#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#

# Placeholders of the form @name@ are presumably filled in by configure
# when GNUmakefile is generated from this template.  OBJDIR is the
# directory Makeconf is included from; SUBDIR names this directory.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
OBJDIR		= ..
SUBDIR		= ssl

include $(OBJDIR)/Makeconf

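# First goal in this file: the CA certificate, the server certificate,
# the client certificates built by mkclient.sh, the signing key pair
# (keys) and mksig.  mksig has no rule here; presumably GNUmakerules
# supplies one.
# Declared phony so that a stray file named "all" cannot suppress it.
.PHONY: all
all:	emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
	keys mksig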

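# Certificate set built for a remote site.
# NOTE(review): capture.pem, server.pem and apache.pem each run
# "openssl ca" with the same ca.cnf in this directory; do not build this
# goal with -j unless those recipes are known to be safe to run
# concurrently.
.PHONY: remote-site
remote-site:	emulab.pem capture.pem capture.fingerprint server.pem \
	localnode.pem capture.sha1fingerprint apache.pem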

include $(TESTBED_SRCDIR)/GNUmakerules

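#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# NOTE(review): no rule for client.pem is visible in this file (the
# install targets copy localnode.pem to client.pem instead); confirm
# that GNUmakerules provides one, otherwise this goal cannot be built.
.PHONY: pems
pems:	emulab.pem server.pem client.pem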

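# Create the Certificate Authority: cakey.pem/cacert.pem, plus the copies
# emulab.key (private key) and emulab.pem (certificate).
# Whether cakey.pem is passphrase-protected is decided by emulab.cnf,
# which is not shown here, so the key files are treated as secrets:
# they are created under umask 077, and stale copies are removed first
# because overwriting an existing file would keep its old, possibly
# wider, mode.  cacert.pem is created under the same umask; emulab.pem is
# written with the invoker's normal umask so it stays readable as before.
# The target itself is written last, so a failure part-way through does
# not leave an up-to-date emulab.pem without its emulab.key.
emulab.pem:	dirsmade emulab.cnf
	#
	# Create the Certificate Authority.
	# The certificate (no key!) is installed on both boss and remote nodes.
	#
	rm -f cakey.pem emulab.key
	umask 077; openssl req -new -x509 -days 2000 -config emulab.cnf \
		    -keyout cakey.pem -out cacert.pem
	umask 077; cp cakey.pem emulab.key
	cat cacert.pem > emulab.pem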

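# Build server.pem (private key followed by the CA-signed certificate).
# Every file that holds the private key is created under umask 077, and
# the scratch request file is named after this target so that it cannot
# collide with the scratch file of another certificate rule.
# NOTE(review): server.pem is now created mode 0600; confirm the install
# step runs as a user that can read it.
# NOTE(review): "openssl ca" presumably updates the serial/index.txt files
# made by dirsmade; running several signing rules at once (-j) is not
# known to be safe.
server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	rm -f server_key.pem
	umask 077; openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	#
	# Combine key and cert request.
	#
	rm -f server_newreq.pem
	umask 077; cat server_key.pem server_req.pem > server_newreq.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles server_newreq.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd. Written to a temporary name first so a
	# failed write never leaves a truncated server.pem behind.
	#
	rm -f $@.tmp
	umask 077; cat server_key.pem server_cert.pem > $@.tmp && mv -f $@.tmp $@
	rm -f server_newreq.pem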

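# Build apache.pem (private key followed by the CA-signed certificate).
# Every file that holds the private key is created under umask 077, and
# the scratch request file is named after this target so that it cannot
# collide with the scratch file of another certificate rule.
# NOTE(review): "openssl ca" presumably updates the serial/index.txt files
# made by dirsmade; running several signing rules at once (-j) is not
# known to be safe.
apache.pem:	dirsmade apache.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	rm -f apache_key.pem
	umask 077; openssl req -new -config apache.cnf \
		-keyout apache_key.pem -out apache_req.pem
	#
	# Combine key and cert request.
	#
	rm -f apache_newreq.pem
	umask 077; cat apache_key.pem apache_req.pem > apache_newreq.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache_newreq.pem
	#
	# Combine the key and the certificate into one file. This file
	# is not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created. Written to a temporary name first so
	# a failed write never leaves a truncated apache.pem behind.
	#
	rm -f $@.tmp
	umask 077; cat apache_key.pem apache_cert.pem > $@.tmp && mv -f $@.tmp $@
	rm -f apache_newreq.pem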

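# Build capture.pem (private key followed by the CA-signed certificate).
# Every file that holds the private key is created under umask 077, and
# the scratch request file is named after this target so that it cannot
# collide with the scratch file of another certificate rule.
# NOTE(review): capture.pem is now created mode 0600; confirm the install
# step runs as a user that can read it.
# NOTE(review): "openssl ca" presumably updates the serial/index.txt files
# made by dirsmade; running several signing rules at once (-j) is not
# known to be safe.
capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	rm -f capture_key.pem
	umask 077; openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	#
	# Combine key and cert request.
	#
	rm -f capture_newreq.pem
	umask 077; cat capture_key.pem capture_req.pem > capture_newreq.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles capture_newreq.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture. Written to a temporary name first so a
	# failed write never leaves a truncated capture.pem behind.
	#
	rm -f $@.tmp
	umask 077; cat capture_key.pem capture_cert.pem > $@.tmp && mv -f $@.tmp $@
	rm -f capture_newreq.pem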


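#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
# NOTE(review): -sha selects the legacy SHA (SHA-0) digest, which newer
# OpenSSL releases may no longer offer -- confirm against the openssl in
# use.  Neither SHA-0 nor SHA-1 is collision resistant, so whatever
# compares these fingerprints should be moved to a SHA-256 fingerprint
# once the deployed tiptunnel binaries allow it.
#
# The output goes to a temporary file first: if openssl fails, no empty
# capture.fingerprint is left behind looking up to date.
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in capture.pem > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@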

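# SHA-1 fingerprint of the capture certificate.
# The output goes to a temporary file first: if openssl fails, no empty
# capture.sha1fingerprint is left behind looking up to date.
# NOTE(review): SHA-1 is not collision resistant; prefer a SHA-256
# fingerprint wherever the consumer of this file can be updated.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in capture.pem > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@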

# Run mkclient.sh with this target's base name ("localnode").  The script
# is not shown here; it is expected to leave localnode.pem in this
# directory.  The install targets in this file copy localnode.pem to
# client.pem.
localnode.pem:	dirsmade localnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(basename $@)

# Run mkclient.sh with this target's base name ("ctrlnode").  The script
# is not shown here; it is expected to leave ctrlnode.pem in this
# directory.  control-install copies ctrlnode.pem to client.pem.
ctrlnode.pem:	dirsmade ctrlnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(basename $@)

# Run mkclient.sh with this target's base name ("ronnode").  The script
# is not shown here; it is expected to leave ronnode.pem in this
# directory.
ronnode.pem:	dirsmade ronnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(basename $@)

# Run mkclient.sh with this target's base name ("pcplab").  The script
# is not shown here; it is expected to leave pcplab.pem in this
# directory.
pcplab.pem:		dirsmade pcplab.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(basename $@)

# Run mkclient.sh with this target's base name ("pcwa").  The script
# is not shown here; it is expected to leave pcwa.pem in this directory.
pcwa.pem:		dirsmade pcwa.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(basename $@)

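# Signing key pair: the passphrase-protected private key and the public
# key extracted from it.  Declared phony so a stray file named "keys"
# cannot suppress the goal.
.PHONY: keys
keys:		emulab_privkey.pem emulab_pubkey.pem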

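# Private RSA key used for signing; openssl prompts for the passphrase.
# This rule has no prerequisites, so it only runs while the file is
# missing -- which is why the key is generated under a temporary name
# and renamed on success: a failed or aborted run must not leave an
# empty emulab_privkey.pem that make would then treat as done.
# umask 077 keeps the key private to the invoking user.
# The modulus size is given explicitly; without it the size is whatever
# default the installed openssl has.
# NOTE(review): confirm that whatever verifies the signatures copes with
# the signature length of a 2048-bit key.
emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	#
	umask 077; openssl genrsa -des3 -out $@.tmp 2048 \
		|| { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@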

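# Public half of emulab_privkey.pem.  openssl asks for the private key's
# passphrase; the result is written under a temporary name and renamed on
# success so that a wrong passphrase cannot leave an empty, apparently
# up-to-date emulab_pubkey.pem behind.
emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract a pubkey from the privkey
	#
	openssl rsa -in emulab_privkey.pem -pubout -out $@.tmp \
		|| { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@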

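# Stamp rule: create the working directories and the serial/index.txt
# files in the build directory, then record completion in "dirsmade".
# The serial file is only seeded when it is missing or empty.  If the
# stamp is lost while a CA already exists here, rewriting it to 01 would
# restart serial numbering under the existing CA.
dirsmade:
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	test -s serial || echo "01" > serial
	touch index.txt
	touch dirsmade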

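# Stamp rule: create the installed ssl tree and record completion in the
# build-directory file "install-dirs".
# The installed serial file is only seeded when it is missing or empty.
# The stamp lives in the build tree, so a fresh build tree pointed at an
# existing installation would otherwise reset that installation's serial
# counter to 01.
# NOTE(review): the mkdir/chmod lines ignore errors ("-" prefix), so a
# failed chmod leaves the directory with whatever mode it already had;
# check the modes of $(INSTALL_DIR)/ssl after installing.
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	test -s $(INSTALL_DIR)/ssl/serial || \
		echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch install-dirs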

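#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# "install" itself copies no certificate or key: it makes the install
# directories, installs mksig and prints a warning.  Declared phony so a
# stray file named "install" cannot suppress it.
.PHONY: install
install:	install-dirs $(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"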

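# Install the CA, server, client and signing material on boss.  The
# $(INSTALL_ETCDIR)/... prerequisites are installed by rules that are not
# in this file (presumably GNUmakerules); the recipe then tightens modes.
# capture.pem is chmod'ed here as well, matching remote-site-boss-install,
# so the mode of that key-bearing file does not depend on the install
# rule's default.
# NOTE(review): files are installed first and chmod'ed afterwards, so each
# one briefly has the mode the install command gives it; confirm that
# $(INSTALL_ETCDIR) itself is not world-accessible.
# NOTE(review): unlike remote-site-boss-install this goal does not depend
# on install-dirs although it writes into $(INSTALL_LIBDIR)/ssl.
.PHONY: boss-installX
boss-installX:	$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/pcplab.pem \
		$(INSTALL_ETCDIR)/pcwa.pem \
		$(INSTALL_ETCDIR)/ronnode.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/pcplab.pem
	chmod 640 $(INSTALL_ETCDIR)/ronnode.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/pcwa.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem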

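# Install the remote-site certificate set on boss.  The
# $(INSTALL_ETCDIR)/... prerequisites are installed by rules that are not
# in this file (presumably GNUmakerules); the recipe then sets modes:
# 600 for the CA key, 640 for certificates and key+certificate bundles,
# 644 for the two fingerprint files.
# NOTE(review): files are installed first and chmod'ed afterwards, so each
# one briefly has the mode the install command gives it; confirm that
# $(INSTALL_ETCDIR) itself is not world-accessible.
# Declared phony so a stray file of the same name cannot suppress it.
.PHONY: remote-site-boss-install
remote-site-boss-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem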

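# Install the client-side files under $(DESTDIR)$(CLIENT_ETCDIR):
# localnode.pem as client.pem, the CA certificate and the signing public
# key.
# NOTE(review): the boss-side install targets chmod client.pem to 640,
# but here it keeps the mode given by $(INSTALL_DATA).  If client.pem
# carries a private key (mkclient.sh is not shown), decide whether that
# mode is intended for the processes that must read it.
# Declared phony so a stray file named "client-install" cannot suppress it.
.PHONY: client-install
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem \
			$(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem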

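# Install capture.pem and the CA certificate (through rules not shown in
# this file), install ctrlnode.pem as client.pem, then set all three to
# mode 640.
# Declared phony so a stray file named "control-install" cannot suppress it.
.PHONY: control-install
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem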

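# Install capture.pem into $(INSTALL_SBINDIR) (through a rule not shown in
# this file) and set it to mode 640; the file holds the capture private
# key together with its certificate.
# Declared phony so a stray file named "tipserv-install" cannot suppress it.
.PHONY: tipserv-install
tipserv-install:	$(INSTALL_SBINDIR)/capture.pem
	chmod 640 $(INSTALL_SBINDIR)/capture.pem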

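# Install the two openssl configuration files into $(INSTALL_LIBDIR)/ssl.
# No key or certificate is installed by this goal.
# Declared phony so a stray file named "usercert-install" cannot suppress it.
.PHONY: usercert-install
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf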

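# "clean" deliberately removes nothing: it only prints a warning, so a
# routine clean cannot destroy the CA.  Declared phony so a stray file
# named "clean" cannot suppress the warning.
.PHONY: clean
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"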

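# The real clean: removes every generated certificate and key in this
# directory, including the CA key, plus the CA bookkeeping files and the
# *.cnf files.
# emulab.key is listed explicitly because it is a copy of the CA private
# key that none of the other patterns match; without it the copy would
# survive the clean.
# NOTE(review): the crl directory and the capture fingerprint files are
# not removed here.
.PHONY: cleanX
cleanX:
	rm -f *.pem emulab.key serial index.txt *.old dirsmade *.cnf
	rm -rf newcerts certs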