#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#

#
# Build-tree layout. The @...@ tokens are filled in by configure, so these
# are plain literals by the time make reads them and can be expanded once.
#
SRCDIR		:= @srcdir@
TESTBED_SRCDIR	:= @top_srcdir@
EVENTSYS	:= @EVENTSYS@
OBJDIR		:= ..
SUBDIR		:= ssl

#
# Where the web-server certificates and keys land once installed.
# These stay recursively expanded (=) on purpose: OURDOMAIN and USERNODE
# are not set in this file and presumably come from $(OBJDIR)/Makeconf,
# which is only included further down.
#
APACHE_ETCDIR	    = @INSTALL_APACHE_CONFIG@
APACHE_CRTDIR	    = $(APACHE_ETCDIR)/ssl.crt
APACHE_KEYDIR	    = $(APACHE_ETCDIR)/ssl.key
APACHE_CERTFILE     = $(APACHE_CRTDIR)/www.$(OURDOMAIN).crt
APACHE_KEYFILE      = $(APACHE_KEYDIR)/www.$(OURDOMAIN).key
APACHE_CERTFILE_OPS = $(APACHE_CRTDIR)/$(USERNODE).crt
APACHE_KEYFILE_OPS  = $(APACHE_KEYDIR)/$(USERNODE).key

include $(OBJDIR)/Makeconf

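#
# Targets that are commands rather than files. Without this, a stray file
# named e.g. "clean" or "install" in this directory would silently make
# that goal "up to date". The stamp-file targets (dirsmade, recover-keys)
# are deliberately NOT listed here; they really do create a file.
#
.PHONY: all remote-site clearinghouse pems keys install install-dirs \
	install-conf boss-installX remote-site-boss-install apache-install \
	client-install control-install clearinghouse-install tipserv-install \
	usercert-install clean cleanX clean-certs clean-keys

#
# Default goal for a boss build: the CA cert, the tmcd server cert, the
# two client certs, the capture cert plus both of its fingerprints, the
# signing key pair and the two helper scripts.
#
all:	emulab.pem server.pem localnode.pem ctrlnode.pem \
	capture.pem capture.fingerprint capture.sha1fingerprint \
	keys mksig updatecert

#
# A remote site additionally needs the certs for both web servers
# (boss and ops), and does not build the signing key pair or mksig here.
#
remote-site:	emulab.pem capture.pem capture.fingerprint server.pem \
	localnode.pem capture.sha1fingerprint apache.pem apache-ops.pem \
	ctrlnode.pem updatecert

#
# A clearinghouse only needs the CA cert and the boss web server cert.
#
clearinghouse:	emulab.pem apache.pem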

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# NOTE(review): nothing in this file builds a "client.pem" (localnode.pem
# is merely installed under that name), so this target presumably relies
# on a rule from GNUmakerules, or is stale.
#
pems:	emulab.pem \
	server.pem \
	client.pem

#
# Create the Certificate Authority: a self-signed cert made from
# emulab.key. The certificate is installed on both boss and remote nodes.
# Which request config is used depends on whether ProtoGENI support is on;
# both configs are listed as prerequisites regardless.
#
ifeq (@PROTOGENI_SUPPORT@,1)
CA_REQ_CNF = emulab-geni.cnf
else
CA_REQ_CNF = emulab.cnf
endif

emulab.pem:	dirsmade mkserial emulab.cnf emulab-geni.cnf emulab.key
	openssl req -new -x509 -days 2000 -config $(CA_REQ_CNF) \
		    -text -key emulab.key -out $@

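#
# tmcd server certificate: sign server.req with the CA, then append the
# private key so that one file can be installed on boss for tmcd.
# Because the result contains the private key, restrict it in the build
# tree right away instead of leaving it at the build umask; the install
# targets re-apply 640 to the installed copy.
#
server.pem:	dirsmade mkserial server.cnf ca.cnf server.key server.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out $@ -cert emulab.pem -keyfile emulab.key \
		-infiles server.req
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd. The file now holds the private key.
	#
	cat server.key >> $@
	chmod 600 $@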

#
# Certificate for the main web server on boss. Unlike server.pem, the key
# is NOT appended here; apache-install installs the key as a separate file.
#
apache.pem:	dirsmade mkserial apache.cnf ca.cnf apache.key apache.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the apache cert request with the CA, creating an apache
	# certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out $@ -cert emulab.pem -keyfile emulab.key \
		-infiles $(@:.pem=.req)

#
# Certificate for the secondary web server on users (ops). As with
# apache.pem, the key is kept in its own file rather than appended.
#
apache-ops.pem:	dirsmade mkserial apache-ops.cnf ca.cnf apache-ops.key apache-ops.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the apache cert request with the CA, creating an apache
	# certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out $@ -cert emulab.pem -keyfile emulab.key \
		-infiles $(@:.pem=.req)

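#
# Certificate for capture, signed by the CA and combined with its key into
# one file, exactly as server.pem is. Since the combined file holds the
# private key, restrict it in the build tree too; the install targets
# apply 640 to the installed copy.
#
capture.pem:	dirsmade mkserial capture.cnf ca.cnf capture.key capture.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out $@ -cert emulab.pem -keyfile emulab.key \
		-infiles capture.req
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture. The file now holds the private key.
	#
	cat capture.key >> $@
	chmod 600 $@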

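#
# Generate the fingerprint of the capture certificate.
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA. "-sha" is SHA-0; newer OpenSSL
# builds may no longer accept it, in which case this rule fails.
# Write through a temp file so a failed openssl run cannot leave an empty
# fingerprint behind that is newer than capture.pem (and would then be
# installed as if it were valid).
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in $< > $@.tmp && \
	    mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }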

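#
# SHA-1 fingerprint of the capture certificate, for clients that do not
# need the legacy SHA variant. Written through a temp file for the same
# reason as capture.fingerprint: never leave an empty, newer-than-source
# fingerprint behind on failure.
#
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in $< > $@.tmp && \
	    mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }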

#
# Client certificates: localnode.pem (installed on nodes as client.pem)
# and ctrlnode.pem (installed on the control node as client.pem). The two
# rules are identical apart from the stem, so they share a static pattern
# rule. The key is appended to the request before mkclient.sh runs;
# mkclient.sh presumably writes $*.pem.
# NOTE(review): %.req already appends $*.key when the request is created,
# so this adds a further copy of the key to the .req on every run.
#
localnode.pem ctrlnode.pem: %.pem: dirsmade mkserial %.cnf ca.cnf %.key %.req
	cat $*.key >> $*.req
	# Create the serial file.
	perl ./mkserial
	$(SRCDIR)/mkclient.sh $*

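#
# RSA key pair used by mksig for signing stuff. The private half is
# passphrase protected (des3) and stays on boss; only the public half is
# installed on clients (see client-install).
# The size is explicit: without it genrsa uses the OpenSSL build's
# default, which on older builds is only 1024 bits. Override with
# SIGNING_KEYBITS=... if a different size is needed.
#
SIGNING_KEYBITS ?= 2048

keys:		emulab_privkey.pem emulab_pubkey.pem

emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase. Restrict the file as soon as it exists.
	#
	openssl genrsa -out $@ -des3 $(SIGNING_KEYBITS)
	chmod 600 $@

emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract a pubkey from the privkey (asks for the passphrase).
	#
	openssl rsa -in $< -pubout -out $@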

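#
# Rule to generate an RSA key with no encryption.
# The size defaults to 2048 bits (1024-bit RSA is no longer considered
# adequate); override with KEYBITS=... on the make command line.
# The rule has no prerequisites on purpose, so it only fires when the key
# file is missing and never replaces an existing key.
# The key is private, so restrict it immediately rather than leaving it
# at the build umask until install time.
# If this fails, check to make sure that ~/.rnd is owned
# by you and writable.
#
KEYBITS ?= 2048

%.key:
	openssl genrsa -out $@ -rand .rand $(KEYBITS)
	chmod 600 $@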

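#
# Recover the private keys from where they were originally installed. We
# do this because people often lose their original build tree, but when
# rebuilding the certs we usually want the original keys.
# Every copy is best-effort (leading "-"): a site may not have every kind
# of key installed. The recovered keys are unencrypted, so tighten their
# mode as part of the same step instead of leaving them at the umask.
# The target is a stamp file, so it runs once per build tree.
#
recover-keys:
	-cp $(INSTALL_DIR)/etc/emulab.key emulab.key && chmod 600 emulab.key
	-cp $(APACHE_KEYFILE) apache.key && chmod 600 apache.key
	-openssl rsa -in $(INSTALL_DIR)/etc/server.pem -out server.key && \
		chmod 600 server.key
	-openssl rsa -in $(INSTALL_DIR)/etc/capture.pem -out capture.key && \
		chmod 600 capture.key
	-openssl rsa -in $(INSTALL_DIR)/etc/ctrlnode.pem -out ctrlnode.key && \
		chmod 600 ctrlnode.key
	-openssl rsa -in $(INSTALL_DIR)/etc/client.pem -out localnode.key && \
		chmod 600 localnode.key
	-scp $(USERNODE):$(APACHE_KEYFILE_OPS) apache-ops.key && \
		chmod 600 apache-ops.key
	touch recover-keys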

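#
# Rule to generate a certificate request using the existing key.
# The key is appended to the request, so the .req file is as sensitive as
# the key itself and is restricted the same way.
# Deliberately no prerequisites: regenerating a request would cascade
# into re-signing the certificate that lists it as a prerequisite.
#
%.req:
	# No good place to put this.
	@chmod +x mkserial
	openssl req -new -config $*.cnf -key $*.key -out $@
	#
	# Combine key and cert request.
	#
	cat $*.key >> $@
	chmod 600 $@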

#
# One-time setup of the working files for openssl ca in the build tree
# (layout presumably matching ca.cnf): the cert directories, the serial
# counter and the index. Recorded by the dirsmade stamp so it is not
# redone, which would reset the serial counter.
#
dirsmade:
	-mkdir -p certs newcerts crl
	# The initial system certificates start here.
	echo "0001" > serial
	touch index.txt
	touch $@

#
# Create the installed ssl tree and the apache cert/key directories.
# NOTE(review): $(INSTALL_DIR)/ssl/keys gets no explicit mode here, unlike
# its siblings; it inherits the umask (the 770 on the parent still limits
# who can reach it). Confirm that is intended.
#
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs $(INSTALL_DIR)/ssl/newcerts
	chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl $(INSTALL_DIR)/ssl/keys
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	-mkdir -p $(APACHE_ETCDIR)/ssl.crt $(APACHE_ETCDIR)/ssl.key
	chmod 700 $(APACHE_ETCDIR)/ssl.crt $(APACHE_ETCDIR)/ssl.key

#
# Seed the installed CA state. It does not matter what goes into serial;
# after the initial install unique serial numbers come from the DB.
# Both are real files, so they are only created when missing.
#
$(INSTALL_DIR)/ssl/serial:
	echo "01" > $@

$(INSTALL_DIR)/ssl/index.txt:
	touch $@

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# The plain install only puts the directories and mksig in place and
# warns; the certs themselves are installed by boss-installX and the
# other *-install targets below.
#
install:	install-dirs \
		$(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

#
# Install everything boss needs. Files holding private key material
# (emulab.key, the combined key+cert .pem files, the passphrase-protected
# emulab_privkey.pem) are tightened after INSTALL_DATA copies them; the
# fingerprints are public and stay world-readable. localnode.pem is
# installed under the name client.pem.
#
BOSS_ETC_FILES	= emulab.pem emulab.key server.pem ctrlnode.pem capture.pem \
		  capture.fingerprint capture.sha1fingerprint \
		  emulab_privkey.pem emulab_pubkey.pem

boss-installX:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(addprefix $(INSTALL_ETCDIR)/,$(BOSS_ETC_FILES)) \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint

#
# OpenSSL config files installed under $(INSTALL_LIBDIR)/ssl, presumably
# for the boss-side tools that issue user and system certs at runtime.
# Stops at the first failed copy.
#
install-conf:	usercert.cnf syscert.cnf ca.cnf
	for f in $^; do \
		$(INSTALL_DATA) $$f $(INSTALL_LIBDIR)/ssl/$$f || exit 1; \
	done

#
# Boss install for a remote site: same as boss-installX minus the signing
# key pair. Private material (emulab.key, the combined key+cert .pem
# files) is tightened after INSTALL_DATA copies it; fingerprints remain
# world-readable. localnode.pem is installed under the name client.pem.
#
REMOTE_ETC_FILES = emulab.pem emulab.key capture.pem capture.fingerprint \
		   capture.sha1fingerprint ctrlnode.pem server.pem

remote-site-boss-install:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(addprefix $(INSTALL_ETCDIR)/,$(REMOTE_ETC_FILES)) \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem

# Do not run this if you have a "real" web certificate.
# Installs the CA-signed boss web server cert and its key into the apache
# config tree; the rules for these two targets are not defined in this file.
apache-install: $(APACHE_CERTFILE) $(APACHE_KEYFILE)

#
# Files a client node needs: its client cert (localnode.pem, installed as
# client.pem), the CA cert, and the public half of the signing key.
# Honours DESTDIR for staged installs.
# NOTE(review): unlike the other install targets, client.pem is left at
# INSTALL_DATA's default mode here, while boss treats the same file as
# 640 material. Confirm that is intended for client nodes.
#
CLIENT_SSL_DIR	= $(DESTDIR)$(CLIENT_ETCDIR)

client-install:
	$(INSTALL_DATA) localnode.pem $(CLIENT_SSL_DIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(CLIENT_SSL_DIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem $(CLIENT_SSL_DIR)/emulab_pubkey.pem

#
# Control node install: the combined capture cert+key, the CA cert, and
# ctrlnode.pem installed under the name client.pem. All three are kept
# group-readable only.
#
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem $(INSTALL_ETCDIR)/client.pem \
		$(INSTALL_ETCDIR)/emulab.pem

#
# Clearinghouse install: only the CA cert and key (plus the openssl
# configs via install-conf). The CA key is owner-only.
#
clearinghouse-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem $(INSTALL_ETCDIR)/emulab.key \
		install-conf
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key

# Tip server install: only the combined capture cert+key file is needed,
# and since it holds the private key it is kept group-readable only.
tipserv-install:	$(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem

#
# Install just the configs needed for issuing user certs. Overlaps with
# install-conf (which also installs syscert.cnf) but can be run alone.
# Stops at the first failed copy.
#
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	for f in ca.cnf usercert.cnf; do \
		$(INSTALL_DATA) $$f $(INSTALL_LIBDIR)/ssl/$$f || exit 1; \
	done

#
# "clean" deliberately removes nothing and only warns: wiping this
# directory throws away the CA, the certs and the private keys. The real
# cleaning is done by cleanX / clean-certs / clean-keys below.
#
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

#
# The destructive cleans.
# cleanX removes everything this directory produces, including the
# private keys, the serial counter and the CA index.
# clean-certs leaves the private keys behind so that new certs use the
# same keys and existing certs still have valid sigs.
# clean-keys removes only the private keys.
#
cleanX: clean-certs clean-keys
	rm -f serial index.txt *.old dirsmade *.cnf mkserial updatecert mksig
	rm -rf newcerts certs crl

clean-certs:
	rm -f *.pem *.req *.old *.cnf *fingerprint

clean-keys:
	rm -f *.key