From: Joni Hahkala Date: Wed, 18 Nov 2009 17:49:32 +0000 (+0000) Subject: combine conf files, cleanup scripts, namespaces, simplify, more test certs, bad certs... X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=01d86a739f85d6c3942b0a8ea88ecbb87d726eb3;p=glite-security-test-utils.git combine conf files, cleanup scripts, namespaces, simplify, more test certs, bad certs for each CA, bad ca removed --- diff --git a/bin/generate-ca-certificates-for-cvs.sh b/bin/generate-ca-certificates-for-cvs.sh index bbbb58d..aebb19e 100755 --- a/bin/generate-ca-certificates-for-cvs.sh +++ b/bin/generate-ca-certificates-for-cvs.sh @@ -16,18 +16,12 @@ CONFIGDIR=$PWD/$(dirname $0)/../config BASEDIR=$PWD/$(dirname $0)/../test CONFIGFILES="index.txt serial.txt req_conf.cnf" -export PASSWORD='changeit' -CATYPES='trusted fake big expired bad nokeyusage root subca subsubca' +PASSWORD='changeit' +CATYPES='trusted fake big expired nokeyusage root subca subsubca' BIG_BITS=8192 SMALL_BITS=1024 -## dummy values for unused env variables in conf file -export PROXYNAME=dummyprox -export CA_DIR=dummyCAdir -export CATYPE_dummyCAtype - function create_ca { - export CATYPE=$1 catype=$1 echo "+-----------------------" echo "| $catype" @@ -41,9 +35,9 @@ function create_ca { done if [ "$catype" = "big" ]; then - export BITS=$BIG_BITS + BITS=$BIG_BITS else - export BITS=$SMALL_BITS + BITS=$SMALL_BITS fi if [ "$catype" = "expired" ]; then 
@@ -54,28 +48,32 @@ function create_ca { export CN="the $catype CA" if [ "$catype" = "subca" ]; then - export CA_DIR=../root-ca - export CATYPE=root - openssl req -new -out ${catype}.req $DAYS -nodes \ - -keyout ${catype}.priv -config req_conf.cnf - openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \ - -md md5 -config req_conf.cnf -batch -extensions ca_cert_req -days 10000 + generate_ca_cert "$catype" root "${DAYS}" false $BITS else if [ "$catype" = "subsubca" ]; then - export CA_DIR=../subca-ca - export CATYPE=subca - openssl req -new -out ${catype}.req $DAYS -nodes \ - -keyout ${catype}.priv -config req_conf.cnf - openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \ - -md md5 -config req_conf.cnf -batch -extensions ca_cert_req -days 10000 + generate_ca_cert "$catype" subca "${DAYS}" false $BITS else - openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \ - -keyout ${catype}.priv -config req_conf.cnf -extensions ca_cert_req - openssl pkcs12 -export -in ${catype}.cert -inkey ${catype}.priv \ - -out ${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" + generate_ca_cert "$catype" $catype "${DAYS}" true $BITS fi fi + + # generating a signing_policy file + subject_name=`openssl x509 -in ${catype}.cert -subject -noout| sed 's/^subject= //'` + cat < ${catype}.signing_policy +# Signing policy file for the $subject_name" +access_id_CA X509 '${subject_name}' +pos_rights globus CA:sign +cond_subjects globus '"$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*"' +EOF + + cat < ${catype}.namespaces +# Namespace for the $subject_name" +TO Issuer "${subject_name}" \ + PERMIT Subject "$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*" + +EOF + echo -n "Generated CA certificate with " openssl x509 -noout -subject -in ${catype}.cert else 
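Review bot: `subject_name` is extracted with `sed 's/^subject= //'`, which only matches the `subject= /C=...` form printed by older openssl releases; newer ones print `subject=/C=...` (with `-nameopt compat`) or `subject=C = UG, L = Tropic, ...` by default, the sed then leaves the prefix in place, and the generated `access_id_CA` and `TO Issuer` lines no longer name the CA, so nothing issued by it passes the policy. Pin the slash-separated form with `-nameopt compat` on the `openssl x509 -subject` call and let the sed tolerate the missing space, `sed 's/^subject= *//'`; the same extraction is in create_bad's hunk of generate-test-certificates.sh and in the proxy `dn=` lines of its `@@ -124,6 +145,8 @@` and `@@ -214,10 +275,12 @@` hunks. The comment lines `# Signing policy file for the $subject_name"` and `# Namespace for the $subject_name"` carry a stray closing quote that ends up in the generated files. The `cat < ${catype}.signing_policy` lines look like here-document redirections whose `<<EOF` was lost in rendering; if the source really reads this way the files are never written, so please confirm. create_ca continues outside this hunk.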
@@ -83,6 +81,51 @@ function create_ca { fi } +function generate_ca_cert { + catype=$1 # current CA to generate + export CATYPE=$2 # parent CA if applicable + DAYS=$3 # days flag + selfsign=$4 # whether to generate self signed CA or hierarchical + bits=$5 # number of bits for the CA cert + export CASROOT=../ + + + echo `pwd` + + dn="/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the ${catype} CA" + + echo $dn + + if [ x$selfsign == "xfalse" ]; then + openssl req -new -out ${catype}.req ${DAYS} -nodes -keyout ${catype}.priv \ + -config req_conf.cnf -newkey rsa:$bits -subj "$dn" + if [ $? -ne "0" ]; then + echo CA certificate request generation failed! + exit 1 + fi + openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \ + -md md5 -config req_conf.cnf -batch -extensions ca_cert_req ${DAYS} + if [ $? -ne "0" ]; then + echo CA certificate signing failed! + exit 1 + fi + else + openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \ + -keyout ${catype}.priv -config req_conf.cnf -newkey rsa:$bits -extensions ca_cert_req -subj "${dn}" + if [ $? -ne "0" ]; then + echo CA certificate generation failed! + exit 1 + fi + fi + + openssl pkcs12 -export -in ${catype}.cert -inkey ${catype}.priv \ + -out ${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" + if [ $? -ne "0" ]; then + echo CA certificate packing into pkcs12 keystore failed! + exit 1 + fi +} + ############################## main ################################ if [ "$1" != "--i-know-what-i-am-doing" ]; then diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh index 7eae449..09ce658 100755 --- a/bin/generate-test-certificates.sh +++ b/bin/generate-test-certificates.sh 
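Review bot: The CA private key `${catype}.priv` that `openssl req -nodes -keyout` writes in generate_ca_cert keeps the default umask permissions, while the proxy keys in this commit get `chmod 400`; add `chmod 400 ${catype}.priv` after the request or self-sign step (the pkcs12 export only needs read access). The hierarchical branch signs with `-md md5` but the self-signed branch takes its digest from the config, so sub-CAs and roots end up with different signature algorithms, and MD5 signatures are refused by modern verifiers, which will make chain tests fail for reasons unrelated to what they check; `-md sha1` in the `ca` call (matching `default_md = sha1` in req_conf.cnf) removes the difference. `catype` and `DAYS` are assigned as globals here and overwrite the caller's variables with the same values, which works but hides the intent; `local catype=$1` and a local name for the days flag would make the function self-contained. `echo \`pwd\`` and `echo $dn` read like leftover debugging output.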
@@ -24,12 +24,12 @@ function create_p12 { function create_cert { filebase=$1 - ##export CN="$VERSION "$2 - export CN=$2 flags=$3 validity=$4 bits=${5:-1024} + dn="/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=$2" + echo "Creating a cert for '$CN' in files named $filebase.(cert|priv)" echo " with $flags flags and $validity days validity time" 
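Review bot: The progress message in create_cert still prints `'$CN'`, but this hunk removes the `export CN=$2` that used to set it, so the line now shows whatever CN an earlier caller exported, or nothing; change it to `echo "Creating a cert for '$2' in files named $filebase.(cert|priv)"` or print `$dn`. The same stale reference remains in create_cert_proxy, whose `export CN=$2` and `export PROXYNAME=$4` are removed in the `@@ -104,16 +132,9 @@` hunk while the `'$CN/CN=$PROXYNAME'` message a few lines below (visible in the `@@ -124,6 +145,8 @@` hunk) is unchanged; `$dn` now holds the full proxy subject and is the right thing to print there. create_cert continues outside this hunk.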
@@ -39,58 +39,86 @@ function create_cert { return fi - if [ $flags == "bigclient" ]; then - flags="client" - fi + castring="" # if we are in a state where we are generating proxies (${CA_DIR}/serial_proxy.txt exists) # then let's transfer the serial number of the last proxy to the serial.txt file for the # next new certificate... - + CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE -subj \"$dn\" -passout pass:$PASSWORD" case $flags in clientserial) echo serial cert $flags flags="client" - CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE_SERIAL" - echo $CMD; $CMD; + CMD="$CMD -subj \"$dn/serialNumber=12341\"" ;; clientemail) echo email cert $flags flags="client" - CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE_EMAIL" - echo $CMD; $CMD; + CMD="$CMD -subj \"$dn/emailAddress=john.doe@foo.bar\"" ;; clientuid) echo UID cert $flags flags="client" - CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE_UID" - echo $CMD; $CMD; + CMD="$CMD -subj \"$dn/UID=haahaa\"" ;; + clientbaddn) + echo bad DN cert $flags + flags="client" + CMD="$CMD -subj \"`echo $dn | sed 's/Relaxation/Chilling/'`\"" + ;; + hostbaddn) + echo bad DN cert $flags + flags="server" + CMD="$CMD -subj \"`echo $dn | sed 's/Relaxation/Chilling/'`\"" + ;; + clientfuture) + echo bad DN cert $flags + flags="client" + CMD="$CMD " + castring=" -startdate 350101000000Z" + ;; *) echo normal cert $flags - CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE" - echo $CMD; $CMD; + CMD="$CMD -subj \"$dn\"" esac + + echo $CMD;eval $CMD; + if [ $? != 0 ]; then + echo Certification request generation failed! 
+ exit 1 + fi case $flags in client|server|clientserver|fclient|none|altname) echo "Generating a $flags certificate" echo $CA_DIR + echo PDW=`pwd` CMD="openssl ca -in $filebase.req -out $filebase.cert -outdir $tmpdir \ - -md md5 -config $CA_CONF -batch -extensions ca_$flags -days $validity" - echo $CMD; $CMD + -md md5 -config $REQ_CONFIG_FILE -batch -preserveDN -extensions ca_$flags -passin pass:$PASSWORD -days $validity $castring" ;; *) echo "Unknown flags: $flags" echo "No certificate is generated." + exit 1 esac + # save the index and serial for the possible proxy to be generated next + echo save the index and serial + cp $CA_DIR/index.txt $CA_DIR/index_proxy.txt + cp $CA_DIR/serial.txt $CA_DIR/serial_proxy.txt + + echo $CMD; eval $CMD + if [ $? != 0 ]; then + echo Certificate signing failed! + exit 1 + fi + # Get the serial number of the certificate that will eventually sign the proxy. # Put it into a temporary file to be read by the ca command later. - SERIAL=$(openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//') - echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt +# SERIAL=$(openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//') +# echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt # cat ${CA_DIR}/serial_proxy.txt # some minor cleanup @@ -104,16 +132,9 @@ function create_cert_proxy { echo "create_cert_proxy Start" filebase=$1 - export FILEBASE=${filebase} - export CN=$2 ident=$3 - export PROXYNAME=$4 validity=$5 - -# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1 -# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1 - ending="grid_proxy" # This really depends on if we make a proxy or a proxy-proxy 
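Review bot: The `clientfuture` arm hard-codes `castring=" -startdate 350101000000Z"`, so this not-yet-valid test certificate silently becomes valid on 2035-01-01, whereas the create_bad code this commit removes derived the date from the current year; keep it relative, e.g. `theyear=$(( $(date +%Y) + 10 ))` followed by `castring=" -startdate ${theyear:2}$(date +%m%d)000000Z"`. That arm's `echo bad DN cert $flags` is a copy of the clientbaddn message. The base `CMD` already ends in `-subj \"$dn\"` and every arm appends a second `-subj`, so the result relies on openssl honouring the last one; assembling the subject in a variable inside the case and appending it once afterwards makes that explicit. The assembled string is then run through `eval`, which re-parses the subject — and with it the caller's `$2` — as shell text; the inputs are script-controlled here, but an argument array handed straight to `openssl` would remove the need for the escaped quotes and the eval altogether. create_cert continues outside this hunk on both sides.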
@@ -124,6 +145,8 @@ function create_cert_proxy { X509_PROX_KEY=${filebase}.${ident}.priv X509_PROX_REQ=${filebase}.${ident}.req X509_PROX_GRID=${filebase}.${ident}.${ending} + + dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4" echo "Creating a proxy cert ${X509_PROX_CERT} for '$CN/CN=$PROXYNAME'" echo " in files named $filebase.(cert|priv)" 
@@ -138,49 +161,89 @@ function create_cert_proxy { # Have to 'edit' the ca database to remove the entry for the signing certificate. # maybe no need... make a dummy database, touch and then delete afterwards... - touch ${CA_DIR}/index_proxy.txt +# touch ${CA_DIR}/index_proxy.txt + # instead save the ones for real certs and copy the ones saved before and use them and later switch back + cp ${CA_DIR}/index.txt ${CA_DIR}/index_cert_save.txt + cp ${CA_DIR}/serial.txt ${CA_DIR}/serial_cert_save.txt + cp ${CA_DIR}/index_proxy.txt ${CA_DIR}/index.txt + cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt + CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${filebase}.proxy.priv" echo $CMD; $CMD + if [ $? != 0 ]; then + echo Private key generation for proxy failed! + exit 1 + fi # Create the certificate request. CMD="openssl req -new -out ${X509_PROX_REQ} \ -key ${X509_PROX_KEY} \ - -config ${REQ_PROXY_CONFIG_FILE}" - echo $CMD; $CMD + -config ${REQ_CONFIG_FILE} -subj \"$dn\"" + echo $CMD; eval $CMD + + if [ $? != 0 ]; then + echo Certificate generation for proxy failed! + exit 1 + fi # Sign the cert request with the user cert and key. Set the serial number here! - CMD="openssl ca -in ${X509_PROX_REQ} \ + CMD="openssl ca -verbose -in ${X509_PROX_REQ} \ -cert ${X509_SIGNING_CERT} \ -keyfile ${X509_SIGNING_KEY} \ -out ${X509_PROX_CERT} \ -outdir $tmpdir \ - -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \ - -passin pass:${PASSWORD} -notext \ - -extensions proxy_none " + -preserveDN \ + -config ${REQ_CONFIG_FILE} -md md5 -days ${validity} -batch \ + -passin pass:${PASSWORD} -notext" echo $CMD; $CMD + if [ $? != 0 ]; then + echo Proxy certificate signing failed! 
+ exit 1 + fi + # Add the user and proxy certs and the proxy private key to the keystore - openssl pkcs12 -in ${X509_PROX_CERT} \ + CMD="openssl pkcs12 -in ${X509_PROX_CERT} \ -out ${filebase}.proxy.p12 -export \ -inkey ${X509_PROX_KEY} \ -passin pass:${PASSWORD} -passout pass:${PASSWORD} \ - -name "${catype} proxy certificate" -certfile ${filebase}.cert + -name \"${catype} proxy certificate\" -certfile ${filebase}.cert" + + echo $CMD; eval $CMD # Create a grid proxy file... # Copy the proxy cert to the grid proxy file. cp ${X509_PROX_CERT} ${X509_PROX_GRID} + if [ $? != 0 ]; then + echo Proxy file generation failed! + exit 1 + fi + # Now add the proxy private key to the grid proxy file. openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID} + if [ $? != 0 ]; then + echo Proxy file generation failed! + exit 1 + fi + # Now add the original certificate used to sign the request to the proxy file. # This should be the certificate issued by the CA to the 'user'. openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID} + + if [ $? != 0 ]; then + echo Proxy file generation failed! + exit 1 + fi + chmod 600 ${X509_PROX_GRID} - cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt + # copy the normal cert files back + cp ${CA_DIR}/index_cert_save.txt ${CA_DIR}/index.txt + cp ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/serial.txt # Clean up stuff # rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt @@ -196,8 +259,6 @@ function create_cert_proxy_proxy { export FILEBASE=${filebase} export CN=$2 ident=$3 - export PROXYNAME=$4 - export PROXYPROXYNAME=$4 validity=$5 signing_pair=$6 
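Review bot: The pkcs12 export is the one step in this hunk whose result is not checked: `echo $CMD; eval $CMD` is followed straight by the grid-proxy file creation, so a failed keystore write is skipped without a word while every other openssl call now exits with a message; add `if [ $? != 0 ]; then echo Proxy keystore generation failed!; exit 1; fi` after it, and likewise in create_cert_proxy_proxy's `@@ -245,25 +323,42 @@` hunk. The signing command also drops `-extensions proxy_none` together with the deleted ca_conf.cnf section that set `keyUsage=critical,digitalSignature,keyEncipherment`; whether proxies still get that key usage now depends on an `x509_extensions` default in req_conf.cnf's `[CA_default]`, which is not visible here, so please confirm, since consumers that check key usage on proxies would otherwise see a change. Each `exit 1` between the `cp ... index.txt` swap and the restore at the end of the function leaves the CA database pointing at the proxy snapshot, which is fine only if a failed run is always restarted from a fresh target directory. create_cert_proxy continues outside this hunk on both sides.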
@@ -214,10 +275,12 @@ function create_cert_proxy_proxy { X509_PROX_REQ=${filebase}.${ident}.proxy.req X509_PROX_GRID=${filebase}.${ident}.${ending} + dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4" + if [ -r "${X509_PROX_CERT}" ]; then echo "There already exists a file named ${X509_PROX_CERT}" echo "file. Proxy-proxy certificate is not generated for '$CN'" - return + return 0 fi # Get the serial number of the certificate that will eventually sign the proxy. @@ -227,16 +290,31 @@ function create_cert_proxy_proxy { # Have to 'edit' the ca database to remove the entry for the signing certificate. # maybe no need... make a dummy database, touch and then delete afterwards... - touch ${CA_DIR}/index_proxy.txt + #touch ${CA_DIR}/index_proxy.txt + # instead save the ones for real certs and copy the ones saved before and use them and later switch back + cp ${CA_DIR}/index.txt ${CA_DIR}/index_cert_save.txt + cp ${CA_DIR}/serial.txt ${CA_DIR}/serial_cert_save.txt + cp ${CA_DIR}/index_proxy.txt ${CA_DIR}/index.txt + cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt + CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${X509_PROX_KEY}" echo $CMD; $CMD + if [ $? != 0 ]; then + echo Private key generation for proxy failed! + exit 1 + fi # Create the certificate request. CMD="openssl req -new -out ${X509_PROX_REQ} \ -key ${X509_PROX_KEY} \ - -config ${REQ_PROXY_PROXY_CONFIG_FILE}" - echo $CMD; $CMD + -config ${REQ_CONFIG_FILE} -subj \"$dn\"" + echo $CMD; eval $CMD + + if [ $? != 0 ]; then + echo Certificate generation for proxy failed! + exit 1 + fi # Sign the cert request with the user cert and key. Set the serial number here! 
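Review bot: The four `cp` lines that swap the CA database to the proxy snapshot are copied verbatim from create_cert_proxy's `@@ -138,49 +161,89 @@` hunk, and the restore pair at the end of each function is duplicated the same way; `save_ca_db`/`restore_ca_db` helpers would keep the two from drifting, and they already differ in that this function keeps the old `cp serial_proxy.txt serial.txt` as a comment. None of the `cp` calls is checked: `index_proxy.txt` and `serial_proxy.txt` are only written by create_cert, so if that step was skipped the copy fails, the previous database stays in place and signing continues against it without stopping. create_cert_proxy_proxy continues outside this hunk on both sides.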
@@ -245,25 +323,42 @@ function create_cert_proxy_proxy { -keyfile ${X509_SIGNING_KEY} \ -out ${X509_PROX_CERT} \ -outdir $tmpdir \ - -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \ - -passin pass:${PASSWORD} -notext \ - -extensions proxy_none " + -preserveDN \ + -config ${REQ_CONFIG_FILE} -md md5 -days ${validity} -batch \ + -passin pass:${PASSWORD} -notext" echo $CMD; $CMD + if [ $? != 0 ]; then + echo Proxy certificate signing failed! + exit 1 + fi + # Add the user and proxy certs and the proxy private key to the keystore - openssl pkcs12 -in ${X509_PROX_CERT} \ + CMD="openssl pkcs12 -in ${X509_PROX_CERT} \ -out ${filebase}.proxy.proxy.p12 -export \ -inkey ${X509_PROX_KEY} \ -passin pass:${PASSWORD} -passout pass:${PASSWORD} \ - -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT} + -name \"${catype} proxy certificate\" -certfile ${X509_SIGNING_CERT}" + + echo $CMD; eval $CMD # Create a grid proxy file... # Copy the proxy cert to the grid proxy file. cp ${X509_PROX_CERT} ${X509_PROX_GRID} + if [ $? != 0 ]; then + echo Proxy file generation failed! + exit 1 + fi + # Now add the proxy private key to the grid proxy file. openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID} + if [ $? != 0 ]; then + echo Proxy file generation failed! + exit 1 + fi + # Now add the original certificate used to sign the request to the proxy file. # In this case it is the proxy certificate! openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID} 
@@ -271,9 +366,17 @@ function create_cert_proxy_proxy { # adding in the original certificate to the chain. 03/06/05 openssl x509 -in ${filebase}.cert >> ${X509_PROX_GRID} + if [ $? != 0 ]; then + echo Proxy file generation failed! + exit 1 + fi + chmod 600 ${X509_PROX_GRID} - cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt +# cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt + # copy the normal cert files back + cp ${CA_DIR}/index_cert_save.txt ${CA_DIR}/index.txt + cp ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/serial.txt # Clean up stuff # rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \ @@ -363,7 +466,7 @@ function create_some { create_cert $CERT_DIR/${catype}_host "$HOSTNAME" server $DAYS # generating CRL - openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF + openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE # make it user friendly if [ ! -d 'grid-security/certificates' ]; then 
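Review bot: `openssl ca -gencrl ... -config $REQ_CONFIG_FILE` in create_some still runs without a status check, although this commit makes every other `openssl` step in the cert functions fail loudly; a CRL that fails to generate leaves the revocation tests running against a stale or missing `${catype}.crl`. Add `|| { echo CRL generation failed!; exit 1; }` here, and the same on the `openssl ca -revoke` lines in the `@@ -602,17 +667,41 @@`, `@@ -697,7 +782,7 @@`, `@@ -706,7 +791,7 @@`, `@@ -715,7 +800,7 @@`, `@@ -724,7 +809,7 @@` and `@@ -733,27 +818,21 @@` hunks and on the `-gencrl` in the last of those. create_some continues outside this hunk.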
@@ -442,66 +545,19 @@ EOF function create_bad { - # generating client certificate - create_cert $CERT_DIR/${catype}_client00 "$LOGNAME" client $DAYS - - # create cert with mismatched signing_policy - export CN="bad policy client" - CMD="openssl req -out $CERT_DIR/bad_policy.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy.priv -config $CA_DIR/req_conf_policy.cnf" - echo $CMD; $CMD - CMD="openssl ca -in $CERT_DIR/bad_policy.req -out $CERT_DIR/bad_policy.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS" - echo $CMD; $CMD - - # create a cert which is not vaild yet - export CN="bad future client" - theyear=`date +%Y` - let "theyear += 10 " - valid=${theyear:2}`date +%m%d`000000Z - CMD="openssl req -out $CERT_DIR/bad_future.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_future.priv -config $CA_DIR/req_conf_future.cnf" - echo $CMD; eval $CMD - CMD="openssl ca -in $CERT_DIR/bad_future.req -out $CERT_DIR/bad_future.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -startdate $valid -days $DAYS" - echo $CMD; $CMD - - # create host cert with mismatched signing_policy - export CN="$HOSTNAME" - CMD="openssl req -out $CERT_DIR/bad_policy_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy_host.priv -config $CA_DIR/req_conf_policy.cnf" - echo $CMD; $CMD - CMD="openssl ca -in $CERT_DIR/bad_policy_host.req -out $CERT_DIR/bad_policy_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS" - echo $CMD; $CMD - - # create revoked host cert - export CN="$HOSTNAME" - CMD="openssl req -out $CERT_DIR/bad_revoked_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_revoked_host.priv -config $CA_DIR/req_conf.cnf" - echo $CMD; $CMD - CMD="openssl ca -in $CERT_DIR/bad_revoked_host.req -out $CERT_DIR/bad_revoked_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS" - echo $CMD; $CMD - - openssl ca -revoke $CERT_DIR/bad_revoked_host.cert -config $CA_CONF - - # create expired host cert - export CN="$HOSTNAME" - CMD="openssl req 
-out $CERT_DIR/bad_expired_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_expired_host.priv -config $CA_DIR/req_conf.cnf" - echo $CMD; $CMD - CMD="openssl ca -in $CERT_DIR/bad_expired_host.req -out $CERT_DIR/bad_expired_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days -1" - echo $CMD; $CMD - - - # generating CRL - openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF - # generating a signing_policy file - subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout) + subject_name=`openssl x509 -in $CA_DIR/${catype}.cert -subject -noout| sed 's/^subject= //'` cat < $CA_DIR/${catype}.signing_policy -# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##') -access_id_CA X509 '${subject_name:9}' +# Signing policy file for the $subject_name" +access_id_CA X509 '${subject_name}' pos_rights globus CA:sign -cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"' +cond_subjects globus '"$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*"' EOF cat < $CA_DIR/${catype}.namespaces -# Namespace for the $(echo "$subject_name" | sed -e 's#^.*/CN=##') -TO Issuer "${subject_name:9}" \ - PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*" +# Namespace for the $subject_name" +TO Issuer "${subject_name}" \ + PERMIT Subject "$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*" EOF 
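Review bot: After this hunk create_bad no longer creates any certificate — every `bad_*` request/sign pair is removed and only the signing_policy/namespaces generation remains, while the bad-DN, revoked, expired and future cases move into create_all — so the name misleads; either rename it (e.g. `create_policy_files`) or put a header comment above it: `# Writes the signing_policy and namespaces files for the current CA; the 'bad' certificates are now produced in create_all.` The policy-file block is byte-for-byte the one added to create_ca in generate-ca-certificates-for-cvs.sh in this commit, so any change to the DN prefix rule (`sed -e 's#/CN=.*$##'`) has to be made in both places. The function's closing brace lies outside the hunk.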
@@ -527,21 +583,28 @@ function create_all { TYPE="client" CTYPE="client" - # i=0; - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; - # ls -l ${CA_DIR}/. - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + + TYPE="clientbaddn" + CTYPE="client with bad DN" - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; + TYPE="clientfuture" + CTYPE="client future" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; create_cert_proxy_proxy 
$CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp TYPE="clientserial" 
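Review bot: Each of the new `clientbaddn` and `clientfuture` blocks repeats the same five-call sequence (cert, proxy, expired proxy, proxy-proxy, expired proxy-proxy) that the `client` block already has, and the `@@ -574,27 +637,29 @@` hunk adds two more copies for `bigclient` and `verybigclient` with a `TYPE2` variable to separate the file label from the flags; a small helper taking label, description, flags and key size would collapse each block to one line and keep the argument order from drifting between copies. create_cert's optional fifth argument defaults to 1024 when absent, so the helper can pass an unquoted empty `$bits` for the normal cases. create_all continues outside this hunk on both sides.
```shell
# Issue one end-entity certificate (flags as understood by create_cert) plus its
# proxy, expired proxy, proxy-proxy and expired proxy-proxy.
# $1 label used in the file name, $2 description, $3 create_cert flags, $4 key bits (optional)
function create_cert_set {
  local label=$1 descr=$2 flags=$3 bits=$4
  create_cert $CERT_DIR/${catype}_${label} "$catype ${descr}" ${flags} $DAYS $bits
  create_cert_proxy $CERT_DIR/${catype}_${label} "$catype ${descr}" proxy "proxy" $PROXY_VALIDITY
  create_cert_proxy $CERT_DIR/${catype}_${label} "$catype ${descr}" proxy_exp "expired proxy" -1
  create_cert_proxy_proxy $CERT_DIR/${catype}_${label} "$catype ${descr}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
  create_cert_proxy_proxy $CERT_DIR/${catype}_${label} "$catype ${descr}" proxy_proxy_exp "expired proxy" -1 proxy_exp
}

# … unchanged: earlier part of create_all …
create_cert_set client "client" client
create_cert_set clientbaddn "client with bad DN" clientbaddn
create_cert_set clientfuture "client future" clientfuture
```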
@@ -574,27 +637,29 @@ function create_all { TYPE="fclient" CTYPE="flag client" - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - # Is there a problem here? The serial # does not advance after writing the certificate. Check later. - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo; create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp TYPE="bigclient" CTYPE="bigclient" + TYPE2="client" - create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS 4096 - + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 4096 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + TYPE="verybigclient" + CTYPE="very big client" + TYPE2="client" + + create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 8192 + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" 
proxy_exp "expired proxy" -1 create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp @@ -602,17 +667,41 @@ function create_all { CTYPE="server" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + TYPE="host" + CTYPE="$HOSTNAME" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS + + TYPE="host_rev" + CTYPE="$HOSTNAME" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE + + + TYPE="host_exp" + CTYPE="$HOSTNAME" + TYPE2="server" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} -1 + + TYPE="host_baddn" + CTYPE="$HOSTNAME" + TYPE2="hostbaddn" + + create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS + TYPE="altname" CTYPE="altname" - create_cert $CERT_DIR/${catype}_${TYPE} "$catype/xxx.foo.bar" ${TYPE} $DAYS + create_cert $CERT_DIR/${catype}_${TYPE} "$catype\/xxx.foo.bar" ${TYPE} $DAYS TYPE="altname" CTYPE="altname2" 
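Review bot: The altname call now passes `"$catype\/xxx.foo.bar"` and nothing says why; since `-subj` treats `/` as the RDN separator, the backslash is what keeps the slash inside the CN (the old value went through `$ENV::CN` in the config and needed no escaping), which is the whole point of this test certificate and deserves a comment such as `# the backslash keeps the '/' inside the CN; -subj would otherwise start a new RDN`. The three `host`, `host_rev` and `host_exp` blocks repeat `CTYPE="$HOSTNAME"` and `TYPE2="server"` and differ only in the label and validity, so a comment stating what each one is for (`# revoked host cert`, `# expired host cert`) would help more than the duplicated assignments. create_all continues outside this hunk on both sides.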
@@ -628,10 +717,8 @@ function create_all { CTYPE="clientserver" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp @@ -639,10 +726,8 @@ function create_all { CTYPE="none" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp @@ -688,7 +773,7 @@ function create_all { create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy -# Create revoked certificates + # Create revoked certificates with otherwise valid proxies TYPE="client_rev" CTYPE="client revoked" 
@@ -697,7 +782,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="fclient_rev" CTYPE="flag client revoked" @@ -706,7 +791,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="server_rev" CTYPE="server revoked" @@ -715,7 +800,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="clientserver_rev" CTYPE="clientserver revoked" 
@@ -724,7 +809,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="none_rev" CTYPE="none revoked" @@ -733,27 +818,21 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF + openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE # some extra certificates - TYPE="client" - CTYPE="client dnerror" - TYPE2="proxy_dnerror" - create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" ${TYPE2} "proxy" $DAYS - # generating CRL - openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF + openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE # now do the clean-up? - - rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt + rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/index_cert_save.txt } ############################## main ################################ -USAGE="$0 [--help] [--all|--some] [--voms] [--onlyenv] [--extra #extra-user-certs]" +USAGE="$0 [--help] [--all|--some] [--voms] [--onlyenv] [--extra #extra-user-certs] target_dir" TEMP=$(getopt -o hasvoe: --long help,all,some,voms,onlyenv,extra: -- "$@") eval set -- "$TEMP" 
@@ -773,7 +852,7 @@ while true; do case "$1" in -a|--all) ALL='yes' - CATYPES='trusted fake big expired bad' + CATYPES='trusted fake big expired nokeyusage subsubca' shift ;; -s|--some) @@ -820,7 +899,7 @@ openssl version TARGETDIR=$1 CONFIGDIR=$(cd $(dirname $0)/..; echo $PWD)/test -export PASSWORD='changeit' +PASSWORD='changeit' DAYS=10000 if [ -z "$TARGETDIR" ]; then @@ -850,22 +929,9 @@ for catype in $CATYPES; do export CATYPE=${catype} export CA_DIR=${catype}-ca export CERT_DIR=${catype}-certs - export CA_CONF=$CA_DIR/ca_conf.cnf - export CA_PROXY_CONF=$CA_DIR/ca_proxy_conf.cnf export REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf - export REQ_CONFIG_FILE_SERIAL=$CA_DIR/req_conf_sn.cnf - export REQ_CONFIG_FILE_EMAIL=$CA_DIR/req_conf_email.cnf - export REQ_CONFIG_FILE_UID=$CA_DIR/req_conf_uid.cnf - export REQ_CONFIG_FILE_ALTNAME=$CA_DIR/req_conf_altname.cnf - export REQ_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_conf.cnf - export REQ_PROXY_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_proxy_conf.cnf - export PROXY_BITS=512 - - if [ "$catype" = "big" ]; then - export BITS=8192 - else - export BITS=1024 - fi + export PROXY_BITS=1024 + export CASROOT=./ # putting the CA certificate to the right place if [ ! -d "$CONFIGDIR/${catype}-ca" ]; then diff --git a/config/ca_conf.cnf b/config/ca_conf.cnf deleted file mode 100644 index 42d548d..0000000 --- a/config/ca_conf.cnf +++ /dev/null 
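Review bot: The `--all` CA list becomes `trusted fake big expired nokeyusage subsubca`, which includes the third-level subsubca but neither `root` nor `subca`, while the generator script in this commit produces all three and subsubca is signed by subca (`generate_ca_cert "$catype" subca ...`); if the target's grid-security/certificates directory is populated only from this list, the chain above subsubca will be missing there and every subsubca test certificate fails path validation. I cannot see from here how that directory is filled, so please confirm, or add `root subca` to the list. `PROXY_BITS` going from 512 to 1024 is welcome, as 512-bit proxy keys are refused by current TLS stacks. `CASROOT=./` is relative to the working directory, so the `dir = $ENV::CASROOT/$ENV::CATYPE-ca` lookup in req_conf.cnf depends on the script having changed into the target directory before any `openssl ca` call, and the CA generator sets `../` for the same variable; a comment at each assignment naming the expected cwd would make that contract visible.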
@@ -1,60 +0,0 @@
-[ca]
-default_ca = CA_default
-
-[CA_default]
-dir = $ENV::CA_DIR
-database = $dir/index.txt
-serial = $dir/serial.txt
-default_md = sha1
-
-certificate = $dir/$ENV::CATYPE.cert
-private_key = $dir/$ENV::CATYPE.priv
-
-policy = policy_any
-
-[policy_any]
-countryName = supplied
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ ca_cert ]
-basicConstraints=CA:TRUE
-
-
-[ ca_server ]
-# This is OK for an SSL server.
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-[ ca_client ]
-# For normal client use this is typical
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
-
-[ ca_clientserver ]
-# For normal client use this is typical
-nsCertType = server, client, email
-nsComment = "OpenSSL Generated Client Server Certificate"
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-[ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Client Certificate with Flags"
-
-[ ca_none ]
-nsComment = "OpenSSL Generated Client Certificate with Flags"
-
-[ proxy_none ]
-keyUsage=critical,digitalSignature,keyEncipherment
diff --git a/config/ca_proxy_conf.cnf b/config/ca_proxy_conf.cnf
deleted file mode 100644
index 465a9a0..0000000
--- a/config/ca_proxy_conf.cnf
+++ /dev/null
@@ -1,27 +0,0 @@
-[ca]
-default_ca = CA_default
-
-[CA_default]
-dir = $ENV::CA_DIR
-database = $dir/index_proxy.txt
-serial = $dir/serial_proxy.txt
-
-certificate = $dir/$ENV::CATYPE.cert
-private_key = $dir/$ENV::CATYPE.priv
-
-policy = policy_any
-
-[policy_any]
-countryName = supplied
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ ca_cert ]
-basicConstraints=CA:TRUE
-
-[ proxy_none ]
-
diff --git a/config/req_conf.cnf b/config/req_conf.cnf
index 2495b5f..2262038 100644
--- a/config/req_conf.cnf
+++ b/config/req_conf.cnf
@@ -1,19 +1,10 @@ ### req command [ req ] -default_bits = $ENV::BITS -default_keyfile = keyfile.pem +default_bits = 1024 distinguished_name = req_distinguished_name -prompt = no -output_password = $ENV::PASSWORD -ca_cert = ca_cert [ req_distinguished_name ] -countryName = UG -localityName = Tropic -organizationName = Utopia -organizationalUnitName = Relaxation -0.commonName = $ENV::CN [ ca_cert_req ] basicConstraints = CA:true
@@ -21,21 +12,18 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = cRLSign, keyCertSign -[ serial_cert_req ] -serialNumber = 12341324 +#[ serial_cert_req ] +#serialNumber = 12341324 -[ email_cert_req ] -emailAddress = test@home.org +#[ email_cert_req ] +#emailAddress = test@home.org -[ uid_cert_req ] -userId = testuserid +#[ uid_cert_req ] +#userId = testuserid [ proxy_cert_req ] -1.commonName = $ENV::PROXYNAME [ proxy_proxy_cert_req ] -1.commonName = $ENV::PROXYNAME -2.commonName = $ENV::PROXYNAME #### ca command
@@ -43,7 +31,7 @@ userId = testuserid default_ca = CA_default [CA_default] -dir = $ENV::CA_DIR +dir = $ENV::CASROOT/$ENV::CATYPE-ca database = $dir/index.txt serial = $dir/serial.txt default_md = sha1
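Review bot: Dropping `prompt = no` together with every field of `[ req_distinguished_name ]` changes how `openssl req` obtains its subject: with an empty DN section and prompting re-enabled it either prompts, stops with a "no objects specified" error or yields an empty subject depending on the version, so this file only works if every caller now supplies the subject on the command line (`-subj`); that is presumably what the shell side does, but nothing in the config says so. A line such as `# DN is always passed with -subj; no fields and no prompt=no here on purpose` under `[ req_distinguished_name ]` would keep a later reader from "restoring" the fields. Likewise `default_bits = 1024` is now fixed where `$ENV::BITS` used to vary it, so any larger key size has to be requested explicitly (`-newkey rsa:N`) by the caller.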
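Review bot: `[ proxy_cert_req ]` and `[ proxy_proxy_cert_req ]` are left as empty section headers and the three `*_cert_req` sections are commented out rather than removed, with no comment saying why. As far as I know `openssl ca -extensions` accepts an existing but empty section silently, so a proxy signed with `-extensions proxy_cert_req` would carry no extensions at all and nothing in the file warns about that. Either delete the empty headers if nothing references them any more, or add `# intentionally empty: kept so -extensions proxy_cert_req still resolves; proxy CNs are built by the caller` under each, and drop the commented-out sections since version control keeps them.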
@@ -62,6 +50,7 @@ organizationalUnitName = optional commonName = supplied emailAddress = optional userId = optional +serialNumber = optional [ ca_cert ] basicConstraints = CA:TRUE
@@ -74,6 +63,12 @@ nsComment = "OpenSSL Generated Server Certificate" # For an object signing certificate this would be used. # nsCertType = objsign +[ ca_altname ] +# This is OK for an SSL server. +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectAltName = DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com [ ca_client ] # For normal client use this is typical nsCertType = client, email
@@ -83,8 +78,6 @@ nsComment = "OpenSSL Generated Client Certificate" # For normal client use this is typical nsCertType = server, client, email nsComment = "OpenSSL Generated Client Server Certificate" -# and for everything including object signing: -# nsCertType = client, email, objsign [ ca_fclient ] # This is typical in keyUsage for a client certificate.
@@ -96,3 +89,4 @@ nsComment = "OpenSSL Generated Client Certificate without Flags" [ proxy_none ] keyUsage = critical,digitalSignature,keyEncipherment
+
diff --git a/config/req_proxy_conf.cnf b/config/req_proxy_conf.cnf
deleted file mode 100644
index 61a1812..0000000
--- a/config/req_proxy_conf.cnf
+++ /dev/null
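Review bot: The new `[ ca_altname ]` section carries the `# This is OK for an SSL server.` comment copied from `[ ca_server ]`, which says nothing about what sets this section apart: the `subjectAltName` line with a `*.hoo.org` wildcard, wildcards inside a label (`g*a.e*.com`) and an IP entry. Those look like deliberately non-conforming names meant to exercise hostname matching in the code under test; a comment stating that, e.g. `# server profile with unusual SANs (in-label wildcards, IP) for hostname-matching tests; not meant to be RFC-conformant`, would keep a later clean-up from "normalising" them and silently weakening the test. The section is complete within the hunk.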
@@ -1,46 +0,0 @@
-[ca]
-default_ca = CA_default
-
-[CA_default]
-dir = $ENV::CA_DIR
-database = $dir/index.txt
-serial = $dir/serial.txt
-
-certificate = $dir/$ENV::CATYPE.cert
-private_key = $dir/$ENV::CATYPE.priv
-
-[ req ]
-
-default_bits = 1024
-default_keyfile = keyfile.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-prompt = no
-output_password = $ENV::PASSWORD
-# ca_cert = CA_cert
-
-[ req_distinguished_name ]
-
-countryName = UG
-
-#stateOrProvinceName = South area
-
-localityName = Tropic
-
-organizationName = Utopia
-
-organizationalUnitName = Relaxation
-
-0.commonName = $ENV::CN
-
-1.commonName = $ENV::PROXYNAME
-
-#emailAddress = Email Address
-
-[ req_attributes ]
-
-[ CA_cert]
-
-basicConstraints = CA:true
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/config/req_proxy_proxy_conf.cnf b/config/req_proxy_proxy_conf.cnf
deleted file mode 100644
index f95b0ca..0000000
--- a/config/req_proxy_proxy_conf.cnf
+++ /dev/null
@@ -1,35 +0,0 @@
-[ req ]
-default_bits = 1024
-default_keyfile = keyfile.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-prompt = no
-output_password = $ENV::PASSWORD
-ca_cert = CA_cert
-
-[ req_distinguished_name ]
-countryName = UG
-
-#stateOrProvinceName = South area
-
-localityName = Tropic
-
-organizationName = Utopia
-
-organizationalUnitName = Relaxation
-
-0.commonName = $ENV::CN
-
-1.commonName = $ENV::PROXYNAME
-
-2.commonName = $ENV::PROXYNAME
-
-#emailAddress = Email Address
-
-[ req_attributes ]
-#challengePassword = $ENV::PASSWORD
-
-[ CA_cert]
-basicConstraints = CA:true
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always