Commit ad3a6c5b authored by Leigh Stoller's avatar Leigh Stoller

Add several configure variables to the defs file so that the ssl certificates

(config files) can be localized:

	C                      = @SSLCERT_COUNTRY@
	ST                     = @SSLCERT_STATE@
	L                      = @SSLCERT_LOCALITY@
	O                      = @SSLCERT_ORGNAME@

Which are initialized locally to:

	SSLCERT_COUNTRY="US"
	SSLCERT_STATE="Utah"
	SSLCERT_LOCALITY="Salt Lake City"
	SSLCERT_ORGNAME="Utah Network Testbed"

Also added an "apache" target which will generate an initial cert/key
for the apache server. This is a self signed certificate of course, which
is fine for getting a new site off the ground. Note that the cert/key are
installed by install/boss-install.
parent 91bd30b2
......@@ -882,6 +882,10 @@ fi
......@@ -934,6 +938,15 @@ LINKTEST_NSPATH="/share/linktest-ns"
BOSSEVENTPORT=2927
UNIFIED_BOSS_AND_OPS=0
#
# SSL Certificate stuff. Used to customize config files in ssl directory.
# Note that OrganizationalUnit is set in the cnf file.
# CommonName is typically set to BOSSNODE and emailAddress to TBOPSEMAIL
#
SSLCERT_COUNTRY="US"
SSLCERT_STATE="Utah"
SSLCERT_LOCALITY="Salt Lake City"
SSLCERT_ORGNAME="Utah Network Testbed"
#
# Network config stuff. Obviously, this needs to be localized, but there are
# too many defs files too worry about right now.
#
......@@ -1376,7 +1389,7 @@ fi
# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
# ./install, which can be erroneously created by make from ./install.sh.
echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
echo "configure:1380: checking for a BSD compatible install" >&5
echo "configure:1393: checking for a BSD compatible install" >&5
if test -z "$INSTALL"; then
if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
......@@ -1438,7 +1451,6 @@ esac
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
ssl/GNUmakefile ssl/mksig \
ssl/ca.cnf ssl/ctrlnode.cnf \
capture/GNUmakefile \
db/GNUmakefile db/nalloc db/nfree db/if2port db/backup \
db/webcontrol db/node_status db/genelists db/genelists.proxy \
......@@ -1769,6 +1781,10 @@ s%@PUBLIC_ROUTER@%$PUBLIC_ROUTER%g
s%@PUBLIC_NETMASK@%$PUBLIC_NETMASK%g
s%@DHCPD_DYNRANGE@%$DHCPD_DYNRANGE%g
s%@DHCPD_CONTROLNET_DECL@%$DHCPD_CONTROLNET_DECL%g
s%@SSLCERT_COUNTRY@%$SSLCERT_COUNTRY%g
s%@SSLCERT_STATE@%$SSLCERT_STATE%g
s%@SSLCERT_LOCALITY@%$SSLCERT_LOCALITY%g
s%@SSLCERT_ORGNAME@%$SSLCERT_ORGNAME%g
s%@TBOPSEMAIL@%$TBOPSEMAIL%g
s%@TBOPSEMAIL_NOSLASH@%$TBOPSEMAIL_NOSLASH%g
s%@TBLOGSEMAIL@%$TBLOGSEMAIL%g
......
......@@ -78,6 +78,10 @@ AC_SUBST(PUBLIC_ROUTER)
AC_SUBST(PUBLIC_NETMASK)
AC_SUBST(DHCPD_DYNRANGE)
AC_SUBST(DHCPD_CONTROLNET_DECL)
AC_SUBST(SSLCERT_COUNTRY)
AC_SUBST(SSLCERT_STATE)
AC_SUBST(SSLCERT_LOCALITY)
AC_SUBST(SSLCERT_ORGNAME)
#
# Offer both versions of the email addresses that have the @ escaped
......@@ -126,6 +130,15 @@ LINKTEST_NSPATH="/share/linktest-ns"
BOSSEVENTPORT=2927
UNIFIED_BOSS_AND_OPS=0
#
# SSL Certificate stuff. Used to customize config files in ssl directory.
# Note that OrganizationalUnit is set in the cnf file.
# CommonName is typically set to BOSSNODE and emailAddress to TBOPSEMAIL
#
SSLCERT_COUNTRY="US"
SSLCERT_STATE="Utah"
SSLCERT_LOCALITY="Salt Lake City"
SSLCERT_ORGNAME="Utah Network Testbed"
#
# Network config stuff. Obviously, this needs to be localized, but there are
# too many defs files too worry about right now.
#
......@@ -477,7 +490,6 @@ esac]
outfiles="$outfiles Makeconf GNUmakefile \
assign/GNUmakefile \
ssl/GNUmakefile ssl/mksig \
ssl/ca.cnf ssl/ctrlnode.cnf \
capture/GNUmakefile \
db/GNUmakefile db/nalloc db/nfree db/if2port db/backup \
db/webcontrol db/node_status db/genelists db/genelists.proxy \
......
......@@ -35,6 +35,15 @@ THISHOMEBASE=Emulab.Net
PLABSUPPORT=1
PLAB_ROOTBALL="plabroot-10.tar.bz2"
#
# SSL Certificate stuff. Used to customize config files in ssl directory.
# Note that OrganizationalUnit is set in the cnf file.
# CommonName is typically set to BOSSNODE and emailAddress to TBOPSEMAIL
#
SSLCERT_COUNTRY="US"
SSLCERT_STATE="Utah"
SSLCERT_LOCALITY="Salt Lake City"
SSLCERT_ORGNAME="Utah Network Testbed"
#
# Network config stuff. Used to generate initial named and dhcpd config files.
#
BOSSNODE_IP=155.98.32.70
......
......@@ -16,7 +16,7 @@ all: emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
keys mksig
remote-site: emulab.pem capture.pem capture.fingerprint server.pem \
localnode.pem capture.sha1fingerprint
localnode.pem capture.sha1fingerprint apache.pem
include $(TESTBED_SRCDIR)/GNUmakerules
......@@ -62,6 +62,32 @@ server.pem: dirsmade server.cnf ca.cnf
cat server_key.pem server_cert.pem > server.pem
rm -f newreq.pem
apache.pem: dirsmade apache.cnf ca.cnf
#
# Create the server side private key and certificate request.
#
openssl req -new -config apache.cnf \
-keyout apache_key.pem -out apache_req.pem
#
# Combine key and cert request.
#
cat apache_key.pem apache_req.pem > newreq.pem
#
# Sign the apache cert request, creating a apache certificate.
#
openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
-out apache_cert.pem \
-cert cacert.pem -keyfile cakey.pem \
-infiles newreq.pem
#
# Combine the key and the certificate into one file. This file is
# is not actually installed though; the separate files will be
# installed into the apache cert/key directories by install/boss-install
# when the boss node is created.
#
cat apache_key.pem apache_cert.pem > apache.pem
rm -f newreq.pem
capture.pem: dirsmade capture.cnf ca.cnf
#
# Create the server side private key and certificate request.
......@@ -167,7 +193,7 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/capture.pem \
$(INSTALL_ETCDIR)/emulab_privkey.pem \
$(INSTALL_ETCDIR)/emulab_pubkey.pem
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
......@@ -188,7 +214,7 @@ remote-site-boss-install: install-dirs \
$(INSTALL_ETCDIR)/capture.sha1fingerprint \
$(INSTALL_ETCDIR)/ctrlnode.pem \
$(INSTALL_ETCDIR)/server.pem
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
......@@ -219,7 +245,7 @@ tipserv-install: $(INSTALL_SBINDIR)/capture.pem
usercert-install: install-dirs
-mkdir -p $(INSTALL_LIBDIR)/ssl
$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
clean:
@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"
......
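Review bot: In the new `apache.pem` recipe, both `cat apache_key.pem apache_req.pem > newreq.pem` and `cat apache_key.pem apache_cert.pem > apache.pem` write the unencrypted private key through a shell redirection, so both files get whatever mode the builder's umask allows. Prefixing those two lines with `umask 077 &&` would keep the key material owner-only from the moment it is created. The recipe also reuses the fixed scratch name `newreq.pem` that the `server.pem` recipe just above writes and removes, and `remote-site` now depends on both targets, so under `make -j` one recipe can sign or delete the other's request; a per-target name such as `apache_newreq.pem` avoids that. The remaining certificate rules start and end outside the visible hunks, so whether they share the same pattern cannot be confirmed from this page.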
[ req ]
prompt = no
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Server
# The apache server wants the CommonName (CN) to match what we set "ServerName"
# to in apache/http.conf.in (in the SSL section).
CN = www.@OURDOMAIN@
emailAddress = @TBOPSEMAIL@
[ req_attributes ]
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
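Review bot: `default_bits = 1024` in `[ req ]` gives the Apache server a 1024-bit key, which is below what current guidance accepts for RSA; `default_bits = 2048` or larger is the change to make. `x509_extensions = v3_ca` combined with `basicConstraints = CA:true` would mark the web server certificate as a CA if this file is ever used with `openssl req -x509`. As far as this page shows, the request is signed through `openssl ca -config ca.cnf`, so the section looks unused here, and a leaf profile with `basicConstraints = CA:false` would be the safer default. With `encrypt_key = no` the key's file permissions are its only protection, which deserves a comment next to that setting.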
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Capture Server
# capture uses CN for verification.
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = controlnode
CN = @BOSSNODE@
......
......@@ -10,10 +10,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Certificate Authority
CN = @BOSSNODE@
emailAddress = @TBOPSEMAIL@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pclocal
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pcplab
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pcwa
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
# tmcd uses OU and CN for verification.
OU = pcron
CN = @BOSSNODE@
......
......@@ -9,10 +9,10 @@ encrypt_key = no
string_mask = nombstr
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@
OU = Server
# tmcc uses CN for verification.
CN = @BOSSNODE@
......
......@@ -18,7 +18,7 @@ basicConstraints = CA:true
# This will be appended to by mkusercert.
[ req_distinguished_name ]
C = US
ST = Utah
L = Salt Lake City
O = Utah Network Testbed
C = @SSLCERT_COUNTRY@
ST = @SSLCERT_STATE@
L = @SSLCERT_LOCALITY@
O = @SSLCERT_ORGNAME@