rabbitmq / tls-gen

Generates self-signed x509/TLS/SSL certificates useful for development
Mozilla Public License 2.0
368 stars 103 forks

support for generating additional client certs #32

Closed mihaj closed 2 years ago

mihaj commented 3 years ago

@lukebakken please check it out.

mihaj commented 3 years ago

closes #18

mihaj commented 3 years ago

Oops, I've put it back.

michaelklishin commented 3 years ago

It's an interesting feature, will take a look soon.

johnvanham commented 3 years ago

@mihaj Just tried your fork as I want to generate additional client certs (I need 3 clients to talk to a RabbitMQ server), but I can't generate the initial certs as it returns the following error:

jvh@jvh-laptop-lin:~/tls-gen/basic$ make PASSWORD=bunnies
python3 profile.py regenerate --password "bunnies" \
--common-name jvh-laptop-lin \
--client-alt-name jvh-laptop-lin \
--server-alt-name jvh-laptop-lin \
--days-of-validity 3650 \
--key-bits 2048 
Traceback (most recent call last):
  File "/home/jvh/tls-gen/basic/profile.py", line 93, in <module>
    cli.run(commands)
  File "/home/jvh/tls-gen/basic/../tls_gen/cli.py", line 71, in run
    dispatch_command(commands, parser, args, options)
  File "/home/jvh/tls-gen/basic/../tls_gen/cli.py", line 45, in dispatch_command
    fn(options)
  File "/home/jvh/tls-gen/basic/profile.py", line 56, in regenerate
    clean(opts)
  File "/home/jvh/tls-gen/basic/profile.py", line 47, in clean
    paths.leaf_pair_path('server'.format(cn)),
NameError: name 'cn' is not defined
make: *** [../common.mk:74: regen] Error 1

I've tried with CN= and cn= also but same error.

mihaj commented 3 years ago

@johnvanham you need to specify the command. In your case you probably want to use gen-client command like this:

 make gen-client PASSWORD=bunnies

johnvanham commented 3 years ago

@johnvanham you need to specify the command. In your case you probably want to use gen-client command like this:

 make gen-client PASSWORD=bunnies

How do you generate CA and server certs as well? My point is that the original documented instructions no longer seem to work - so I assume that's a bug in this PR?

Also, if I run

make gen-client PASSWORD=bunnies

I get...

jvh@jvh-laptop-lin:~/tls-gen/basic$ make gen-client PASSWORD=bunnies
python3 profile.py generate-client --password "bunnies" \
--common-name jvh-laptop-lin \
--client-alt-name jvh-laptop-lin \
--days-of-validity 3650 \
--key-bits 2048 
Will generate a certificate/key pair (client only)
Will generate leaf certificate and key pair for client
Using jvh-laptop-lin for Common Name (CN)
Using parent certificate path at /home/jvh/tls-gen/basic/testca/cacert.pem
Using parent key path at /home/jvh/tls-gen/basic/testca/private/cakey.pem
Will use RSA...
=>  [openssl_genpkey]
...+++++
...........................................................................................................................................+++++
=>  [openssl_req]
=>  [openssl_ca]
ca: Not a directory: /home/jvh/tls-gen/basic/testca/certs
ca: Use -help for summary.
=>  [openssl_pkcs12]
Can't open /home/jvh/tls-gen/basic/client_jvh-laptop-lin/cert.pem for reading, No such file or directory
140411806438784:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/home/jvh/tls-gen/basic/client_jvh-laptop-lin/cert.pem','r')
140411806438784:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
Traceback (most recent call last):
  File "/home/jvh/tls-gen/basic/profile.py", line 93, in <module>
    cli.run(commands)
  File "/home/jvh/tls-gen/basic/../tls_gen/cli.py", line 71, in run
    dispatch_command(commands, parser, args, options)
  File "/home/jvh/tls-gen/basic/../tls_gen/cli.py", line 45, in dispatch_command
    fn(options)
  File "/home/jvh/tls-gen/basic/profile.py", line 41, in generate_client
    gen.copy_leaf_certificate_and_key_pair(name)
  File "/home/jvh/tls-gen/basic/../tls_gen/gen.py", line 57, in copy_leaf_certificate_and_key_pair
    copy_tuple_path((peer, "cert.pem"),    (result_dir_name, "{}_certificate.pem".format(peer)))
  File "/home/jvh/tls-gen/basic/../tls_gen/paths.py", line 24, in copy_tuple_path
    shutil.copy(relative_path(*from_tuple), relative_path(*to_tuple))
  File "/usr/lib/python3.9/shutil.py", line 418, in copy
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib/python3.9/shutil.py", line 264, in copyfile
    with open(src, 'rb') as fsrc, open(dst, 'wb') as fdst:
FileNotFoundError: [Errno 2] No such file or directory: '/home/jvh/tls-gen/basic/client_jvh-laptop-lin/cert.pem'
make: *** [../common.mk:67: gen-client] Error 1

mihaj commented 3 years ago

@johnvanham

If you want to generate client certificates (with gen-client), you first need CA and server certificates. Then you can generate additional client certificates. So first you need to:

  1. Make sure that the /basic folder is empty
  2. Run the generator, for example: make gen USE_ECC=true DAYS_OF_VALIDITY=365 CN=guest PASSWORD=bunnies. That will generate the CA certificate, the server certificate, and a client certificate (for the guest user). If you want to use a different CN, specify it in the command above. Also look into setting the SERVER_ALT_NAME property to add the server hostname or IP address.
  3. Then you can make additional client certificates from the certs in step 2, for example: make gen-client USE_ECC=true DAYS_OF_VALIDITY=365 CN=aternativeclient PASSWORD=bunnies

johnvanham commented 3 years ago

@mihaj Great, that works!

So does the documentation need to be updated? Both https://github.com/mihaj/tls-gen/blob/133dc2eb2652e0ba1bc5c034cdcd078c0acd89c1/README.md and https://github.com/mihaj/tls-gen/blob/133dc2eb2652e0ba1bc5c034cdcd078c0acd89c1/basic/README.md say to use:

make PASSWORD=bunnies

But this no longer works without using gen.

I also noticed that...

make info does not work. But make verify does work.

Thanks for the update to generate multiple client certs! :smiley:

michaelklishin commented 2 years ago

Closed due to inactivity.

lukebakken commented 2 years ago

I will finish this up this week.

lukebakken commented 2 years ago

See #37