#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2010 University of Utah and the Flux Group.
# All rights reserved.
#

# Paths filled in by configure (the @...@ tokens are substitution
# placeholders in this .in template).
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
OBJDIR		= ..
SUBDIR		= ssl

# Makeconf is not part of this file.  INSTALL_DIR, INSTALL_ETCDIR,
# INSTALL_LIBDIR, INSTALL_SBINDIR, INSTALL_DATA and CLIENT_ETCDIR are used by
# the install rules below but never assigned here, so they presumably come
# from it -- check the file mode INSTALL_DATA applies before relying on it
# for key material.
include $(OBJDIR)/Makeconf

# Aggregate goals.  Each one only lists prerequisites and has no recipe.
# mksig and updatecert have no rule in this file and presumably come from
# GNUmakerules.  Prerequisite order is kept exactly as written: the signing
# rules all work on the same CA files, so in a serial build the order decides
# which certificate is issued first (assuming ca.cnf points at the serial
# file that dirsmade creates -- ca.cnf is not shown here).

# Default goal.
all:	emulab.pem \
	server.pem \
	localnode.pem \
	ronnode.pem \
	pcwa.pem \
	ctrlnode.pem \
	capture.pem \
	capture.fingerprint \
	capture.sha1fingerprint \
	keys \
	mksig \
	jabber.pem \
	updatecert

# Certificates for a remote site; unlike `all` this includes the two apache
# bundles.
remote-site:	emulab.pem \
	capture.pem \
	capture.fingerprint \
	server.pem \
	localnode.pem \
	capture.sha1fingerprint \
	apache.pem \
	apache-ops.pem \
	ctrlnode.pem \
	jabber.pem \
	updatecert

# Clearinghouse: only the CA and the main web server bundle.
clearinghouse:	emulab.pem \
	apache.pem

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# NOTE(review): no rule in this file builds client.pem; the install rules
# copy localnode.pem to a file of that name instead.  Confirm that
# GNUmakerules supplies a rule, otherwise this goal cannot complete.
pems:	emulab.pem server.pem client.pem

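# Create the Certificate Authority: a self-signed certificate and its private
# key, valid for 2000 days, with the remaining settings taken from
# emulab.cnf.  cacert.pem/cakey.pem are what the signing rules in this file
# pass to `openssl ca`; emulab.pem/emulab.key are copies of the same two
# files.  Whether the key is passphrase-protected depends on emulab.cnf,
# which is not shown here.
#
# The final chmod makes both copies of the CA private key owner-only in the
# build tree, the same 600 mode the install rules give the installed
# emulab.key.  Without it their mode is left to the ambient umask and to the
# OpenSSL version in use.
emulab.pem:	dirsmade emulab.cnf
	#
	# Create the Certificate Authority.
	# The certificate (no key!) is installed on both boss and remote nodes.
	#
	openssl req -new -x509 -days 2000 -config emulab.cnf \
		    -keyout cakey.pem -out cacert.pem
	cp cacert.pem emulab.pem
	cp cakey.pem emulab.key
	chmod 600 cakey.pem emulab.key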

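# server.pem: a new private key plus a certificate for it, signed by the
# local CA (cacert.pem/cakey.pem) under the policy_match policy of ca.cnf.
#
# Files that hold the private key (server_key.pem, newreq.pem, server.pem)
# are created under umask 077, so newly created copies in the build tree are
# owner-only; the install rules restrict only the installed copy.  newreq.pem
# contains the key as well as the request, so it is removed when signing
# fails and not only on success.
#
# newreq.pem is one fixed name shared by every signing rule in this file, so
# these rules are not safe to run concurrently (make -j).
server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	umask 077 && openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	#
	# Combine key and cert request.
	#
	umask 077 && cat server_key.pem server_req.pem > newreq.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles newreq.pem || { rm -f newreq.pem; exit 1; }
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	#
	umask 077 && cat server_key.pem server_cert.pem > server.pem
	rm -f newreq.pem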

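#
# This is for the main web server on boss.
#
# A new private key plus a certificate for it, signed by the local CA under
# the policy_sslxmlrpc policy of ca.cnf.
#
# Files that hold the private key (apache_key.pem, newreq.pem, apache.pem)
# are created under umask 077, so newly created copies in the build tree are
# owner-only.  newreq.pem contains the key as well as the request, so it is
# removed when signing fails and not only on success.
#
# newreq.pem is one fixed name shared by every signing rule in this file, so
# these rules are not safe to run concurrently (make -j).
#
apache.pem:	dirsmade apache.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	umask 077 && openssl req -new -config apache.cnf \
		-keyout apache_key.pem -out apache_req.pem
	#
	# Combine key and cert request.
	#
	umask 077 && cat apache_key.pem apache_req.pem > newreq.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles newreq.pem || { rm -f newreq.pem; exit 1; }
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	umask 077 && cat apache_key.pem apache_cert.pem > apache.pem
	rm -f newreq.pem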

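#
# This is for the secondary web server on users.
#
# A new private key plus a certificate for it, signed by the local CA under
# the policy_sslxmlrpc policy of ca.cnf.  The request settings come from
# apache2.cnf, although the output files are named apache-ops_*.
#
# Files that hold the private key (apache-ops_key.pem, newreq.pem,
# apache-ops.pem) are created under umask 077, so newly created copies in the
# build tree are owner-only.  newreq.pem contains the key as well as the
# request, so it is removed when signing fails and not only on success.
#
# newreq.pem is one fixed name shared by every signing rule in this file, so
# these rules are not safe to run concurrently (make -j).
#
apache-ops.pem:	dirsmade apache2.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	umask 077 && openssl req -new -config apache2.cnf \
		-keyout apache-ops_key.pem -out apache-ops_req.pem
	#
	# Combine key and cert request.
	#
	umask 077 && cat apache-ops_key.pem apache-ops_req.pem > newreq.pem
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache-ops_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles newreq.pem || { rm -f newreq.pem; exit 1; }
	#
	# Combine the key and the certificate into one file. This file is
	# not actually installed though; the separate files will be
	# installed into the apache cert/key directories by install/boss-install
	# when the boss node is created.
	#
	umask 077 && cat apache-ops_key.pem apache-ops_cert.pem > apache-ops.pem
	rm -f newreq.pem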

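# capture.pem: a new private key plus a certificate for it, signed by the
# local CA (cacert.pem/cakey.pem) under the policy_match policy of ca.cnf.
#
# Files that hold the private key (capture_key.pem, newreq.pem, capture.pem)
# are created under umask 077, so newly created copies in the build tree are
# owner-only; the install rules restrict only the installed copy.  newreq.pem
# contains the key as well as the request, so it is removed when signing
# fails and not only on success.
#
# newreq.pem is one fixed name shared by every signing rule in this file, so
# these rules are not safe to run concurrently (make -j).
capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	umask 077 && openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	#
	# Combine key and cert request.
	#
	umask 077 && cat capture_key.pem capture_req.pem > newreq.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles newreq.pem || { rm -f newreq.pem; exit 1; }
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture.
	#
	umask 077 && cat capture_key.pem capture_cert.pem > capture.pem
	rm -f newreq.pem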

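# jabber.pem: a new private key plus a certificate for it, signed by the
# local CA (cacert.pem/cakey.pem) under the policy_sslxmlrpc policy of
# ca.cnf.
#
# Files that hold the private key (jabber_key.pem, newreq.pem, jabber.pem)
# are created under umask 077, so newly created copies in the build tree are
# owner-only.  newreq.pem contains the key as well as the request, so it is
# removed when signing fails and not only on success.
#
# newreq.pem is one fixed name shared by every signing rule in this file, so
# these rules are not safe to run concurrently (make -j).
#
# NOTE(review): the last in-recipe comment says the bundle is used by tmcd,
# word for word as in the server.pem rule; it looks copied -- confirm what
# actually consumes jabber.pem.
jabber.pem:	dirsmade jabber.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	umask 077 && openssl req -new -config jabber.cnf \
		-keyout jabber_key.pem -out jabber_req.pem
	#
	# Combine key and cert request.
	#
	umask 077 && cat jabber_key.pem jabber_req.pem > newreq.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out jabber_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles newreq.pem || { rm -f newreq.pem; exit 1; }
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	#
	umask 077 && cat jabber_key.pem jabber_cert.pem > jabber.pem
	rm -f newreq.pem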

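#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
# The output goes to a temporary name first and is renamed only after openssl
# succeeds.  Redirecting straight into the target would leave an empty
# fingerprint file behind on failure, and because that file is newer than
# capture.pem the next run would treat it as up to date.
#
# NOTE(review): `-sha` asks for the legacy SHA digest; newer OpenSSL releases
# may no longer accept it -- confirm against the OpenSSL version in use.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in capture.pem > $@.tmp
	mv -f $@.tmp $@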

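# SHA-1 fingerprint of the capture certificate.
#
# The output goes to a temporary name first and is renamed only after openssl
# succeeds.  Redirecting straight into the target would leave an empty
# fingerprint file behind on failure, and because that file is newer than
# capture.pem the next run would treat it as up to date.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in capture.pem > $@.tmp
	mv -f $@.tmp $@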

# Client certificates.  Every one is produced by running mkclient.sh with the
# certificate's base name as its only argument; what the script writes, and
# with which file modes, cannot be seen from this file.
client_pems = localnode.pem ctrlnode.pem ronnode.pem pcplab.pem pcwa.pem

# $* is the stem, i.e. the target name without ".pem".
$(client_pems): %.pem: dirsmade %.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $*

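# Signing key pair; the `keys` goal builds both halves.
keys:		emulab_privkey.pem emulab_pubkey.pem

# The private key is written under umask 077 so a newly created file is
# owner-only in the build tree; the boss install rule restricts only the
# installed copy.  -des3 encrypts the key, so openssl asks for a passphrase.
#
# NOTE(review): no key length is given, so genrsa falls back to the default
# of whichever OpenSSL is installed -- consider stating one explicitly.
emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	#
	umask 077 && openssl genrsa -out emulab_privkey.pem -des3

# The public half is derived from the private key; reading the key prompts
# for its passphrase again.
emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract a pubkey from the privkey
	#
	openssl rsa -in emulab_privkey.pem -pubout -out emulab_pubkey.pem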

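# One-time setup of the CA working area in the build directory.  `dirsmade`
# is a stamp file: once it exists this recipe does not run again.
#
# The serial counter is only created when it is missing.  Writing "01"
# unconditionally would rewind the counter if the stamp were ever deleted
# while index.txt and the issued certificates were still present, so later
# certificates would repeat serial numbers already handed out.
#
# The leading "-" on the mkdir lines (errors ignored) is kept from the
# original.
dirsmade:
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	test -e serial || echo "01" > serial
	touch index.txt
	touch dirsmade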

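# Create the installed CA directory layout under $(INSTALL_DIR)/ssl and
# $(INSTALL_LIBDIR)/ssl.  `install-dirs` is a stamp file in the build
# directory, so this recipe runs once per build tree, not once per
# installation.
#
# The installed serial counter is only created when it is missing.  A fresh
# build tree has no stamp, so writing "01" unconditionally would rewind the
# counter of an installation that has already issued certificates, and later
# certificates would repeat serial numbers already handed out.
#
# The leading "-" on the mkdir/chmod lines (errors ignored) is kept from the
# original.
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	test -e $(INSTALL_DIR)/ssl/serial || echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch install-dirs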

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# `install` itself copies no certificate or key: it sets up the directory
# layout, installs mksig and prints the warning.  Certificates are installed
# only by the explicitly named *-install goals further down.
#
install:	install-dirs \
		$(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

# Install the boss-side certificates, keys and fingerprints, then set their
# modes.  The $(INSTALL_ETCDIR)/... and $(INSTALL_SBINDIR)/... prerequisites
# have no rule in this file and are presumably installed by pattern rules in
# GNUmakerules.  localnode.pem is installed under the name client.pem.
#
# NOTE(review): each file is installed first and restricted afterwards, so in
# between it carries whatever mode the install step assigns.  INSTALL_DATA is
# defined outside this file -- confirm that mode is not world-readable for
# the key-bearing files.
# NOTE(review): emulab_privkey.pem ends up 640 while the CA key emulab.key
# ends up 600 -- confirm that group read on the signing key is intended.
boss-installX:	$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/pcplab.pem \
		$(INSTALL_ETCDIR)/pcwa.pem \
		$(INSTALL_ETCDIR)/ronnode.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/pcplab.pem
	chmod 640 $(INSTALL_ETCDIR)/pcwa.pem
	chmod 640 $(INSTALL_ETCDIR)/ronnode.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem

# Copy the three OpenSSL configuration files into $(INSTALL_LIBDIR)/ssl.
# The recipe creates no file called install-conf, so it runs every time a
# goal that lists it is built (unless a file of that name happens to exist).
# The recipe does not create $(INSTALL_LIBDIR)/ssl itself; install-dirs and
# usercert-install are the rules in this file that do.
install-conf:	usercert.cnf syscert.cnf ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) syscert.cnf $(INSTALL_LIBDIR)/ssl/syscert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf

# Boss install for a remote site: the CA certificate and key, the capture
# bundle with both fingerprints, the ctrlnode and server bundles, updatecert
# and the OpenSSL configuration files.  localnode.pem is installed under the
# name client.pem.  The $(INSTALL_ETCDIR)/... and $(INSTALL_SBINDIR)/...
# prerequisites have no rule in this file and are presumably installed by
# pattern rules in GNUmakerules.
#
# NOTE(review): each file is installed first and restricted afterwards, so in
# between it carries whatever mode the install step assigns.  INSTALL_DATA is
# defined outside this file -- confirm that mode is not world-readable for
# the key-bearing files.
remote-site-boss-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/server.pem

# Client-side install: the client bundle (localnode.pem, installed as
# client.pem), the CA certificate and the public signing key, all placed
# under $(DESTDIR)$(CLIENT_ETCDIR).  The rule has no prerequisites, so the
# three source files must already exist in the build directory.
#
# NOTE(review): every other rule in this file that installs client.pem
# follows it with chmod 640; this one does not, so the file keeps whatever
# mode INSTALL_DATA assigns.  If localnode.pem carries a private key (it is
# produced by mkclient.sh, not shown here), confirm that mode is acceptable
# on client nodes.
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem

# Control-node install: the capture bundle and the CA certificate, with
# ctrlnode.pem installed under the name client.pem.  The two
# $(INSTALL_ETCDIR)/... prerequisites have no rule in this file and are
# presumably installed by pattern rules in GNUmakerules.
#
# NOTE(review): each file is installed first and restricted afterwards, so in
# between it carries whatever mode the install step assigns (INSTALL_DATA is
# defined outside this file).
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem

# Clearinghouse install: directory layout, the CA certificate and key, and
# the OpenSSL configuration files.  The two $(INSTALL_ETCDIR)/...
# prerequisites have no rule in this file and are presumably installed by
# pattern rules in GNUmakerules; the recipe only sets their modes.
# The CA private key is made owner-only (600); the certificate is 640.
# NOTE(review): the modes are applied after the files are installed, so
# emulab.key briefly carries whatever mode the install step gives it.
clearinghouse-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		install-conf
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key

# Tip-server install: capture.pem goes into $(INSTALL_SBINDIR) here, not
# $(INSTALL_ETCDIR) as in the other install rules.  The prerequisite has no
# rule in this file and is presumably installed by a pattern rule in
# GNUmakerules; the recipe only restricts the installed bundle to 640.
tipserv-install:	$(INSTALL_SBINDIR)/capture.pem
	chmod 640 $(INSTALL_SBINDIR)/capture.pem

# Install only the configuration needed to issue user certificates: ca.cnf
# and usercert.cnf, placed in $(INSTALL_LIBDIR)/ssl.  The directory is
# created here as well as by install-dirs, presumably so that a stale
# install-dirs stamp cannot leave it missing.  The leading "-" on mkdir
# (errors ignored) is kept from the original.
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf

# `clean` is deliberately a no-op that only prints a warning, so a routine
# tree-wide clean cannot throw away the CA.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

# The real clean.  Removes every *.pem (which includes cakey.pem and all
# issued bundles), the CA database files, the dirsmade stamp, the *.cnf files
# and the newcerts/certs directories.
#
# NOTE(review): emulab.key, the copy of the CA private key made by the
# emulab.pem rule, matches none of these patterns and is left in the build
# directory, as are the crl directory and the two capture fingerprint files.
# Confirm whether leaving the key copy behind is intended.
cleanX:
	rm -f *.pem serial index.txt *.old dirsmade *.cnf
	rm -rf newcerts certs