diff options
Diffstat (limited to '')
| -rwxr-xr-x | system/services/taskserver/certs/generate | 75 | ||||
| -rwxr-xr-x | system/services/taskserver/certs/generate.ca | 43 | ||||
| -rwxr-xr-x | system/services/taskserver/certs/generate.client | 54 | ||||
| -rwxr-xr-x | system/services/taskserver/certs/generate.crl | 42 |
4 files changed, 0 insertions, 214 deletions
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate deleted file mode 100755 index c3b58ae..0000000 --- a/system/services/taskserver/certs/generate +++ /dev/null @@ -1,75 +0,0 @@ -#!/usr/bin/env nix-shell -#! nix-shell -i dash --packages openssl gnutls dash -#! nix-shell --impure - -# For a public or production server, purchase a cert from a known CA, and skip -# the next step. - -# For development, testing and personal server management, create a CA key and -# cert, and use that to generate a server key and cert. Creates: -# ca.key.pem -# ca.cert.pem -# server.key.pem -# server.cert.pem - -GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs" -BASEDIR="$(dirname "$0")" -cd "$BASEDIR" || { - echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 - exit 1 -} - -ca=false -crl=false -clients=false - -for arg in "$@"; do - case "$arg" in - "--ca") - ca=true - ;; - "--crl") - crl=true - ;; - "--clients") - clients=true - ;; - esac -done - -# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the -# second-to last line -set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem - -mkdir --parents "$GENERATION_LOCATION" -cp "$@" ./ca.cert.pem "$GENERATION_LOCATION" -cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2 - -gpg --decrypt ca.key.pem.gpg >ca.key.pem - -[ "$ca" = true ] && ./generate.ca -cat ./isrgrootx1.pem >>./ca.cert.pem - -# Generate a certificate revocation list (CRL). The initial CRL is empty, but -# can grow over time. Creates: -# server.crl.pem - -[ "$crl" = true ] && ./generate.crl - -# The above is sufficient to operate a server. You now need to run a client cert creation -# process per client; Add the required client names and uncomment -# ./generate.client <client_name> -# -# -# Creates: -# <client_name>.key.pem -# <client_name>.cert.pem -# -[ "$clients" = true ] && ./generate.client soispha -[ "$clients" = true ] && ./generate.client android-mobile -[ "$clients" = true ] && ./generate.client android-tab - -rm "$@" "./ca.key.pem" -echo "(INFO) Look for the keys at: $GENERATION_LOCATION" - -# vim: ft=sh diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca deleted file mode 100755 index eb0dd5c..0000000 --- a/system/services/taskserver/certs/generate.ca +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/sh - -# Take the correct binary to create the certificates -CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ]; then - echo "ERROR: No certtool found" >&2 - exit 1 -fi - -. ./vars - -if ! [ -f ca.key.pem ]; then - # Create a CA key. - $CERTTOOL \ - --generate-privkey \ - --sec-param $SEC_PARAM \ - --outfile ca.key.pem -fi - -chmod 600 ca.key.pem - -if ! [ -f ca.template ]; then - # Sign a CA cert. - cat <<EOF >ca.template -organization = $ORGANIZATION -cn = $CN CA -country = $COUNTRY -expiration_days = $EXPIRATION_DAYS -ca -EOF -#state = $STATE -#locality = $LOCALITY -fi - -if ! [ -f ca.cert.pem ]; then - $CERTTOOL \ - --generate-self-signed \ - --load-privkey ca.key.pem \ - --template ca.template \ - --outfile ca.cert.pem -fi - -chmod 600 ca.cert.pem diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client deleted file mode 100755 index 4f0e503..0000000 --- a/system/services/taskserver/certs/generate.client +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh - -# Take the correct binary to create the certificates -CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ] -then - echo "ERROR: No certtool found" >&2 - exit 1 -fi - -. ./vars - -NAME=client -if [ $# -gt 0 ] -then - NAME=$1 -fi - -if ! [ -f "$NAME".key.pem ] -then - # Create a client key. - $CERTTOOL \ - --generate-privkey \ - --sec-param $SEC_PARAM \ - --outfile "$NAME".key.pem -fi - -chmod 600 "$NAME".key.pem - -if ! [ -f "$NAME".template ] -then - # Sign a client cert with the key. - cat <<EOF >"$NAME".template -organization = $ORGANIZATION -cn = $CN -expiration_days = $EXPIRATION_DAYS -tls_www_client -encryption_key -signing_key -EOF -fi - -if ! [ -f "$NAME".cert.pem ] -then - $CERTTOOL \ - --generate-certificate \ - --load-privkey "$NAME".key.pem \ - --load-ca-certificate ca.cert.pem \ - --load-ca-privkey ca.key.pem \ - --template "$NAME".template \ - --outfile "$NAME".cert.pem -fi - -chmod 600 "$NAME".cert.pem diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl deleted file mode 100755 index e9f6715..0000000 --- a/system/services/taskserver/certs/generate.crl +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/sh - -# Take the correct binary to create the certificates -CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ] -then - echo "ERROR: No certtool found" >&2 - exit 1 -fi - -. ./vars - -if ! [ -f crl.template ] -then - # CRL - Certificate Revocation List - cat <<EOF >crl.template -expiration_days = $EXPIRATION_DAYS -EOF -fi - -if ! [ -f server.crl.pem ] -then - $CERTTOOL \ - --generate-crl \ - --load-ca-privkey ca.key.pem \ - --load-ca-certificate ca.cert.pem \ - --template crl.template \ - --outfile server.crl.pem -fi - -chmod 600 server.crl.pem - -# To create a CRL that contains some revoked certificates, place the -# certificates in a file and use --load-certificate as follows: -# $CERTTOOL \ -# --generate-crl \ -# --load-ca-privkey ca.key.pem \ -# --load-ca-certificate ca.cert.pem \ -# --load-certificate revoked-certs.pem - -# To verify a CRL: -# $CERTTOOL --verify-crl --load-ca-certificate ca.cert.pem --infile server.crl.pem |