#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2009 University of Utah and the Flux Group.
# All rights reserved.
#

# The @...@ tokens are substitution placeholders, filled in when this .in
# template is instantiated.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
# The object-tree root is the parent directory; SUBDIR names this directory.
OBJDIR		= ..
SUBDIR		= ssl

# Shared configuration from the object-tree root. Presumably the source of the
# INSTALL_* variables used by the install targets -- confirm in Makeconf.
include $(OBJDIR)/Makeconf

# Aggregate target: the CA, the service and node certificates, the capture
# fingerprints, the signing key pair and mksig. The prerequisite order is
# unchanged, since a serial make builds them left to right and the signing
# rules consume CA serial numbers in that order.
all:	emulab.pem \
	server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
	capture.pem capture.fingerprint capture.sha1fingerprint \
	keys mksig \
	jabber.pem

# Aggregate target for a remote site. Unlike "all" it also builds the two
# apache certificates; the prerequisite order is unchanged.
remote-site:	emulab.pem \
	capture.pem capture.fingerprint \
	server.pem localnode.pem \
	capture.sha1fingerprint \
	apache.pem apache-ops.pem \
	ctrlnode.pem jabber.pem

# Aggregate target for a clearinghouse: only the CA and the main web server
# certificate.
clearinghouse:	emulab.pem \
		apache.pem

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# NOTE(review): no rule in this file builds client.pem; the install targets
# create it by copying localnode.pem or ctrlnode.pem. Confirm where this
# prerequisite is expected to come from.
pems:	emulab.pem \
	server.pem \
	client.pem

# Certificate Authority. Rebuilding this target replaces the CA key pair, so
# certificates signed by the previous CA will not verify against the new one.
# NOTE(review): the recipe also writes cakey.pem, cacert.pem and emulab.key,
# none of which is a declared target. Whether the CA key is encrypted is
# decided by emulab.cnf, which is not visible here, and the key files take
# the invoking user's umask unless openssl restricts them itself -- confirm
# the build directory is not readable by other users.
emulab.pem:	dirsmade emulab.cnf
	#
	# Create the self-signed CA certificate and its private key.
	# Only the certificate (never the key) belongs on boss and remote nodes.
	#
	openssl req -new -x509 -days 2000 -config emulab.cnf -keyout cakey.pem -out cacert.pem
	cp cacert.pem $@
	cp cakey.pem emulab.key

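# Server certificate for tmcd, signed by the local CA.
#
# The key+request scratch file is named after this target and created
# owner-only, so it cannot be overwritten by another signing rule between the
# cat and the openssl ca step.
# NOTE(review): server_key.pem and server.pem hold the private key and take
# the invoking user's umask; confirm the build directory is not readable by
# other users.
# NOTE(review): the signing rules presumably share the CA database that
# dirsmade initialises (serial, index.txt), so they should still not be run
# in parallel.
server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	#
	# Combine key and cert request in a scratch file used only by this rule.
	#
	umask 077 && cat server_key.pem server_req.pem > server_newreq.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles server_newreq.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	#
	cat server_key.pem server_cert.pem > $@
	rm -f server_newreq.pem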

#
# This is for the main web server on boss.
# 
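# The key+request scratch file is named after this target and created
# owner-only, so it cannot be overwritten by another signing rule between the
# cat and the openssl ca step.
# NOTE(review): apache_key.pem and apache.pem hold the private key and take
# the invoking user's umask; confirm the build directory is not readable by
# other users.
# NOTE(review): the signing rules presumably share the CA database that
# dirsmade initialises (serial, index.txt), so they should still not be run
# in parallel.
apache.pem:	dirsmade apache.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config apache.cnf \
		-keyout apache_key.pem -out apache_req.pem
	#
	# Combine key and cert request in a scratch file used only by this rule.
	#
	umask 077 && cat apache_key.pem apache_req.pem > apache_newreq.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache_newreq.pem
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	cat apache_key.pem apache_cert.pem > $@
	rm -f apache_newreq.pem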

#
# This is for the secondary web server on users.
# 
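# The key+request scratch file is named after this target and created
# owner-only, so it cannot be overwritten by another signing rule between the
# cat and the openssl ca step.
# NOTE(review): apache-ops_key.pem and apache-ops.pem hold the private key and
# take the invoking user's umask; confirm the build directory is not readable
# by other users.
# NOTE(review): the signing rules presumably share the CA database that
# dirsmade initialises (serial, index.txt), so they should still not be run
# in parallel.
apache-ops.pem:	dirsmade apache2.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config apache2.cnf \
		-keyout apache-ops_key.pem -out apache-ops_req.pem
	#
	# Combine key and cert request in a scratch file used only by this rule.
	#
	umask 077 && cat apache-ops_key.pem apache-ops_req.pem > apache-ops_newreq.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache-ops_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache-ops_newreq.pem
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	cat apache-ops_key.pem apache-ops_cert.pem > $@
	rm -f apache-ops_newreq.pem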

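# Certificate for capture, signed by the local CA.
#
# The key+request scratch file is named after this target and created
# owner-only, so it cannot be overwritten by another signing rule between the
# cat and the openssl ca step.
# NOTE(review): capture_key.pem and capture.pem hold the private key and take
# the invoking user's umask; confirm the build directory is not readable by
# other users.
# NOTE(review): the signing rules presumably share the CA database that
# dirsmade initialises (serial, index.txt), so they should still not be run
# in parallel.
capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	#
	# Combine key and cert request in a scratch file used only by this rule.
	#
	umask 077 && cat capture_key.pem capture_req.pem > capture_newreq.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles capture_newreq.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture.
	#
	cat capture_key.pem capture_cert.pem > $@
	rm -f capture_newreq.pem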

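# The key+request scratch file is named after this target and created
# owner-only, so it cannot be overwritten by another signing rule between the
# cat and the openssl ca step.
# NOTE(review): jabber_key.pem and jabber.pem hold the private key and take
# the invoking user's umask; confirm the build directory is not readable by
# other users.
# NOTE(review): the signing rules presumably share the CA database that
# dirsmade initialises (serial, index.txt), so they should still not be run
# in parallel.
jabber.pem:	dirsmade jabber.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config jabber.cnf \
		-keyout jabber_key.pem -out jabber_req.pem
	#
	# Combine key and cert request in a scratch file used only by this rule.
	#
	umask 077 && cat jabber_key.pem jabber_req.pem > jabber_newreq.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out jabber_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles jabber_newreq.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	# NOTE(review): "used by tmcd" matches the server.pem wording and may
	# be a copy-paste; confirm which service consumes jabber.pem.
	#
	cat jabber_key.pem jabber_cert.pem > $@
	rm -f jabber_newreq.pem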

#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
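# The fingerprint is written to a temporary name and moved into place only
# when openssl succeeds. A plain redirect would leave an empty
# capture.fingerprint behind on failure, which make would then treat as up to
# date and the install targets would publish.
# NOTE(review): -sha selects the legacy SHA digest; an openssl build without
# it makes this rule fail instead of producing a fingerprint.
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in capture.pem > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@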

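# SHA-1 fingerprint of the capture certificate. It is written to a temporary
# name and moved into place only when openssl succeeds, so a failed run
# cannot leave an empty file that looks up to date.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in capture.pem > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@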

# Node/client certificates. Each NAME.pem depends on dirsmade, NAME.cnf,
# ca.cnf and the helper script, and is produced by running mkclient.sh NAME.
# NOTE(review): mkclient.sh is not visible here; presumably it signs with the
# same CA key and database as the rules in this file -- confirm how it handles
# key file permissions.
client_pems = localnode.pem ctrlnode.pem ronnode.pem pcplab.pem pcwa.pem

$(client_pems): %.pem: dirsmade %.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $*

# Signing key pair.
keys:	emulab_privkey.pem \
	emulab_pubkey.pem

# NOTE(review): no key size is passed to genrsa, so the modulus length is
# whatever the installed openssl defaults to; confirm it is adequate for a
# signing key. -des3 makes openssl ask for a passphrase, so this rule is
# interactive.
emulab_privkey.pem:
	#
	# Private key used for signing. It is stored encrypted under a
	# passphrase.
	#
	openssl genrsa -out $@ -des3

emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Public half, extracted from the private key.
	#
	openssl rsa -in emulab_privkey.pem -pubout -out $@

# One-time setup of the CA working area in the build directory; the file
# "dirsmade" is the stamp that records it has run.
# NOTE(review): every certificate rule lists this stamp as a normal
# prerequisite, so re-creating it makes all of them, the CA included, out of
# date. It also resets serial to 01 while leaving index.txt as it is.
dirsmade:
	-mkdir -p certs newcerts crl
	echo "01" > serial
	touch index.txt
	touch $@

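# Create the installed CA directory tree. The file "install-dirs" in the build
# directory is only a stamp, so a fresh build tree runs this again over an
# existing installation. The serial file is therefore initialised only when
# it is missing or empty; overwriting it with 01 would restart numbering
# while index.txt still lists the certificates already issued.
# NOTE(review): the chmod failures are ignored ("-" prefix), so the
# directories may keep looser modes than intended. newcerts is 775 inside a
# 770 parent.
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	test -s $(INSTALL_DIR)/ssl/serial || echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch install-dirs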

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# The default install creates the directories and installs mksig, then only
# prints a warning; no certificate or key is copied by this target.
install:	install-dirs \
		$(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

# Install the CA, server, node and capture material on boss, then set modes:
# 600 for the CA key, 640 for the .pem files, 644 for the fingerprints.
# NOTE(review): the prerequisites are presumably installed by a rule in
# GNUmakerules and only chmod'ed here afterwards, so each file briefly has
# whatever mode that rule assigns -- confirm it is not world-readable.
# emulab_privkey.pem is group-readable (640) while emulab.key is 600, and
# emulab_pubkey.pem gets no chmod at all.
boss-installX:	$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/pcplab.pem \
		$(INSTALL_ETCDIR)/pcwa.pem \
		$(INSTALL_ETCDIR)/ronnode.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem \
		  $(INSTALL_ETCDIR)/server.pem \
		  $(INSTALL_ETCDIR)/client.pem \
		  $(INSTALL_ETCDIR)/pcplab.pem \
		  $(INSTALL_ETCDIR)/ronnode.pem \
		  $(INSTALL_ETCDIR)/ctrlnode.pem \
		  $(INSTALL_ETCDIR)/pcwa.pem \
		  $(INSTALL_ETCDIR)/emulab_privkey.pem \
		  $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint \
		  $(INSTALL_ETCDIR)/capture.sha1fingerprint

# Install the openssl configuration files into $(INSTALL_LIBDIR)/ssl, one at a
# time, stopping at the first failure.
install-conf:	usercert.cnf syscert.cnf ca.cnf
	for conf in usercert.cnf syscert.cnf ca.cnf; do \
		$(INSTALL_DATA) $$conf $(INSTALL_LIBDIR)/ssl/$$conf || exit 1; \
	done

# Boss install for a remote site: the CA, capture, ctrlnode and server
# material, with localnode.pem installed as client.pem. Modes: 600 for the CA
# key, 640 for the .pem files, 644 for the fingerprints.
# NOTE(review): the prerequisites are presumably installed by a rule in
# GNUmakerules and only chmod'ed here afterwards -- confirm the mode that rule
# assigns is not world-readable.
remote-site-boss-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem \
		  $(INSTALL_ETCDIR)/capture.pem \
		  $(INSTALL_ETCDIR)/server.pem \
		  $(INSTALL_ETCDIR)/client.pem \
		  $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint \
		  $(INSTALL_ETCDIR)/capture.sha1fingerprint

# Stage the node-side files under $(DESTDIR)$(CLIENT_ETCDIR): localnode.pem
# (as client.pem), the CA certificate and the public signing key.
# NOTE(review): unlike the boss and control install targets, no chmod follows,
# so client.pem keeps whatever mode $(INSTALL_DATA) assigns. If localnode.pem
# carries the node's private key, confirm that mode is not world-readable.
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem

# Control node install: capture.pem and the CA certificate, with ctrlnode.pem
# installed as client.pem; all three end up mode 640.
control-install:	$(INSTALL_ETCDIR)/capture.pem $(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem \
		  $(INSTALL_ETCDIR)/client.pem \
		  $(INSTALL_ETCDIR)/emulab.pem

# Clearinghouse install: the CA certificate (640) and the CA private key
# (600), plus the openssl configuration files.
clearinghouse-install:	install-dirs $(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key install-conf
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem

# Tip server install: capture.pem goes into $(INSTALL_SBINDIR) and is then
# restricted to owner and group.
tipserv-install:	\
		$(INSTALL_SBINDIR)/capture.pem
	chmod 640 $(INSTALL_SBINDIR)/capture.pem

# Install only the configuration needed to issue user certificates: ca.cnf
# and usercert.cnf, in that order, stopping at the first failure.
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	for conf in ca.cnf usercert.cnf; do \
		$(INSTALL_DATA) $$conf $(INSTALL_LIBDIR)/ssl/$$conf || exit 1; \
	done

# Deliberately inert: "clean" only prints a warning so that a routine clean
# cannot delete the CA key or the issued certificates.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

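# Destructive clean: removes every key, certificate, generated .cnf file and
# the CA database from the build directory. emulab.key is listed explicitly
# because it is a copy of the CA private key (made by the emulab.pem rule)
# that *.pem does not match and would otherwise be left behind.
# NOTE(review): the crl directory and the capture fingerprint files are not
# removed here.
cleanX:
	rm -f *.pem emulab.key serial index.txt *.old dirsmade *.cnf
	rm -rf newcerts certs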