1. **`intermediate_cert_name` unique constraint violation**: When creating a perimeter, the intermediate certificate name (`intermediate_cert_name`) stored in the `functional_perimeters` table was always `"intermediate.cert.pem"`. This caused a duplicate error if a unique constraint existed on this column. * Fixed in `PerimeterController.php` by using `$perimeterName . "_intermediate.cert.pem"` as the value for `intermediate_cert_name`, ensuring uniqueness. The physical file name remains `intermediate.cert.pem` in the perimeter's subdirectory. 2. **`Undefined variable $userRole` warning**: On the page listing perimeters (`app/src/Views/perimeters/index.php`), the `$userRole` variable was not defined by the controller. * Fixed in `PerimeterController.php` (method `index()`) by initializing `$userRole = $this->authService->getUserRole();`. 3. **SQL error `Unknown column 'common_name'` during initialization**: During the application initialization process (if no user or root certificate exists), an attempt to insert into the `certificates` table included a `common_name` column that does not exist. * Fixed in `app/public/index.php` by removing the `common_name` column and its value from the insert query for the root certificate. These corrections improve the robustness of perimeter creation and make the application initialization process more reliable.
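#!/bin/bash
#
# Create an intermediate CA, signed by the root CA, for one "functional
# perimeter".  Invoked by the PHP application when a new perimeter is created.
#
# Arguments:
#   $1  functional perimeter name (used as the directory name and in the CN)
#   $2  passphrase for the intermediate private key; the literal string
#       EMPTY_STRING (or an empty argument) means "no passphrase"
#   $3  root domain (e.g. example.com)
#
# Files produced under /opt/tls/intermediate/<perimeter>/ :
#   openssl.cnf                      copy of the template, 'dir' rewritten
#   private/intermediate.key.pem     RSA 4096, AES-256 if a passphrase is set (0400)
#   csr/intermediate.csr.pem
#   certs/intermediate.cert.pem      signed by the root CA, 10 years (0444)
#   certs/ca-chain.cert.pem          intermediate + root (0444)
#   crl/intermediate.crl.pem         initial (empty) CRL
#   private/ocsp.key.pem, csr/ocsp.csr.pem
#     NOTE(review): the OCSP CSR is generated but not signed in this script;
#     presumably handled elsewhere — confirm.
#
# Error messages are written to stdout (not stderr) on purpose: the existing
# messages were on stdout and the PHP caller may be displaying captured stdout.
# Exit status is non-zero on any failure; a partially built perimeter
# directory is removed so that the perimeter can be created again.
set -euo pipefail

FUNCTIONAL_PERIMETER_NAME="${1:-}"
INTERMEDIATE_KEY_PASSPHRASE="${2:-}"   # optional; empty or EMPTY_STRING means no passphrase
ROOT_DOMAIN="${3:-}"

if [[ -z "$FUNCTIONAL_PERIMETER_NAME" || -z "$ROOT_DOMAIN" ]]; then
  echo "Usage: $0 <functional_perimeter_name> <key_passphrase|EMPTY_STRING> <root_domain>"
  echo "Error: Functional perimeter name and root domain are required."
  exit 1
fi

# The perimeter name originates in the web application, i.e. in user input,
# and is spliced into a filesystem path, a sed replacement string and an
# X.509 subject below.  Restrict it to a safe character set: this rules out
# path traversal ("../root"), the sed delimiter "|", the "/" that separates
# subject components, and a leading "." or "-".
if [[ ! "$FUNCTIONAL_PERIMETER_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "Error: invalid functional perimeter name '$FUNCTIONAL_PERIMETER_NAME' (allowed: letters, digits, '.', '_', '-'; must start with a letter or digit)."
  exit 1
fi
# The root domain also ends up in the -subj strings; allow DNS-name characters only.
if [[ ! "$ROOT_DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo "Error: invalid root domain '$ROOT_DOMAIN' (allowed: letters, digits, '.', '-')."
  exit 1
fi

# The caller uses the literal EMPTY_STRING as a sentinel for "no passphrase".
if [[ "$INTERMEDIATE_KEY_PASSPHRASE" == "EMPTY_STRING" ]]; then
  INTERMEDIATE_KEY_PASSPHRASE=""
fi

readonly ROOT_CA_DIR="/opt/tls/root"
readonly INTERMEDIATE_PARENT_DIR="/opt/tls/intermediate"
readonly INTERMEDIATE_CA_DIR="$INTERMEDIATE_PARENT_DIR/$FUNCTIONAL_PERIMETER_NAME"

# Refuse to touch an existing perimeter directory.
if [[ -d "$INTERMEDIATE_CA_DIR" ]]; then
  echo "Erreur : Le répertoire pour le périmètre '$FUNCTIONAL_PERIMETER_NAME' existe déjà. Veuillez le supprimer ou choisir un autre nom."
  exit 1
fi

readonly INTERMEDIATE_KEY="$INTERMEDIATE_CA_DIR/private/intermediate.key.pem"
readonly INTERMEDIATE_CSR="$INTERMEDIATE_CA_DIR/csr/intermediate.csr.pem"
readonly INTERMEDIATE_CERT="$INTERMEDIATE_CA_DIR/certs/intermediate.cert.pem"
readonly INTERMEDIATE_CHAIN="$INTERMEDIATE_CA_DIR/certs/ca-chain.cert.pem"
readonly INTERMEDIATE_CNF="$INTERMEDIATE_CA_DIR/openssl.cnf"
readonly INTERMEDIATE_CRL="$INTERMEDIATE_CA_DIR/crl/intermediate.crl.pem"
readonly OCSP_KEY="$INTERMEDIATE_CA_DIR/private/ocsp.key.pem"
readonly OCSP_CSR="$INTERMEDIATE_CA_DIR/csr/ocsp.csr.pem"

readonly ROOT_CERT="$ROOT_CA_DIR/certs/ca.cert.pem"
readonly ROOT_KEY="$ROOT_CA_DIR/private/ca.key.pem"   # referenced by the root openssl.cnf, not used directly here
readonly ROOT_CNF="$ROOT_CA_DIR/openssl.cnf"

readonly CNF_TEMPLATE="/opt/scripts/configs/intermediate-openssl.conf"

# If anything below fails, remove the half-built perimeter directory so the
# "already exists" check above does not block a retry.  CREATED_DIR is set
# only once this script has created the directory itself, so the trap never
# deletes something that was already there.
CREATED_DIR=""
cleanup_on_failure() {
  local rc=$?
  if (( rc != 0 )) && [[ -n "$CREATED_DIR" ]]; then
    rm -rf -- "${CREATED_DIR:?}"
    echo "Error: creation of perimeter '$FUNCTIONAL_PERIMETER_NAME' failed (exit $rc); '$CREATED_DIR' removed."
  fi
  exit "$rc"
}
trap cleanup_on_failure EXIT

# Hand the passphrase to openssl through the environment (env:NAME) rather
# than as "pass:<secret>" on the command line, so it is not exposed in the
# argv of every openssl process (visible in `ps`).  It is still present in
# this script's own argv as supplied by the caller.
PASS_IN=()
if [[ -n "$INTERMEDIATE_KEY_PASSPHRASE" ]]; then
  export INTERMEDIATE_KEY_PASSPHRASE
  PASS_IN=(-passin env:INTERMEDIATE_KEY_PASSPHRASE)
fi

echo "Démarrage de la création du certificat Intermédiaire pour '$FUNCTIONAL_PERIMETER_NAME'..."

# Directory layout expected by `openssl ca`.  The leaf directory is created
# without -p so a concurrent creation of the same perimeter fails instead of
# silently sharing the directory.
mkdir -p "$INTERMEDIATE_PARENT_DIR"
mkdir "$INTERMEDIATE_CA_DIR"
CREATED_DIR="$INTERMEDIATE_CA_DIR"
mkdir "$INTERMEDIATE_CA_DIR/certs" "$INTERMEDIATE_CA_DIR/crl" "$INTERMEDIATE_CA_DIR/newcerts" \
      "$INTERMEDIATE_CA_DIR/private" "$INTERMEDIATE_CA_DIR/csr"
# Lock down private/ before any key is written into it.
chmod 700 "$INTERMEDIATE_CA_DIR/private"

# Per-perimeter OpenSSL config: copy the template and point its 'dir' at
# this perimeter.  The replacement text is safe because the name was
# validated above (no "|", no "/").  Verify the rewrite actually happened:
# a template whose 'dir' line does not match the pattern would otherwise
# leave `openssl ca` operating on the wrong directory without any error.
cp -- "$CNF_TEMPLATE" "$INTERMEDIATE_CNF"
sed -i "s|^dir[[:space:]]*=[[:space:]]*/opt/tls/intermediate.*|dir = $INTERMEDIATE_CA_DIR|" "$INTERMEDIATE_CNF"
if ! grep -qxF -- "dir = $INTERMEDIATE_CA_DIR" "$INTERMEDIATE_CNF"; then
  echo "Error: could not set 'dir' in $INTERMEDIATE_CNF (template $CNF_TEMPLATE has no 'dir = /opt/tls/intermediate...' line)."
  exit 1
fi

# CA database files required by `openssl ca`: empty index, first serial
# number and CRL number.
touch "$INTERMEDIATE_CA_DIR/index.txt"
echo 1000 > "$INTERMEDIATE_CA_DIR/serial"
echo 1000 > "$INTERMEDIATE_CA_DIR/crlnumber"
# certs.db is not part of the standard `openssl ca` database (that is
# index.txt); kept because the template config or the application may
# refer to it — TODO confirm, otherwise drop.
touch "$INTERMEDIATE_CA_DIR/certs.db"

# Intermediate CA private key, AES-256 encrypted when a passphrase is given.
if [[ -n "$INTERMEDIATE_KEY_PASSPHRASE" ]]; then
  openssl genrsa -aes256 -passout env:INTERMEDIATE_KEY_PASSPHRASE -out "$INTERMEDIATE_KEY" 4096
else
  openssl genrsa -out "$INTERMEDIATE_KEY" 4096
fi
chmod 400 "$INTERMEDIATE_KEY"

# CSR for the intermediate CA.  The passphrase option is an array so the
# argument reaches openssl as a single, unquoted word: the previous
# `$([ -n ... ] && echo "-passin pass:\"...\"")` form passed the literal
# double quotes as part of the passphrase and broke on passphrases with
# spaces.  (${arr[@]+"${arr[@]}"} keeps `set -u` happy when the array is empty.)
openssl req -new -sha256 \
  -key "$INTERMEDIATE_KEY" ${PASS_IN[@]+"${PASS_IN[@]}"} \
  -out "$INTERMEDIATE_CSR" \
  -subj "/C=FR/ST=NORD/L=ROUBAIX/O=IT/OU=IT/emailAddress=sec@tips-mine.com/CN=$FUNCTIONAL_PERIMETER_NAME.intermediate.$ROOT_DOMAIN/" \
  -config "$INTERMEDIATE_CNF"

# Sign the intermediate CSR with the root CA (v3_intermediate_ca extensions
# come from the root openssl.cnf).
# NOTE(review): no -passin is given for the root key; if ca.key.pem is
# encrypted, openssl will try to prompt and fail without a terminal even
# under -batch — confirm how the root key is protected.
openssl ca -batch -config "$ROOT_CNF" -extensions v3_intermediate_ca -days 3650 -notext -md sha256 \
  -in "$INTERMEDIATE_CSR" \
  -out "$INTERMEDIATE_CERT"
chmod 444 "$INTERMEDIATE_CERT"

# Chain file: intermediate followed by root.
cat -- "$INTERMEDIATE_CERT" "$ROOT_CERT" > "$INTERMEDIATE_CHAIN"
chmod 444 "$INTERMEDIATE_CHAIN"

# Initial CRL.  This signs with the intermediate key named in the copied
# config, so the passphrase must be supplied here too (it was not before,
# which made this step prompt/hang for passphrase-protected keys).
# NOTE(review): assumes the template's private_key points at
# $dir/private/intermediate.key.pem — confirm against intermediate-openssl.conf.
openssl ca -config "$INTERMEDIATE_CNF" -gencrl ${PASS_IN[@]+"${PASS_IN[@]}"} -out "$INTERMEDIATE_CRL"

# OCSP responder key pair (unencrypted) and CSR.  `-nodes` was dropped from
# the req call: it only affects keys created by -newkey, not an existing -key.
openssl genrsa -out "$OCSP_KEY" 4096
chmod 400 "$OCSP_KEY"
openssl req -new -sha256 \
  -key "$OCSP_KEY" \
  -out "$OCSP_CSR" \
  -subj "/C=FR/ST=NORD/L=ROUBAIX/O=IT/OU=IT/emailAddress=sec@tips-mine.com/CN=$FUNCTIONAL_PERIMETER_NAME.ocsp.$ROOT_DOMAIN/" \
  -config "$INTERMEDIATE_CNF"

echo "Certificat Intermédiaire CA pour '$FUNCTIONAL_PERIMETER_NAME' créé : $INTERMEDIATE_CERT"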