about summary refs log tree commit diff stats
path: root/system/services/taskserver/certs/generate
diff options
context:
space:
mode:
authorSoispha <soispha@vhack.eu>2023-10-04 20:11:42 +0200
committerSoispha <soispha@vhack.eu>2023-10-16 17:20:00 +0200
commit1dd6f8d3b4d7dc93095e662aaca190d3fe1be264 (patch)
treea6b06ec7b3a400f22f41627f8497258fb6b8d6f1 /system/services/taskserver/certs/generate
parentfix(system/services/taskserver): declare certs/keys in pki.manual (diff)
downloadnixos-server-1dd6f8d3b4d7dc93095e662aaca190d3fe1be264.zip
feat(system/services/taskserver): Integrate Let's Encrypt certificates
The current setup now runs the `taskserver.vhack.eu` domain with a
Let's Encrypt certificate and additionally uses a self-signed CA
certificate to validate clients.

The shell scripts used to generate the CA certificate and the derived
client certificate (and keys) are taken nearly unmodified from the
upstream repository [1].

[1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki
Diffstat (limited to '')
-rwxr-xr-xsystem/services/taskserver/certs/generate41
-rwxr-xr-xsystem/services/taskserver/certs/generate.ca47
-rwxr-xr-xsystem/services/taskserver/certs/generate.client54
-rwxr-xr-xsystem/services/taskserver/certs/generate.crl42
4 files changed, 184 insertions, 0 deletions
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
new file mode 100755
index 0000000..253e4bb
--- /dev/null
+++ b/system/services/taskserver/certs/generate
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# For a public or production server, purchase a cert from a known CA, and skip
+# the next step.
+
+# For development, testing and personal server management, create a CA key and
+# cert, and use that to generate a server key and cert.  Creates:
+#   ca.key.pem
+#   ca.cert.pem
+#   server.key.pem
+#   server.cert.pem
+
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/keys";
+
+mkdir -p "$GENERATION_LOCATION"
+cp ./vars ./generate.ca ./generate.crl ./generate.client "$GENERATION_LOCATION"
+cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
+
+./generate.ca
+
+# Generate a certificate revocation list (CRL).  The initial CRL is empty, but
+# can grow over time.  Creates:
+#   server.crl.pem
+
+./generate.crl
+
+# The above is sufficient to operate a server. You now need to run a client cert creation
+# process per client; Add the required client names and uncomment
+# ./generate.client <client_name>
+#
+./generate.client soispha
+./generate.client android-mobile
+./generate.client android-tab
+#
+# Creates:
+#   <client_name>.key.pem
+#   <client_name>.cert.pem
+
+
+rm ./vars ./generate.ca ./generate.crl ./generate.client
+echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
new file mode 100755
index 0000000..4ffc6e9
--- /dev/null
+++ b/system/services/taskserver/certs/generate.ca
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+  echo "ERROR: No certtool found" >&2
+  exit 1
+fi
+
+. ./vars
+
+if ! [ -f ca.key.pem ]
+then
+  # Create a CA key.
+  $CERTTOOL \
+    --generate-privkey \
+    --sec-param $SEC_PARAM \
+    --outfile ca.key.pem
+fi
+
+chmod 600 ca.key.pem
+
+if ! [ -f ca.template ]
+then
+  # Sign a CA cert.
+  cat <<EOF >ca.template
+organization = $ORGANIZATION
+cn = $CN CA
+country = $COUNTRY
+expiration_days = $EXPIRATION_DAYS
+ca
+EOF
+#state = $STATE
+#locality = $LOCALITY
+fi
+
+if ! [ -f ca.cert.pem ] || [ ca.template -nt ca.cert.pem ]
+then
+  $CERTTOOL \
+    --generate-self-signed \
+    --load-privkey ca.key.pem \
+    --template ca.template \
+    --outfile ca.cert.pem
+fi
+
+chmod 600 ca.cert.pem
diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client
new file mode 100755
index 0000000..976cb82
--- /dev/null
+++ b/system/services/taskserver/certs/generate.client
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+  echo "ERROR: No certtool found" >&2
+  exit 1
+fi
+
+. ./vars
+
+NAME=client
+if [ $# -gt 0 ]
+then
+  NAME=$1
+fi
+
+if ! [ -f ${NAME}.key.pem ]
+then
+  # Create a client key.
+  $CERTTOOL \
+    --generate-privkey \
+    --sec-param $SEC_PARAM \
+    --outfile ${NAME}.key.pem
+fi
+
+chmod 600 ${NAME}.key.pem
+
+if ! [ -f ${NAME}.template ]
+then
+  # Sign a client cert with the key.
+  cat <<EOF >${NAME}.template
+organization = $ORGANIZATION
+cn = $CN
+expiration_days = $EXPIRATION_DAYS
+tls_www_client
+encryption_key
+signing_key
+EOF
+fi
+
+if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
+then
+  $CERTTOOL \
+    --generate-certificate \
+    --load-privkey ${NAME}.key.pem \
+    --load-ca-certificate ca.cert.pem \
+    --load-ca-privkey ca.key.pem \
+    --template ${NAME}.template \
+    --outfile ${NAME}.cert.pem
+fi
+
+chmod 600 ${NAME}.cert.pem
diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl
new file mode 100755
index 0000000..6a9daa8
--- /dev/null
+++ b/system/services/taskserver/certs/generate.crl
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+# Take the correct binary to create the certificates
+CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
+if [ -z "$CERTTOOL" ]
+then
+  echo "ERROR: No certtool found" >&2
+  exit 1
+fi
+
+. ./vars
+
+if ! [ -f crl.template ]
+then
+  # CRL - Certificate Revocation List
+  cat <<EOF >crl.template
+expiration_days = $EXPIRATION_DAYS
+EOF
+fi
+
+if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ]
+then
+  $CERTTOOL \
+    --generate-crl \
+    --load-ca-privkey ca.key.pem \
+    --load-ca-certificate ca.cert.pem \
+    --template crl.template \
+    --outfile server.crl.pem
+fi
+
+chmod 600 server.crl.pem
+
+# To create a CRL that contains some revoked certificates, place the
+# certificates in a file and use --load-certificate as follows:
+# $CERTTOOL \
+#   --generate-crl \
+#   --load-ca-privkey ca.key.pem \
+#   --load-ca-certificate ca.cert.pem \
+#   --load-certificate revoked-certs.pem
+
+# To verify a CRL:
+#   $CERTTOOL --verify-crl --load-ca-certificate ca.cert.pem --infile server.crl.pem