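:: Demo script for creating CA structure as part of masters thesis
:: Author: Jozef Simko
:: School year: 5., Master study, 2023/24
:: Study program: Computer Networks
:: Organization: Technical University of Kosice (TUKE), Faculty of Electrical Engineering and Informatics (FEI)
::
:: Prerequisites: an OpenSSL build whose provider implements the falcon512 key type
:: (e.g. oqs-provider), and root.cnf / intermediate.cnf next to this script.
:: Run it from the directory that holds those two config files.
::
:: DIRECTORY STRUCTURE
:: This script creates the following directory and file structure:
::
:: myCA
:: |
:: |_ rootCA
:: |   |_certs            -> directory holding the CA certificate
:: |   |_newcerts         -> directory holding issued certificates, named after their serial number
:: |   |_private          -> directory for private keys (ACL restricted to the current user below)
:: |   |_index/index.txt  -> database of issued certificates with details about each of them
:: |   |_serial           -> next serial number to issue
:: |   |_crlnumber        -> next CRL number (incremented per published CRL, not per revoked certificate)
:: |   |_root.cnf         -> configuration file for the root CA
:: |
:: |_ intermediateCA
::     |_certs            -> directory holding the CA certificate and the chain file
::     |_newcerts         -> directory holding issued certificates, named after their serial number
::     |_private          -> directory for private keys (ACL restricted to the current user below)
::     |_index/index.txt  -> database of issued certificates with details about each of them
::     |_serial           -> next serial number to issue
::     |_crlnumber        -> next CRL number (incremented per published CRL, not per revoked certificate)
::     |_csr              -> certificate signing requests (in this demo also the issued end-entity certificates)
::     |_intermediate.cnf -> configuration file for the intermediate CA

:: ---------------------------------------------------------------------------------------------------------------------------

:: cmd keeps running after a failed command. Every step below depends on the artifacts of the
:: previous ones (a missing root key would make "openssl ca" fail or sign with stale material),
:: so each critical command carries "|| exit /b 1" to stop the script on the first error.

:: Create the directory structure
mkdir .\myCA\rootCA\certs , .\myCA\rootCA\private , .\myCA\rootCA\newcerts , .\myCA\rootCA\index
mkdir .\myCA\intermediateCA\certs , .\myCA\intermediateCA\private , .\myCA\intermediateCA\newcerts , .\myCA\intermediateCA\index , .\myCA\intermediateCA\csr

:: Restrict the private-key directories to the invoking account: drop the inherited ACEs (which on
:: a default install give the local Users group read access) and grant only the current user full
:: control, inherited (OI)(CI) by the key files written into these directories later.
:: Failure here (e.g. a non-NTFS volume) is reported but does not abort the demo.
icacls .\myCA\rootCA\private /inheritance:r /grant:r "%USERDOMAIN%\%USERNAME%:(OI)(CI)F" >NUL || echo WARNING: could not restrict ACL on .\myCA\rootCA\private
icacls .\myCA\intermediateCA\private /inheritance:r /grant:r "%USERDOMAIN%\%USERNAME%:(OI)(CI)F" >NUL || echo WARNING: could not restrict ACL on .\myCA\intermediateCA\private

:: PowerShell equivalents - PowerShell's "echo" would write these files with UTF-16 encoding,
:: which openssl cannot read, hence Out-File with -encoding ascii:
::"00" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\rootCA\crlnumber"
::New-Item -Path ".\myCA\rootCA\index" -Name "index.txt" -ItemType File

::"00" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\serial"
::"0100" | Out-File -encoding ascii -NoNewline ".\myCA\intermediateCA\crlnumber"
::New-Item -Path ".\myCA\intermediateCA\index" -Name "index.txt" -ItemType File

:: Create the additional files for rootCA and intermediateCA
:: @serial    - holds the serial number that will be used for the next certificate;
::              every certificate is identified by its serial number - the record is kept in index.txt
:: @crlnumber - counter for the CRLs issued by this CA (goes into the crlNumber extension of each CRL);
::              a certificate is revoked when its private key was compromised, the certificate is
::              fraudulent, or the subject's details changed
:: @index.txt - file used as the database of all issued certificates;
::              it records the certificate status, expiry date, serial number and subject details
:: cmd's echo writes the space before ">" into the file (e.g. "00 "); openssl ca has accepted this
:: in practice. If it ever complains about the serial file, use the Out-File lines above instead.
echo 00 > .\myCA\rootCA\serial
echo 0100 > .\myCA\rootCA\crlnumber
type NUL > .\myCA\rootCA\index\index.txt

echo 00 > .\myCA\intermediateCA\serial
echo 0100 > .\myCA\intermediateCA\crlnumber
type NUL > .\myCA\intermediateCA\index\index.txt

:: Copy the configuration files into the corresponding directories
:: (replace "copy" with "move" if the files should be moved instead)
copy .\root.cnf .\myCA\rootCA\ || exit /b 1
copy .\intermediate.cnf .\myCA\intermediateCA\ || exit /b 1

:: ROOT CA
:: Generate the root CA private key and self-signed certificate.
:: Algorithm: post-quantum signature scheme falcon512 (provided by the PQ provider, not OpenSSL core).
:: NOTE(security): -nodes leaves the root key unencrypted on disk so the demo can run unattended
:: with -batch. Outside a demo, protect the root key with a passphrase (drop -nodes; OpenSSL 3
:: also accepts the alias -noenc) or keep it on an offline machine / HSM.
:: The root lifetime must exceed the lifetime of everything it signs: the intermediate below is
:: issued for 3650 days, and a chain cannot validate past the expiry of any certificate in it,
:: so the root is issued for 7300 days (the original 365 days would have expired first).
openssl req -config ./myCA/rootCA/root.cnf -new -x509 -days 7300 -newkey falcon512 -keyout ./myCA/rootCA/private/falcon512_CA.key -out ./myCA/rootCA/certs/falcon512_CA.crt -nodes || exit /b 1

:: INT CA
:: Generate the private key and CSR for the intermediate CA,
:: sign the CSR with the root CA private key (extensions come from the v3_intermediate_ca
:: section of root.cnf), then verify the resulting certificate against the root.
:: "-md sha256" is kept from the original; PQ schemes in oqs-provider hash internally, so check
:: the provider's documentation on whether this option is honored or ignored for falcon512.
openssl req -config ./myCA/intermediateCA/intermediate.cnf -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_intCA.key -out ./myCA/intermediateCA/certs/falcon512_intCA.csr -nodes || exit /b 1
openssl ca -batch -config ./myCA/rootCA/root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in ./myCA/intermediateCA/certs/falcon512_intCA.csr -out ./myCA/intermediateCA/certs/falcon512_intCA.crt || exit /b 1
openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt ./myCA/intermediateCA/certs/falcon512_intCA.crt || exit /b 1

:: CERT-CHAIN
:: Concatenate the root CA and intermediate CA certificates into one chain file and check that
:: the result is usable as a trust store. Root-first order is fine for a -CAfile; a TLS server
:: sends its chain leaf-first and normally omits the root (the client already has it).
type .\myCA\rootCA\certs\falcon512_CA.crt , .\myCA\intermediateCA\certs\falcon512_intCA.crt > .\myCA\intermediateCA\certs\falcon512_certchain.pem
openssl verify -CAfile ./myCA/intermediateCA/certs/falcon512_certchain.pem ./myCA/intermediateCA/certs/falcon512_intCA.crt || exit /b 1

:: SERVER CERTIFICATE
:: Generate the private key and CSR for the server, sign it with the intermediate CA
:: (extensions from the server_cert section of intermediate.cnf) and verify the result.
:: The verification below makes the trust model explicit: the root certificate is the only trust
:: anchor (-CAfile) and the intermediate is an -untrusted chain element that must itself validate.
:: NOTE: in this demo the CA host generates the end-entity keys and keeps them in its own private
:: directory; in a real deployment the subscriber generates the key and only the CSR is transferred,
:: so the CA never holds end-entity private keys.
:: NOTE: the subject carries only a CN; unless the server_cert section adds a subjectAltName,
:: browsers and many TLS libraries will not accept the certificate for a hostname.
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_server.key -out ./myCA/intermediateCA/csr/falcon512_server.csr -nodes -subj "/CN=test server" || exit /b 1
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_server.csr -out ./myCA/intermediateCA/csr/falcon512_server.crt || exit /b 1
openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt -untrusted ./myCA/intermediateCA/certs/falcon512_intCA.crt ./myCA/intermediateCA/csr/falcon512_server.crt || exit /b 1

:: CLIENT CERTIFICATE
:: Generate the private key and CSR for the client, sign it with the intermediate CA
:: (extensions from the client_cert section of intermediate.cnf) and verify the result
:: with the same root-anchor / untrusted-intermediate model as the server certificate.
openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_client.key -out ./myCA/intermediateCA/csr/falcon512_client.csr -nodes -subj "/CN=www.testclient.com" || exit /b 1
openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions client_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_client.csr -out ./myCA/intermediateCA/csr/falcon512_client.crt || exit /b 1
openssl verify -CAfile ./myCA/rootCA/certs/falcon512_CA.crt -untrusted ./myCA/intermediateCA/certs/falcon512_intCA.crt ./myCA/intermediateCA/csr/falcon512_client.crt || exit /b 1

:: REVOKE CERTIFICATE (disabled by default)
:: Generate one more certificate for a "fake" server, sign it, then revoke it with the reason
:: "affiliationChanged" (the properties of the end server changed).
::openssl req -new -newkey falcon512 -keyout ./myCA/intermediateCA/private/falcon512_fakeserver.key -out ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -nodes -subj "/CN=fake server"
::openssl ca -batch -config ./myCA/intermediateCA/intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in ./myCA/intermediateCA/csr/falcon512_fakeserver.csr -out ./myCA/intermediateCA/csr/falcon512_fakeserver.crt
::openssl ca -config ./myCA/intermediateCA/intermediate.cnf -revoke ./myCA/intermediateCA/csr/falcon512_fakeserver.crt -crl_reason affiliationChanged
:: "-revoke" only flags the entry in index.txt; relying parties learn about the revocation only
:: once a CRL is published (this is what the crlnumber file is for; the config must name the
:: crlnumber file, and -crldays supplies the CRL validity if default_crl_days is not configured):
::openssl ca -config ./myCA/intermediateCA/intermediate.cnf -gencrl -crldays 30 -out ./myCA/intermediateCA/certs/falcon512_intCA.crl
:: Checking the revoked certificate against the CRL is expected to FAIL with "certificate revoked":
::openssl verify -crl_check -CAfile ./myCA/rootCA/certs/falcon512_CA.crt -untrusted ./myCA/intermediateCA/certs/falcon512_intCA.crt -CRLfile ./myCA/intermediateCA/certs/falcon512_intCA.crl ./myCA/intermediateCA/csr/falcon512_fakeserver.crt

:: REMOVE SCRIPT (disabled by default)
:: del ./gen_CA.bat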