From 68b2315d44b8df80d87b9fd050fe21aeea144c8f Mon Sep 17 00:00:00 2001 From: Instrumental Date: Tue, 1 May 2018 15:03:25 -0500 Subject: Update Certificate for all FQDNs Issue-ID: AAF-114 Change-Id: I0b73d55b471e0438bb4beb901a992be88e1e5f11 Signed-off-by: Instrumental --- conf/CA/manual.sh | 36 +++++++++++++++++++++++++++++++----- conf/CA/san.conf | 15 +++++++++++++++ 2 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 conf/CA/san.conf (limited to 'conf') diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh index 7b75fbc9..00a23ec8 100644 --- a/conf/CA/manual.sh +++ b/conf/CA/manual.sh @@ -13,10 +13,30 @@ else FQDN=$1 NAME=$FQDN shift + + echo "Enter any SANS, delimited by spaces: " + read SANS +fi + +# Do SANs +if [ "$SANS" = "" ]; then + echo no SANS + if [ -e $NAME.san ]; then + rm $NAME.san + fi + else + echo some SANS + cp ../san.conf $NAME.san + NUM=1 + for D in $SANS; do + echo "DNS.$NUM = $D" >> $NAME.san + NUM=$((NUM+1)) + done fi + echo $SUBJECT -if [ -e $FQI.csr ]; then +if [ -e $NAME.csr ]; then SIGN_IT=true else if [ "$1" = "-local" ]; then @@ -46,13 +66,19 @@ fi if [ "$SIGN_IT" = "true" ]; then # Sign it - openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ + if [ -e $NAME.san ]; then + openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ -cert certs/ca.crt -keyfile private/ca.key \ -policy policy_loose \ -days 360 \ + -extfile $NAME.san \ -infiles $NAME.csr + else + openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ + -cert certs/ca.crt -keyfile private/ca.key \ + -policy policy_loose \ + -days 360 \ + -infiles $NAME.csr + fi fi - - - diff --git a/conf/CA/san.conf b/conf/CA/san.conf new file mode 100644 index 00000000..de9f62f9 --- /dev/null +++ b/conf/CA/san.conf @@ -0,0 +1,15 @@ +# SAN Extension +# Copy, then add DNS.1 = name, etc +# +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server, client +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation +extendedKeyUsage = serverAuth, clientAuth +subjectAltName = @alt_names + +[ alt_names ] -- cgit 1.2.3-korg