert () {
   CERT_PATH="$1"
   ISSUER="$2"
   SUBJ_DN="$3"
+   EXTENSION="$4"
   ISSUER_KEY="$ISSUER".key
   ISSUER_CERT="$ISSUER".pem
   ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias    

-   if [ "$CERT_TYPE" == "rim_signer" ]; then
-      EXTENSION="signer_extensions"
-   else
-      EXTENSION="ca_extensions"
-   fi
-
-   echo "Creating cert for "$CERT_TYPE" using $ISSUER_KEY with a DN="$SUBJ_DN"..."
+   echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..."

   if [ "$ASYM_ALG" == "rsa" ]; then 
       openssl req -newkey rsa:"$ASYM_SIZE" \
@ -122,6 +117,7 @@ create_cert () {
       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" &> /dev/null    
   fi
+
   openssl ca -config ca.conf \
           -keyfile "$ISSUER_KEY" \
           -md $HASH_ALG \
@ -149,24 +145,24 @@ create_cert () {
 create_cert_chain () {

   # Create an intermediate CA, Sign with Root CA
-   create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN"
+   create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" "ca_extensions"

   # Create a Leaf CA (CA1), Sign with intermediate CA
-   create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1
+   create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 "ca_extensions"

   # Create a Leaf CA (CA2), Sign with intermediate CA

-   create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2
+   create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 "ca_extensions"

   # Create a Leaf CA (CA3), Sign with intermediate CA

-   create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3
+   create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 "ca_extensions"

   # Create a RIM Signer
-   create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN"
+   create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" "signer_extensions"

   # Create a ACA Sever Cert for TLS use
-   create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
+   create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"

   # Create Cert trust store by adding the Intermediate and root certs 
   cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@ -10,6 +10,7 @@ PROP_FILE=/etc/hirs/aca/application.properties

 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+echo "SCRIPT_DIR is $SCRIPT_DIR"
 # Set HIRS PKI  password
 if [ -z $HIRS_PKI_PWD ]; then
   # Create a 32 character random password
@ -35,10 +36,10 @@ popd &> /dev/null
 # Create Cert Chains
 if [ ! -d "/etc/hirs/certificates" ]; then
  
-   if [ -d /opt/hirs/scripts/pki ]; then
+   if [ -d "/opt/hirs/scripts/pki" ]; then
            PKI_SETUP_DIR="/opt/hirs/scripts/pki"
         else
-            PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
+            PKI_SETUP_DIR="$SCRIPT_DIR"
      fi
      echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"