#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# All rights reserved.
#

# Source and build locations. The @...@ tokens are placeholders that are
# filled in when this GNUmakefile.in is turned into a GNUmakefile
# (presumably by configure -- the generator is not shown in this file).
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
# Top of the build tree relative to this directory; Makeconf is included
# from there.
OBJDIR		= ..
# NOTE(review): SUBDIR presumably names this directory for the shared
# rules -- confirm against Makeconf/GNUmakerules.
SUBDIR		= ssl

include $(OBJDIR)/Makeconf

# Default goal: the CA certificate, the server and client certificates,
# the signing key pair (keys) and mksig.
# The server.pem and capture.pem recipes read cacert.pem/cakey.pem but do
# not list emulab.pem as a prerequisite, so they rely on emulab.pem being
# built first. Keep it at the front of this list and do not build this
# directory with -j.
# NOTE(review): mksig has no rule in this file; presumably it is built by
# the included GNUmakerules -- confirm.
all:	emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
	keys mksig

# Certificate set for a remote site: the CA certificate, the capture
# certificate with both of its fingerprints, the server certificate and
# the localnode client certificate.
# emulab.pem stays first: the recipes that sign with cacert.pem/cakey.pem
# do not list it as a prerequisite.
remote-site: \
	emulab.pem \
	capture.pem \
	capture.fingerprint \
	server.pem \
	localnode.pem \
	capture.sha1fingerprint

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# Building emulab.pem creates a new CA key and a new self-signed CA
# certificate; certificates issued under the previous CA do not chain to
# the new emulab.pem.
# NOTE(review): client.pem has no rule in this file (localnode.pem is what
# the install targets copy to client.pem) -- confirm this target still
# resolves.
#
pems:	emulab.pem server.pem client.pem

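emulab.pem:	dirsmade emulab.cnf
	#
	# Create the Certificate Authority.
	# The certificate (no key!) is installed on both boss and remote nodes.
	#
	# cakey.pem is the CA signing key. It is created under umask 077 so it
	# is never group- or world-readable, whatever umask the caller has.
	# cacert.pem is written by the same command and gets the same mode.
	# Whether the key is also passphrase-protected depends on emulab.cnf.
	#
	umask 077 && openssl req -new -x509 -days 1000 -config emulab.cnf \
		    -keyout cakey.pem -out cacert.pem
	#
	# A cakey.pem left over from an earlier run keeps its old mode when it
	# is overwritten, so set the mode explicitly as well.
	#
	chmod 600 cakey.pem
	#
	# Publish the certificate only. A redirect is used instead of cp so
	# that emulab.pem gets the ordinary umask mode rather than the
	# owner-only mode of cacert.pem.
	#
	cat cacert.pem > emulab.pem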

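server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	# umask 077 keeps server_key.pem owner-only regardless of the umask
	# the build was started with.
	#
	umask 077 && openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	#
	# Sign the server cert request, creating a server certificate.
	# The request file is passed directly. Signing needs only the request,
	# so no scratch file holding a second copy of the private key is
	# written, and nothing with a name shared with the capture.pem rule
	# is left behind if signing fails.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles server_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd. The file contains the private key, so any
	# old copy is removed first and the new one is created owner-only.
	#
	rm -f server.pem
	umask 077 && cat server_key.pem server_cert.pem > server.pem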

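capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the capture private key and certificate request.
	# umask 077 keeps capture_key.pem owner-only regardless of the umask
	# the build was started with.
	#
	umask 077 && openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	# The request file is passed directly. Signing needs only the request,
	# so no scratch file holding a second copy of the private key is
	# written, and nothing with a name shared with the server.pem rule
	# is left behind if signing fails.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles capture_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture. The file contains the private key, so
	# any old copy is removed first and the new one is created owner-only.
	#
	rm -f capture.pem
	umask 077 && cat capture_key.pem capture_cert.pem > capture.pem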


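#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
# NOTE(review): -sha selects the original SHA (SHA-0) digest, which is
# considered broken and which newer OpenSSL releases no longer provide;
# with those this target fails. Peers that can should check
# capture.sha1fingerprint instead.
#
# The output goes to a scratch file first, so a failed openssl run cannot
# leave an empty fingerprint file that looks up to date.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in capture.pem \
	    > $@.tmp
	mv -f $@.tmp $@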

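# SHA-1 fingerprint of the capture certificate.
# The output goes to a scratch file first, so a failed openssl run cannot
# leave an empty fingerprint file that looks up to date.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in capture.pem \
	    > $@.tmp
	mv -f $@.tmp $@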

# Client certificates, one per node class. Each is produced by mkclient.sh,
# which is called with the class name (the target without its .pem suffix)
# and is rerun when the class .cnf, ca.cnf or the script itself changes.
# NOTE(review): mkclient.sh is not shown here; it presumably signs with
# cacert.pem/cakey.pem like the server.pem rule, so the CA has to exist
# before any of these are built -- confirm.
localnode.pem ctrlnode.pem ronnode.pem pcplab.pem pcwa.pem: \
		%.pem: dirsmade %.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $*

# Signing key pair: the passphrase-protected private key and the public
# key extracted from it.
keys:		emulab_privkey.pem emulab_pubkey.pem

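emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	#
	# The modulus size is given explicitly instead of being left to the
	# openssl default, which differs between releases and was small in
	# old ones. The rule has no prerequisites, so a key that already
	# exists is never regenerated. umask 077 keeps the file owner-only
	# in the build tree.
	#
	umask 077 && openssl genrsa -des3 -out emulab_privkey.pem 2048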

emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Write out the public half of the private signing key.
	#
	openssl rsa -in $< -pubout -out $@

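dirsmade:
	#
	# One-time setup of the CA working files. dirsmade itself is the
	# stamp file that records the setup was done.
	#
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	#
	# Seed the serial counter only when it does not exist yet. If the
	# stamp is lost while a CA is in use, resetting the counter to 01
	# would make the CA issue serial numbers it has already used.
	#
	test -f serial || echo "01" > serial
	touch index.txt
	touch dirsmade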

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# A plain "make install" installs only mksig and prints a reminder.
# Certificates and keys are installed by the explicitly named targets
# below.
#
install: $(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

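# Install the boss-side certificates and keys into INSTALL_ETCDIR, install
# localnode.pem as client.pem, then restrict the key-bearing files to 640.
# capture.pem holds the capture private key (see the capture.pem rule) and
# is restricted here as well, matching remote-site-boss-install.
# emulab_pubkey.pem is public and keeps the mode its install rule gives it.
# NOTE(review): the files are installed first and tightened afterwards, so
# between the two steps they carry whatever mode INSTALL_DATA and the
# install rule for INSTALL_ETCDIR apply (neither is defined in this file).
# Confirm that mode is not world-readable.
boss-installX:	$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/pcplab.pem \
		$(INSTALL_ETCDIR)/pcwa.pem \
		$(INSTALL_ETCDIR)/ronnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/pcplab.pem
	chmod 640 $(INSTALL_ETCDIR)/ronnode.pem
	chmod 640 $(INSTALL_ETCDIR)/pcwa.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem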

# Boss install for a remote site: the CA certificate, the capture and server
# certificates and both capture fingerprints go into INSTALL_ETCDIR, and
# localnode.pem is installed as client.pem. The .pem files end up 640; the
# fingerprints are public and end up 644.
# NOTE(review): modes are tightened after the files are installed, so the
# .pem files briefly carry the mode given by INSTALL_DATA and the install
# rule (neither is defined in this file) -- confirm it is not world-readable.
remote-site-boss-install: \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/server.pem
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint

# Install the client-side files under DESTDIR/CLIENT_ETCDIR: the CA
# certificate, the public signing key, and localnode.pem as client.pem.
# The rule has no prerequisites, so the three files must already have
# been built.
# NOTE(review): unlike the boss install targets, nothing here restricts
# the mode of client.pem. If localnode.pem contains the client private key
# (mkclient.sh is not shown), confirm the mode INSTALL_DATA applies.
client-install:
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem

# Install capture.pem (key plus certificate) into INSTALL_SBINDIR for the
# tip server and restrict it to 640.
tipserv-install: $(INSTALL_SBINDIR)/capture.pem
	chmod 640 $<

# "make clean" deliberately removes nothing: the generated files include
# the CA key and the issued certificates. The real cleanup is cleanX.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

# Remove everything the certificate rules generate. *.pem includes
# cakey.pem and cacert.pem, so this discards the CA itself along with the
# serial counter and the index of issued certificates.
# NOTE(review): the crl directory created by dirsmade and the two capture
# fingerprint files are not removed here -- confirm that is intended.
cleanX:
	rm -f *.pem *.cnf *.old serial index.txt dirsmade
	rm -rf certs newcerts