
GNUmakefile.in 8.82 KB
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#

# Values written as @name@ are placeholders in this .in template; they are
# expected to be substituted when the real GNUmakefile is generated.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
# OBJDIR is the parent of this directory; Makeconf is included from it.
OBJDIR		= ..
SUBDIR		= ssl

include $(OBJDIR)/Makeconf

# Aggregate target: the CA certificate, the server, client and capture
# bundles, both capture fingerprints, the signing key pair and mksig.
all:	emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem \
	ctrlnode.pem capture.pem capture.fingerprint \
	capture.sha1fingerprint keys mksig

# Aggregate target for a remote site: CA certificate, capture bundle and
# fingerprints, server and localnode bundles, and the apache bundle.
remote-site:	emulab.pem capture.pem capture.fingerprint \
	server.pem localnode.pem capture.sha1fingerprint \
	apache.pem

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# Aggregate target for the CA, server and client bundles.
# NOTE(review): no rule that builds client.pem is visible in this file;
# confirm one is provided elsewhere before relying on this target.
pems:	emulab.pem server.pem client.pem

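# Build the Certificate Authority: a self-signed certificate (cacert.pem,
# copied to emulab.pem) and its private key (cakey.pem, copied to
# emulab.key). Every other certificate in this file is signed with
# cakey.pem, so clients that trust the old CA are affected when this rule
# is re-run.
emulab.pem:	dirsmade emulab.cnf
	#
	# Create the Certificate Authority.
	# The certificate (no key!) is installed on both boss and remote nodes.
	#
	openssl req -new -x509 -days 2000 -config emulab.cnf \
		    -keyout cakey.pem -out cacert.pem
	#
	# The CA private key must not be readable by other users of the
	# build tree. Set the mode explicitly instead of relying on the
	# caller's umask or on the OpenSSL version in use; 600 matches
	# the mode the install targets give emulab.key.
	#
	chmod 600 cakey.pem
	cp cacert.pem $@
	cp cakey.pem emulab.key
	chmod 600 emulab.key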

# Issue the server certificate: generate a key and a request, sign the
# request with the CA (policy_match), and bundle key + certificate.
# NOTE(review): server.pem and the newreq.pem scratch file both contain the
# private key and are created with the caller's umask; confirm the build
# tree is not readable by other users.
# NOTE(review): newreq.pem is also used by apache2.pem, apache.pem and
# capture.pem, so these rules should not be run in parallel (-j).
server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config server.cnf \
		-keyout server_key.pem \
		-out server_req.pem
	#
	# Combine key and cert request.
	#
	cat server_key.pem server_req.pem > newreq.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-cert cacert.pem -keyfile cakey.pem \
		-out server_cert.pem \
		-infiles newreq.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	#
	cat server_key.pem server_cert.pem > $@
	rm -f newreq.pem

#
# This is for the main web server on boss.
# 
# Issue the apache2 certificate: generate a key and a request, sign the
# request with the CA (policy_sslxmlrpc), and bundle key + certificate.
# NOTE(review): apache2.pem and the newreq.pem scratch file both contain
# the private key and are created with the caller's umask; newreq.pem is
# shared with the other certificate rules, so do not run them under -j.
apache2.pem:	dirsmade apache2.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config apache2.cnf \
		-keyout apache2_key.pem \
		-out apache2_req.pem
	#
	# Combine key and cert request.
	#
	cat apache2_key.pem apache2_req.pem > newreq.pem
	#
	# Sign the apache cert request, creating a apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-cert cacert.pem -keyfile cakey.pem \
		-out apache2_cert.pem \
		-infiles newreq.pem
	#
	# Combine the key and the certificate into one file. This file is
	# is not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	cat apache2_key.pem apache2_cert.pem > $@
	rm -f newreq.pem

#
# This is for the secondary web server on users.
# 
# Issue the apache certificate: generate a key and a request, sign the
# request with the CA (policy_sslxmlrpc), and bundle key + certificate.
# NOTE(review): apache.pem and the newreq.pem scratch file both contain
# the private key and are created with the caller's umask; newreq.pem is
# shared with the other certificate rules, so do not run them under -j.
apache.pem:	dirsmade apache.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config apache.cnf \
		-keyout apache_key.pem \
		-out apache_req.pem
	#
	# Combine key and cert request.
	#
	cat apache_key.pem apache_req.pem > newreq.pem
	#
	# Sign the apache cert request, creating a apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-cert cacert.pem -keyfile cakey.pem \
		-out apache_cert.pem \
		-infiles newreq.pem
	#
	# Combine the key and the certificate into one file. This file is
	# is not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	cat apache_key.pem apache_cert.pem > $@
	rm -f newreq.pem

# Issue the capture certificate: generate a key and a request, sign the
# request with the CA (policy_match), and bundle key + certificate.
# NOTE(review): capture.pem and the newreq.pem scratch file both contain
# the private key and are created with the caller's umask; newreq.pem is
# shared with the other certificate rules, so do not run them under -j.
capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config capture.cnf \
		-keyout capture_key.pem \
		-out capture_req.pem
	#
	# Combine key and cert request.
	#
	cat capture_key.pem capture_req.pem > newreq.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-cert cacert.pem -keyfile cakey.pem \
		-out capture_cert.pem \
		-infiles newreq.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture.
	#
	cat capture_key.pem capture_cert.pem > $@
	rm -f newreq.pem


#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
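# Write the fingerprint to a scratch file and rename it into place only on
# success. With a direct redirect, a failing openssl (for example a build
# that no longer accepts -sha) leaves an empty capture.fingerprint that is
# newer than capture.pem, so later runs treat it as up to date.
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in $< > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@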

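# SHA1 fingerprint of the capture certificate. The output goes to a scratch
# file first so a failing openssl cannot leave an empty, newer-looking
# target behind.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in $< > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@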

# Client bundles. Each NAME.pem depends on NAME.cnf, the CA config and the
# helper script, and is produced by running mkclient.sh with NAME ($*).
# NOTE(review): mkclient.sh is not shown here; presumably it signs with the
# same CA state (serial, index.txt) as the rules above, so confirm before
# building these in parallel.
client_certs := localnode.pem ctrlnode.pem ronnode.pem pcplab.pem pcwa.pem

$(client_certs): %.pem: dirsmade %.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $*

# Aggregate target for the signing key pair (private and public halves).
keys:		emulab_privkey.pem emulab_pubkey.pem

# RSA private key used for signing, encrypted with -des3 so openssl asks
# for a passphrase when it is created.
# NOTE(review): no key size is passed, so the OpenSSL default applies;
# confirm that default is adequate for the OpenSSL version in use.
emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	#
	openssl genrsa -des3 -out $@

# Public half of the signing key, derived from the private key ($<).
emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract a pubkey from the privkey
	#
	openssl rsa -pubout -in $< -out $@

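# Create the working directories and bookkeeping files that `openssl ca`
# uses in the build tree, then drop the dirsmade stamp so this runs once.
dirsmade:
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	#
	# Seed the serial number only when there is none. If the stamp is
	# lost while serial and index.txt survive, rewriting "01" would make
	# the CA hand out serial numbers it has already issued.
	#
	test -s serial || echo "01" > serial
	touch index.txt
	touch $@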

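# Create the installed ssl directory tree and its CA bookkeeping files,
# then drop the install-dirs stamp in the build tree.
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	#
	# The stamp lives in the build tree but serial lives in the install
	# tree. Installing from a fresh build tree must not reset an existing
	# serial to "01", or certificates issued afterwards would reuse
	# serial numbers already recorded in index.txt.
	#
	test -s $(INSTALL_DIR)/ssl/serial || echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch $@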

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# Installs only the directory tree and mksig, then prints a warning; the
# certificates and keys are installed by the separate *-install targets.
install: install-dirs $(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

# Install the CA, server, client and capture material on boss and set the
# final modes: 600 for the CA key, 640 for the other key-bearing bundles,
# 644 for the fingerprints.
# NOTE(review): localnode.pem is installed as client.pem but is not listed
# as a prerequisite, so it must already have been built.
# NOTE(review): the modes are tightened only after the files are in place;
# if the install step creates them world-readable there is a short window
# in which the keys can be read. Confirm what INSTALL_DATA and the install
# rule for $(INSTALL_ETCDIR)/% use.
boss-installX:	$(addprefix $(INSTALL_ETCDIR)/, \
			emulab.pem emulab.key server.pem pcplab.pem \
			pcwa.pem ronnode.pem ctrlnode.pem capture.pem \
			capture.fingerprint capture.sha1fingerprint \
			emulab_privkey.pem emulab_pubkey.pem)
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	for f in emulab.pem server.pem client.pem pcplab.pem ronnode.pem \
		 ctrlnode.pem pcwa.pem emulab_privkey.pem capture.pem; do \
		chmod 640 $(INSTALL_ETCDIR)/$$f || exit 1; \
	done
	for f in capture.fingerprint capture.sha1fingerprint; do \
		chmod 644 $(INSTALL_ETCDIR)/$$f || exit 1; \
	done

# Remote-site variant of the boss install: CA, capture, ctrlnode and server
# material plus the two OpenSSL config files, followed by the final modes.
# NOTE(review): localnode.pem is installed as client.pem but is not listed
# as a prerequisite, so it must already have been built.
# NOTE(review): the modes are tightened only after the files are in place;
# confirm the install step does not leave the keys world-readable in
# between.
remote-site-boss-install:	install-dirs \
		$(addprefix $(INSTALL_ETCDIR)/, \
			emulab.pem emulab.key capture.pem \
			capture.fingerprint capture.sha1fingerprint \
			ctrlnode.pem server.pem)
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	for f in emulab.pem capture.pem server.pem client.pem ctrlnode.pem; do \
		chmod 640 $(INSTALL_ETCDIR)/$$f || exit 1; \
	done
	for f in capture.fingerprint capture.sha1fingerprint; do \
		chmod 644 $(INSTALL_ETCDIR)/$$f || exit 1; \
	done

# Copy the client bundle, the CA certificate and the public signing key
# into the client etc directory (honours DESTDIR).
# NOTE(review): unlike the boss targets, no chmod follows, so client.pem
# (presumably key-bearing) keeps whatever mode INSTALL_DATA sets; confirm
# that mode is restrictive enough.
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	for f in emulab.pem emulab_pubkey.pem; do \
		$(INSTALL_DATA) $$f $(DESTDIR)$(CLIENT_ETCDIR)/$$f || exit 1; \
	done

# Control-node install: capture bundle and CA certificate, with
# ctrlnode.pem installed as client.pem; all three end up mode 640.
# NOTE(review): ctrlnode.pem is not listed as a prerequisite, so it must
# already have been built.
control-install:	$(addprefix $(INSTALL_ETCDIR)/,capture.pem emulab.pem)
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	for f in capture.pem client.pem emulab.pem; do \
		chmod 640 $(INSTALL_ETCDIR)/$$f || exit 1; \
	done

# Install the capture bundle into the sbin directory and restrict it to
# mode 640 ($< is the installed copy).
tipserv-install:	$(INSTALL_SBINDIR)/capture.pem
	chmod 640 $<

# Install the two OpenSSL config files (ca.cnf, then usercert.cnf) into
# the lib ssl directory.
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	for f in ca.cnf usercert.cnf; do \
		$(INSTALL_DATA) $$f $(INSTALL_LIBDIR)/ssl/$$f || exit 1; \
	done

# Removes nothing: it only prints a warning, so a routine `make clean`
# cannot delete the CA. The real cleanup is the cleanX target.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

# Destructive cleanup: removes every *.pem (including the CA key and
# certificate), the CA bookkeeping files, the *.cnf files and the
# certs/newcerts directories.
# NOTE(review): emulab.key (a copy of the CA private key), the fingerprint
# files, the crl directory and the install-dirs stamp do not match these
# patterns and are left behind; confirm that is intended.
cleanX:
	rm -f *.pem *.old *.cnf serial index.txt dirsmade
	rm -rf certs newcerts