
Commit ce903c6

committed
Story #15673: Updating PKI.
* Use the get_authorities function as the single reference for the expected authorities. * Simplify the scripts by removing redundant functions. * Continue translating to English.
1 parent e40bd57 commit ce903c6


11 files changed

+230
-235
lines changed


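--- a/deployment/pki/scripts/generate_ca.sh
+++ b/deployment/pki/scripts/generate_ca.sh
@@ -7,14 +7,6 @@ set -e
 
 . $(dirname $0)/lib/ca.sh
 
-######################################################################
-######################### Overriding ###########################
-######################################################################
-
-function get_autorities() {
-echo "vitamui-services client-external client-vitam"
-}
-
 ######################################################################
 ############################# Main #############################
 ######################################################################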

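--- a/deployment/pki/scripts/generate_ca_dev.sh
+++ b/deployment/pki/scripts/generate_ca_dev.sh
@@ -13,10 +13,6 @@ set -e
 
 REPERTOIRE_ROOT="$( cd "$( readlink -f $(dirname ${BASH_SOURCE[0]}) )/../../../dev-deployment" ; pwd )"
 
-function get_autorities() {
-echo "vitamui-services client-external client-vitam"
-}
-
 ######################################################################
 ############################# Main #############################
 ######################################################################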

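--- a/deployment/pki/scripts/generate_certs.sh
+++ b/deployment/pki/scripts/generate_certs.sh
@@ -13,18 +13,16 @@ set -e
 
 function generateCerts {
 
-# Copy CA
-pki_logger "Recopie des clés publiques des CA"
-copyCAFromPki client-external
-copyCAFromPki client-vitam
-copyCAFromPki vitamui-services
-
-# Generate hosts certificates
-pki_logger "Génération des certificats serveurs"
-# Zone interne
+pki_logger "Copying CA certificates"
+for AUTHORITY_NAME in $(get_autorities); do
+copyCAFromPki "${AUTHORITY_NAME}"
+done
+
+# VitamUI Services
+# Server Only for https
 generateServerCertAndStorePassphrase security vitamui-services
 
-#Zone externe
+# Server and Client for https or mTLS
 generateServerAndClientCertAndStorePassphrase iam vitamui-services
 generateServerAndClientCertAndStorePassphrase referential vitamui-services
 generateServerAndClientCertAndStorePassphrase cas-server vitamui-services
@@ -34,7 +32,7 @@ function generateCerts {
 generateServerAndClientCertAndStorePassphrase pastis vitamui-services
 generateServerAndClientCertAndStorePassphrase api-gateway vitamui-services
 
-#Zone UI
+# Zone UI - Client Only for mTLS
 generateClientCertAndStorePassphrase ui-portal vitamui-services
 generateClientCertAndStorePassphrase ui-identity vitamui-services
 generateClientCertAndStorePassphrase ui-identity-admin vitamui-services
@@ -44,7 +42,7 @@ function generateCerts {
 generateClientCertAndStorePassphrase ui-collect vitamui-services
 generateClientCertAndStorePassphrase ui-pastis vitamui-services
 
-#Reverse
+# Reverse - Server Only for https
 generateServerCertAndStorePassphrase reverse vitamui-services
 
 # Example of generated client cert for a customer allowing to perform request on external APIs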
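Review bot: The new `for AUTHORITY_NAME in $(get_autorities); do` loop at the top of generateCerts fails silently when the function yields nothing: an empty word list runs zero iterations, no CA certificate is copied, and `set -e` (visible in the hunk context) does not object, so the server and client certificate generation that follows proceeds without any CA having been copied and the real cause only surfaces later, if at all. The definition of `get_autorities` is not in this file's visible hunks and the per-script overrides are removed elsewhere in this commit, so it presumably now comes from a sourced library that the caller must get right. A guard before the loop keeps that failure explicit: `AUTHORITIES="$(get_autorities)"` then `[ -n "${AUTHORITIES}" ] || { pki_logger "get_autorities returned no authority"; exit 1; }`, iterating over `${AUTHORITIES}` afterwards. The function is spelled `get_autorities` in the code while the commit message says `get_authorities`; since it is being moved anyway, aligning the name would avoid a second, silently undefined function. generateCerts starts inside the first hunk but its body continues past the last one.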

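--- a/deployment/pki/scripts/generate_certs_dev.sh
+++ b/deployment/pki/scripts/generate_certs_dev.sh
@@ -23,18 +23,16 @@ function getComponentCertificateSan {
 
 function generateCerts {
 
-# Copy CA
-pki_logger "Recopie des clés publiques des CA"
-copyCAFromPki client-external
-copyCAFromPki client-vitam
-copyCAFromPki vitamui-services
-
-# Generate hosts certificates
-pki_logger "Génération des certificats serveurs"
-# Zone interne
+pki_logger "Copying CA certificates"
+for AUTHORITY_NAME in $(get_autorities); do
+copyCAFromPki "${AUTHORITY_NAME}"
+done
+
+# VitamUI Services
+# Server Only for https
 generateServerCertAndStorePassphrase security vitamui-services
 
-#Zone externe
+# Server and Client for https or mTLS
 generateServerAndClientCertAndStorePassphrase iam vitamui-services
 generateServerAndClientCertAndStorePassphrase cas-server vitamui-services
 generateServerAndClientCertAndStorePassphrase referential vitamui-services
@@ -44,7 +42,7 @@ function generateCerts {
 generateServerAndClientCertAndStorePassphrase pastis vitamui-services
 generateServerAndClientCertAndStorePassphrase api-gateway vitamui-services
 
-#Zone UI
+# Zone UI - Client Only for mTLS
 generateClientCertAndStorePassphrase ui-portal vitamui-services
 generateClientCertAndStorePassphrase ui-identity vitamui-services
 generateClientCertAndStorePassphrase ui-identity-admin vitamui-services
@@ -54,7 +52,7 @@ function generateCerts {
 generateClientCertAndStorePassphrase ui-pastis vitamui-services
 generateClientCertAndStorePassphrase ui-collect vitamui-services
 
-#Reverse
+# Reverse proxy - Server Only for https
 generateServerCertAndStorePassphrase reverse vitamui-services
 
 # Example of generated client cert for a customer allowing to perform request on external APIs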
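Review bot: The dev variant has the same blind spot as the production script: `for AUTHORITY_NAME in $(get_autorities); do` copies nothing and raises nothing when `get_autorities` returns an empty string, and the certificate generation below it then runs against a directory with no CA in it. Since this script previously relied on an inline list and now depends on a definition outside its visible hunks, an explicit check before the loop is cheap insurance: `AUTHORITIES="$(get_autorities)"` followed by `[ -n "${AUTHORITIES}" ] || { pki_logger "get_autorities returned no authority"; exit 1; }`. generateCerts begins in the first hunk and ends beyond the last one.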

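--- a/deployment/pki/scripts/lib/ca.sh
+++ b/deployment/pki/scripts/lib/ca.sh
@@ -13,23 +13,27 @@ set -e
 
 # Generate root CA
 function generate_ca_root {
-local CA_ROOT_PASS="${1}"
-local AUTHORITY="${2}"
+local AUTHORITY_NAME="${1}"
+
+pki_logger "Creating CA-root for authority ${AUTHORITY_NAME}..."
+
+# set passphrase for ca-root and store it in the vault-ca
+local CA_ROOT_PASS=$(setPassphrase ca "ca_root_${AUTHORITY_NAME}")
 
 # Correctly set certificate CN (env var is read inside the openssl configuration file)
-export OPENSSL_CN="ca-root_${AUTHORITY}"
+export OPENSSL_CN="ca-root_${AUTHORITY_NAME}"
 pki_logger "OPENSSL_CN : ${OPENSSL_CN}"
 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
-export OPENSSL_CA_DIR="${AUTHORITY}"
+export OPENSSL_CA_DIR="${AUTHORITY_NAME}"
 pki_logger "OPENSSL_CA_DIR : ${OPENSSL_CA_DIR}"
 
 local CA_DIR=${CA_DIR}/${OPENSSL_CA_DIR}
 if [ ! -d ${CA_DIR} ]; then
-pki_logger "Create directory ${CA_DIR}"
+pki_logger "Creating directory ${CA_DIR}"
 mkdir -p ${CA_DIR};
 fi
 
-pki_logger "Create CA-root request..."
+pki_logger "Creating CA-root request for authority ${AUTHORITY_NAME}..."
 openssl req \
 -config ${CONFIG_DIR}/ca-config \
 -new \
@@ -38,7 +42,7 @@ function generate_ca_root {
 -passout pass:${CA_ROOT_PASS} \
 -batch
 
-pki_logger "Sign CA-root certificate..."
+pki_logger "Signing CA-root certificate for authority ${AUTHORITY_NAME}..."
 openssl ca \
 -config ${CONFIG_DIR}/ca-config \
 -selfsign \
@@ -51,24 +55,29 @@ function generate_ca_root {
 
 # Generate intermediate CA
 function generate_ca_intermediate {
-local CA_INTERMEDIATE_PASS="${1}"
-local CA_ROOT_PASS="${2}"
-local AUTHORITY="${3}"
+local AUTHORITY_NAME="${1}"
+
+pki_logger "Creating CA-intermediate for authority ${AUTHORITY_NAME}..."
+
+# get passphrase for ca-root from the vault-ca
+local CA_ROOT_PASS=$(getPassphrase ca "ca_root_${AUTHORITY_NAME}")
+# set passphrase for ca-intermediate and store it in the vault-ca
+local CA_INTERMEDIATE_PASS=$(setPassphrase ca "ca_intermediate_${AUTHORITY_NAME}")
 
 # Correctly set certificate CN (env var is read inside the openssl configuration file)
-export OPENSSL_CN="ca-intermediate_${AUTHORITY}"
+export OPENSSL_CN="ca-intermediate_${AUTHORITY_NAME}"
 pki_logger "OPENSSL_CN : ${OPENSSL_CN}"
 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
-export OPENSSL_CA_DIR=${AUTHORITY}
+export OPENSSL_CA_DIR=${AUTHORITY_NAME}
 pki_logger "OPENSSL_CA_DIR : ${OPENSSL_CA_DIR}"
 
 local CA_DIR=${CA_DIR}/${OPENSSL_CA_DIR}
 if [ ! -d ${CA_DIR} ]; then
-pki_logger "Create directory ${OPENSSL_CA_DIR}"
+pki_logger "Creating directory ${OPENSSL_CA_DIR}"
 mkdir -p ${CA_DIR};
 fi
 
-pki_logger "Create CA-intermediate request..."
+pki_logger "Creating CA-intermediate request for authority ${AUTHORITY_NAME}..."
 openssl req \
 -config ${CONFIG_DIR}/ca-config \
 -new \
@@ -78,7 +87,7 @@ function generate_ca_intermediate {
 -passout pass:${CA_INTERMEDIATE_PASS} \
 -batch
 
-pki_logger "Sign CA-intermediate certificate..."
+pki_logger "Signing CA-intermediate certificate for authority ${AUTHORITY_NAME}..."
 openssl ca \
 -config ${CONFIG_DIR}/ca-config \
 -extensions extension_ca_intermediate \
@@ -100,11 +109,6 @@ function init_config_ca {
 touch "${CONFIG_DIR}/${CA_DIR}/crlnumber"
 }
 
-function get_autorities() {
-# To override
-echo ""
-}
-
 ################################################################################
 ################################## Main ##################################
 ################################################################################
@@ -152,30 +156,23 @@ function main() {
 fi
 
 # Create CA per authorities
-AUTHORITIES="$(get_autorities)"
-for AUTHORITY in ${AUTHORITIES[@]}
-do
-mkdir -p ${CA_DIR}/${AUTHORITY}
-init_config_ca ${AUTHORITY}
-
-if [ ! -f ${CA_DIR}/${AUTHORITY}/ca-root.crt ]; then
-pki_logger "Creation of CA-root for ${AUTHORITY}..."
-# Generate CA_ROOT_PASS & store it in the vault-ca
-CA_ROOT_PASS=$(setPassphrase ca "ca_root_${AUTHORITY}")
-generate_ca_root ${CA_ROOT_PASS} ${AUTHORITY}
+for AUTHORITY_NAME in $(get_autorities); do
+mkdir -p ${CA_DIR}/${AUTHORITY_NAME}
+init_config_ca ${AUTHORITY_NAME}
+
+if [ ! -f ${CA_DIR}/${AUTHORITY_NAME}/ca-root.crt ]; then
+# Generate ca-root for authority & store passphrase in the vault-ca
+generate_ca_root ${AUTHORITY_NAME}
 else
-pki_logger "CA-root for ${AUTHORITY} already exists, it will not be recreated..."
+pki_logger "CA-root for authority ${AUTHORITY_NAME} already exists, it will not be recreated..."
 fi
-if [ ! -f ${CA_DIR}/${AUTHORITY}/ca-intermediate.crt ]; then
-pki_logger "Creation of CA-intermediate for ${AUTHORITY}..."
-# Generate CA_INTERMEDIATE_PASS & store it in the vault-ca
-CA_INTERMEDIATE_PASS=$(setPassphrase ca "ca_intermediate_${AUTHORITY}")
-generate_ca_intermediate ${CA_INTERMEDIATE_PASS} ${CA_ROOT_PASS} ${AUTHORITY}
-
-purge_directory "${CONFIG_DIR}/${AUTHORITY}"
-purge_directory "${CA_DIR}/${AUTHORITY}"
+if [ ! -f ${CA_DIR}/${AUTHORITY_NAME}/ca-intermediate.crt ]; then
+# Generate ca-intermediate for authority & store passphrase in the vault-ca
+generate_ca_intermediate ${AUTHORITY_NAME}
+purge_directory "${CONFIG_DIR}/${AUTHORITY_NAME}"
+purge_directory "${CA_DIR}/${AUTHORITY_NAME}"
 else
-pki_logger "CA-intermediate for ${AUTHORITY} already exists, it will not be recreated..."
+pki_logger "CA-intermediate for authority ${AUTHORITY_NAME} already exists, it will not be recreated..."
 fi
 pki_logger "----------------------------------------------"
 done
@@ -186,4 +183,5 @@ function main() {
 fi
 pki_logger "=============================================="
 pki_logger "End of CA creation procedure"
+
 }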
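Review bot: `local CA_ROOT_PASS=$(setPassphrase ca "ca_root_${AUTHORITY_NAME}")` in generate_ca_root, and the two `local CA_ROOT_PASS=$(getPassphrase ...)` / `local CA_INTERMEDIATE_PASS=$(setPassphrase ...)` lines in generate_ca_intermediate, fold a command substitution into a `local` declaration, so the exit status of the vault-ca call is replaced by `local`'s own (success) and the `set -e` shown in the hunk context never fires. Before this commit the assignments lived in main as plain `CA_ROOT_PASS=$(setPassphrase ...)` statements, which `set -e` would have aborted on; moving them into the functions with `local` drops that protection, and a failed lookup or store now lets an empty value reach `-passout pass:${CA_ROOT_PASS}` and the later signing step, yielding a CA key protected by an empty passphrase or an openssl error that points away from the real cause. Split declaration from assignment so the status is honored: `local CA_ROOT_PASS` then `CA_ROOT_PASS=$(setPassphrase ca "ca_root_${AUTHORITY_NAME}")`, and the same two-line form for `CA_ROOT_PASS` and `CA_INTERMEDIATE_PASS` in generate_ca_intermediate. Both generate_ca_root and generate_ca_intermediate run past the end of their hunks, and main's body starts before its first hunk.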
