author | Instrumental <jonathan.gathman@att.com> | 2018-05-01 15:03:25 -0500 |
---|---|---|
committer | Instrumental <jonathan.gathman@att.com> | 2018-05-01 15:03:38 -0500 |
commit | 68b2315d44b8df80d87b9fd050fe21aeea144c8f (patch) | |
tree | 6a492217784988e503f7a57224c5d56a5afe66bc /conf | |
parent | 0af1db4fda4667244af0cec983293aefa203d710 (diff) |
Update Certificate for all FQDNs
Issue-ID: AAF-114
Change-Id: I0b73d55b471e0438bb4beb901a992be88e1e5f11
Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'conf')
-rw-r--r-- | conf/CA/manual.sh | 36 | ||||
-rw-r--r-- | conf/CA/san.conf | 15 |
2 files changed, 46 insertions, 5 deletions
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index 7b75fbc9..00a23ec8 100644
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -13,10 +13,30 @@ else
 FQDN=$1
 NAME=$FQDN
 shift
+
+ echo "Enter any SANS, delimited by spaces: "
+ read SANS
+fi
+
+# Do SANs
+if [ "$SANS" = "" ]; then
+ echo no SANS
+ if [ -e $NAME.san ]; then
+ rm $NAME.san
+ fi
+ else
+ echo some SANS
+ cp ../san.conf $NAME.san
+ NUM=1
+ for D in $SANS; do
+ echo "DNS.$NUM = $D" >> $NAME.san
+ NUM=$((NUM+1))
+ done
 fi
+
 echo $SUBJECT
-if [ -e $FQI.csr ]; then
+if [ -e $NAME.csr ]; then
 SIGN_IT=true
 else
 if [ "$1" = "-local" ]; then
@@ -46,13 +66,19 @@ fi
 if [ "$SIGN_IT" = "true" ]; then
 # Sign it
- openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ if [ -e $NAME.san ]; then
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
 -cert certs/ca.crt -keyfile private/ca.key \
 -policy policy_loose \
 -days 360 \
+ -extfile $NAME.san \
 -infiles $NAME.csr
+ else
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ -cert certs/ca.crt -keyfile private/ca.key \
+ -policy policy_loose \
+ -days 360 \
+ -infiles $NAME.csr
+ fi
 fi
-
-
-
diff --git a/conf/CA/san.conf b/conf/CA/san.conf
new file mode 100644
index 00000000..de9f62f9
--- /dev/null
+++ b/conf/CA/san.conf
@@ -0,0 +1,15 @@
+# SAN Extension
+# Copy, then add DNS.1 = name, etc
+#
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ] |
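Review bot: The SAN file built in the `# Do SANs` block never lists the FQDN itself — `[ alt_names ]` gets only what the operator types at the `read SANS` prompt — yet once a certificate carries a subjectAltName extension, RFC 6125 verifiers (browsers included) ignore the CN, so a certificate for `$NAME` signed with this file will fail hostname verification for `$NAME` unless the operator remembers to type it again. Seeding `DNS.1` with `$NAME` before the loop closes that gap, and because the typed values are written verbatim into an OpenSSL extension config they should be read with `read -r`, written to a quoted `"$NAME.san"`, and rejected unless they look like hostnames. The if/else that starts this hunk begins above it, so only the `FQDN=$1` branch is visible; if the other branch obtains SANS some other way the same seeding applies there.
```shell
  echo "Enter any SANS, delimited by spaces: "
  read -r SANS
# … unchanged: empty-SANS cleanup branch …
  echo some SANS
  cp ../san.conf "$NAME.san"
  # Verifiers ignore CN once a SAN extension is present, so the FQDN must be DNS.1.
  echo "DNS.1 = $NAME" >> "$NAME.san"
  NUM=2
  for D in $SANS; do
    case "$D" in
      *[!A-Za-z0-9.*-]*) echo "Invalid SAN: $D" >&2; exit 1 ;;
    esac
    echo "DNS.$NUM = $D" >> "$NAME.san"
    NUM=$((NUM+1))
  done
```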
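Review bot: The two `openssl ca` invocations in the signing hunk differ only by `-extfile`, and the duplication hides a coupling that deserves a comment: with `-extfile`, OpenSSL reads the `server_cert` section from `$NAME.san` instead of from `../openssl.conf`, so the `[ server_cert ]` in san.conf must be kept identical to the one in openssl.conf or SAN-bearing and plain certificates will silently be issued with different extensions. One invocation with an optional argument leaves a single place to maintain: set `EXTFILE=""` and `[ -e "$NAME.san" ] && EXTFILE="$NAME.san"` ahead of the command, then pass `${EXTFILE:+-extfile "$EXTFILE"} \` between `-days 360 \` and `-infiles "$NAME.csr"`. Quoting `"$NAME.crt"` and `"$NAME.csr"` while here costs nothing and protects against names with spaces or globs.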
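Review bot: The header comment `# Copy, then add DNS.1 = name, etc` should state that the first DNS entry must be the certificate's own FQDN, because once subjectAltName is present verifiers ignore the CN; manual.sh is what appends to `[ alt_names ]`, and a reader of this file alone cannot see that convention. Suggested wording: `# Copied by manual.sh to <fqdn>.san. DNS.1 must be the FQDN itself (CN is ignored once a SAN is present); further names follow as DNS.2, DNS.3, ...`. A second line is worth adding above `[ server_cert ]` noting that, when passed via `-extfile`, this section replaces rather than extends the one in openssl.conf, so the two must be kept in sync. The extension set is also broader than a pure server certificate needs — `nonRepudiation`, `clientAuth` and `nsCertType = server, client` — which is reasonable if these certificates are also presented as TLS clients, but a comment should say so; `nsCertType` and `nsComment` are legacy Netscape extensions that modern verifiers ignore.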