
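:: Demo script for creating CA structure as part of masters thesis
:: Author: Jozef Simko
:: School year: 5., Master study, 2023/24
:: Study program: Computer Networks
:: Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI)
::
:: USAGE
:: Run from the directory that holds root.cnf and intermediate.cnf, with an
:: openssl on PATH whose provider knows the falcon512 key type.
:: Every command that produces a file a later step depends on jumps to :fail
:: on a non-zero exit status, so a failed key generation or signing stops the
:: script instead of leaving a half-built hierarchy behind.
:: DIRECTORY STRUCTURE
:: This script creates the following directories and files:
:: myCA
:: |
:: |_ rootCA
:: | |_certs -> directory holding the CA certificate
:: | |_newcerts -> directory of signed certificates, each named after its serial number
:: | |_private -> directory for private keys (access is restricted to the current user below)
:: | |_index/index.txt -> database of signed certificates with details about each of them
:: | |_serial -> counter of signed certificates
:: | |_crlnumber -> counter of revoked certificates
:: | |_root.cnf -> configuration file for the root CA
:: |
:: |_ intermediateCA
:: | |_certs -> directory holding the CA certificate and the certificate chain
:: | |_newcerts -> directory of signed certificates, each named after its serial number
:: | |_private -> directory for private keys (access is restricted to the current user below)
:: | |_index/index.txt -> database of signed certificates with details about each of them
:: | |_serial -> counter of signed certificates
:: | |_crlnumber -> counter of revoked certificates
:: | |_csr -> certificate requests and the end-entity certificates issued from them
:: | |_intermediate.cnf -> configuration file for the intermediate CA
:: ---------------------------------------------------------------------------------------------------------------------------
:: Refuse to build on top of an existing hierarchy: re-running would reset the
:: serial/index files and re-key the root underneath already issued certificates.
if exist .\myCA (
  echo .\myCA already exists - remove it first to rebuild the demo CA 1>&2
  exit /b 1
)
:: Create the directory structure
mkdir .\myCA\rootCA\certs , .\myCA\rootCA\private , .\myCA\rootCA\newcerts , .\myCA\rootCA\index || goto :fail
mkdir .\myCA\intermediateCA\certs , .\myCA\intermediateCA\private , .\myCA\intermediateCA\newcerts , .\myCA\intermediateCA\index , .\myCA\intermediateCA\csr || goto :fail
:: Restrict the private key directories to the current user. The keys below are
:: written unencrypted (-nodes) so that 'openssl ca -batch' can sign without a
:: passphrase prompt, which makes the directory ACL the only protection they get.
:: Kept non-fatal so the demo still runs on filesystems without ACL support.
icacls .\myCA\rootCA\private /inheritance:r /grant:r "%USERNAME%:(OI)(CI)F" || echo WARNING: could not restrict access to .\myCA\rootCA\private 1>&2
icacls .\myCA\intermediateCA\private /inheritance:r /grant:r "%USERNAME%:(OI)(CI)F" || echo WARNING: could not restrict access to .\myCA\intermediateCA\private 1>&2
:: PowerShell equivalents - the 'echo' command in PS creates UTF-16 encoded files
::"00" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\crlnumber"
::New-Item -Path ".\myCA\rootCA\index" -Name "index.txt" -ItemType File
::"00" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\crlnumber"
::New-Item -Path ".\myCA\intermediateCA\index" -Name "index.txt" -ItemType File
:: Create the bookkeeping files for rootCA and intermediateCA
:: @serial - holds the serial number that the next issued certificate receives;
::   every certificate can be identified by its serial number - the record is kept in index.txt
:: @crlnumber - counter of revoked certificates;
::   revocation may happen when a private key was disclosed, the certificate is fraudulent,
::   or the details of the certificate requester changed
:: @index.txt - file used as the database of all signed certificates;
::   it records the certificate status, expiry date, serial number and additional details
:: The redirection is placed before 'echo' so that cmd does not copy the space in
:: front of '>' into the file; the files then hold exactly the documented value.
>.\myCA\rootCA\serial echo 00
>.\myCA\rootCA\crlnumber echo 0100
type NUL > .\myCA\rootCA\index\index.txt
>.\myCA\intermediateCA\serial echo 00
>.\myCA\intermediateCA\crlnumber echo 0100
type NUL > .\myCA\intermediateCA\index\index.txt
:: Copy the configuration files into their directories
:: To move the files instead, replace the copy command with move
copy .\root.cnf .\myCA\rootCA\ || goto :fail
copy .\intermediate.cnf .\myCA\intermediateCA\ || goto :fail
:: ROOT CA
:: Generate the private key and the self-signed certificate of the root CA
:: Algorithm used - the post-quantum signature scheme falcon512
:: Validity periods must nest (root >= intermediate >= end-entity): a chain
:: stops verifying the moment its issuer expires, so the root is issued for
:: 7300 days, longer than the 3650-day intermediate it signs below.
openssl req -config ./myCA/rootCA/root.cnf -new -x509 -days 7300 -newkey falcon512 -keyout ./myCA/rootCA/private/falcon512_CA.key -out ./myCA/rootCA/certs/falcon512_CA.crt -nodes || goto :fail
:: INT CA
:: Generate the private key and a certificate request for the intermediate CA
:: Sign the request with the root CA private key; the v3_intermediate_ca
:: section is expected to be defined in root.cnf (not part of this script)
:: Verify the signature against the root certificate
openssl req -config ./myCA/intermediateCA/intermediate.cnf -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_intCA.key -out ./myCA/intermediateCA/certs/falcon512_intCA.csr -nodes || goto :fail
openssl ca -batch -config ./myCA/rootCA/root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in ./myCA/intermediateCA/certs/falcon512_intCA.csr -out ./myCA/intermediateCA/certs/falcon512_intCA.crt || goto :fail
openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt ./myCA/intermediateCA/certs/falcon512_intCA.crt || goto :fail
:: CERT-CHAIN
:: Build the chain file from the root CA and intermediate CA certificates;
:: it is used as the trust bundle (-CAfile) for the end-entity verifications below
:: Verify the intermediate certificate against the chain file
type .\myCA\rootCA\certs\falcon512_CA.crt , .\myCA\intermediateCA\certs\falcon512_intCA.crt > .\myCA\intermediateCA\certs\falcon512_certchain.pem || goto :fail
openssl verify -CAfile ./myCA/intermediateCA/certs/falcon512_certchain.pem ./myCA/intermediateCA/certs/falcon512_intCA.crt || goto :fail
:: SERVER CERTIFICATE
:: Generate the private key and certificate for the server
:: The server_cert section is expected to be defined in intermediate.cnf
:: Verify the signature of the resulting certificate
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_server.key -out ./myCA/intermediateCA/csr/falcon512_server.csr -nodes -subj "/CN=test server" || goto :fail
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_server.csr -out ./myCA/intermediateCA/csr/falcon512_server.crt || goto :fail
openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_server.crt || goto :fail
:: CLIENT CERTIFICATE
:: Generate the private key and certificate for the client
:: The client_cert section is expected to be defined in intermediate.cnf
:: Verify the signature of the resulting certificate
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.testclient.com" || goto :fail
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt || goto :fail
openssl verify -CAfile .\myCA\intermediateCA\certs\falcon512_certchain.pem ./myCA/intermediateCA/csr/falcon512_client.crt || goto :fail
:: REVOKE CERTIFICATE (optional, kept commented out)
:: Generate one more certificate for a "fake" server
:: Sign the generated request
:: Revoke the issued certificate with reason "affiliationChanged" (the end server's details changed)
::openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_fakeserver.key -out ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -nodes -subj "/CN=fake server"
::openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -out ./myCA/intermediateCA/csr/falcon512_fakeserver.crt
::openssl ca -config ./myCA/intermediateCA/intermediate.cnf -revoke ./myCA/intermediateCA/csr/falcon512_fakeserver.crt -crl_reason affiliationChanged
:: REMOVE SCRIPT
:: del ./gen_CA.bat
exit /b 0
:: Reached only via 'goto :fail' from a command above; the failing openssl
:: output has already been printed, so just report and return a non-zero status.
:fail
echo CA setup failed at the step above - see the output printed before this message. 1>&2
exit /b 1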