#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#

# Source-tree locations and the event-system setting. The @...@ placeholders
# are presumably substituted by configure when this GNUmakefile.in is
# instantiated -- confirm against the configure script.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
# OBJDIR is the directory Makeconf is included from; SUBDIR names this
# directory.
OBJDIR		= ..
SUBDIR		= ssl

include $(OBJDIR)/Makeconf

# Default goal: the CA, the service and node certificates, the capture
# fingerprints, the signing key pair and mksig. No rule for mksig is visible
# in this file; presumably an included makefile provides it.
# The prerequisite order is kept as is: in a serial build it decides the
# order in which certificates are signed.
all:	emulab.pem server.pem localnode.pem ronnode.pem \
	pcwa.pem ctrlnode.pem \
	capture.pem capture.fingerprint capture.sha1fingerprint \
	keys mksig jabber.pem

# Certificate set for a remote site. Compared with "all" it adds the two
# apache certificates and leaves out the ronnode/pcwa certificates, the
# signing keys and mksig. Prerequisite order is unchanged.
remote-site:	emulab.pem capture.pem capture.fingerprint \
	server.pem localnode.pem capture.sha1fingerprint \
	apache.pem apache-ops.pem \
	ctrlnode.pem jabber.pem

include $(TESTBED_SRCDIR)/GNUmakerules

#
# WARNING: do not run these targets unless you are sure you know what you
# are doing, and above all do not install what they produce unless you are
# very sure. They regenerate the CA; every client breaks when the CA
# changes out from under it.
#
# NOTE(review): no rule that builds client.pem is visible in this file (the
# install targets copy localnode.pem or ctrlnode.pem to client.pem) --
# confirm whether this prerequisite is stale.
#
pems:	emulab.pem server.pem client.pem

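#
# Create the Certificate Authority: a self-signed certificate (cacert.pem,
# copied to emulab.pem) and its private key (cakey.pem, copied to
# emulab.key). The certificate (no key!) is installed on both boss and
# remote nodes.
#
# Both key files are forced to mode 600, so the CA key is not left readable
# by other local users when the build runs under a permissive umask. Every
# "openssl ca" call in this file signs with cakey.pem.
# NOTE(review): whether the key is passphrase-protected is decided by
# emulab.cnf, which is not visible here -- confirm.
#
# emulab.pem is written last, so the target only exists once the key copy
# has succeeded too.
#
emulab.pem:	dirsmade emulab.cnf
	openssl req -new -x509 -days 2000 -config emulab.cnf \
		    -keyout cakey.pem -out cacert.pem
	chmod 600 cakey.pem
	cp cakey.pem emulab.key
	chmod 600 emulab.key
	cp cacert.pem $@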

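#
# Server certificate, installed on boss and used by tmcd.
#
#  1. Create the server side private key and certificate request.
#  2. Sign the request with the CA, creating the server certificate.
#  3. Combine key and certificate into server.pem.
#
# The request file is passed to "openssl ca" directly instead of going
# through a key+request scratch file with the fixed name newreq.pem: signing
# needs only the request, a fixed scratch name collides as soon as two
# signing rules run at once, and the scratch copy of the private key was
# left behind whenever signing failed.
#
# NOTE(review): "openssl ca" presumably updates the serial/index.txt files
# created by the dirsmade rule, so signing rules should still not run in
# parallel -- confirm against ca.cnf.
# NOTE(review): server_key.pem and server.pem contain the private key and
# get the invoking user's umask; consider building under a restrictive one.
#
server.pem:	dirsmade server.cnf ca.cnf
	openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles server_req.pem
	cat server_key.pem server_cert.pem > $@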

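#
# This is for the main web server on boss.
#
#  1. Create the server side private key and certificate request.
#  2. Sign the request with the CA, creating the apache certificate.
#  3. Combine key and certificate into apache.pem. That combined file is
#     not actually installed; the separate key and certificate files are
#     installed into the apache cert/key directories by install/boss-install
#     when the boss node is created.
#
# The request file is passed to "openssl ca" directly instead of going
# through a key+request scratch file with the fixed name newreq.pem: signing
# needs only the request, a fixed scratch name collides as soon as two
# signing rules run at once, and the scratch copy of the private key was
# left behind whenever signing failed.
#
# NOTE(review): apache_key.pem and apache.pem contain the private key and
# get the invoking user's umask; consider building under a restrictive one.
#
apache.pem:	dirsmade apache.cnf ca.cnf
	openssl req -new -config apache.cnf \
		-keyout apache_key.pem -out apache_req.pem
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache_req.pem
	cat apache_key.pem apache_cert.pem > $@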

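#
# This is for the secondary web server on users.
#
#  1. Create the server side private key and certificate request (the
#     request settings come from apache2.cnf).
#  2. Sign the request with the CA, creating the apache certificate.
#  3. Combine key and certificate into apache-ops.pem. That combined file
#     is not actually installed; the separate key and certificate files are
#     installed into the apache cert/key directories by install/boss-install
#     when the boss node is created.
#
# The request file is passed to "openssl ca" directly instead of going
# through a key+request scratch file with the fixed name newreq.pem: signing
# needs only the request, a fixed scratch name collides as soon as two
# signing rules run at once, and the scratch copy of the private key was
# left behind whenever signing failed.
#
# NOTE(review): apache-ops_key.pem and apache-ops.pem contain the private
# key and get the invoking user's umask; consider a restrictive one.
#
apache-ops.pem:	dirsmade apache2.cnf ca.cnf
	openssl req -new -config apache2.cnf \
		-keyout apache-ops_key.pem -out apache-ops_req.pem
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache-ops_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles apache-ops_req.pem
	cat apache-ops_key.pem apache-ops_cert.pem > $@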

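#
# Certificate for capture, installed on boss.
#
#  1. Create the server side private key and certificate request.
#  2. Sign the request with the CA, creating the capture certificate.
#  3. Combine key and certificate into capture.pem.
#
# The request file is passed to "openssl ca" directly instead of going
# through a key+request scratch file with the fixed name newreq.pem: signing
# needs only the request, a fixed scratch name collides as soon as two
# signing rules run at once, and the scratch copy of the private key was
# left behind whenever signing failed.
#
# NOTE(review): capture_key.pem and capture.pem contain the private key and
# get the invoking user's umask; consider building under a restrictive one.
#
capture.pem:	dirsmade capture.cnf ca.cnf
	openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles capture_req.pem
	cat capture_key.pem capture_cert.pem > $@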

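#
# Jabber certificate.
#
#  1. Create the server side private key and certificate request.
#  2. Sign the request with the CA, creating the certificate.
#  3. Combine key and certificate into jabber.pem.
# NOTE(review): the earlier comment here said the combined file is
# "installed on boss and used by tmcd", which reads like a copy of the
# server.pem text -- confirm the real consumer.
#
# The request file is passed to "openssl ca" directly instead of going
# through a key+request scratch file with the fixed name newreq.pem: signing
# needs only the request, a fixed scratch name collides as soon as two
# signing rules run at once, and the scratch copy of the private key was
# left behind whenever signing failed.
#
# NOTE(review): jabber_key.pem and jabber.pem contain the private key and
# get the invoking user's umask; consider building under a restrictive one.
#
jabber.pem:	dirsmade jabber.cnf ca.cnf
	openssl req -new -config jabber.cnf \
		-keyout jabber_key.pem -out jabber_req.pem
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out jabber_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles jabber_req.pem
	cat jabber_key.pem jabber_cert.pem > $@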

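#
# Generate the fingerprint of the capture certificate.
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA.
# NOTE(review): "-sha" selects OpenSSL's legacy "SHA" digest (presumably
# SHA-0), which newer OpenSSL releases no longer provide; on such a system
# this command fails.
#
# The output goes to a temporary file that is renamed into place only on
# success. Redirecting straight into the target would leave an empty
# fingerprint file behind when openssl fails, and make (and a later
# install) would treat that file as up to date.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in $< > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@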

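#
# SHA1 fingerprint of the capture certificate.
#
# The output goes to a temporary file that is renamed into place only on
# success. Redirecting straight into the target would leave an empty
# fingerprint file behind when openssl fails, and make (and a later
# install) would treat that file as up to date.
#
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in $< > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@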

#
# Client certificates, one per node class. Each is produced by mkclient.sh,
# which is handed the target's base name (the target without ".pem"). What
# the script does with it is not visible in this file.
# One static pattern rule stands in for five otherwise identical rules;
# $* is the stem, e.g. "localnode" for localnode.pem.
#
localnode.pem ctrlnode.pem ronnode.pem pcplab.pem pcwa.pem: %.pem: \
		dirsmade %.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $*

# Convenience target: the signing key pair (the private key and the public
# key extracted from it).
keys:		emulab_privkey.pem emulab_pubkey.pem

# Private signing key, encrypted with -des3; no passphrase source is given
# on the command line, so openssl asks for one.
# NOTE(review): no key size is passed, so the OpenSSL build's default
# applies; old releases default to a size far below current minimums.
# Confirm, or pass an explicit size as the final argument.
emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	#
	openssl genrsa -out $@ -des3

# Public half of the signing key; $< is emulab_privkey.pem and $@ is
# emulab_pubkey.pem.
emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract a pubkey from the privkey
	#
	openssl rsa -in $< -pubout -out $@

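#
# One-time setup of the CA working area in the build directory: the certs,
# newcerts and crl directories plus the serial and index.txt files
# (presumably the database ca.cnf points "openssl ca" at -- confirm).
# "dirsmade" is a stamp file recording that this has been done.
#
# serial is seeded only when it does not exist yet. If the stamp is lost
# while index.txt survives, resetting serial to 01 would make the CA reuse
# serial numbers it has already issued.
#
dirsmade:
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	test -f serial || echo "01" > serial
	touch index.txt
	touch $@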

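#
# Create the installed CA area under $(INSTALL_DIR)/ssl (mode 770, with
# newcerts at 775) and $(INSTALL_LIBDIR)/ssl, and seed its serial and
# index.txt files. "install-dirs" is a stamp file in the build directory.
#
# serial is seeded only when it does not exist yet. The stamp lives in the
# build directory, so a fresh object tree re-runs this recipe against an
# install directory that may already hold a live serial; overwriting it
# with 01 would make the installed CA reuse serial numbers it has already
# issued.
#
# NOTE(review): the leading "-" means a failed chmod is ignored and the
# directory keeps whatever mode it had -- confirm that is intended.
#
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	test -f $(INSTALL_DIR)/ssl/serial || \
		echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch $@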

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# "install" only depends on the directory setup and on mksig and then
# prints a warning; its own recipe installs no certificate or key.
#
install:	install-dirs \
		$(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

#
# Install the CA, the certificates and the signing keys into
# $(INSTALL_ETCDIR) on boss, plus ca.cnf and usercert.cnf into
# $(INSTALL_LIBDIR)/ssl. localnode.pem is installed as client.pem.
# The trailing X in the target name presumably keeps it from being run by
# accident -- confirm.
#
# Modes after install: emulab.key 600, the two fingerprints 644, all other
# files listed below 640 (emulab_pubkey.pem keeps its installed mode).
#
# NOTE(review): the files under $(INSTALL_ETCDIR) are installed by rules
# that are not visible here and only tightened afterwards; if the install
# mode is world-readable, the keys are briefly exposed -- confirm against
# Makeconf/GNUmakerules.
#
boss-installX:	$(addprefix $(INSTALL_ETCDIR)/, \
			emulab.pem emulab.key server.pem pcplab.pem pcwa.pem \
			ronnode.pem ctrlnode.pem capture.pem \
			capture.fingerprint capture.sha1fingerprint \
			emulab_privkey.pem emulab_pubkey.pem) \
		usercert.cnf syscert.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(addprefix $(INSTALL_ETCDIR)/, \
		emulab.pem server.pem client.pem pcplab.pem ronnode.pem \
		ctrlnode.pem pcwa.pem emulab_privkey.pem capture.pem)
	chmod 644 $(addprefix $(INSTALL_ETCDIR)/, \
		capture.fingerprint capture.sha1fingerprint)

#
# Boss-side install for a remote site: the CA certificate and key, the
# capture, ctrlnode and server certificates and the capture fingerprints
# go to $(INSTALL_ETCDIR); ca.cnf and usercert.cnf go to
# $(INSTALL_LIBDIR)/ssl. localnode.pem is installed as client.pem.
#
# Modes after install: emulab.key 600, the two fingerprints 644, the
# remaining files 640.
#
# NOTE(review): the files under $(INSTALL_ETCDIR) are installed by rules
# that are not visible here and only tightened afterwards; if the install
# mode is world-readable, the keys are briefly exposed -- confirm against
# Makeconf/GNUmakerules.
#
remote-site-boss-install:	install-dirs \
		$(addprefix $(INSTALL_ETCDIR)/, \
			emulab.pem emulab.key capture.pem \
			capture.fingerprint capture.sha1fingerprint \
			ctrlnode.pem server.pem) \
		usercert.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(addprefix $(INSTALL_ETCDIR)/, \
		emulab.pem capture.pem server.pem client.pem ctrlnode.pem)
	chmod 644 $(addprefix $(INSTALL_ETCDIR)/, \
		capture.fingerprint capture.sha1fingerprint)

#
# Install the client-side files under $(DESTDIR)$(CLIENT_ETCDIR):
# localnode.pem (as client.pem), the CA certificate and the public signing
# key.
# NOTE(review): unlike the boss and control installs, nothing here tightens
# the mode of client.pem, so it keeps whatever $(INSTALL_DATA) sets. If
# that file carries the client private key, confirm the mode is
# acceptable.
#
client-install: client_etc = $(DESTDIR)$(CLIENT_ETCDIR)
client-install:
	$(INSTALL_DATA) localnode.pem $(client_etc)/client.pem
	$(INSTALL_DATA) emulab.pem $(client_etc)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem $(client_etc)/emulab_pubkey.pem

#
# Control-node install: capture.pem and emulab.pem arrive through their
# $(INSTALL_ETCDIR) prerequisites, ctrlnode.pem is installed as client.pem,
# and all three end up mode 640.
#
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(addprefix $(INSTALL_ETCDIR)/, \
		capture.pem client.pem emulab.pem)

# Tip-server install: capture.pem is installed into $(INSTALL_SBINDIR) via
# the prerequisite and then restricted to mode 640 ($< is that installed
# file).
tipserv-install:	$(INSTALL_SBINDIR)/capture.pem
	chmod 640 $<

# Install only the OpenSSL configuration files (ca.cnf and usercert.cnf)
# into $(INSTALL_LIBDIR)/ssl; no key or certificate is touched.
usercert-install: ssl_libdir = $(INSTALL_LIBDIR)/ssl
usercert-install:	install-dirs
	-mkdir -p $(ssl_libdir)
	$(INSTALL_DATA) ca.cnf $(ssl_libdir)/ca.cnf
	$(INSTALL_DATA) usercert.cnf $(ssl_libdir)/usercert.cnf

# "clean" removes nothing: it only prints a warning, so a routine
# "make clean" cannot wipe the CA. The cleanX target does the real cleanup.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

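#
# Remove the whole CA working area: every *.pem (keys, requests and
# certificates), the CA database files, the dirsmade stamp, the *.cnf files
# and the working directories.
#
# emulab.key is named explicitly. It is the copy of the CA private key made
# by the emulab.pem rule and is not matched by *.pem, so it would otherwise
# survive a cleanup. The crl directory is removed with the other two
# directories that the dirsmade rule creates.
#
# NOTE(review): *.cnf are presumably generated files, not sources --
# confirm before relying on this target.
#
cleanX:
	rm -f *.pem emulab.key serial index.txt *.old dirsmade *.cnf
	rm -rf newcerts certs crl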