From 774c6b0e9c9af36d68cb4ba8ac8d317dc0c7a2bf Mon Sep 17 00:00:00 2001 
From: Jan Dittberner
Date: Wed, 23 Dec 2020 22:14:13 +0100
Subject: [PATCH] Add signer configuration
---
 docker-compose.yml | 3 ++
 docker/apache-webdb-foreground | 4 ++
 docker/run-signer | 14 ++++++
 .../signer-config/class3-client-codesign.cnf | 40 +++++++++++++++++
 docker/signer-config/class3-client-org.cnf | 40 +++++++++++++++++
 docker/signer-config/class3-client.cnf | 36 ++++++++-------
 docker/signer-config/class3-ocsp.cnf | 38 ++++++++++++++++
 docker/signer-config/class3-server-org.cnf | 39 ++++++++++++++++
 docker/signer-config/class3-server.cnf | 34 ++++++++++++++
 docker/signer-config/class3-subca.cnf | 33 ++++++++++++++
 docker/signer-config/class3-timestamp.cnf | 38 ++++++++++++++++
 .../signer-config/openssl-client-codesign.cnf | 40 +++++++++++++++++
 docker/signer-config/openssl-client-org.cnf | 40 +++++++++++++++++
 docker/signer-config/openssl-client.cnf | 44 ++++++++++---------
 docker/signer-config/openssl-ocsp.cnf | 38 ++++++++++++++++
 docker/signer-config/openssl-server-org.cnf | 39 ++++++++++++++++
 docker/signer-config/openssl-server.cnf | 34 ++++++++++++++
 docker/signer-config/openssl-subca.cnf | 34 ++++++++++++++
 docker/signer-config/openssl-timestamp.cnf | 38 ++++++++++++++++
 mgr.Dockerfile | 2 +-
 signer.Dockerfile | 7 ++-
 signer_client.Dockerfile | 1 +
 webdb.Dockerfile | 2 +
 23 files changed, 597 insertions(+), 41 deletions(-)
 create mode 100644 docker/signer-config/class3-client-codesign.cnf
 create mode 100644 docker/signer-config/class3-client-org.cnf
 create mode 100644 docker/signer-config/class3-ocsp.cnf
 create mode 100644 docker/signer-config/class3-server-org.cnf
 create mode 100644 docker/signer-config/class3-server.cnf
 create mode 100644 docker/signer-config/class3-subca.cnf
 create mode 100644 docker/signer-config/class3-timestamp.cnf
 create mode 100644 docker/signer-config/openssl-client-codesign.cnf
 create mode 100644 docker/signer-config/openssl-client-org.cnf
 create mode 100644 docker/signer-config/openssl-ocsp.cnf
 create mode 100644 docker/signer-config/openssl-server-org.cnf
 create mode 100644 docker/signer-config/openssl-server.cnf
 create mode 100644 docker/signer-config/openssl-subca.cnf
 create mode 100644 docker/signer-config/openssl-timestamp.cnf
diff --git a/docker-compose.yml b/docker-compose.yml
index 970c42d..bfa4c26 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,6 +39,7 @@ services: MYSQL_WEBDB_DATABASE: cacert CSR_DIRECTORY: /certs/csr CRT_DIRECTORY: /certs/crt + CRL_DIRECTORY: /certs/crl DEFAULT_HOSTNAME: www.cacert.localhost SECURE_HOSTNAME: secure.cacert.localhost TVERIFY_HOSTNAME: tverify.cacert.localhost
@@ -97,6 +98,7 @@ services: MYSQL_WEBDB_DATABASE: cacert CSR_DIRECTORY: /srv/certs/csr CRT_DIRECTORY: /srv/certs/crt + CRL_DIRECTORY: /srv/certs/crl volumes: - certstaging:/srv/certs - signersockets:/srv/sockets
@@ -109,6 +111,7 @@ services: environment: SIGNER_WORKDIR: /srv/ca/work SIGNER_CA_CONFIG: /srv/caconfig + SIGNER_BASEDIR: /srv/ca volumes: - signersockets:/srv/sockets - signerdata:/srv/ca
diff --git a/docker/apache-webdb-foreground b/docker/apache-webdb-foreground
index f83ae5a..052a532 100755
--- a/docker/apache-webdb-foreground
+++ b/docker/apache-webdb-foreground
@@ -8,6 +8,10 @@ cp /usr/local/etc/application/feed.rss /www/pages/index/feed.rss make -C /www/locale +mkdir -p "$CSR_DIRECTORY" "$CRT_DIRECTORY" +chown www-data "$CSR_DIRECTORY" "$CRT_DIRECTORY" +chmod 0755 "$CSR_DIRECTORY" "$CRT_DIRECTORY" + apache2ctl start "$@" exec tail -F --follow=name --retry /var/log/apache2/error.log /var/log/apache2/phperror.log
diff --git a/docker/run-signer b/docker/run-signer
index 95a0487..c977edd 100755
--- a/docker/run-signer
+++ b/docker/run-signer
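Review bot: The new `mkdir`/`chown`/`chmod` lines in apache-webdb-foreground prepare `$CSR_DIRECTORY` and `$CRT_DIRECTORY` but not `$CRL_DIRECTORY`, which the docker-compose.yml hunks in this same commit add to two services' environments; if the application writes or serves CRLs under that path it will fail on a fresh volume. Suggest `mkdir -p "$CSR_DIRECTORY" "$CRT_DIRECTORY" "$CRL_DIRECTORY"` and the same addition on the `chown` and `chmod` lines. None of the three variables is checked for being set, so an empty one makes `mkdir -p ""` fail and the script carries on to `apache2ctl start` unless `set -e`/`set -u` is in effect; a guard such as `: "${CSR_DIRECTORY:?}" "${CRT_DIRECTORY:?}"` before the mkdir would make the failure explicit. The script begins and ends outside the hunk, so whether such a shell option is already set cannot be seen here.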
@@ -8,6 +8,20 @@ sleep 1 export SERIAL_PORT=/dev/ttyUSB0 +mkdir -p /srv/ca/CA/certs /srv/ca/CA/private /srv/ca/CA/newcerts +cp /srv/testca/root/ca.crt.pem /srv/ca/CA/ca.crt.pem +cp /srv/testca/root/private/ca.key.pem /srv/ca/CA/private/ca.key.pem +if [ ! -f /srv/ca/CA/index.txt ]; then cp /srv/testca/root/index.txt /srv/ca/CA/index.txt; fi +if [ ! -f /srv/ca/CA/serial ]; then echo 1 > /srv/ca/CA/serial; fi +if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 > /srv/ca/CA/crlnumber; fi + +mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts +cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem +cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem +if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi +if [ ! -f /srv/ca/class3/serial ]; then echo 1 > /srv/ca/class3/serial; fi +if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 > /srv/ca/class3/crlnumber; fi + cd /srv/CommModule/ touch server.pl-active
diff --git a/docker/signer-config/class3-client-codesign.cnf b/docker/signer-config/class3-client-codesign.cnf
new file mode 100644
index 0000000..c6713c3
--- /dev/null
+++ b/docker/signer-config/class3-client-codesign.cnf
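Review bot: The new block copies the CA private keys to `/srv/ca/CA/private/ca.key.pem` and `/srv/ca/class3/private/ca.key.pem` but never restricts the mode of the `private` directories or the key files, so they keep whatever the source files and the container umask yield, which is not visible here. Suggest `chmod 0700 /srv/ca/CA/private /srv/ca/class3/private` and `chmod 0600 /srv/ca/CA/private/ca.key.pem /srv/ca/class3/private/ca.key.pem` after the copies. The certificate and key are re-copied unconditionally on every start while `index.txt`, `serial` and `crlnumber` are only seeded when absent, so a regenerated testca would be paired with database and serial state belonging to the previous issuer; either a comment stating that testca is never regenerated, or copying cert and key under the same `if [ ! -f ... ]` guard, would make the intent explicit. The paths are hard-coded to `/srv/ca` although docker-compose.yml now exports `SIGNER_BASEDIR: /srv/ca` to this container; `${SIGNER_BASEDIR:-/srv/ca}` would keep the two in step. The script continues outside the hunk.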
@@ -0,0 +1,40 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical, CA:FALSE
+nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints = URI:http://crl.cacert.localhost/test-class3-revoke.crl
+subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/class3-client-org.cnf b/docker/signer-config/class3-client-org.cnf
new file mode 100644
index 0000000..ebb09a2
--- /dev/null
+++ b/docker/signer-config/class3-client-org.cnf
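Review bot: `authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org` in class3-client-codesign.cnf points test-issued certificates at the production OCSP responder, while the openssl-client.cnf hunk in this commit moves the same setting to `ocsp.cacert.localhost` and the other new class3 profiles already use the localhost host; class3-client-org.cnf and the unchanged part of class3-client.cnf carry the same production URL. Relying parties checking a test certificate would then query the live responder, which has never seen these serials. The CRL distribution point here is `test-class3-revoke.crl` whereas every other class3 profile uses `class3-revoke.crl`; unless the test CRL really is published under a different name this should read `crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl`. Suggest `authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost` here and in the two sibling files.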
@@ -0,0 +1,40 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical, CA:FALSE
+nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
+subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/class3-client.cnf b/docker/signer-config/class3-client.cnf
index d2b25d6..b9624f8 100644
--- a/docker/signer-config/class3-client.cnf
+++ b/docker/signer-config/class3-client.cnf
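Review bot: class3-client-org.cnf has no `crlnumber` entry in `[ CA_default ]`, while class3-client.cnf, class3-server.cnf, openssl-server.cnf, openssl-subca.cnf and openssl-timestamp.cnf in this commit carry `crlnumber = $dir/crlnumber`, and run-signer now seeds `/srv/ca/class3/crlnumber`. Per the openssl-ca documentation the cRLNumber extension is only added to a CRL when the `crlnumber` file is configured, so a `-gencrl` run with one of the profiles lacking it produces a CRL without the monotonically increasing number RFC 5280 requires and leaves the counter untouched; which behaviour you get then depends on which sibling config is picked for CRL generation. The same omission is in class3-client-codesign.cnf, class3-ocsp.cnf, class3-server-org.cnf, class3-subca.cnf, class3-timestamp.cnf, openssl-client-codesign.cnf, openssl-client-org.cnf, openssl-ocsp.cnf and openssl-server-org.cnf. Suggest adding `crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)` to each, matching class3-server.cnf.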
@@ -1,23 +1,23 @@
 [ ca ]
-default_ca = CA_default # The default ca section
+default_ca = CA_default # The default ca section
 
 [ CA_default ]
-dir = /srv/ca/class3 # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-crlnumber = $dir/crlnumber # bug-1438
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-certificate = $dir/ca.crt.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key.pem # The private key
-RANDFILE = $dir/private/.rand # private random number file
-x509_extensions = usr_cert # The extentions to add to the cert
-default_days = 200 # how long to certify for
-default_crl_days = 30 # how long before next CRL
-default_md = sha512 # which md to use.
-preserve = no # keep passed DN ordering
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
 policy = policy_anything
 
 [ policy_anything ]
@@ -37,3 +37,5 @@ extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC
 authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
 crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
 subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/class3-ocsp.cnf b/docker/signer-config/class3-ocsp.cnf
new file mode 100644
index 0000000..5840e11
--- /dev/null
+++ b/docker/signer-config/class3-ocsp.cnf
@@ -0,0 +1,38 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = serverAuth,OCSPSigning,nsSGC,msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
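Review bot: The responder profile in class3-ocsp.cnf gives the OCSP signing certificate `extendedKeyUsage = serverAuth,OCSPSigning,nsSGC,msSGC` and `keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement`, so a compromised responder key doubles as a usable TLS server credential for whatever names the certificate carries; a delegated OCSP signer only needs `keyUsage = critical,digitalSignature` and `extendedKeyUsage = OCSPSigning`. Leaving out the AIA (the `# no authorityInfoAccess to avoid loops` comment) also means relying parties have no way to check the responder certificate's own status, which is exactly the situation RFC 6960 addresses with the id-pkix-ocsp-nocheck extension; in OpenSSL config syntax that is `noCheck = ignored` under `[ usr_cert ]`. With that line present the comment documents a deliberate design rather than an unchecked gap. openssl-ocsp.cnf has the same section (differing only in the CRL URL) and should get the same changes.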
diff --git a/docker/signer-config/class3-server-org.cnf b/docker/signer-config/class3-server-org.cnf
new file mode 100644
index 0000000..a22d2c0
--- /dev/null
+++ b/docker/signer-config/class3-server-org.cnf
@@ -0,0 +1,39 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 180 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+subjectAltName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/class3-server.cnf b/docker/signer-config/class3-server.cnf
new file mode 100644
index 0000000..32dc3b5
--- /dev/null
+++ b/docker/signer-config/class3-server.cnf
@@ -0,0 +1,34 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 180 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+commonName = optional
+subjectAltName = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/class3-subca.cnf b/docker/signer-config/class3-subca.cnf
new file mode 100644
index 0000000..62be4a5
--- /dev/null
+++ b/docker/signer-config/class3-subca.cnf
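Review bot: The server profiles in class3-server.cnf and class3-server-org.cnf (likewise openssl-server.cnf and openssl-server-org.cnf) have no `subjectAltName` entry under `[ usr_cert ]` and no `copy_extensions` in `[ CA_default ]`, so with OpenSSL's default of `copy_extensions = none` a SAN carried in the CSR is silently dropped and the issued certificate has only a CN, which current TLS clients no longer use for name matching. If the signer supplies SANs another way (an `-extfile` or a per-request extension section generated by CommModule, not visible in this commit), a comment on the profile saying so would keep the next reader from adding `copy_extensions = copy` and thereby accepting whatever extensions a request supplies that the profile does not override. `subjectAltName = optional` in `[ policy_anything ]` should have no effect, since the policy section only filters subject DN attributes and subjectAltName is not one; either remove it or replace it with a comment stating what was intended.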
@@ -0,0 +1,33 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 180 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+commonName = optional
+subjectAltName = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:TRUE
+extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
+keyUsage = digitalSignature,keyEncipherment
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/class3-timestamp.cnf b/docker/signer-config/class3-timestamp.cnf
new file mode 100644
index 0000000..82b98da
--- /dev/null
+++ b/docker/signer-config/class3-timestamp.cnf
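Review bot: The sub-CA profile in class3-subca.cnf asserts `basicConstraints = critical,CA:TRUE` but `keyUsage = digitalSignature,keyEncipherment`, which omits `keyCertSign` and `cRLSign`; RFC 5280 §4.2.1.3 forbids using a certificate to verify certificate signatures when keyUsage is present without keyCertSign, and OpenSSL's issuer check rejects such a chain, so anything signed by a sub-CA issued from this profile fails validation. `extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC` on a CA certificate is also out of place and, in implementations that apply EKU along the whole chain, limits what the sub-CA may issue. Suggest `keyUsage = critical,keyCertSign,cRLSign`, dropping the extendedKeyUsage line unless it is meant as a chain constraint, and considering `basicConstraints = critical,CA:TRUE,pathlen:0` if the sub-CA must not issue further CAs. openssl-subca.cnf has the identical `[ usr_cert ]` section and needs the same change.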
@@ -0,0 +1,38 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/class3 # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth,serverAuth,timeStamping
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/class3-revoke.crl
+subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-client-codesign.cnf b/docker/signer-config/openssl-client-codesign.cnf
new file mode 100644
index 0000000..bfcb557
--- /dev/null
+++ b/docker/signer-config/openssl-client-codesign.cnf
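Review bot: The time-stamping profile in class3-timestamp.cnf sets `extendedKeyUsage = clientAuth,serverAuth,timeStamping` and no `keyUsage` at all, but RFC 3161 §2.3 requires a TSA certificate to carry id-kp-timeStamping as its only EKU, marked critical, and `openssl ts -verify` enforces exactly that (plus a keyUsage limited to digitalSignature/nonRepudiation when present), so tokens signed with a certificate from this profile would not verify. Suggest `extendedKeyUsage = critical,timeStamping` and `keyUsage = critical,digitalSignature,nonRepudiation`. openssl-timestamp.cnf has the same EKU line and additionally omits the `crlDistributionPoints` entry that every other profile in this commit carries, leaving relying parties without a revocation pointer for those certificates. Both files also include `subjectAltName = email:copy`, so the TSA certificate would carry the requester's e-mail address; worth a comment if that is intended.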
@@ -0,0 +1,40 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
+subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-client-org.cnf b/docker/signer-config/openssl-client-org.cnf
new file mode 100644
index 0000000..e7e5ce8
--- /dev/null
+++ b/docker/signer-config/openssl-client-org.cnf
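Review bot: No `[ usr_cert ]` section in this commit — openssl-client-codesign.cnf here, every other new .cnf, and the visible parts of the two modified ones — sets `subjectKeyIdentifier` or `authorityKeyIdentifier`; RFC 5280 §4.2.1.1 requires the authorityKeyIdentifier keyIdentifier in every CA-issued certificate, and without it path building falls back to issuer-name matching, which breaks the moment a CA key is rolled over under the same name. Suggest adding `subjectKeyIdentifier = hash` and `authorityKeyIdentifier = keyid,issuer` to each `[ usr_cert ]`. The trailing `[ crl_ext ]` section is empty in all of these files, so a CRL generated with `-crlexts crl_ext` carries no issuer key identifier either; `authorityKeyIdentifier = keyid:always` there binds the CRL to the signing key in the same way.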
@@ -0,0 +1,40 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = emailProtection,clientAuth,msEFS,msSGC,nsSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
+subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-client.cnf b/docker/signer-config/openssl-client.cnf
index ec2a975..5fb7fc4 100644
--- a/docker/signer-config/openssl-client.cnf
+++ b/docker/signer-config/openssl-client.cnf
@@ -1,23 +1,23 @@
 [ ca ]
-default_ca = CA_default # The default ca section
+default_ca = CA_default # The default ca section
 
 [ CA_default ]
-dir = /srv/ca/CA # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-crlnumber = $dir/crlnumber # bug-1438
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-certificate = $dir/ca.crt.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key.pem # The private key
-RANDFILE = $dir/private/.rand # private random number file
-x509_extensions = usr_cert # The extentions to add to the cert
-default_days = 200 # how long to certify for
-default_crl_days = 30 # how long before next CRL
-default_md = sha512 # which md to use.
-preserve = no # keep passed DN ordering
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+crlnumber = $dir/crlnumber # bug-1438
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
 policy = policy_anything
 
 [ policy_anything ]
@@ -30,10 +30,12 @@ commonName = optional
 emailAddress = optional
 
 [ usr_cert ]
-basicConstraints = critical, CA:FALSE
+basicConstraints = critical,CA:FALSE
 nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org"
-keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
-extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = emailProtection,clientAuth,msEFS,msSGC,nsSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
 crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
 subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-ocsp.cnf b/docker/signer-config/openssl-ocsp.cnf
new file mode 100644
index 0000000..a9c6e70
--- /dev/null
+++ b/docker/signer-config/openssl-ocsp.cnf
@@ -0,0 +1,38 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = serverAuth,OCSPSigning,nsSGC,msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-server-org.cnf b/docker/signer-config/openssl-server-org.cnf
new file mode 100644
index 0000000..ff07959
--- /dev/null
+++ b/docker/signer-config/openssl-server-org.cnf
@@ -0,0 +1,39 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+subjectAltName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-server.cnf b/docker/signer-config/openssl-server.cnf
new file mode 100644
index 0000000..7067255
--- /dev/null
+++ b/docker/signer-config/openssl-server.cnf
@@ -0,0 +1,34 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+commonName = optional
+subjectAltName = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-subca.cnf b/docker/signer-config/openssl-subca.cnf
new file mode 100644
index 0000000..b74a4e8
--- /dev/null
+++ b/docker/signer-config/openssl-subca.cnf
@@ -0,0 +1,34 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+commonName = optional
+subjectAltName = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:TRUE
+extendedKeyUsage = clientAuth,serverAuth,nsSGC,msSGC
+keyUsage = digitalSignature,keyEncipherment
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+crlDistributionPoints = URI:http://crl.cacert.localhost/revoke.crl
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/docker/signer-config/openssl-timestamp.cnf b/docker/signer-config/openssl-timestamp.cnf
new file mode 100644
index 0000000..d335f51
--- /dev/null
+++ b/docker/signer-config/openssl-timestamp.cnf
@@ -0,0 +1,38 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = /srv/ca/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438)
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/ca.crt.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key.pem # The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 200 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha512 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ usr_cert ]
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth,serverAuth,timeStamping
+authorityInfoAccess = OCSP;URI:http://ocsp.cacert.localhost
+subjectAltName = email:copy
+
+[ crl_ext ]
\ No newline at end of file
diff --git a/mgr.Dockerfile b/mgr.Dockerfile
index 16d9ba8..e258fc3 100644
--- a/mgr.Dockerfile
+++ b/mgr.Dockerfile
@@ -29,7 +29,7 @@ COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf COPY docker/mgr-application.ini /usr/local/etc/ -VOLUME /var/www +VOLUME /var/www/mgr RUN a2ensite mgr.cacert.localhost ; \ a2dissite 000-default ; \
diff --git a/signer.Dockerfile b/signer.Dockerfile
index 989702f..448dff2 100644
--- a/signer.Dockerfile
+++ b/signer.Dockerfile
@@ -10,15 +10,18 @@ RUN apt-get update \ openssl \ perl \ socat \ + xdelta \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -VOLUME /srv/ca - COPY cacert-software/CommModule/server.pl \ cacert-software/CommModule/logclean.sh \ /srv/CommModule/ COPY docker/run-signer usr/local/bin/ COPY docker/signer-config/* /srv/caconfig/ +COPY testca /srv/testca/ + +VOLUME /srv/ca + CMD ["/usr/local/bin/run-signer"]
diff --git a/signer_client.Dockerfile b/signer_client.Dockerfile
index af0d786..2b00748 100644
--- a/signer_client.Dockerfile
+++ b/signer_client.Dockerfile
@@ -11,6 +11,7 @@ RUN apt-get update \ openssl \ perl \ socat \ + xdelta \ && apt-get clean \ && rm -rf /var/lib/apt/lists/*
diff --git a/webdb.Dockerfile b/webdb.Dockerfile
index 7cf73c5..5e3e5bd 100644
--- a/webdb.Dockerfile
+++ b/webdb.Dockerfile
@@ -12,6 +12,8 @@ RUN apt-get update \ make \ netbase \ nullmailer \ + openssl-blacklist \ + openssl-blacklist-extra \ php-apc \ php-fpdf \ php-gettext \
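Review bot: `COPY testca /srv/testca/` in signer.Dockerfile places the test CA certificates and private keys into an image layer, so anyone able to pull the signer image holds the issuing keys, and run-signer then copies them into the `/srv/ca` volume on every start. For a throw-away test hierarchy that is a defensible trade-off, but nothing in the Dockerfile says so; a comment such as `# testca/ is the throw-away test hierarchy (private keys included); never build this image with real CA material` next to the COPY keeps that boundary visible, and mounting the directory at run time instead would avoid baking keys into the image at all. Moving `VOLUME /srv/ca` below the COPY lines only matters if a build step writes under `/srv/ca`, and none here does, so a one-line comment on why it moved would spare the next reader the same question. The pre-existing `COPY docker/run-signer usr/local/bin/` (context here) relies on a relative destination resolving against the default WORKDIR; `/usr/local/bin/` would match the `CMD` path unambiguously.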
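Review bot: The two new packages `openssl-blacklist` and `openssl-blacklist-extra` in webdb.Dockerfile are the Debian lists of RSA moduli produced by the 2008 weak-PRNG OpenSSL builds, presumably consumed by the web application's check of submitted CSR keys, though that call is not visible in this commit. A one-line comment above them, e.g. `# Debian weak-key blacklists, used to reject CSRs carrying blacklisted RSA keys`, would record why they are installed and that removing them silently drops a key-quality check. It is also worth confirming that the base image's release still ships these packages, since the build would otherwise fail at `apt-get install`.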