
GNUmakefile.in 8.91 KB
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#

# Build-tree layout for the ssl subdirectory. The @...@ tokens are template
# placeholders in this .in file (presumably substituted by configure when
# the real GNUmakefile is generated).
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
OBJDIR		= ..
SUBDIR		= ssl

# Makeconf is not shown here; presumably it defines the INSTALL_* paths and
# INSTALL_DATA used by the install rules in this file -- confirm.
include $(OBJDIR)/Makeconf

# Default goal: the CA certificate, the server/node/capture certificates,
# both capture fingerprints, the signing key pair and mksig.
# The prerequisite order is left exactly as it was: the certificate rules
# all sign with the same CA files, so the order decides which certificate
# is issued first.
all:	emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem \
	ctrlnode.pem capture.pem capture.fingerprint \
	capture.sha1fingerprint keys mksig

# Certificate set built by "make remote-site". Unlike "all" it includes the
# two apache certificates and leaves out ronnode.pem, pcwa.pem, keys and
# mksig.
remote-site:	emulab.pem capture.pem capture.fingerprint server.pem \
	localnode.pem capture.sha1fingerprint \
	apache.pem apache-ops.pem ctrlnode.pem

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# Why: rebuilding emulab.pem runs "openssl req -new -x509", which creates a
# new CA key and certificate. Certificates signed by the previous CA will
# not verify against the new one.
#
# NOTE(review): no rule for client.pem is visible in this file (the install
# rules copy localnode.pem to client.pem instead) -- confirm this target
# still resolves.
#
pems:	emulab.pem server.pem client.pem

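# Create the Certificate Authority: a new private key (cakey.pem) and a
# self-signed certificate (cacert.pem) valid for 2000 days, configured by
# emulab.cnf. emulab.key is a copy of the private key and emulab.pem (the
# target) a copy of the certificate.
#
# Both copies of the CA private key are forced to mode 600 in the build
# tree, matching the mode the install rules give the installed emulab.key.
# The target is written last so it only exists once every step succeeded.
#
# NOTE(review): whether the CA key is passphrase-protected depends on
# emulab.cnf, which is not shown here -- confirm.
emulab.pem:	dirsmade emulab.cnf
	#
	# Create the Certificate Authority.
	# The certificate (no key!) is installed on both boss and remote nodes.
	#
	openssl req -new -x509 -days 2000 -config emulab.cnf \
		    -keyout cakey.pem -out cacert.pem
	chmod 600 cakey.pem
	umask 077 && cp cakey.pem emulab.key
	cp cacert.pem $@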

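# Build server.pem (installed on boss, used by tmcd): create a private key
# and certificate request from server.cnf, have the CA sign the request
# under policy_match, then concatenate key and certificate into the target.
#
# The request is passed to "openssl ca" directly. Copying the private key
# together with the request into a scratch file named newreq.pem is not
# needed for signing; that name was shared by several certificate rules and
# the file, key included, stayed behind whenever the signing step failed.
# The combined key+certificate file is created under umask 077 so the
# private key is not readable by other local users in the build tree.
#
# NOTE(review): cacert.pem and cakey.pem are produced by the emulab.pem
# rule, which is not a prerequisite here -- confirm the intended ordering.
# NOTE(review): "openssl ca" presumably updates the serial and index.txt
# files named in ca.cnf; if so these rules must not run concurrently under
# "make -j" -- confirm.
server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles server_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	#
	umask 077 && cat server_key.pem server_cert.pem > $@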

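#
# This is for the main web server on boss.
#
# Steps: create a private key and certificate request from apache.cnf, have
# the CA sign the request under policy_sslxmlrpc, then concatenate key and
# certificate into the target.
#
# The request is passed to "openssl ca" directly. Copying the private key
# together with the request into a scratch file named newreq.pem is not
# needed for signing; that name was shared by several certificate rules and
# the file, key included, stayed behind whenever the signing step failed.
# The combined key+certificate file is created under umask 077 so the
# private key is not readable by other local users in the build tree.
#
# NOTE(review): cacert.pem and cakey.pem are produced by the emulab.pem
# rule, which is not a prerequisite here -- confirm the intended ordering.
#
apache.pem:	dirsmade apache.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config apache.cnf \
		-keyout apache_key.pem -out apache_req.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache_req.pem
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	umask 077 && cat apache_key.pem apache_cert.pem > $@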

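#
# This is for the secondary web server on users.
#
# Steps: create a private key and certificate request from apache2.cnf,
# have the CA sign the request under policy_sslxmlrpc, then concatenate key
# and certificate into the target.
#
# The request is passed to "openssl ca" directly. Copying the private key
# together with the request into a scratch file named newreq.pem is not
# needed for signing; that name was shared by several certificate rules and
# the file, key included, stayed behind whenever the signing step failed.
# The combined key+certificate file is created under umask 077 so the
# private key is not readable by other local users in the build tree.
#
# NOTE(review): cacert.pem and cakey.pem are produced by the emulab.pem
# rule, which is not a prerequisite here -- confirm the intended ordering.
#
apache-ops.pem:	dirsmade apache2.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config apache2.cnf \
		-keyout apache-ops_key.pem -out apache-ops_req.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache-ops_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache-ops_req.pem
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	umask 077 && cat apache-ops_key.pem apache-ops_cert.pem > $@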

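# Build capture.pem (installed on boss, used by capture): create a private
# key and certificate request from capture.cnf, have the CA sign the request
# under policy_match, then concatenate key and certificate into the target.
#
# The request is passed to "openssl ca" directly. Copying the private key
# together with the request into a scratch file named newreq.pem is not
# needed for signing; that name was shared by several certificate rules and
# the file, key included, stayed behind whenever the signing step failed.
# The combined key+certificate file is created under umask 077 so the
# private key is not readable by other local users in the build tree.
#
# NOTE(review): cacert.pem and cakey.pem are produced by the emulab.pem
# rule, which is not a prerequisite here -- confirm the intended ordering.
capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles capture_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture.
	#
	umask 077 && cat capture_key.pem capture_cert.pem > $@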


#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
# NOTE(review): "-sha" asks openssl for the original SHA digest, which is
# older and weaker than SHA-1. Newer openssl builds may not offer it at all,
# in which case this rule fails -- confirm against the openssl in use. The
# SHA-1 fingerprint is produced separately as capture.sha1fingerprint.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in capture.pem > $@

# SHA-1 fingerprint of the capture certificate, written to the target file.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in capture.pem > $@

# Node/client certificates. Each NAME.pem depends on dirsmade, NAME.cnf,
# ca.cnf and the mkclient.sh helper, and is produced by running
# "mkclient.sh NAME" ($* is the NAME part of the target).
# NOTE(review): mkclient.sh is not shown here; presumably it creates a key,
# signs it with the CA and writes NAME.pem -- confirm, including the
# permissions it leaves on the key material.
localnode.pem ctrlnode.pem ronnode.pem pcplab.pem pcwa.pem: %.pem: \
		dirsmade %.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $*

# Convenience target for the signing key pair; it has no recipe of its own
# and only pulls in the private and public key files.
keys:		emulab_privkey.pem emulab_pubkey.pem

# RSA private key for signing. -des3 makes openssl encrypt the key file, so
# it asks for a passphrase when the key is generated.
# NOTE(review): no key size is given, so openssl's built-in default applies
# and that default differs between openssl releases -- confirm it is large
# enough for the openssl this runs with.
emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	#
	openssl genrsa -out $@ -des3

# Public half of the signing key, derived from emulab_privkey.pem. This is
# the only file of the pair that client-install copies to clients.
emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract a pubkey from the privkey
	#
	openssl rsa -in emulab_privkey.pem -pubout -out $@

# One-time setup of the CA working area in the build directory: the certs,
# newcerts and crl directories, a serial file starting at 01 and an
# index.txt. "dirsmade" is the stamp file; while it exists the serial
# number is not reset again.
dirsmade:
	-mkdir -p certs newcerts crl
	echo "01" > serial
	touch index.txt
	touch $@

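# Create the installed CA working area under $(INSTALL_DIR)/ssl (mode 770,
# newcerts 775) plus $(INSTALL_LIBDIR)/ssl, and seed serial and index.txt.
#
# The stamp file "install-dirs" lives in the build directory, not in the
# install tree, so a fresh build tree re-runs this rule against an existing
# installation. The serial file is therefore only seeded when it is missing
# or empty: resetting it to 01 while index.txt keeps its entries would make
# the CA hand out serial numbers it has already used.
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	test -s $(INSTALL_DIR)/ssl/serial || echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch $@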

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# "install" itself copies no certificate or key: it sets up the installed
# directories, installs mksig and prints a warning. The certificate install
# targets further down have to be requested by name.
#
install:	install-dirs \
		$(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

# Install the full certificate and key set on boss, then set file modes:
# 600 for the CA private key, 640 for certificates and key bundles, 644 for
# the two fingerprint files.
#
# NOTE(review): the rule that copies files into $(INSTALL_ETCDIR) is not in
# this file (presumably a pattern rule from GNUmakerules). The modes are
# only tightened afterwards by the chmod lines, so until then the key files
# carry whatever mode that rule assigns -- confirm it is not world-readable.
# NOTE(review): localnode.pem and ca.cnf are installed here without being
# prerequisites, and install-dirs is not a prerequisite either (it is for
# remote-site-boss-install) -- confirm this is intended.
boss-installX: \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/pcplab.pem \
		$(INSTALL_ETCDIR)/pcwa.pem \
		$(INSTALL_ETCDIR)/ronnode.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem \
		usercert.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/pcplab.pem
	chmod 640 $(INSTALL_ETCDIR)/ronnode.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/pcwa.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint

# Install the remote-site certificate set on boss, then set file modes:
# 600 for the CA private key, 640 for certificates and key bundles, 644 for
# the two fingerprint files.
#
# NOTE(review): the rule that copies files into $(INSTALL_ETCDIR) is not in
# this file (presumably a pattern rule from GNUmakerules). The modes are
# only tightened afterwards by the chmod lines, so until then the key files
# carry whatever mode that rule assigns -- confirm it is not world-readable.
# NOTE(review): localnode.pem and ca.cnf are installed here without being
# prerequisites -- confirm this is intended.
remote-site-boss-install: \
		install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem \
		usercert.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint

# Client-side install: the node certificate (as client.pem), the CA
# certificate and the signing public key go into
# $(DESTDIR)$(CLIENT_ETCDIR). The CA private key is not copied to clients.
#
# NOTE(review): no chmod follows the copies here, unlike the boss install
# rules, so client.pem keeps whatever mode INSTALL_DATA assigns. If
# localnode.pem carries the client's private key, confirm that mode is not
# world-readable.
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem

# Control-node install: capture.pem and the CA certificate are installed as
# prerequisites, ctrlnode.pem is copied in as client.pem, and all three end
# up with mode 640.
# NOTE(review): ctrlnode.pem is installed without being a prerequisite --
# confirm this is intended.
control-install: \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem

# Tip-server install: capture.pem is installed into $(INSTALL_SBINDIR) as a
# prerequisite and then restricted to mode 640.
tipserv-install:	$(INSTALL_SBINDIR)/capture.pem
	chmod 640 $<

# Install only the two openssl configuration files into
# $(INSTALL_LIBDIR)/ssl; no key or certificate is copied by this target.
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf

# "clean" deliberately removes nothing and only prints a warning, so a
# routine "make clean" cannot destroy the CA. The real cleanup is cleanX.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

# Destructive cleanup of the build directory. "*.pem" matches cakey.pem and
# cacert.pem, so this deletes the CA itself along with every issued
# certificate, the serial/index state and the dirsmade stamp.
# NOTE(review): emulab.key (a copy of the CA private key), the two
# capture fingerprint files and the crl directory are not removed, so a
# copy of the CA key stays in the build tree after cleanX -- confirm
# whether that is intended.
cleanX:
	rm -f *.pem serial index.txt *.old dirsmade *.cnf
	rm -rf newcerts certs