#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#

# Build-tree configuration for the ssl subdirectory.
# The @name@ tokens are template placeholders (the page names this file
# GNUmakefile.in); presumably configure substitutes them -- confirm.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
# EVENTSYS is not referenced by any rule visible in this file.
EVENTSYS	= @EVENTSYS@
# OBJDIR locates Makeconf one level up; SUBDIR names this directory.
OBJDIR		= ..
SUBDIR		= ssl

# Must follow the OBJDIR assignment, which the include path expands.
# INSTALL_DIR, INSTALL_ETCDIR, INSTALL_DATA etc. are not assigned in this
# file; presumably Makeconf provides them -- confirm.
include $(OBJDIR)/Makeconf

#
# Default goal: the CA certificate, the service and node certificates, the
# capture fingerprints, the signing key pair (keys), mksig and jabber.pem.
# apache.pem and apache-ops.pem are not part of this list; among the rules
# visible here only remote-site requests them.
#
all:	emulab.pem \
	server.pem \
	localnode.pem \
	ronnode.pem \
	pcwa.pem \
	ctrlnode.pem \
	capture.pem \
	capture.fingerprint \
	capture.sha1fingerprint \
	keys \
	mksig \
	jabber.pem

#
# Certificate set for a remote site. Compared with "all" it adds the two
# apache certificates and leaves out ronnode.pem, pcwa.pem, keys and mksig.
#
remote-site:	emulab.pem \
	capture.pem \
	capture.fingerprint \
	server.pem \
	localnode.pem \
	capture.sha1fingerprint \
	apache.pem \
	apache-ops.pem \
	ctrlnode.pem \
	jabber.pem

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# NOTE(review): no rule in this file builds client.pem; the install targets
# create client.pem only as an installed copy of localnode.pem or
# ctrlnode.pem. Presumably GNUmakerules or an existing file satisfies this
# prerequisite -- confirm.
pems:	emulab.pem server.pem client.pem

#
# Self-signed root of the testbed PKI. One recipe produces four files:
# cacert.pem/cakey.pem (read by every "openssl ca" call in this file) and
# the copies emulab.pem (certificate) and emulab.key (CA private key).
# Whether cakey.pem is passphrase-protected is decided by emulab.cnf, which
# is not shown here.
#
emulab.pem:	dirsmade emulab.cnf
	#
	# Generate the CA key pair and a self-signed certificate valid for
	# 2000 days.
	#
	openssl req -new -x509 -days 2000 \
		-config emulab.cnf \
		-keyout cakey.pem \
		-out cacert.pem
	#
	# Only the certificate (no key!) is installed on both boss and
	# remote nodes; emulab.key holds the CA private key.
	#
	cp cacert.pem $@
	cp cakey.pem emulab.key

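#
# Server certificate used by tmcd on boss.
#
# The recipe reads cacert.pem and cakey.pem, but the CA is deliberately not
# a prerequisite: listing emulab.pem would let a newer emulab.cnf regenerate
# the CA as a side effect. The CA must therefore exist before this runs.
# "openssl ca" also updates the shared serial and index.txt files, so the
# signing rules in this file must not run concurrently (no make -j).
#
server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	# Whether the key is passphrase-protected depends on server.cnf.
	#
	openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	#
	# Sign the server cert request, creating a server certificate.
	# The request file is passed directly: "openssl ca" reads only the
	# CERTIFICATE REQUEST block, so the former key+request scratch file
	# (newreq.pem) added nothing, left a second copy of the private key
	# behind whenever signing failed, and was shared by several rules.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles server_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	# NOTE(review): the redirect creates the file with the umask's mode;
	# the visible install targets tighten only the installed copy to 640.
	#
	cat server_key.pem server_cert.pem > $@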

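#
# This is for the main web server on boss.
#
# The recipe reads cacert.pem and cakey.pem without listing the CA as a
# prerequisite, so the CA must already exist. "openssl ca" updates the
# shared serial and index.txt files; do not run signing rules concurrently.
#
apache.pem:	dirsmade apache.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	# Whether the key is passphrase-protected depends on apache.cnf.
	#
	openssl req -new -config apache.cnf \
		-keyout apache_key.pem -out apache_req.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	# The request file is passed directly: "openssl ca" reads only the
	# CERTIFICATE REQUEST block, so the former key+request scratch file
	# (newreq.pem) added nothing, left a second copy of the private key
	# behind whenever signing failed, and was shared by several rules.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache_req.pem
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	# NOTE(review): the redirect creates the file with the umask's mode.
	#
	cat apache_key.pem apache_cert.pem > $@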

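#
# This is for the secondary web server on users.
#
# Note that the request is configured by apache2.cnf, not apache-ops.cnf.
# The recipe reads cacert.pem and cakey.pem without listing the CA as a
# prerequisite, so the CA must already exist. "openssl ca" updates the
# shared serial and index.txt files; do not run signing rules concurrently.
#
apache-ops.pem:	dirsmade apache2.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	# Whether the key is passphrase-protected depends on apache2.cnf.
	#
	openssl req -new -config apache2.cnf \
		-keyout apache-ops_key.pem -out apache-ops_req.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	# The request file is passed directly: "openssl ca" reads only the
	# CERTIFICATE REQUEST block, so the former key+request scratch file
	# (newreq.pem) added nothing, left a second copy of the private key
	# behind whenever signing failed, and was shared by several rules.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache-ops_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache-ops_req.pem
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	# NOTE(review): the redirect creates the file with the umask's mode.
	#
	cat apache-ops_key.pem apache-ops_cert.pem > $@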

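#
# Certificate for capture. The two capture fingerprint targets are derived
# from this file, so re-issuing it changes the fingerprints as well.
#
# The recipe reads cacert.pem and cakey.pem without listing the CA as a
# prerequisite, so the CA must already exist. "openssl ca" updates the
# shared serial and index.txt files; do not run signing rules concurrently.
#
capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	# Whether the key is passphrase-protected depends on capture.cnf.
	#
	openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	# The request file is passed directly: "openssl ca" reads only the
	# CERTIFICATE REQUEST block, so the former key+request scratch file
	# (newreq.pem) added nothing, left a second copy of the private key
	# behind whenever signing failed, and was shared by several rules.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles capture_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture.
	# NOTE(review): the redirect creates the file with the umask's mode;
	# the visible install targets tighten only the installed copy to 640.
	#
	cat capture_key.pem capture_cert.pem > $@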

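#
# Certificate built from jabber.cnf and signed under policy_sslxmlrpc.
#
# The recipe reads cacert.pem and cakey.pem without listing the CA as a
# prerequisite, so the CA must already exist. "openssl ca" updates the
# shared serial and index.txt files; do not run signing rules concurrently.
#
jabber.pem:	dirsmade jabber.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	# Whether the key is passphrase-protected depends on jabber.cnf.
	#
	openssl req -new -config jabber.cnf \
		-keyout jabber_key.pem -out jabber_req.pem
	#
	# Sign the server cert request, creating a server certificate.
	# The request file is passed directly: "openssl ca" reads only the
	# CERTIFICATE REQUEST block, so the former key+request scratch file
	# (newreq.pem) added nothing, left a second copy of the private key
	# behind whenever signing failed, and was shared by several rules.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out jabber_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles jabber_req.pem
	#
	# Combine the key and the certificate into one file.
	# NOTE(review): no install rule in this file references jabber.pem;
	# the earlier comment naming boss and tmcd as its consumer matched
	# the server.pem rule word for word -- confirm the real consumer.
	# The redirect creates the file with the umask's mode.
	#
	cat jabber_key.pem jabber_cert.pem > $@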

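#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
# NOTE(review): -sha selects the original SHA digest, which is obsolete;
# newer OpenSSL releases may no longer accept the option -- confirm against
# the OpenSSL version in use before relying on this target.
#
# The output is written to a temporary name and renamed only on success.
# With a plain redirect to the target, a failing openssl left an empty
# capture.fingerprint behind that make treated as up to date and that the
# install targets would then have distributed.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in $< > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@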

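#
# SHA-1 fingerprint of the capture certificate.
#
# The output is written to a temporary name and renamed only on success.
# With a plain redirect to the target, a failing openssl left an empty
# capture.sha1fingerprint behind that make treated as up to date.
#
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in $< > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@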

# Client certificate "localnode", produced by mkclient.sh (script not shown
# here). The install targets copy this file to client.pem.
localnode.pem:	dirsmade localnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(@:.pem=)

# Client certificate "ctrlnode", produced by mkclient.sh (script not shown
# here). control-install copies this file to client.pem.
ctrlnode.pem:	dirsmade ctrlnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(@:.pem=)

# Client certificate "ronnode", produced by mkclient.sh (script not shown
# here).
ronnode.pem:	dirsmade ronnode.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(@:.pem=)

# Client certificate "pcplab", produced by mkclient.sh (script not shown
# here). It is a prerequisite of boss-installX but not of "all".
pcplab.pem:		dirsmade pcplab.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(@:.pem=)

# Client certificate "pcwa", produced by mkclient.sh (script not shown
# here).
pcwa.pem:		dirsmade pcwa.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $(@:.pem=)

# Signing key pair: the passphrase-protected private key and the public key
# extracted from it.
keys:		emulab_privkey.pem \
		emulab_pubkey.pem

emulab_privkey.pem:
	#
	# Private key used for signing. -des3 encrypts the key file under a
	# passphrase, so this step cannot run unattended unless a passphrase
	# source is provided.
	# NOTE(review): no key length is given, so the size is whatever the
	# installed openssl defaults to; older releases default to short
	# keys -- confirm the size is acceptable.
	#
	openssl genrsa -des3 -out $@

emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Derive the public half from the private key; client-install
	# distributes this file.
	#
	openssl rsa -pubout -in $< -out $@

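#
# One-time setup of the CA working directory; "dirsmade" is the stamp file
# that records the setup as done. The directories and files created here
# take their mode from the caller's umask.
#
dirsmade:
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	#
	# Seed the serial counter only when none exists. Writing "01"
	# unconditionally reset the counter of an existing CA whenever the
	# stamp file had been removed, so already-issued serial numbers
	# would have been handed out again.
	#
	test -s serial || echo "01" > serial
	touch index.txt
	touch $@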

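#
# Create the installed CA directory tree. The stamp file "install-dirs"
# lives in the build directory, so a fresh build tree runs this recipe
# again against an existing installation.
#
install-dirs:
	#
	# The leading "-" ignores failures: a failed chmod leaves the
	# directory with whatever mode it already had.
	#
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	#
	# Seed the serial counter only when none exists. Writing "01"
	# unconditionally reset the counter of the installed CA on every
	# run from a fresh build tree, while index.txt (only touched) kept
	# its records of the certificates already issued.
	#
	test -s $(INSTALL_DIR)/ssl/serial || echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch $@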

#
# Do not run the install targets below unless you are sure you know what
# you are doing!
#
# "install" itself only prepares the directories, installs mksig and prints
# the warning; the certificates are installed by the targets that follow.
#
install:	install-dirs \
		$(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

#
# Install the CA, service and node certificates on boss and set their
# modes: 600 for the CA private key, 640 for every other key or
# certificate file, 644 for the two fingerprints.
#
# The $(INSTALL_ETCDIR)/... prerequisites have no rules in this file;
# presumably GNUmakerules supplies them -- confirm.
# NOTE(review): the modes are set only after the files are in place, so
# until the chmod lines run each file (emulab.key included) has whatever
# mode the install step gave it.
# localnode.pem is copied to client.pem without being a prerequisite, so it
# must already have been built.
#
boss-installX:	$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/pcplab.pem \
		$(INSTALL_ETCDIR)/pcwa.pem \
		$(INSTALL_ETCDIR)/ronnode.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	for pem in server.pem client.pem pcplab.pem ronnode.pem \
		   ctrlnode.pem pcwa.pem emulab_privkey.pem capture.pem; do \
		chmod 640 $(INSTALL_ETCDIR)/$$pem || exit 1; \
	done
	for fp in capture.fingerprint capture.sha1fingerprint; do \
		chmod 644 $(INSTALL_ETCDIR)/$$fp || exit 1; \
	done

# Install the OpenSSL configuration files into $(INSTALL_LIBDIR)/ssl.
install-conf:	usercert.cnf syscert.cnf ca.cnf
	for cnf in usercert.cnf syscert.cnf ca.cnf; do \
		$(INSTALL_DATA) $$cnf $(INSTALL_LIBDIR)/ssl/$$cnf || exit 1; \
	done

#
# Certificate installation for the boss node of a remote site: 600 for the
# CA private key, 640 for the other key or certificate files, 644 for the
# fingerprints.
#
# The $(INSTALL_ETCDIR)/... prerequisites have no rules in this file;
# presumably GNUmakerules supplies them -- confirm.
# NOTE(review): the modes are set only after the files are in place, so
# until the chmod lines run each file (emulab.key included) has whatever
# mode the install step gave it.
# localnode.pem is copied to client.pem without being a prerequisite, so it
# must already have been built.
#
remote-site-boss-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	for fp in capture.fingerprint capture.sha1fingerprint; do \
		chmod 644 $(INSTALL_ETCDIR)/$$fp || exit 1; \
	done
	for pem in server.pem client.pem ctrlnode.pem; do \
		chmod 640 $(INSTALL_ETCDIR)/$$pem || exit 1; \
	done

#
# Install the client-side files under $(DESTDIR)$(CLIENT_ETCDIR): the node
# certificate (as client.pem), the CA certificate and the public signing
# key. The rule has no prerequisites, so all three files must already exist.
# NOTE(review): unlike the boss targets there is no chmod afterwards, so
# client.pem keeps the mode set by $(INSTALL_DATA); if client.pem carries a
# private key (mkclient.sh is not shown) confirm that mode is restrictive.
#
client-install:
	$(INSTALL_DATA) localnode.pem \
			$(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem \
			$(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem \
			$(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem

#
# Install on the control node: capture.pem and the CA certificate through
# their prerequisite rules (not in this file), plus ctrlnode.pem as
# client.pem. All three end up mode 640. ctrlnode.pem is not a prerequisite
# and must already have been built.
#
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	for pem in capture.pem client.pem emulab.pem; do \
		chmod 640 $(INSTALL_ETCDIR)/$$pem || exit 1; \
	done

# Install capture.pem into $(INSTALL_SBINDIR) through its prerequisite rule
# (not in this file) and restrict the installed copy to mode 640.
tipserv-install:	$(INSTALL_SBINDIR)/capture.pem
	chmod 640 $<

# Install only the configuration files needed for issuing user
# certificates (ca.cnf and usercert.cnf) into $(INSTALL_LIBDIR)/ssl.
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	for cnf in ca.cnf usercert.cnf; do \
		$(INSTALL_DATA) $$cnf $(INSTALL_LIBDIR)/ssl/$$cnf || exit 1; \
	done

# "clean" deliberately removes nothing and only prints a warning; the
# destructive cleanup lives in cleanX.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

#
# Destroy the CA working state: all *.pem files (CA key and certificate
# included), the serial counter, the index, the setup stamp and the *.cnf
# files.
# NOTE(review): these patterns do not match emulab.key (the copy of the CA
# private key), the crl directory, the two capture fingerprints or the
# install-dirs stamp, so those survive this target -- confirm that leaving
# the key copy on disk is intended.
#
cleanX:
	rm -f dirsmade serial index.txt *.pem *.old *.cnf
	rm -rf certs newcerts