MeshCentral can now issue AMT TLS certificates using a specified custom root cert.

This commit is contained in:
Ylian Saint-Hilaire 2021-01-20 09:54:51 -08:00
parent 62aa5e76cc
commit d3fd8e7311
4 changed files with 71 additions and 3 deletions

View File

@ -862,8 +862,14 @@ module.exports.CreateAmtManager = function (parent) {
var serverName = 'MeshCentral'; var serverName = 'MeshCentral';
if ((domain != null) && (domain.title != null)) { serverName = domain.title; } if ((domain != null) && (domain.title != null)) { serverName = domain.title; }
const certattributes = { 'CN': commonName, 'O': serverName, 'ST': 'MC', 'C': 'MC' }; const certattributes = { 'CN': commonName, 'O': serverName, 'ST': 'MC', 'C': 'MC' };
const issuerattributes = { 'CN': obj.rootCertCN };
const xxCaPrivateKey = obj.parent.certificates.root.key; // See what root certificate to use to sign the TLS cert
var xxCaPrivateKey = obj.parent.certificates.root.key; // Use our own root by default
var issuerattributes = { 'CN': obj.rootCertCN };
if (domain.amtmanager.tlsrootcert2 != null) {
xxCaPrivateKey = domain.amtmanager.tlsrootcert2.key;
issuerattributes = domain.amtmanager.tlsrootcert2.attributes;
}
// Set the extended key usages // Set the extended key usages
var extKeyUsage = { name: 'extKeyUsage', serverAuth: true, clientAuth: true } var extKeyUsage = { name: 'extKeyUsage', serverAuth: true, clientAuth: true }

View File

@ -212,6 +212,30 @@ module.exports.CertificateOperations = function (parent) {
} }
} }
// Load a generic certificate and key from PFX/P12 or PEM format. Load both keys and attributes.
obj.loadGenericCertAndKey = function (config) {
if ((typeof config.certpfx == 'string') || (typeof config.certpfxpass == 'string')) {
// Load a PFX certificate
var r = null;
try { r = obj.loadPfxCertificate(parent.getConfigFilePath(config.certpfx), config.certpfxpass); } catch (ex) { console.log(ex); }
if ((r != null) && (r.keys.length > 0) && (r.certs.length > 0)) {
var attributes = {};
for (var j in r.certs[0].subject.attributes) { attributes[r.certs[0].subject.attributes[j].shortName] = r.certs[0].subject.attributes[j].value; }
return { cert: obj.pki.certificateToPem(r.certs[0]), key: obj.pki.privateKeyToPem(r.keys[0]), attributes: attributes };
}
}
if ((typeof config.certfile == 'string') || (typeof config.keyfile == 'string')) {
// Load a PEM certificate
var r = {}
r.cert = obj.fs.readFileSync(parent.getConfigFilePath(config.certfile), 'utf8');
r.key = obj.fs.readFileSync(parent.getConfigFilePath(config.keyfile), 'utf8');
var cert = obj.pki.certificateFromPem(r.cert);
r.attributes = {};
for (var j in cert.subject.attributes) { r.attributes[cert.subject.attributes[j].shortName] = cert.subject.attributes[j].value; }
return r;
}
return null;
}
// Get the setup.bin file // Get the setup.bin file
obj.GetSetupBinFile = function (amtacmactivation, oldmebxpass, newmebxpass, domain, user) { obj.GetSetupBinFile = function (amtacmactivation, oldmebxpass, newmebxpass, domain, user) {

View File

@ -337,6 +337,28 @@
"uniqueItems": true "uniqueItems": true
} }
}, },
"TlsRootCert": {
"description": "Specifies a certificate and private key to use to issue Intel AMT TLS certificates. By default the MeshCentral self-signed root certificate is used.",
"type": "object",
"properties": {
"certpfx": {
"description": "Name of the certificate file that is in .p12 or .pfx format in meshcentral-data, use this with certpfxpass.",
"type": "string"
},
"certpfxpass": {
"description": "Password for the file specified in certpfx.",
"type": "string"
},
"certfile": {
"description": "Name of the certificate file in PEM format located in meshcentral-data. Using this with keyfile.",
"type": "string"
},
"keyfile": {
"description": "Name of the private key file in PEM format located in meshcentral-data. Using this with certfile.",
"type": "string"
}
}
},
"WifiProfiles": { "WifiProfiles": {
"description": "List of WIFI profiles to setup in any managed Intel AMT device with a WIFI network interface.", "description": "List of WIFI profiles to setup in any managed Intel AMT device with a WIFI network interface.",
"type": "array", "type": "array",

View File

@ -1119,6 +1119,9 @@ function CreateMeshCentralServer(config, args) {
obj.StartEx1b = function () { obj.StartEx1b = function () {
var i; var i;
// Setup certificate operations
obj.certificateOperations = require('./certoperations.js').CertificateOperations(obj);
// Linux format /var/log/auth.log // Linux format /var/log/auth.log
if (obj.config.settings.authlog != null) { if (obj.config.settings.authlog != null) {
obj.fs.open(obj.config.settings.authlog, 'a', function (err, fd) { obj.fs.open(obj.config.settings.authlog, 'a', function (err, fd) {
@ -1224,6 +1227,20 @@ function CreateMeshCentralServer(config, args) {
if (obj.config.domains[i].userconsentflags.desktopprivacybar == true) { flags |= 64; } if (obj.config.domains[i].userconsentflags.desktopprivacybar == true) { flags |= 64; }
obj.config.domains[i].userconsentflags = flags; obj.config.domains[i].userconsentflags = flags;
} }
// If we have Intel AMT manager settings, take a look at them here.
if (typeof obj.config.domains[i].amtmanager == 'object') {
if (typeof obj.config.domains[i].amtmanager.tlsrootcert == 'object') {
obj.config.domains[i].amtmanager.tlsrootcert2 = obj.certificateOperations.loadGenericCertAndKey(obj.config.domains[i].amtmanager.tlsrootcert);
if (obj.config.domains[i].amtmanager.tlsrootcert2 == null) { // Show an error message if needed
if (i == '') {
addServerWarning("Unable to load Intel AMT TLS root certificate for default domain.");
} else {
addServerWarning("Unable to load Intel AMT TLS root certificate for domain " + i + ".");
}
}
}
}
} }
// Log passed arguments into Windows Service Log // Log passed arguments into Windows Service Log
@ -1340,7 +1357,6 @@ function CreateMeshCentralServer(config, args) {
// Done starting the redirection server, go on to load the server certificates // Done starting the redirection server, go on to load the server certificates
obj.StartEx2 = function () { obj.StartEx2 = function () {
// Load server certificates // Load server certificates
obj.certificateOperations = require('./certoperations.js').CertificateOperations(obj);
obj.certificateOperations.GetMeshServerCertificate(obj.args, obj.config, function (certs) { obj.certificateOperations.GetMeshServerCertificate(obj.args, obj.config, function (certs) {
// Get the current node version // Get the current node version
const nodeVersion = Number(process.version.match(/^v(\d+\.\d+)/)[1]); const nodeVersion = Number(process.version.match(/^v(\d+\.\d+)/)[1]);