Diffstat (limited to 'conf/CA')
-rw-r--r--conf/CA/manual.sh56
-rw-r--r--conf/CA/san.conf15
-rw-r--r--conf/CA/truststore.sh2
3 files changed, 58 insertions, 15 deletions
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index eb391591..00a23ec8 100644
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -6,15 +6,37 @@ read FQI
if [ "$1" = "" -o "$1" = "-local" ]; then
echo "Personal Certificate"
SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`"
+ NAME=$FQI
else
echo "Application Certificate"
SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`"
- FQI=$1
+ FQDN=$1
+ NAME=$FQDN
shift
+
+ echo "Enter any SANS, delimited by spaces: "
+ read SANS
+fi
+
+# Do SANs
+if [ "$SANS" = "" ]; then
+ echo no SANS
+ if [ -e $NAME.san ]; then
+ rm $NAME.san
+ fi
+ else
+ echo some SANS
+ cp ../san.conf $NAME.san
+ NUM=1
+ for D in $SANS; do
+ echo "DNS.$NUM = $D" >> $NAME.san
+ NUM=$((NUM+1))
+ done
fi
+
echo $SUBJECT
-if [ -e $FQI.csr ]; then
+if [ -e $NAME.csr ]; then
SIGN_IT=true
else
if [ "$1" = "-local" ]; then
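Review bot: Each SAN entered at `read SANS` is written straight into the extension file by the `echo "DNS.$NUM = $D" >> $NAME.san` line with no check that it is a hostname, and `$NAME.san` is unquoted in the `-e`, `rm`, `cp` and `>>` lines. Because that file is the `-extfile` the CA later signs from, reject anything that is not a plausible DNS name before appending it, e.g. `case "$D" in *[!A-Za-z0-9.*-]*) echo "invalid SAN: $D" >&2; exit 1;; esac` at the top of the loop body, and quote the path as `"$NAME.san"`. A second gap: with an empty answer the certificate is issued with no subjectAltName at all, and with a non-empty one `$FQDN` is only covered if the user retypes it, so seeding `DNS.1 = $FQDN` ahead of the user entries would match how current TLS clients validate names (SAN rather than CN). The personal-certificate branch never assigns `SANS`, so the `[ "$SANS" = "" ]` test there depends on the variable being unset or empty in the environment.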
@@ -25,32 +47,38 @@ else
`stty echo`
# remove any previous Private key
- rm private/$FQI.key
+ rm private/$NAME.key
# Create j regaular rsa encrypted key
- openssl req -new -newkey rsa:2048 -sha256 -keyout private/$FQI.key \
- -out $FQI.csr -outform PEM -subj "$SUBJECT" \
+ openssl req -new -newkey rsa:2048 -sha256 -keyout private/$NAME.key \
+ -out $NAME.csr -outform PEM -subj "$SUBJECT" \
-passout stdin << EOF
$PASSPHRASE
EOF
- chmod 400 private/$FQI.key
+ chmod 400 private/$NAME.key
SIGN_IT=true
else
- echo openssl req -newkey rsa:2048 -sha256 -keyout $FQI.key -out $FQI.csr -outform PEM -subj '"'$SUBJECT'"'
- echo chmod 400 $FQI.key
+ echo openssl req -newkey rsa:2048 -sha256 -keyout $NAME.key -out $NAME.csr -outform PEM -subj '"'$SUBJECT'"'
+ echo chmod 400 $NAME.key
echo "# All done, print result"
- echo openssl req -verify -text -noout -in $FQI.csr
+ echo openssl req -verify -text -noout -in $NAME.csr
fi
fi
if [ "$SIGN_IT" = "true" ]; then
# Sign it
- openssl ca -config ../openssl.conf -extensions server_cert -out $FQI.crt \
+ if [ -e $NAME.san ]; then
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ -cert certs/ca.crt -keyfile private/ca.key \
+ -policy policy_loose \
+ -days 360 \
+ -extfile $NAME.san \
+ -infiles $NAME.csr
+ else
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
-cert certs/ca.crt -keyfile private/ca.key \
-policy policy_loose \
-days 360 \
- -infiles $FQI.csr
+ -infiles $NAME.csr
+ fi
fi
-
-
-
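Review bot: The two `openssl ca` invocations under `# Sign it` are identical except for `-extfile $NAME.san`, so any future change to the signing options has to be made twice and the branches can drift. Build the optional argument once and issue a single command; in this POSIX-style script that means an unquoted variable expanding to either nothing or two words, which holds as long as `$NAME` stays free of whitespace, as the rest of the script already assumes. The enclosing `if [ -e $NAME.csr ]` block starts in the previous hunk.
```shell
if [ "$SIGN_IT" = "true" ]; then
  # Sign it, adding the SAN extension file only when the SAN step above produced one
  EXTFILE_OPT=""
  if [ -e "$NAME.san" ]; then
    EXTFILE_OPT="-extfile $NAME.san"
  fi
  # $EXTFILE_OPT is intentionally unquoted: it must split into zero or two arguments
  openssl ca -config ../openssl.conf -extensions server_cert -out "$NAME.crt" \
    -cert certs/ca.crt -keyfile private/ca.key \
    -policy policy_loose \
    -days 360 \
    $EXTFILE_OPT \
    -infiles "$NAME.csr"
fi
```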
diff --git a/conf/CA/san.conf b/conf/CA/san.conf
new file mode 100644
index 00000000..de9f62f9
--- /dev/null
+++ b/conf/CA/san.conf
@@ -0,0 +1,15 @@
+# SAN Extension
+# Copy, then add DNS.1 = name, etc
+#
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
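Review bot: The template is not usable as-is — `[ alt_names ]` is left empty and the file only carries names once manual.sh has copied it and appended `DNS.N = host` lines — but the header only hints at this with "Copy, then add DNS.1 = name, etc". Spell out the contract in the header so nobody points `-extfile` at the original: `# Template only: manual.sh copies this to <name>.san and appends DNS.N = <host> entries under [ alt_names ]; an unmodified copy has no names to sign.` The `nsCertType` and `nsComment` lines are legacy Netscape extensions that current clients ignore, so a one-line comment stating they are kept for compatibility would help, if that is the intent.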
diff --git a/conf/CA/truststore.sh b/conf/CA/truststore.sh
index 397f7e70..399048cb 100644
--- a/conf/CA/truststore.sh
+++ b/conf/CA/truststore.sh
@@ -1,2 +1,2 @@
echo "FYI, by convention, truststore passwords are 'changeit', but you may add something more sophisticated"
-openssl pkcs12 -export -name AAF_Root_CA -in certs/ca.crt -inkey private/ca.key -out truststore.p12
+openssl pkcs12 -export -name AAF_Root_CA -in certs/ca.crt -nokeys -out truststore.p12