Scripts to bootstrap a development domtool environment
authorClinton Ebadi <clinton@unknownlamer.org>
Fri, 25 Apr 2014 21:10:07 +0000 (17:10 -0400)
committerClinton Ebadi <clinton@unknownlamer.org>
Fri, 25 Apr 2014 21:10:07 +0000 (17:10 -0400)
bootstrap/README [new file with mode: 0644]
bootstrap/bootstrap [new file with mode: 0755]
bootstrap/common.ssl.conf [new file with mode: 0644]
bootstrap/domtool-create-ca [new file with mode: 0755]
bootstrap/domtool-create-local-root [new file with mode: 0755]
bootstrap/domtool-create-shared-root [new file with mode: 0755]
bootstrap/domtool-init-acl [new file with mode: 0755]
bootstrap/domtool-init-truststore [new file with mode: 0755]
bootstrap/test.domain.core.ssl.conf [new file with mode: 0644]

diff --git a/bootstrap/README b/bootstrap/README
new file mode 100644 (file)
index 0000000..a5115fc
--- /dev/null
@@ -0,0 +1,16 @@
+Basic bootstrapping
+
+ - Customize config/core/core.sml and configDefault/ as needed
+   - Use config.sml for changes other than core. At least set defaultDomain.
+ - Create a user for domtool
+ - `make install' domtool
+ - Run domtool-create-shared-root to bootstrap shared directories
+   - Run domtool-create-local-root to bootstrap local work directories if this machine will be a node
+ - Customize and copy test.domain.core.conf to $defaultDomain.core.ssl.conf
+   - You unfortunately have to duplicate the value of Config.caPath here
+ - Run domtool-create-ca to boostrap your local domtool ca
+ - Run domtool-init-truststore to initialize the trust store
+ - Run domtool-init-acl $user to add yourself as an administrator of domtool
+ - Create needed work directories
+ - In theory, domtool should start and you should be able to grant
+   yourself domains and configure things
\ No newline at end of file
diff --git a/bootstrap/bootstrap b/bootstrap/bootstrap
new file mode 100755 (executable)
index 0000000..ba59893
--- /dev/null
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Bootstrap everything for a DEVELOPMENT ENVIRONMENT (an insecure one
+# at that), assuming you are going to be domtool root
+
+if [ -z "`getent passwd domtool`" ]; then
+    adduser --disabled-password domtool
+fi
+
+./domtool-create-shared-root
+./domtool-create-local-root
+./domtool-create-ca -force
+./domtool-init-truststore
+./domtool-init-acl `whoami`
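Review bot: Nothing stops the chain when a step fails: there is no `set -e` and no `|| exit 1`, so a failing `./domtool-create-ca -force` still lets `./domtool-init-truststore` append whatever it finds and `./domtool-init-acl` still writes the ACL. Adding `set -e` directly under the shebang keeps the script POSIX and makes every step's failure fatal. The last line passes an unquoted backtick expansion; `./domtool-init-acl "$(whoami)"` is the safer, equivalent form. The `getent passwd domtool` test also silently assumes `adduser` exists and succeeds, which `set -e` would at least make visible.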
diff --git a/bootstrap/common.ssl.conf b/bootstrap/common.ssl.conf
new file mode 100644 (file)
index 0000000..c2c0ddb
--- /dev/null
@@ -0,0 +1,91 @@
+# Minimal openssl configuration needed to be a CA for domtool
+
+# intentionally not setting RANDFILE, because it is useless on modern
+# machines.
+
+[ ca ]
+default_ca = Domtool_CA
+
+[ Domtool_CA ]
+dir             = ${Domtool_Defaults::ca_dir}
+
+certs          = $dir/certs            
+crl_dir                = $dir/crl              
+database       = $dir/index
+
+# Needed because domtool does not revoke certs before
+# reissuing. Possibly bad behavior, if a private key were to leak.
+unique_subject = no
+                                       
+new_certs_dir  = $dir/newcerts         
+
+certificate    = $dir/ca-cert.pem      
+serial         = $dir/serial           
+crlnumber      = $dir/crlnumber        
+                                       
+crl            = $dir/crl.pem          
+private_key    = $dir/private/ca-key.pem
+RANDFILE       = $dir/private/.rand    
+
+x509_extensions        = usr_cert
+
+name_opt       = ca_default
+cert_opt       = ca_default
+
+crl_extensions = crl_ext
+
+default_days   = 365                   
+default_crl_days= 30
+default_md      = sha1
+preserve       = no                    
+
+policy         = policy_domtool
+
+[ policy_domtool ]
+# Domtool doesn't care where you claim to live
+#countryName           = optional
+#stateOrProvinceName   = optional
+#localityName            = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = supplied
+
+# req section is only used when generating the request for the CA to sign itself!
+[ req ]
+default_bits            = 4096
+default_keyfile         = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
+default_md              = sha1
+
+prompt                  = no
+distinguished_name      = root_ca_distinguished_name
+string_mask = nombstr
+
+# Extensions to add to the self-signed cert generated to certificate the CA
+x509_extensions = v3_ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
+#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
+
+[ v3_ca ]
+# These extensions are added when the CA signs itself
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+# Ensure only user certificates and not another ca can be signed
+basicConstraints = critical,CA:true,pathlen:0
+
+[ root_ca_distinguished_name ]
+commonName = ${Domtool_Defaults::org_name}
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Berkeley
+0.organizationName = ${Domtool_Defaults::org_domain}
+emailAddress = ca@${Domtool_Defaults::org_domain}
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
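Review bot: `default_md = sha1` appears twice, in the Domtool_CA section and again in the req section, so both the self-signed CA certificate and every certificate this CA issues are signed with SHA-1; for a CA created fresh `default_md = sha256` is the value to use in both places. The comment on `unique_subject = no` already admits the reissue-without-revoke weakness, and the crl_ext section plus `crl_extensions = crl_ext` are dead configuration as long as nothing in the bootstrap scripts ever runs `openssl ca -gencrl`; a one-line comment above `[ crl_ext ]` such as `# unused: no CRL is ever generated or checked by domtool` would stop a reader from assuming revocation works. The trailing whitespace on several value lines (certs, crl_dir, new_certs_dir, serial, default_days) is harmless to OpenSSL but worth trimming.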
diff --git a/bootstrap/domtool-create-ca b/bootstrap/domtool-create-ca
new file mode 100755 (executable)
index 0000000..452c2e1
--- /dev/null
@@ -0,0 +1,52 @@
+#!/bin/bash
+# -*- sh -*-
+
+# Create a domtool certificate authority
+# WARNING: Will not create a secure CA if it is in afs space
+
+if [[ `whoami` != "root" && "$1" != "-force" ]]; then
+    echo "This should be run as root. Use -force to force creating a CA"
+    echo "as a normal user"
+    exit 1
+fi
+
+# use domtool-config to extract ca path and site domain
+
+CAPATH=`../bin/domtool-config -path cert ca`
+BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf
+
+cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf
+
+if [ -z "$CAPATH" ]; then
+    echo "No CA path set. Domtool has not yet been built?"
+    exit 1
+fi
+
+# 1. Create directory structure
+
+mkdir -p $CAPATH
+for d in crl newcerts private; do
+    mkdir $CAPATH/$d
+done
+
+chmod go-rwx $CAPATH/private
+echo '01' > $CAPATH/serial
+touch $CAPATH/index
+
+# 2. Generate private key
+
+openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM
+
+# 3. Copy ssl configuration to ca dir
+
+# In general, publishing the openssl config for a domain in the ca
+# directory might not be the best idea, but since this is a limited
+# use internal CA, it is probably not a big deal.
+cp domtool-openssl.conf $CAPATH/
+chmod 600 $CAPATH/domtool-openssl.conf
+
+# Does the CA need to be readable by domtool? Issues with sudo and
+# tickets, but those could be solved by creating a 700
+# /tmp/domtool-ca-out/ and chowning to the actual user after for the
+# copy/delete. Or maybe the ca ought to live in afs
+# space... generality issues arise, probably just do option #1.
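Review bot: The `cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf` line runs before the empty-CAPATH guard, so an unbuilt tree still leaves a half-formed domtool-openssl.conf behind, and nothing checks the exit status of `openssl req`, so the cp/chmod that follow run even when no key or certificate was produced. Every `$CAPATH` expansion is unquoted, and `private` is created with the caller's umask and only chmod'ed afterwards, so `mkdir -m 700` (or an early `umask 077`) is the tighter form. Moving the guard above the cat, adding `set -e`, and quoting the expansions covers all of these; the openssl line itself is unchanged apart from quoting. The key is written with `-nodes`, which the header comment should state explicitly since the file is the CA's unencrypted private key.
```shell
set -e

# use domtool-config to extract ca path and site domain
CAPATH=$(../bin/domtool-config -path cert ca)
if [ -z "$CAPATH" ]; then
    echo "No CA path set. Domtool has not yet been built?" >&2
    exit 1
fi
BASE_OPENSSL_CONFIG=$(../bin/domtool-config -domain).core.ssl.conf
cat "$BASE_OPENSSL_CONFIG" common.ssl.conf > domtool-openssl.conf

# 1. Create directory structure (private/ is created mode 700, not chmod'ed after the fact)
mkdir -p "$CAPATH/crl" "$CAPATH/newcerts"
mkdir -p -m 700 "$CAPATH/private"
chmod go-rwx "$CAPATH/private"
echo '01' > "$CAPATH/serial"
touch "$CAPATH/index"

# 2. Generate private key (unencrypted: -nodes) and self-signed CA certificate
openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out "$CAPATH/ca-cert.pem" -outform PEM

# … unchanged: copy of domtool-openssl.conf into the CA dir, quoted …
```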
diff --git a/bootstrap/domtool-create-local-root b/bootstrap/domtool-create-local-root
new file mode 100755 (executable)
index 0000000..e566f06
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# ideally: domtool-create-local-root service+
+# service = bind, apache, exim, courier, etc.
+# actually: domtool-create-local-root -> every possible service dir is created
+
+LOCALROOT=`domtool-config -path local-root`
+
+if [ -z "$LOCALROOT" ]; then
+    echo "ERROR: local root not set. Domtool not built?"
+    exit 1
+fi
+
+set -x
+
+mkdir -p $LOCALROOT
+
+for d in firewall vhosts zones; do
+    mkdir $LOCALROOT/$d
+done
+
+# domtool probably ought to ensure directories exist, since the
+# services configured by a worker are set statically. It makes little
+# sense for a worker to advertise that it can configure a service, and
+# not actually be able to do so.
+
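Review bot: `LOCALROOT=\`domtool-config -path local-root\`` is the only call in this commit that invokes domtool-config without the `../bin/` prefix the sibling scripts use (domtool-create-shared-root, domtool-init-acl, domtool-init-truststore, domtool-create-ca all use `../bin/domtool-config`), so when ./bootstrap runs it the command is presumably only found if domtool-config is on PATH, and the failure surfaces as the misleading "local root not set" message. `LOCALROOT=$(../bin/domtool-config -path local-root)` makes it consistent. `mkdir -p $LOCALROOT` and `mkdir $LOCALROOT/$d` should quote the expansion, and `mkdir` without `-p` inside the loop makes a re-run fail noisily on directories that already exist.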
diff --git a/bootstrap/domtool-create-shared-root b/bootstrap/domtool-create-shared-root
new file mode 100755 (executable)
index 0000000..ba0ebbf
--- /dev/null
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Create shared directories, set permissions
+
+SHAREDROOT=`../bin/domtool-config -path shared-root`
+
+if [ -z "$SHAREDROOT" ]; then
+    echo "shared-root not set, domtool not built?"
+    exit 1
+fi
+
+function if_afs () {
+    if [[ $SHAREDROOT == /afs/* ]]; then
+       $*
+    fi
+}
+
+if_afs echo "AFS in use. This will not work correctly."
+
+set -x
+
+mkdir -p $SHAREDROOT
+
+for d in backup certs email firewall keys lib logs nodes nodes.old serials webalizer; do
+    mkdir $SHAREDROOT/$d
+done
+
+touch $SHAREDROOT/firewall/user.rules
+
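Review bot: The header comment says "Create shared directories, set permissions", but no permissions are set: every directory, including keys, certs and serials, is created with the caller's umask, which presumably leaves them world-readable by default. Either drop "set permissions" from the comment or add the intended step, e.g. `chmod go-rwx "$SHAREDROOT/keys"` after the loop. The `if_afs` helper forwards its arguments as an unquoted `$*`, which re-splits and re-globs them; `"$@"` is the correct form. `if_afs echo "AFS in use. This will not work correctly."` only warns and then proceeds to create the directories anyway; if it really will not work, `if_afs exit 1` after the message is the honest behaviour. The `$SHAREDROOT` expansions in the mkdir and touch lines are unquoted.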
diff --git a/bootstrap/domtool-init-acl b/bootstrap/domtool-init-acl
new file mode 100755 (executable)
index 0000000..3759fa4
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+SHAREDROOT=`../bin/domtool-config -path shared-root`
+DOMTOOLROOT="$1"
+
+if [ -z "$SHAREDROOT" ]; then
+    echo "shared-root not set, domtool not built?"
+    exit 1
+fi
+
+if [ -z "$DOMTOOLROOT" ]; then
+    echo "Usage: $0 USER"
+    exit 1
+fi
+
+if [ -f $SHAREDROOT/acl ]; then
+    echo "acl file already exists. Refusing to overwrite"
+    exit 1
+fi
+
+cat > $SHAREDROOT/acl <<EOF
+$USER
+priv all
+
+EOF
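Review bot: The user named on the command line is validated as `DOMTOOLROOT` but never used: the heredoc writes `$USER`, the invoking environment's user, so `domtool-init-acl alice` run by someone else (or under sudo, where USER may well be root) grants `priv all` to the wrong account while the usage check passes. The first line of the heredoc should be `$DOMTOOLROOT`. `[ -f $SHAREDROOT/acl ]` and the `cat > $SHAREDROOT/acl` redirect should quote `"$SHAREDROOT/acl"`, and the `-f` test does not catch a pre-existing acl that is a directory or symlink, which `-e` would.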
diff --git a/bootstrap/domtool-init-truststore b/bootstrap/domtool-init-truststore
new file mode 100755 (executable)
index 0000000..0c53f2a
--- /dev/null
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# After creating CA, add certificate to the trust store.
+
+# This is its own script because root will likely not have afs tokens
+# and be unable to write to the truststore if it is stored in afs
+
+CAPATH=`../bin/domtool-config -path cert ca`
+TRUSTSTORE=`../bin/domtool-config -path cert truststore`
+
+if [ -f "$TRUSTSTORE" ]; then
+    echo "Warning: $TRUSTSTORE exists, appending new cert instead of overwriting."
+fi
+
+cat $CAPATH/ca-cert.pem >> $TRUSTSTORE
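Review bot: Unlike the sibling scripts, nothing checks that CAPATH is non-empty or that `$CAPATH/ca-cert.pem` exists before the final `cat $CAPATH/ca-cert.pem >> $TRUSTSTORE`; because the redirection is set up first, a failed cat still creates an empty truststore (or touches an existing one) and the non-zero status is ignored, so ./bootstrap carries on with an empty trust store. A guard such as `[ -n "$CAPATH" ] && [ -r "$CAPATH/ca-cert.pem" ] || { echo "CA certificate not found" >&2; exit 1; }` before the append, plus quoting both expansions, fixes this. Re-running also appends the same certificate a second time, which the warning on the `-f` test describes but does not prevent; a `grep -q` of the cert's first line, or refusing to run when the truststore exists, would avoid the duplicate.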
diff --git a/bootstrap/test.domain.core.ssl.conf b/bootstrap/test.domain.core.ssl.conf
new file mode 100644 (file)
index 0000000..12ef0ee
--- /dev/null
@@ -0,0 +1,9 @@
+# You should be able to customize the settings in Domtool_Defaults and
+# have everything Just Work (tm)
+[ Domtool_Defaults ]
+ca_dir = ${ENV::HOME}/domtool/ca
+org_domain = test.domain
+org_name = Foo Hacker, Inc.
+#ca_dir = /etc/domtool/ca
+#org_domain = hcoop.net
+#org_name = HCoop, Inc.
\ No newline at end of file
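Review bot: `ca_dir` here has to equal what `domtool-config -path cert ca` returns: domtool-create-ca in this same commit writes the private key via common.ssl.conf's `default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem`, but only creates and protects `$CAPATH/private` as reported by domtool-config, so a mismatch drops the unencrypted key into an unprotected, unexpected location with no error. The README mentions the duplication, but the template itself should say so next to the value: `# ca_dir MUST match Config.caPath (domtool-config -path cert ca); domtool-create-ca only protects that directory`. The `${ENV::HOME}` default also means the result depends on who runs domtool-create-ca (root vs. the -force user), which is worth a line in the same comment.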