infra/samba-pki-tools
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[IMP] add new work

Browse Source
This commit is contained in:
Kevin GUERINEAU
2024-05-07 14:56:21 +02:00
parent 7a4fe704bf
commit fa3dedd02f
8 changed files with 255 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files
get_guid.sh
+37
View File
@@ -0,0 +1,37 @@
#/usr/bin/env bash
# You no longer need Windows for aquiring DCs GUID
IFS='
'
convertToHex() {
# Inspired by https://docs.microsoft.com/en-us/troubleshoot/windows-server/admin-development/convert-string-guid-to-hexadecimal-string
RAW="$1"
GUID=$(echo "$RAW" | sed 's/\-//g')
HEX="${GUID:6:2}"
HEX="${HEX}${GUID:4:2}"
HEX="${HEX}${GUID:2:2}"
HEX="${HEX}${GUID:0:2}"
HEX="${HEX}${GUID:10:2}"
HEX="${HEX}${GUID:8:2}"
HEX="${HEX}${GUID:14:2}"
HEX="${HEX}${GUID:12:2}"
len=${#HEX}
HEX="${HEX}${GUID:16:${len}}"
echo "$HEX"
}
# apt install ldb-tools
realm=$(grep -i realm /etc/samba/smb.conf | awk '{print $3}' | tr '[:upper:]' '[:lower:]')
dc=$(echo $realm | awk -F '.' '{for(i = 1; i <= NF; i++) {printf ",DC=" $i}}')
base="OU=Domain Controllers${dc}"
cn=$(hostname -s)
#cn=$(srvads2)
GUID=$(ldbsearch -H /var/lib/samba/private/sam.ldb --basedn="$base" "CN=${cn}" objectGUID \
| grep '^objectGUID:' \
| awk '{print $2}' \
)
convertToHex "$GUID"
samba-pki-tools.ini.sample
+13 -8
View File
@@ -3,21 +3,26 @@
pki_dir = /opt/pki
[openssl_config]
root_name = KG TIS
root_name = Tranquil IT
country = FR
state = Pays de la Loire
city = Saint Sebastien Sur Loire
organization_name = KG Tranquil IT
organization_ou = KG Tranquil IT CA
organization_cn = KG Tranquil IT Root CA
organization_name = Tranquil IT
organization_ou = Tranquil IT CA
organization_cn = Tranquil IT Root CA
default_cert_duration = 730
default_crl_duration = 90
crl_uri = URI:http://crl.kg.tranquil.it/crl/root_ca.crl
crl_uri = URI:http://crl.ad.tranquil.it/crl/tranquilit_root.crl
create_intermediate = True
intermediate_organization_cn = INFOLIX Authentication CA
intermediate_crl_uri = URI:http://crl.infolix.lan/crl/infolix_authentication.crl
intermediate_organization_cn = Tranquil IT Authentication CA
intermediate_crl_uri = URI:http://crl.ad.tranquil.it/crl/tranquilit_authentication.crl
# If you use Yubikey, max value is 2048 ; Nitrokey can be 4096
default_bits_user = 2048
[samba_ad]
dc_list =
dc_list = srvads1.ad.tranquil.it,srvads2.ad.tranquil.it
upn_suffix = ad.tranquil.it
templates/openssl_create_intermediate_ca.tmpl
+24
View File
@@ -0,0 +1,24 @@
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
prompt = no
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
default_md = sha512
crlDistributionPoints = {{ intermediate_crl_uri }}
nsCertType = sslCA, emailCA
issuerAltName = issuer:copy
[ req_distinguished_name ]
C = {{ country }}
ST = {{ state }}
L = {{ city }}
O = {{ organization_name }}
OU = {{ organization_ou }}
CN = {{ intermediate_organization_cn }}
templates/openssl_root_ca.tmpl
+1 -1
View File
@@ -1,5 +1,5 @@
[ ca ]
default_ca = {{ organization_ou }}
default_ca = CA_default
[ CA_default ]
dir = {{ pki_dir }}
templates/openssl_server_cert.tmpl
+3 -3
View File
@@ -24,8 +24,8 @@ serial = $dir/serial
private = $dir/private
# The root key and root certificate.
private_key = $dir/private/root_ca.key
certificate = $dir/certs/root_ca.crt
private_key = {{ dc_ca_keyfile }}
certificate = {{ dc_ca_certfile }}
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha512
@@ -36,7 +36,7 @@ default_days = {{ default_crl_duration }}
preserve = no
policy = policy_loose
default_crl_days = 90
default_crl_days = {{ default_crl_duration }}
[ req ]
default_bits = 4096
templates/openssl_sign_intermediate_csr.tmpl
+43
View File
@@ -0,0 +1,43 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = {{ pki_dir }}
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = {{ root_ca_keyfile }}
certificate = {{ root_ca_certfile }}
default_md = sha512
name_opt = ca_default
cert_opt = ca_default
default_days = 1825
preserve = no
policy = policy_loose
default_crl_days = {{ default_crl_duration }}
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
crlDistributionPoints = {{ intermediate_crl_uri }}
nsCertType = sslCA, emailCA
issuerAltName = issuer:copy
templates/openssl_user_cert.tmpl
+7 -4
View File
@@ -16,8 +16,8 @@ serial = $dir/serial
private = $dir/private
# The root key and root certificate.
private_key = $dir/private/root_ca.key
certificate = $dir/certs/root_ca.crt
private_key = {{ dc_ca_keyfile }}
certificate = {{ dc_ca_certfile }}
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha512
@@ -28,10 +28,10 @@ default_days = {{ default_crl_duration }}
preserve = no
policy = policy_loose
default_crl_days = 90
default_crl_days = {{ default_crl_duration }}
[ req ]
default_bits = 4096
default_bits = {{ default_bits_user }}
distinguished_name = req_distinguished_name
[ policy_loose ]
@@ -73,9 +73,12 @@ organizationalUnitName_default = {{ organization_unit }}
commonName = Common Name (eg, Your Name or server name)
commonName_max = 64
commonName_default = {{ commonName }}
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = {{ emailAddress }}
########################################### User Certificates ################################################
[ usr_cert_scarduser ]
tis-pki.py
+120 -61
View File
@@ -23,6 +23,9 @@ class TisPKI:
def root_ca_certfile():
return os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt')
def root_ca_keyfile():
return os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
def keyout_path():
return os.path.join(TisPKI.pki_dir(),'private')
@@ -35,6 +38,16 @@ class TisPKI:
def p12_path():
return os.path.join(TisPKI.pki_dir(),'p12')
def config_path():
return os.path.join(TisPKI.pki_dir(),'config')
def crl_path():
return os.path.join(TisPKI.pki_dir(),'crl')
def intermediate_ca():
if config.getboolean('openssl_config','create_intermediate'):
return True
def pki_intermediate_dir():
return os.path.join(config.get('general','pki_dir'),'intermediate_ca')
@@ -54,6 +67,12 @@ class TisPKI:
def intermediate_p12_path():
return os.path.join(TisPKI.pki_intermediate_dir(),'p12')
def intermediate_config_path():
return os.path.join(TisPKI.pki_intermediate_dir(),'config')
def intermediate_crl_path():
return os.path.join(TisPKI.pki_intermediate_dir(),'crl')
def check_directories(root_path):
@@ -80,8 +99,7 @@ def create_openssl_config():
print('Check Root CA OpenSSL Config')
root_ca_config = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca.ini')
root_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
root_ca_sign_intermediate = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini')
if not os.path.isfile(root_ca_config):
print('Root CA OpenSSL configfile not exist. Creating...')
@@ -91,6 +109,7 @@ def create_openssl_config():
root_ca_tmpl_var = {
'organization_ou': config.get('openssl_config','organization_name') + ' CA',
'default_cert_duration': config.get('openssl_config','default_cert_duration'),
'default_crl_duration' : config.get('openssl_config','default_crl_duration'),
'pki_dir': TisPKI.pki_dir(),
'country': config.get('openssl_config','country'),
'state': config.get('openssl_config','state'),
@@ -105,33 +124,18 @@ def create_openssl_config():
file.write(config_string)
if os.path.isfile(root_ca_config):
print('Root CA OpenSSL config file is correctly generated !')
if config.getboolean('openssl_config','create_intermediate'):
template_dir = os.path.join('templates')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
root_ca_tmpl = jinja_env.get_template('openssl_sign_intermediate_csr.tmpl')
root_ca_tmpl_var = {
'organization_ou': config.get('openssl_config','organization_name') + ' CA',
'pki_dir': TisPKI.pki_dir(),
'root_ca_keyfile': root_ca_keyfile,
'root_ca_certfile': TisPKI.root_ca_certfile(),
'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri')
}
config_string = root_ca_tmpl.render(root_ca_tmpl_var)
with open(root_ca_sign_intermediate,'wt') as file:
file.write(config_string)
if os.path.isfile(root_ca_sign_intermediate):
print('Root CA OpenSSL sign intermediate config file is correctly generated !')
else:
print('Root CA OpenSSL config already exist. Skip.')
# Generate privkey and cert for Root CA
if not os.path.isfile(root_ca_keyfile) and not os.path.isfile(TisPKI.root_ca_certfile()):
print('Generate CA private key')
gen_root_ca = subprocess.run(f'/usr/bin/openssl req -x509 -new -sha512 -config {root_ca_config} -days 3650 -extensions v3_ca -keyout {root_ca_keyfile} -out {TisPKI.root_ca_certfile()} -passout pass:calimero', shell=True, check=True, executable='/bin/bash')
if not os.path.isfile(TisPKI.root_ca_keyfile()) and not os.path.isfile(TisPKI.root_ca_certfile()):
print('Generate Root CA private key')
gen_root_ca = subprocess.run(f'/usr/bin/openssl req -x509 -new -sha512 -config {root_ca_config} -days 3650 -extensions v3_ca -keyout {TisPKI.root_ca_keyfile()} -out {TisPKI.root_ca_certfile()}', shell=True, check=True, executable='/bin/bash')
if gen_root_ca.returncode == 0:
print(subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text -noout', shell=True, check=True, executable='/bin/bash'))
print(f'Root CA Certfile is stored in {TisPKI.root_ca_certfile()}')
print(subprocess.run(f'openssl x509 -in {TisPKI.root_ca_certfile()} -text', shell=True, check=True, executable='/bin/bash'))
input("Press Enter to continue...")
else:
print('Error on generating Root CA private key')
sys.exit(1)
@@ -144,6 +148,29 @@ def create_openssl_intermediate():
check_directories(TisPKI.pki_intermediate_dir())
intermediate_ca_config = os.path.join(TisPKI.pki_intermediate_dir(),'config','create_intermediate_ca.ini')
intermediate_ca_keyfile = os.path.join(TisPKI.pki_intermediate_dir(),'private','intermediate_ca.key')
crl_file = os.path.join(TisPKI.pki_intermediate_dir(),'crl','intermediate_ca.crl')
root_ca_sign_intermediate = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini')
if not os.path.isfile(root_ca_sign_intermediate):
if TisPKI.intermediate_ca:
template_dir = os.path.join('templates')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
root_ca_tmpl = jinja_env.get_template('openssl_sign_intermediate_csr.tmpl')
root_ca_tmpl_var = {
'organization_ou': config.get('openssl_config','organization_name') + ' CA',
'pki_dir': TisPKI.pki_dir(),
'root_ca_keyfile': TisPKI.root_ca_keyfile(),
'root_ca_certfile': TisPKI.root_ca_certfile(),
'intermediate_crl_uri': config.get('openssl_config','intermediate_crl_uri'),
'default_crl_duration' : config.get('openssl_config','default_crl_duration'),
}
config_string = root_ca_tmpl.render(root_ca_tmpl_var)
with open(root_ca_sign_intermediate,'wt') as file:
file.write(config_string)
if os.path.isfile(root_ca_sign_intermediate):
print('Root CA OpenSSL sign intermediate config file is correctly generated !')
if not os.path.isfile(intermediate_ca_config):
print('Intermediate CA OpenSSL configfile not exist. Creating...')
template_dir = os.path.join('templates')
@@ -172,44 +199,63 @@ def create_openssl_intermediate():
print('Sign Intermediate CA with Root CA')
sign_intermediate_ca = subprocess.run(f"/usr/bin/openssl ca -config {os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca_sign_intermediate.ini')} -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in {TisPKI.intermediate_csr_path()}/intermediate_ca.csr -out {TisPKI.intermediate_ca_certfile()}", shell=True, check=True, executable='/bin/bash' )
if sign_intermediate_ca.returncode == 0:
print(f'Intermediate CA Certfile is stored in : {TisPKI.intermediate_ca_certfile()}')
print(subprocess.run(f'openssl x509 -in {TisPKI.intermediate_ca_certfile()} -text -noout', shell=True, check=True, executable='/bin/bash'))
input("Press Enter to continue...")
else:
print('Error on generating Intermediate CA private key')
sys.exit(1)
else:
print('Intermediate CA private key and certificate already exist. Skip.')
## if not os.path.isfile(crl_file):
## print('Generate CRL')
## subprocess.run(f'openssl ca -config {intermediate_ca_config} -gencrl -out {crl_file}',shell=True)
def generate_dc_certificate():
dc_list = config.get('samba_ad','dc_list')
for dc in dc_list.split(','):
dc_certfile = os.path.join(TisPKI.pki_dir(),'certs',f'{dc}.crt')
dc_keyfile = os.path.join(TisPKI.pki_dir(),'private',f'{dc}.key')
dc_csrfile = os.path.join(TisPKI.pki_dir(),'csr',f'{dc}.csr')
dc_openssl_configfile = os.path.join(TisPKI.pki_dir(),'config',f'openssl_{dc}.ini')
crl_file = os.path.join(TisPKI.pki_dir(),'crl','root_ca.crl')
if config.getboolean('openssl_config','create_intermediate'):
dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','private','intermediate_ca.key')
dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','certs','intermediate_ca.crt')
if TisPKI.intermediate_ca:
dc_certfile = os.path.join(TisPKI.intermediate_cert_path(),f'{dc}.crt')
dc_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),f'{dc}.key')
dc_csrfile = os.path.join(TisPKI.intermediate_csr_path(),f'{dc}.csr')
dc_openssl_configfile = os.path.join(TisPKI.intermediate_config_path(),f'openssl_{dc}.ini')
crl_file = os.path.join(TisPKI.intermediate_crl_path(),'intermediate_ca.crl')
dc_ca_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),'intermediate_ca.key')
dc_ca_certfile = os.path.join(TisPKI.intermediate_cert_path(),'intermediate_ca.crt')
crl_uri = config.get('openssl_config','intermediate_crl_uri')
pki_dir = TisPKI.pki_intermediate_dir()
else:
dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt')
dc_certfile = os.path.join(TisPKI.cert_path(),f'{dc}.crt')
dc_keyfile = os.path.join(TisPKI.keyout_path(),f'{dc}.key')
dc_csrfile = os.path.join(TisPKI.csr_path(),f'{dc}.csr')
dc_openssl_configfile = os.path.join(TisPKI.config_path(),f'openssl_{dc}.ini')
crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl')
dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key')
dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt')
crl_uri = config.get('openssl_config','crl_uri')
pki_dir = TisPKI.pki_dir()
if not os.path.isfile(dc_certfile) and not os.path.isfile(dc_keyfile):
print(f'Generate certificate for {dc}')
#dc_guid = subprocess.run(f'get_guid.sh {dc}',shell=True)
dc_guid = '3375a41d7acaa545994ffe4d94bda8ce'
print(dc_guid)
input("Press Enter to continue...")
dc_guid = subprocess.run('/bin/bash get_guid.sh',shell=True, check=True, executable='/bin/bash')
if dc_guid.returncode != 0:
print('Unable to find dc_guid')
sys.exit(1)
else:
dc_guid = str(subprocess.check_output(f'/bin/bash get_guid.sh',shell=True).decode("utf-8")).strip()
print(str(dc_guid).strip())
template_dir = ('templates')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
dc_tmpl = jinja_env.get_template('openssl_server_cert.tmpl')
dc_tmpl_var = {
'dc_name': f"{dc}",
'dc_guid': dc_guid,
'crl_uri': config.get('openssl_config','crl_uri'),
'pki_dir': TisPKI.pki_dir(),
'dc_guid': str(dc_guid),
'crl_uri': crl_uri,
'pki_dir': pki_dir,
'default_cert_duration': config.get('openssl_config','default_cert_duration'),
'country': config.get('openssl_config','country'),
'state': config.get('openssl_config','state'),
@@ -228,7 +274,7 @@ def generate_dc_certificate():
print(f'{dc} OpenSSL configfile is correctly generated !')
print(f'Generate private key and CSR for {dc}')
print(subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -keyout {dc_keyfile} -out {dc_csrfile} -config {dc_openssl_configfile} -passout pass:calimero" , shell=True, check=True, executable='/bin/bash'))
print(subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -keyout {dc_keyfile} -out {dc_csrfile} -config {dc_openssl_configfile}" , shell=True, check=True, executable='/bin/bash'))
if os.path.isfile(dc_csrfile):
print(f'Sign certificate for {dc}')
@@ -238,30 +284,42 @@ def generate_dc_certificate():
print('Concatenation of DC and Root cert')
subprocess.run(f'cat {dc_certfile} {TisPKI.root_ca_certfile()} > {dc_certfile}_full',shell=True)
else:
print(f'{dc} private key and certificate already exist ! Revoke certificate before regenerate')
print('Generate CRL')
subprocess.run(f'openssl ca -config {dc_openssl_configfile} -gencrl -out {crl_file}',shell=True)
def generate_user_certificate():
openssl_user_file = os.path.join(TisPKI.pki_dir(),'config','openssl_user.ini')
if config.getboolean('openssl_config','create_intermediate'):
dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','private','intermediate_ca.key')
dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'intermediate_ca','certs','intermediate_ca.crt')
default_bits_user = config.get('openssl_config','default_bits_user')
username = input('Enter username')
upn_suffix = config.get('samba_ad','upn_suffix')
upn = f'{username}@{upn_suffix}'
if TisPKI.intermediate_ca:
crl_file = os.path.join(TisPKI.intermediate_crl_path(),'intermediate_ca.crl')
dc_ca_keyfile = os.path.join(TisPKI.intermediate_keyout_path(),'intermediate_ca.key')
dc_ca_certfile = os.path.join(TisPKI.intermediate_cert_path(),'intermediate_ca.crt')
crl_uri = config.get('openssl_config','intermediate_crl_uri')
pki_dir = TisPKI.pki_intermediate_dir()
openssl_user_file = os.path.join(TisPKI.intermediate_config_path(),'openssl_user.ini')
emailAddress = upn
commonName = username
else:
dc_ca_keyfile = os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
dc_ca_certfile = os.path.join(TisPKI.pki_dir(),'certs','root_ca.crt')
crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl')
dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key')
dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt')
crl_uri = config.get('openssl_config','crl_uri')
pki_dir = TisPKI.pki_dir()
openssl_user_file = os.path.join(TisPKI.config_path(),'openssl_user.ini')
emailAddress = upn
commonName = username
template_dir = ('templates')
jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(template_dir))
user_tmpl = jinja_env.get_template('openssl_user_cert.tmpl')
user_tmpl_var = {
'crl_uri': config.get('openssl_config','crl_uri'),
'pki_dir': TisPKI.pki_dir(),
'crl_uri': crl_uri,
'pki_dir': pki_dir,
'default_cert_duration': config.get('openssl_config','default_cert_duration'),
'country': config.get('openssl_config','country'),
'state': config.get('openssl_config','state'),
@@ -269,7 +327,11 @@ def generate_user_certificate():
'organization_name': config.get('openssl_config','organization_name'),
'organization_ou': config.get('openssl_config','organization_ou'),
'dc_ca_keyfile': dc_ca_keyfile,
'dc_ca_certfile': dc_ca_certfile
'dc_ca_certfile': dc_ca_certfile,
'default_bits_user': config.get('openssl_config','default_bits_user'),
'emailAddress' : emailAddress,
'commonName' : commonName
}
config_string = user_tmpl.render(user_tmpl_var)
@@ -280,13 +342,10 @@ def generate_user_certificate():
print(f'User OpenSSL configfile is correctly generated !')
print('Enter username')
username = input()
upn = f'{username}@infolix.lan'
print(f'Generate private key for {upn}')
print(subprocess.run(f"openssl req -new -newkey rsa:4096 -keyout {TisPKI.keyout_path()}/{username}.key -out {TisPKI.csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash'))
print(subprocess.run(f"openssl req -new -newkey rsa:{default_bits_user} -keyout {TisPKI.keyout_path()}/{username}.key -out {TisPKI.csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash'))
print(f'Sign certificate')
print(subprocess.run(f'openssl ca -extensions usr_cert_scarduser -days 730 -notext -md sha512 -create_serial -in {TisPKI.csr_path()}/{username}.csr -out {TisPKI.cert_path()}/{username}.crt -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)',shell=True,check=True, executable='/bin/bash'))