diff --git a/get_guid.sh b/get_guid.sh
new file mode 100644
index 0000000..c128036
--- /dev/null
+++ b/get_guid.sh
@@ -0,0 +1,37 @@
+#/usr/bin/env bash
+
+# You no longer need Windows for aquiring DCs GUID
+IFS='
+'
+
+convertToHex() {
+ # Inspired by https://docs.microsoft.com/en-us/troubleshoot/windows-server/admin-development/convert-string-guid-to-hexadecimal-string
+ RAW="$1"
+ GUID=$(echo "$RAW" | sed 's/\-//g')
+
+ HEX="${GUID:6:2}"
+ HEX="${HEX}${GUID:4:2}"
+ HEX="${HEX}${GUID:2:2}"
+ HEX="${HEX}${GUID:0:2}"
+ HEX="${HEX}${GUID:10:2}"
+ HEX="${HEX}${GUID:8:2}"
+ HEX="${HEX}${GUID:14:2}"
+ HEX="${HEX}${GUID:12:2}"
+ len=${#HEX}
+ HEX="${HEX}${GUID:16:${len}}"
+
+ echo "$HEX"
+}
+
+
+# apt install ldb-tools
+realm=$(grep -i realm /etc/samba/smb.conf | awk '{print $3}' | tr '[:upper:]' '[:lower:]')
+dc=$(echo $realm | awk -F '.' '{for(i = 1; i <= NF; i++) {printf ",DC=" $i}}')
+base="OU=Domain Controllers${dc}"
+cn=$(hostname -s)
+#cn=$(srvads2)
+GUID=$(ldbsearch -H /var/lib/samba/private/sam.ldb --basedn="$base" "CN=${cn}" objectGUID \
+ | grep '^objectGUID:' \
+ | awk '{print $2}' \
+)
+convertToHex "$GUID"
diff --git a/samba-pki-tools.ini.sample b/samba-pki-tools.ini.sample
index 8a94567..8ff352f 100644
--- a/samba-pki-tools.ini.sample
+++ b/samba-pki-tools.ini.sample
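Review bot: get_guid.sh resolves the DC with `cn=$(hostname -s)` and ignores its arguments, while tis-pki.py (hunk at -172) runs it once per entry of dc_list, so every DC in the list is given the local host's objectGUID; reading the name from `$1` keeps the current behaviour as the fallback: `cn=${1:-$(hostname -s)}; cn=${cn%%.*}`. The first line is `#/usr/bin/env bash` without the `!`, so it is an ordinary comment rather than a shebang, and a direct invocation falls back to the caller's `sh`, where the `${GUID:6:2}` substring expansions in convertToHex are not available — `#!/usr/bin/env bash`. Nothing checks that ldbsearch found the object: with no match `GUID` is empty, convertToHex prints an empty line and the caller embeds that as the DC GUID; add `[[ -n "$GUID" ]] || { printf 'objectGUID not found for CN=%s\n' "$cn" >&2; exit 1; }` before the final call, and `set -euo pipefail` after the shebang so a failing `grep`/`awk` stage is not silently swallowed.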
@@ -3,21 +3,26 @@ pki_dir = /opt/pki [openssl_config] -root_name = KG TIS +root_name = Tranquil IT country = FR state = Pays de la Loire city = Saint Sebastien Sur Loire -organization_name = KG Tranquil IT -organization_ou = KG Tranquil IT CA -organization_cn = KG Tranquil IT Root CA +organization_name = Tranquil IT +organization_ou = Tranquil IT CA +organization_cn = Tranquil IT Root CA default_cert_duration = 730 +default_crl_duration = 90 -crl_uri = URI:http://crl.kg.tranquil.it/crl/root_ca.crl +crl_uri = URI:http://crl.ad.tranquil.it/crl/tranquilit_root.crl create_intermediate = True -intermediate_organization_cn = INFOLIX Authentication CA -intermediate_crl_uri = URI:http://crl.infolix.lan/crl/infolix_authentication.crl +intermediate_organization_cn = Tranquil IT Authentication CA +intermediate_crl_uri = URI:http://crl.ad.tranquil.it/crl/tranquilit_authentication.crl + +# If you use Yubikey, max value is 2048 ; Nitrokey can be 4096 +default_bits_user = 2048 [samba_ad] -dc_list = +dc_list = srvads1.ad.tranquil.it,srvads2.ad.tranquil.it +upn_suffix = ad.tranquil.it diff --git a/templates/openssl_create_intermediate_ca.tmpl b/templates/openssl_create_intermediate_ca.tmpl new file mode 100644 index 0000000..f7f761a --- /dev/null +++ b/templates/openssl_create_intermediate_ca.tmpl @@ -0,0 +1,24 @@ +[ req ] +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign +default_md = sha512 +crlDistributionPoints = {{ intermediate_crl_uri }} +nsCertType = sslCA, emailCA +issuerAltName = issuer:copy + +[ req_distinguished_name ] +C = {{ country }} +ST = {{ state }} +L = {{ city }} +O = {{ organization_name }} +OU = {{ organization_ou }} +CN = {{ intermediate_organization_cn }} + 
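Review bot: In openssl_create_intermediate_ca.tmpl, `default_md = sha512` is placed inside `[ v3_ca ]`, which is an X.509v3 extension section; `default_md` is a `[ req ]`/`[ ca ]` setting, and if this section is passed as `-extensions v3_ca` OpenSSL rejects unrecognized extension names rather than ignoring them (I believe — a quick run of the CSR command against this file would confirm). Move the line into `[ req ]` next to `default_bits = 4096`. Nothing in `[ req ]` references `v3_ca` via `req_extensions`/`x509_extensions`, so the section only takes effect when the caller names it on the command line; the intermediate CSR command itself is not in this diff, so I cannot tell whether it does.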
diff --git a/templates/openssl_root_ca.tmpl b/templates/openssl_root_ca.tmpl index 5d96489..36bc1f2 100644 --- a/templates/openssl_root_ca.tmpl +++ b/templates/openssl_root_ca.tmpl @@ -1,5 +1,5 @@ [ ca ] -default_ca = {{ organization_ou }} +default_ca = CA_default [ CA_default ] dir = {{ pki_dir }} diff --git a/templates/openssl_server_cert.tmpl b/templates/openssl_server_cert.tmpl index b529787..e1dc564 100644 --- a/templates/openssl_server_cert.tmpl +++ b/templates/openssl_server_cert.tmpl @@ -24,8 +24,8 @@ serial = $dir/serial private = $dir/private # The root key and root certificate. -private_key = $dir/private/root_ca.key -certificate = $dir/certs/root_ca.crt +private_key = {{ dc_ca_keyfile }} +certificate = {{ dc_ca_certfile }} # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha512 @@ -36,7 +36,7 @@ default_days = {{ default_crl_duration }} preserve = no policy = policy_loose -default_crl_days = 90 +default_crl_days = {{ default_crl_duration }} [ req ] default_bits = 4096 diff --git a/templates/openssl_sign_intermediate_csr.tmpl b/templates/openssl_sign_intermediate_csr.tmpl new file mode 100644 index 0000000..0dcf6b7 --- /dev/null +++ b/templates/openssl_sign_intermediate_csr.tmpl 
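Review bot: In openssl_server_cert.tmpl the header of the second hunk shows `default_days = {{ default_crl_duration }}` a few lines above the new `default_crl_days = {{ default_crl_duration }}`, so both the issued certificate's lifetime and the CRL lifetime are driven by the 90-day CRL setting. The template is already rendered with `default_cert_duration` (it is in the dc_tmpl_var dict in tis-pki.py), so presumably the earlier line should read `default_days = {{ default_cert_duration }}`; the same `default_days = {{ default_crl_duration }}` context appears in the second openssl_user_cert.tmpl hunk. Neither line is touched by this commit, so if 90-day server and user certificates are intended, a comment saying so next to `default_days` would stop the next reader from "fixing" it.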
@@ -0,0 +1,43 @@ +[ ca ] + +default_ca = CA_default + +[ CA_default ] +dir = {{ pki_dir }} +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +private_key = {{ root_ca_keyfile }} +certificate = {{ root_ca_certfile }} + +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 1825 +preserve = no +policy = policy_loose +default_crl_days = {{ default_crl_duration }} + +[ policy_loose ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = optional +emailAddress = optional + +[ v3_intermediate_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +crlDistributionPoints = {{ intermediate_crl_uri }} +nsCertType = sslCA, emailCA +issuerAltName = issuer:copy + diff --git a/templates/openssl_user_cert.tmpl b/templates/openssl_user_cert.tmpl index c984fc6..defeaab 100644 --- a/templates/openssl_user_cert.tmpl +++ b/templates/openssl_user_cert.tmpl @@ -16,8 +16,8 @@ serial = $dir/serial private = $dir/private # The root key and root certificate. -private_key = $dir/private/root_ca.key -certificate = $dir/certs/root_ca.crt +private_key = {{ dc_ca_keyfile }} +certificate = {{ dc_ca_certfile }} # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha512 @@ -28,10 +28,10 @@ default_days = {{ default_crl_duration }} preserve = no policy = policy_loose -default_crl_days = 90 +default_crl_days = {{ default_crl_duration }} [ req ] -default_bits = 4096 +default_bits = {{ default_bits_user }} distinguished_name = req_distinguished_name [ policy_loose ] 
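Review bot: openssl_sign_intermediate_csr.tmpl signs the intermediate CSR under `policy = policy_loose`, where every DN component is `optional`, so the root key will issue a CA:true certificate for whatever subject the CSR carries. For a root signing its own intermediate a matching policy is the usual choice: keep `policy_loose` for the end-entity configs and point `policy` at a `[ policy_strict ]` section that requires C/ST/O to match the root and a CN to be supplied. `default_days = 1825` here is also repeated as `-days 1825` on the `openssl ca` command line in tis-pki.py; one of the two can go, the config being the easier one to audit.

```ini
[ CA_default ]
# … unchanged: dir, certs, database, private_key, certificate, default_md …
policy = policy_strict
# … unchanged: default_crl_days, policy_loose, v3_intermediate_ca sections …

[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
```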
@@ -73,9 +73,12 @@ organizationalUnitName_default = {{ organization_unit }} commonName = Common Name (eg, Your Name or server name) commonName_max = 64 +commonName_default = {{ commonName }} emailAddress = Email Address emailAddress_max = 64 +emailAddress_default = {{ emailAddress }} + ########################################### User Certificates ################################################ [ usr_cert_scarduser ] diff --git a/tis-pki.py b/tis-pki.py index ba1449e..2d48acb 100644 --- a/tis-pki.py +++ b/tis-pki.py @@ -23,6 +23,9 @@ class TisPKI: def root_ca_certfile(): return os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt') + def root_ca_keyfile(): + return os.path.join(TisPKI.pki_dir(),'private','root_ca.key') + def keyout_path(): return os.path.join(TisPKI.pki_dir(),'private') @@ -35,6 +38,16 @@ class TisPKI: def p12_path(): return os.path.join(TisPKI.pki_dir(),'p12') + def config_path(): + return os.path.join(TisPKI.pki_dir(),'config') + + def crl_path(): + return os.path.join(TisPKI.pki_dir(),'crl') + + + def intermediate_ca(): + if config.getboolean('openssl_config','create_intermediate'): + return True def pki_intermediate_dir(): return os.path.join(config.get('general','pki_dir'),'intermediate_ca') @@ -54,11 +67,17 @@ class TisPKI: def intermediate_p12_path(): return os.path.join(TisPKI.pki_intermediate_dir(),'p12') + def intermediate_config_path(): + return os.path.join(TisPKI.pki_intermediate_dir(),'config') + + def intermediate_crl_path(): + return os.path.join(TisPKI.pki_intermediate_dir(),'crl') + def check_directories(root_path): print('Check directories') - + directories_list = ['certs','config','crl','newcerts','private','csr','crl','p12'] if not os.path.isdir(root_path): 
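Review bot: `commonName_default = {{ commonName }}` and `emailAddress_default = {{ emailAddress }}` are prompt defaults, and the `openssl req` command that consumes this file (tis-pki.py, hunk at -278) does not pass `-batch`, so the operator is still prompted and can enter a CN or e-mail that differs from the username/UPN generate_user_certificate writes into the `msUPN` SAN. If the subject is meant to come from the config, add `-batch` to that command so the defaults are taken as-is; if the prompt is intentional, a one-line comment above these two lines saying that they are only pre-filled would answer the question for the next reader.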
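Review bot: `intermediate_ca()` returns `True` only when `create_intermediate` is set and falls through to `None` otherwise, but every call site in this diff — `if TisPKI.intermediate_ca:` in create_openssl_intermediate (hunk at -144), generate_dc_certificate (-172) and generate_user_certificate (-238) — tests the method object instead of calling it, and a function is always truthy. The root-CA-only branches are therefore dead: with `create_intermediate = False` the DC and user certificates are still written under the intermediate paths and signed with an intermediate key that was never created. Make the method `return config.getboolean('openssl_config','create_intermediate')` and call it as `TisPKI.intermediate_ca()` at the three sites. The methods in this class are invoked on the class without `self`; if that is deliberate, a `@staticmethod` decorator on each would make it explicit.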
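Review bot: `directories_list` in check_directories lists `'crl'` twice (third and seventh entries); harmless if the loop that consumes it creates directories idempotently, but the duplicate reads like a leftover from an edit, so `directories_list = ['certs','config','crl','newcerts','private','csr','p12']`. The body of check_directories continues outside this hunk, so I cannot see how the list is used.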
@@ -80,8 +99,7 @@ def create_openssl_config(): print('Check Root CA OpenSSL Config') root_ca_config = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca.ini') - root_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key') - root_ca_sign_intermediate = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini') + if not os.path.isfile(root_ca_config): print('Root CA OpenSSL configfile not exist. Creating...') @@ -91,6 +109,7 @@ def create_openssl_config(): root_ca_tmpl_var = { 'organization_ou': config.get('openssl_config','organization_name') + ' CA', 'default_cert_duration': config.get('openssl_config','default_cert_duration'), + 'default_crl_duration' : config.get('openssl_config','default_crl_duration'), 'pki_dir': TisPKI.pki_dir(), 'country': config.get('openssl_config','country'), 'state': config.get('openssl_config','state'), 
@@ -105,33 +124,18 @@ def create_openssl_config(): file.write(config_string) if os.path.isfile(root_ca_config): print('Root CA OpenSSL config file is correctly generated !') - - if config.getboolean('openssl_config','create_intermediate'): - template_dir = os.path.join('templates') - jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir)) - root_ca_tmpl = jinja_env.get_template('openssl_sign_intermediate_csr.tmpl') - root_ca_tmpl_var = { - 'organization_ou': config.get('openssl_config','organization_name') + ' CA', - 'pki_dir': TisPKI.pki_dir(), - 'root_ca_keyfile': root_ca_keyfile, - 'root_ca_certfile': TisPKI.root_ca_certfile(), - 'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri') - } - - config_string = root_ca_tmpl.render(root_ca_tmpl_var) - with open(root_ca_sign_intermediate,'wt') as file: - file.write(config_string) - if os.path.isfile(root_ca_sign_intermediate): - print('Root CA OpenSSL sign intermediate config file is correctly generated !') else: print('Root CA OpenSSL config already exist. 
Skip.') + # Generate privkey and cert for Root CA - if not os.path.isfile(root_ca_keyfile) and not os.path.isfile(TisPKI.root_ca_certfile()): - print('Generate CA private key') - gen_root_ca = subprocess.run(f'/usr/bin/openssl req -x509 -new -sha512 -config {root_ca_config} -days 3650 -extensions v3_ca -keyout {root_ca_keyfile} -out {TisPKI.root_ca_certfile()} -passout pass:calimero', shell=True, check=True, executable='/bin/bash') + if not os.path.isfile(TisPKI.root_ca_keyfile()) and not os.path.isfile(TisPKI.root_ca_certfile()): + print('Generate Root CA private key') + gen_root_ca = subprocess.run(f'/usr/bin/openssl req -x509 -new -sha512 -config {root_ca_config} -days 3650 -extensions v3_ca -keyout {TisPKI.root_ca_keyfile()} -out {TisPKI.root_ca_certfile()}', shell=True, check=True, executable='/bin/bash') if gen_root_ca.returncode == 0: - print(subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text -noout', shell=True, check=True, executable='/bin/bash')) + print(f'Root CA Certfile is stored in {TisPKI.root_ca_certfile()}') + print(subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text', shell=True, check=True, executable='/bin/bash')) + input("Press Enter to continue...") else: print('Error on generating Root CA private key') sys.exit(1) 
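Review bot: The rewritten `gen_root_ca = subprocess.run(..., check=True, ...)` raises `CalledProcessError` on any non-zero exit, so the `if gen_root_ca.returncode == 0:` test that follows can only ever see 0 and the `else` branch that prints 'Error on generating Root CA private key' is unreachable; the same pattern is added for `dc_guid` in generate_dc_certificate (hunk at -172). Either drop `check=True` and keep the returncode branch, or wrap the call in `try:`/`except subprocess.CalledProcessError:` and exit there. Removing `-passout pass:calimero` is the right change — the key passphrase is now entered on the terminal — but `openssl x509 -in ... -text` without `-noout` now echoes the PEM block after the dump; `-text -noout` as before keeps the output to the human-readable part.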
@@ -144,6 +148,29 @@ def create_openssl_intermediate(): check_directories(TisPKI.pki_intermediate_dir()) intermediate_ca_config = os.path.join(TisPKI.pki_intermediate_dir(),'config','create_intermediate_ca.ini') intermediate_ca_keyfile = os.path.join(TisPKI.pki_intermediate_dir(),'private','intermediate_ca.key') + crl_file = os.path.join(TisPKI.pki_intermediate_dir(),'crl','intermediate_ca.crl') + root_ca_sign_intermediate = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini') + + if not os.path.isfile(root_ca_sign_intermediate): + if TisPKI.intermediate_ca: + template_dir = os.path.join('templates') + jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir)) + root_ca_tmpl = jinja_env.get_template('openssl_sign_intermediate_csr.tmpl') + root_ca_tmpl_var = { + 'organization_ou': config.get('openssl_config','organization_name') + ' CA', + 'pki_dir': TisPKI.pki_dir(), + 'root_ca_keyfile': TisPKI.root_ca_keyfile(), + 'root_ca_certfile': TisPKI.root_ca_certfile(), + 'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri'), + 'default_crl_duration' : config.get('openssl_config','default_crl_duration'), + } + + config_string = root_ca_tmpl.render(root_ca_tmpl_var) + with open(root_ca_sign_intermediate,'wt') as file: + file.write(config_string) + if os.path.isfile(root_ca_sign_intermediate): + print('Root CA OpenSSL sign intermediate config file is correctly generated !') + if not os.path.isfile(intermediate_ca_config): print('Intermediate CA OpenSSL configfile not exist. Creating...') template_dir = os.path.join('templates') 
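Review bot: `crl_file` is assigned at the top of this hunk but never used: its only consumer is the `## ... -gencrl ...` block commented out in the next hunk (-172), and the `openssl ca -gencrl` call in generate_dc_certificate is deleted by hunk -238. After this commit no CRL is produced anywhere, while every template still embeds `crlDistributionPoints = {{ ... }}` and the sample config now points at `http://crl.ad.tranquil.it/...`, so a relying party that enforces revocation checking will presumably fail on the missing file. If CRL generation is moving to another step, a `# TODO: CRL generation moved to ...` next to `crl_file` would record that; otherwise restore the gencrl call and publish the output at the configured URI. The function continues outside this hunk.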
@@ -156,7 +183,7 @@ def create_openssl_intermediate(): 'organization_name': config.get('openssl_config','organization_name'), 'organization_ou': config.get('openssl_config','organization_ou'), 'intermediate_organization_cn': config.get('openssl_config','intermediate_organization_cn'), - 'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri') + 'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri') } config_string = intermediate_ca_tmpl.render(intermediate_ca_tmpl_var) with open(intermediate_ca_config,'wt') as file: 
@@ -172,44 +199,63 @@ def create_openssl_intermediate(): print('Sign Intermediate CA with Root CA') sign_intermediate_ca = subprocess.run(f"/usr/bin/openssl ca -config {os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini')} -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in {TisPKI.intermediate_csr_path()}/intermediate_ca.csr -out {TisPKI.intermediate_ca_certfile()}", shell=True, check=True, executable='/bin/bash' ) if sign_intermediate_ca.returncode == 0: + print(f'Intermediate CA Certfile is stored in : {TisPKI.intermediate_ca_certfile()}') print(subprocess.run(f'openssl x509 -in {TisPKI.intermediate_ca_certfile()} -text -noout', shell=True, check=True, executable='/bin/bash')) + input("Press Enter to continue...") else: print('Error on generating Intermediate CA private key') sys.exit(1) else: print('Intermediate CA private key and certificate already exist. Skip.') - - + +## if not os.path.isfile(crl_file): +## print('Generate CRL') +## subprocess.run(f'openssl ca -config {intermediate_ca_config} -gencrl -out {crl_file}',shell=True) + + def generate_dc_certificate(): dc_list = config.get('samba_ad','dc_list') for dc in dc_list.split(','): - dc_certfile = os.path.join(TisPKI.pki_dir(),'certs',f'{dc}.crt') - dc_keyfile = os.path.join(TisPKI.pki_dir(),'private',f'{dc}.key') - dc_csrfile = os.path.join(TisPKI.pki_dir(),'csr',f'{dc}.csr') - dc_openssl_configfile = os.path.join(TisPKI.pki_dir(),'config',f'openssl_{dc}.ini') - crl_file = os.path.join(TisPKI.pki_dir(),'crl','root_ca.crl') - - if config.getboolean('openssl_config','create_intermediate'): - dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','private','intermediate_ca.key') - dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','certs','intermediate_ca.crt') + if TisPKI.intermediate_ca: + dc_certfile = os.path.join(TisPKI.intermediate_cert_path(),f'{dc}.crt') + dc_keyfile = 
os.path.join(TisPKI.intermediate_keyout_path(),f'{dc}.key') + dc_csrfile = os.path.join(TisPKI.intermediate_csr_path(),f'{dc}.csr') + dc_openssl_configfile = os.path.join(TisPKI.intermediate_config_path(),f'openssl_{dc}.ini') + crl_file = os.path.join(TisPKI.intermediate_crl_path(),'intermediate_ca.crl') + dc_ca_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),'intermediate_ca.key') + dc_ca_certfile = os.path.join(TisPKI.intermediate_cert_path(),'intermediate_ca.crt') + crl_uri = config.get('openssl_config','intermediate_crl_uri') + pki_dir = TisPKI.pki_intermediate_dir() else: - dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key') - dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt') + dc_certfile = os.path.join(TisPKI.cert_path(),f'{dc}.crt') + dc_keyfile = os.path.join(TisPKI.keyout_path(),f'{dc}.key') + dc_csrfile = os.path.join(TisPKI.csr_path(),f'{dc}.csr') + dc_openssl_configfile = os.path.join(TisPKI.config_path(),f'openssl_{dc}.ini') + crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl') + dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key') + dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt') + crl_uri = config.get('openssl_config','crl_uri') + pki_dir = TisPKI.pki_dir() if not os.path.isfile(dc_certfile) and not os.path.isfile(dc_keyfile): print(f'Generate certificate for {dc}') - #dc_guid = subprocess.run(f'get_guid.sh {dc}',shell=True) - dc_guid = '3375a41d7acaa545994ffe4d94bda8ce' - print(dc_guid) + input("Press Enter to continue...") + dc_guid = subprocess.run('/bin/bash get_guid.sh',shell=True, check=True, executable='/bin/bash') + if dc_guid.returncode != 0: + print('Unable to find dc_guid') + sys.exit(1) + else: + dc_guid = str(subprocess.check_output(f'/bin/bash get_guid.sh',shell=True).decode("utf-8")).strip() + print(str(dc_guid).strip()) template_dir = ('templates') jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir)) dc_tmpl = 
jinja_env.get_template('openssl_server_cert.tmpl') dc_tmpl_var = { 'dc_name': f"{dc}", - 'dc_guid': dc_guid, - 'crl_uri': config.get('openssl_config','crl_uri'), - 'pki_dir': TisPKI.pki_dir(), + 'dc_guid': str(dc_guid), + 'crl_uri': crl_uri, + 'pki_dir': pki_dir, 'default_cert_duration': config.get('openssl_config','default_cert_duration'), 'country': config.get('openssl_config','country'), 'state': config.get('openssl_config','state'), @@ -228,7 +274,7 @@ def generate_dc_certificate(): print(f'{dc} OpenSSL configfile is correctly generated !') print(f'Generate private key and CSR for {dc}') - print(subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -keyout {dc_keyfile} -out {dc_csrfile} -config {dc_openssl_configfile} -passout pass:calimero" , shell=True, check=True, executable='/bin/bash')) + print(subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -keyout {dc_keyfile} -out {dc_csrfile} -config {dc_openssl_configfile}" , shell=True, check=True, executable='/bin/bash')) if os.path.isfile(dc_csrfile): print(f'Sign certificate for {dc}') 
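Review bot: get_guid.sh is executed twice per DC — once via `subprocess.run('/bin/bash get_guid.sh', ..., check=True)` whose stdout only goes to the terminal, then again via `subprocess.check_output` for the value — and neither call passes the DC name, although the loop iterates `dc_list` and the deleted comment line still carried `{dc}`; the script derives its CN from `hostname -s`, so each entry of dc_list receives the local host's objectGUID. Run it once, hand it the name, and let CalledProcessError replace the `returncode != 0` branch, which `check=True` makes unreachable (same pattern as in the root-CA hunk); an empty result should also stop the run instead of being rendered into the certificate config. The function continues outside this hunk.

```python
            print(f'Generate certificate for {dc}')
            try:
                # single invocation, argument list instead of a shell string, DC name handed to the script
                dc_guid = subprocess.check_output(['/bin/bash', 'get_guid.sh', dc]).decode('utf-8').strip()
            except subprocess.CalledProcessError:
                print(f'Unable to find objectGUID for {dc}')
                sys.exit(1)
            if not dc_guid:
                print(f'Empty objectGUID returned for {dc}')
                sys.exit(1)
            print(dc_guid)
            # … unchanged: template rendering and dc_tmpl_var …
```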
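Review bot: With `-passout pass:calimero` removed, `openssl req -new -newkey rsa:4096 -keyout {dc_keyfile}` now writes the DC's private key encrypted under a passphrase typed at the prompt, and unlike the user flow (which later runs `openssl rsa` to produce a `-nopasswd.key`) nothing decrypts it afterwards, so a service loading `{dc}.key` non-interactively will presumably fail to start. Either add `-nodes` to this command — the resulting plaintext key file then needs owner-only permissions, which the script does not set anywhere visible here — or append the same `openssl rsa -in ... -out ...` step used for user keys. The command string still interpolates paths through `shell=True`; they come from the config file, so this is a style point, but an argument list would remove the quoting question entirely.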
@@ -238,30 +284,42 @@ def generate_dc_certificate(): print('Concatenation of DC and Root cert') subprocess.run(f'cat {dc_certfile} {TisPKI.root_ca_certfile()} > {dc_certfile}_full',shell=True) - else: - print(f'{dc} private key and certificate already exist ! Revoke certificate before regenerate') - - print('Generate CRL') - subprocess.run(f'openssl ca -config {dc_openssl_configfile} -gencrl -out {crl_file}',shell=True) - def generate_user_certificate(): - - openssl_user_file = os.path.join(TisPKI.pki_dir(),'config','openssl_user.ini') - if config.getboolean('openssl_config','create_intermediate'): - dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','private','intermediate_ca.key') - dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','certs','intermediate_ca.crt') + + default_bits_user = config.get('openssl_config','default_bits_user') + + username = input('Enter username') + + upn_suffix = config.get('samba_ad','upn_suffix') + upn = f'{username}@{upn_suffix}' + + if TisPKI.intermediate_ca: + crl_file = os.path.join(TisPKI.intermediate_crl_path(),'intermediate_ca.crl') + dc_ca_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),'intermediate_ca.key') + dc_ca_certfile = os.path.join(TisPKI.intermediate_cert_path(),'intermediate_ca.crt') + crl_uri = config.get('openssl_config','intermediate_crl_uri') + pki_dir = TisPKI.pki_intermediate_dir() + openssl_user_file = os.path.join(TisPKI.intermediate_config_path(),'openssl_user.ini') + emailAddress = upn + commonName = username else: - dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key') - dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt') + crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl') + dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key') + dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt') + crl_uri = config.get('openssl_config','crl_uri') + pki_dir = TisPKI.pki_dir() + openssl_user_file = 
os.path.join(TisPKI.config_path(),'openssl_user.ini') + emailAddress = upn + commonName = username template_dir = ('templates') jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir)) user_tmpl = jinja_env.get_template('openssl_user_cert.tmpl') user_tmpl_var = { - 'crl_uri': config.get('openssl_config','crl_uri'), - 'pki_dir': TisPKI.pki_dir(), + 'crl_uri': crl_uri, + 'pki_dir': pki_dir, 'default_cert_duration': config.get('openssl_config','default_cert_duration'), 'country': config.get('openssl_config','country'), 'state': config.get('openssl_config','state'), @@ -269,7 +327,11 @@ def generate_user_certificate(): 'organization_name': config.get('openssl_config','organization_name'), 'organization_ou': config.get('openssl_config','organization_ou'), 'dc_ca_keyfile': dc_ca_keyfile, - 'dc_ca_certfile': dc_ca_certfile + 'dc_ca_certfile': dc_ca_certfile, + 'default_bits_user': config.get('openssl_config','default_bits_user'), + 'emailAddress' : emailAddress, + 'commonName' : commonName + } config_string = user_tmpl.render(user_tmpl_var) 
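Review bot: `username = input('Enter username')` is taken verbatim and, in hunk -278, spliced into `shell=True` command strings and into the `[ sanuser ]` here-document (`otherName=msUPN;UTF8:{upn}`), so a value containing spaces, quotes, `$(`, `;` or a newline either breaks the openssl invocation or is interpreted by the shell the tool runs as. Validate it before use: `if not re.fullmatch(r'[A-Za-z0-9._-]+', username): sys.exit('invalid username')` (with `import re` at the top of the file). The two branches also both end with `emailAddress = upn` and `commonName = username`; those assignments can sit once above the `if`. The function continues outside this hunk.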
@@ -278,19 +340,16 @@ def generate_user_certificate(): if os.path.isfile(openssl_user_file): print(f'User OpenSSL configfile is correctly generated !') - - print('Enter username') - username = input() - upn = f'{username}@infolix.lan' + print(f'Generate private key for {upn}') - print(subprocess.run(f"openssl req -new -newkey rsa:4096 -keyout {TisPKI.keyout_path()}/{username}.key -out {TisPKI.csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash')) + print(subprocess.run(f"openssl req -new -newkey rsa:{default_bits_user} -keyout {TisPKI.keyout_path()}/{username}.key -out {TisPKI.csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash')) print(f'Sign certificate') print(subprocess.run(f'openssl ca -extensions usr_cert_scarduser -days 730 -notext -md sha512 -create_serial -in {TisPKI.csr_path()}/{username}.csr -out {TisPKI.cert_path()}/{username}.crt -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)',shell=True,check=True, executable='/bin/bash')) - + print('Remove password in rsa key') print(subprocess.run(f'openssl rsa -in {TisPKI.keyout_path()}/{username}.key -out {TisPKI.keyout_path()}/{username}-nopasswd.key',shell=True,check=True, executable='/bin/bash'))