Commit ad3a6c5b authored by Leigh B. Stoller's avatar Leigh B. Stoller

Add several configure variables to the defs file so that the ssl certificates

(config files) can be localized:

	C                      = @SSLCERT_COUNTRY@
	ST                     = @SSLCERT_STATE@
	L                      = @SSLCERT_LOCALITY@
	O                      = @SSLCERT_ORGNAME@

Which are initialized locally to:

	SSLCERT_COUNTRY="US"
	SSLCERT_STATE="Utah"
	SSLCERT_LOCALITY="Salt Lake City"
	SSLCERT_ORGNAME="Utah Network Testbed"

Also added an "apache" target which will generate an initial cert/key
for the apache server. This is a self signed certificate of course, which
is fine for getting a new site off the ground. Note that the cert/key are
installed by install/boss-install.
parent 91bd30b2
......@@ -882,6 +882,10 @@ fi
......@@ -934,6 +938,15 @@ LINKTEST_NSPATH="/share/linktest-ns"
BOSSEVENTPORT=2927
UNIFIED_BOSS_AND_OPS=0
#
# SSL Certificate stuff. Used to customize config files in ssl directory.
# Note that OrganizationalUnit is set in the cnf file.
# CommonName is typically set to BOSSNODE and emailAddress to TBOPSEMAIL
#
SSLCERT_COUNTRY="US"
SSLCERT_STATE="Utah"
SSLCERT_LOCALITY="Salt Lake City"
SSLCERT_ORGNAME="Utah Network Testbed"
#
# Network config stuff. Obviously, this needs to be localized, but there are
# too many defs files too worry about right now.
#
......@@ -1376,7 +1389,7 @@ fi
# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
# ./install, which can be erroneously created by make from ./install.sh.
echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
echo "configure:1380: checking for a BSD compatible install" >&5
echo "configure:1393: checking for a BSD compatible install" >&5
if test -z "$INSTALL"; then
if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
......@@ -1438,7 +1451,6 @@ esac
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
ssl/GNUmakefile ssl/mksig \
ssl/ca.cnf ssl/ctrlnode.cnf \
capture/GNUmakefile \
db/GNUmakefile db/nalloc db/nfree db/if2port db/backup \
db/webcontrol db/node_status db/genelists db/genelists.proxy \
......@@ -1769,6 +1781,10 @@ s%@PUBLIC_ROUTER@%$PUBLIC_ROUTER%g
s%@PUBLIC_NETMASK@%$PUBLIC_NETMASK%g
s%@DHCPD_DYNRANGE@%$DHCPD_DYNRANGE%g
s%@DHCPD_CONTROLNET_DECL@%$DHCPD_CONTROLNET_DECL%g
s%@SSLCERT_COUNTRY@%$SSLCERT_COUNTRY%g
s%@SSLCERT_STATE@%$SSLCERT_STATE%g
s%@SSLCERT_LOCALITY@%$SSLCERT_LOCALITY%g
s%@SSLCERT_ORGNAME@%$SSLCERT_ORGNAME%g
s%@TBOPSEMAIL@%$TBOPSEMAIL%g
s%@TBOPSEMAIL_NOSLASH@%$TBOPSEMAIL_NOSLASH%g
s%@TBLOGSEMAIL@%$TBLOGSEMAIL%g
......
......@@ -78,6 +78,10 @@ AC_SUBST(PUBLIC_ROUTER)
AC_SUBST(PUBLIC_NETMASK)
AC_SUBST(DHCPD_DYNRANGE)
AC_SUBST(DHCPD_CONTROLNET_DECL)
AC_SUBST(SSLCERT_COUNTRY)
AC_SUBST(SSLCERT_STATE)
AC_SUBST(SSLCERT_LOCALITY)
AC_SUBST(SSLCERT_ORGNAME)
#
# Offer both versions of the email addresses that have the @ escaped
......@@ -126,6 +130,15 @@ LINKTEST_NSPATH="/share/linktest-ns"
BOSSEVENTPORT=2927
UNIFIED_BOSS_AND_OPS=0
#
# SSL Certificate stuff. Used to customize config files in ssl directory.
# Note that OrganizationalUnit is set in the cnf file.
# CommonName is typically set to BOSSNODE and emailAddress to TBOPSEMAIL
#
SSLCERT_COUNTRY="US"
SSLCERT_STATE="Utah"
SSLCERT_LOCALITY="Salt Lake City"
SSLCERT_ORGNAME="Utah Network Testbed"
#
# Network config stuff. Obviously, this needs to be localized, but there are
# too many defs files too worry about right now.
#
......@@ -477,7 +490,6 @@ esac]
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
ssl/GNUmakefile ssl/mksig \
ssl/ca.cnf ssl/ctrlnode.cnf \
capture/GNUmakefile \
db/GNUmakefile db/nalloc db/nfree db/if2port db/backup \
db/webcontrol db/node_status db/genelists db/genelists.proxy \
......
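Review bot: The four new SSLCERT_* defaults (and the identical block added to the defs file further down) are substituted by the raw sed script autoconf emits for AC_SUBST, visible in the configure hunk as `s%@SSLCERT_ORGNAME@%$SSLCERT_ORGNAME%g`, so a localized value containing `%`, `&` or `\` corrupts the substitution instead of failing, and an `&` in an organisation name silently re-inserts the `@SSLCERT_ORGNAME@` token into every cnf file. SSLCERT_COUNTRY must also be exactly two characters, since openssl req rejects a countryName of any other length, and that only surfaces later when make runs in ssl/. A comment on the block stating both constraints would do, e.g. `# SSLCERT_COUNTRY is a 2-letter code; values must not contain %, & or \ (sed substitution)`, or a shell `case` check in configure.in that aborts on a bad value. The defaults themselves are fine.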
......@@ -35,6 +35,15 @@ THISHOMEBASE=Emulab.Net
PLABSUPPORT=1
PLAB_ROOTBALL="plabroot-10.tar.bz2"
#
# SSL Certificate stuff. Used to customize config files in ssl directory.
# Note that OrganizationalUnit is set in the cnf file.
# CommonName is typically set to BOSSNODE and emailAddress to TBOPSEMAIL
#
SSLCERT_COUNTRY="US"
SSLCERT_STATE="Utah"
SSLCERT_LOCALITY="Salt Lake City"
SSLCERT_ORGNAME="Utah Network Testbed"
#
# Network config stuff. Used to generate initial named and dhcpd config files.
#
BOSSNODE_IP=155.98.32.70
......
......@@ -16,7 +16,7 @@ all: emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
keys mksig
remote-site: emulab.pem capture.pem capture.fingerprint server.pem \
localnode.pem capture.sha1fingerprint
localnode.pem capture.sha1fingerprint apache.pem
include $(TESTBED_SRCDIR)/GNUmakerules
......@@ -62,6 +62,32 @@ server.pem: dirsmade server.cnf ca.cnf
cat server_key.pem server_cert.pem > server.pem
rm -f newreq.pem
apache.pem: dirsmade apache.cnf ca.cnf
#
# Create the server side private key and certificate request.
#
openssl req -new -config apache.cnf \
-keyout apache_key.pem -out apache_req.pem
#
# Combine key and cert request.
#
cat apache_key.pem apache_req.pem > newreq.pem
#
# Sign the apache cert request, creating a apache certificate.
#
openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
-out apache_cert.pem \
-cert cacert.pem -keyfile cakey.pem \
-infiles newreq.pem
#
# Combine the key and the certificate into one file. This file is
# is not actually installed though; the separate files will be
# installed into the apache cert/key directories by install/boss-install
# when the boss node is created.
#
cat apache_key.pem apache_cert.pem > apache.pem
rm -f newreq.pem
capture.pem: dirsmade capture.cnf ca.cnf
#
# Create the server side private key and certificate request.
......@@ -167,7 +193,7 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/capture.pem \
$(INSTALL_ETCDIR)/emulab_privkey.pem \
$(INSTALL_ETCDIR)/emulab_pubkey.pem
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
......@@ -188,7 +214,7 @@ remote-site-boss-install: install-dirs \
$(INSTALL_ETCDIR)/capture.sha1fingerprint \
$(INSTALL_ETCDIR)/ctrlnode.pem \
$(INSTALL_ETCDIR)/server.pem
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
......@@ -219,7 +245,7 @@ tipserv-install: $(INSTALL_SBINDIR)/capture.pem
usercert-install: install-dirs
-mkdir -p $(INSTALL_LIBDIR)/ssl
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
clean:
@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"
......
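Review bot: The new apache.pem recipe writes its request to the shared scratch name `newreq.pem`, the same file the server.pem rule just above creates and removes, so a parallel build of remote-site can sign the wrong request or fail on a file another rule already deleted; since `openssl ca -infiles` only needs the request, `-infiles apache_req.pem` lets the `cat apache_key.pem apache_req.pem > newreq.pem` and `rm -f newreq.pem` lines go. The private key is written unencrypted (apache.cnf sets encrypt_key = no) with whatever umask make inherits, so `chmod 600 apache_key.pem` right after the `openssl req` line keeps it from sitting world-readable in the build tree until boss-install copies it. Note also that apache.pem was added to remote-site but, as far as the visible `all:` line shows, not to all, and that the rule's target is apache.pem while the files the comment says are actually installed are apache_key.pem and apache_cert.pem, which Make cannot track as outputs of this rule.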
[ req ]
prompt = no
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Server
# The apache server wants the CommonName (CN) to match what we set "ServerName"
# to in apache/http.conf.in (in the SSL section).
CN = www.@OURDOMAIN@
emailAddress = @TBOPSEMAIL@
[ req_attributes ]
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
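Review bot: The `[ v3_ca ]` section ends with `basicConstraints = CA:true`, which is wrong for a server certificate: the GNUmakefile signs apache_req.pem with `openssl ca` under ca.cnf, so `x509_extensions` here is only consulted if someone generates the cert with `openssl req -x509` (the self-signed path the commit message describes), and that path would mark the apache certificate as a CA, letting its key issue further certificates that any client trusting it accepts. Change it to `basicConstraints = CA:FALSE` and add `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` so both paths yield a proper leaf certificate. `default_bits = 1024` mirrors the sibling cnf files but is below current guidance of 2048 bits; if it is kept for consistency, a comment saying so helps the next person who localizes the file.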
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Capture Server
# capture uses CN for verification.
CN = @BOSSNODE@
......
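Review bot: The substituted `C`, `ST`, `L` and `O` lines now take whatever the site puts in its defs file, but the unchanged `string_mask = nombstr` above them limits the DN to PrintableString and T61String, so a localized organisation or locality name with non-ASCII characters is encoded as a T61String, which clients decode inconsistently and which can make the issuer/subject names differ between tools that compare them. A comment next to string_mask, e.g. `# nombstr: keep the SSLCERT_* values in defs to plain ASCII (PrintableString)`, or switching to `string_mask = utf8only`, addresses it. The same applies to the identical hunks in the other cnf files of this commit (the seven that follow, usercert.cnf, and the new apache.cnf).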
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = controlnode
CN = @BOSSNODE@
......
......@@ -10,10 +10,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Certificate Authority
CN = @BOSSNODE@
emailAddress = @TBOPSEMAIL@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pclocal
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pcplab
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pcwa
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pcron
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Server
# tmcc uses CN for verification.
CN = @BOSSNODE@
......
......@@ -18,7 +18,7 @@ basicConstraints = CA:true
# This will be appended to by mkusercert.
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@