From b95c8e27a34ecda8ea02e862e6c462a12434ace8 Mon Sep 17 00:00:00 2001
From: Joni Hahkala
Date: Sun, 15 Nov 2009 15:17:37 +0000
Subject: [PATCH] add ca without key usage, root, subca, subsubca, move to single config file, use v3 ca files, use key usage flags and keyids.

---
 bin/generate-ca-certificates-for-cvs.sh | 54 +++++++++++-----
 config/req_conf.cnf | 106 +++++++++++++++++++++++++-------
 2 files changed, 124 insertions(+), 36 deletions(-)

diff --git a/bin/generate-ca-certificates-for-cvs.sh b/bin/generate-ca-certificates-for-cvs.sh
index b4ba975..bbbb58d 100755
--- a/bin/generate-ca-certificates-for-cvs.sh
+++ b/bin/generate-ca-certificates-for-cvs.sh
@@ -15,18 +15,27 @@ CONFIGDIR=$PWD/$(dirname $0)/../config
 BASEDIR=$PWD/$(dirname $0)/../test
-CONFIGFILES="index.txt serial.txt ca_conf.cnf ca_proxy_conf.cnf req_conf.cnf req_proxy_conf.cnf req_proxy_proxy_conf.cnf"
+CONFIGFILES="index.txt serial.txt req_conf.cnf"
 export PASSWORD='changeit'
-CATYPES='trusted fake big expired bad'
+CATYPES='trusted fake big expired bad nokeyusage root subca subsubca'
 BIG_BITS=8192
 SMALL_BITS=1024
+## dummy values for unused env variables in conf file
+export PROXYNAME=dummyprox
+export CA_DIR=dummyCAdir
+export CATYPE_dummyCAtype
+
 function create_ca {
+ export CATYPE=$1
 catype=$1
- CADIR=${catype}-ca
- if [ ! -f ${CADIR}/serial.txt ]; then
- mkdir -p ${CADIR}
- cd ${CADIR}
+ echo "+-----------------------"
+ echo "| $catype"
+ echo "+-----------------------"
+ cadir=${catype}-ca
+ if [ ! -f ${cadir}/serial.txt ]; then
+ mkdir -p ${cadir}
+ cd ${cadir}
 for config in ${CONFIGFILES}; do
 cp $CONFIGDIR/$config .
 done
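Review bot: `export CATYPE_dummyCAtype` in the new dummy-values block is missing the `=`: it exports an unset variable named `CATYPE_dummyCAtype` and leaves `CATYPE` without the placeholder the comment above it promises; it should read `export CATYPE=dummyCAtype`. In this script the slip is masked because `create_ca` does `export CATYPE=$1` on entry, so the config's `$ENV::CATYPE` is never resolved from the dummy, but any use of `req_conf.cnf` outside `create_ca` would hit an unset variable. The renamed `cd ${cadir}` is still unchecked; if `mkdir -p` or `cd` fails, the config copy and the key generation that follow run in the caller's directory, so `cd ${cadir} || exit 1` is worth adding while the line is being touched. `create_ca` continues past the end of this hunk.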
@@ -44,14 +53,33 @@ function create_ca {
 fi
 export CN="the $catype CA"
- openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \
- -keyout ${catype}.priv -config req_conf.cnf -extensions CA_cert
- openssl pkcs12 -export -in ${catype}.cert -inkey ${catype}.priv \
- -out ${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD"
+ if [ "$catype" = "subca" ]; then
+ export CA_DIR=../root-ca
+ export CATYPE=root
+ openssl req -new -out ${catype}.req $DAYS -nodes \
+ -keyout ${catype}.priv -config req_conf.cnf
+ openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \
+ -md md5 -config req_conf.cnf -batch -extensions ca_cert_req -days 10000
+ else
+ if [ "$catype" = "subsubca" ]; then
+ export CA_DIR=../subca-ca
+ export CATYPE=subca
+ openssl req -new -out ${catype}.req $DAYS -nodes \
+ -keyout ${catype}.priv -config req_conf.cnf
+ openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \
+ -md md5 -config req_conf.cnf -batch -extensions ca_cert_req -days 10000
+
+ else
+ openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \
+ -keyout ${catype}.priv -config req_conf.cnf -extensions ca_cert_req
+ openssl pkcs12 -export -in ${catype}.cert -inkey ${catype}.priv \
+ -out ${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD"
+ fi
+ fi
 echo -n "Generated CA certificate with "
 openssl x509 -noout -subject -in ${catype}.cert
 else
- echo "${CADIR}/serial.txt exists!"
+ echo "${cadir}/serial.txt exists!"
 fi
 }
@@ -67,10 +95,6 @@ cd $BASEDIR
 ABSBASEDIR=$(pwd)
 for catype in $CATYPES; do
- echo "+-----------------------"
- echo "| $catype"
- echo "+-----------------------"
 create_ca $catype
 cd $ABSBASEDIR
 done
-
diff --git a/config/req_conf.cnf b/config/req_conf.cnf
index 45cac0e..2495b5f 100644
--- a/config/req_conf.cnf
+++ b/config/req_conf.cnf
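Review bot: Both new `openssl ca` calls pass `-md md5`, which overrides the `default_md = sha1` this same commit puts into `req_conf.cnf`, so the root→subca and subca→subsubca signatures are MD5 while the self-signed CAs keep the config digest; anything that rejects MD5 signatures will fail the whole sub-CA chain for a reason unrelated to what these test CAs are meant to exercise. Dropping `-md md5` lets the config decide, and if `$DAYS` is a `-days` option as its use on the `openssl req -x509` line suggests, the hard-coded `-days 10000` should probably follow it too. The `subca` and `subsubca` branches are identical apart from the parent name, and the nested `else` / `if … fi fi` is an `elif` in disguise; deriving the parent once removes the duplication, as sketched below. Neither `openssl req` nor `openssl ca` has its status checked, so a missing `../root-ca` (the branches rely on `CATYPES` listing `root` before `subca`) yields no certificate but still prints the "Generated CA certificate" line. `create_ca` begins before this hunk.
```shell
    case "$catype" in
      subca)    parent=root ;;
      subsubca) parent=subca ;;
      *)        parent= ;;
    esac
    if [ -n "$parent" ]; then
      export CA_DIR=../${parent}-ca
      export CATYPE=$parent
      openssl req -new -out ${catype}.req $DAYS -nodes \
        -keyout ${catype}.priv -config req_conf.cnf || exit 1
      openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \
        -config req_conf.cnf -batch -extensions ca_cert_req -days 10000 || exit 1
    else
      # … unchanged: self-signed CA generation and pkcs12 export …
    fi
```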
@@ -1,34 +1,98 @@
+### req command
+
 [ req ]
-default_bits = $ENV::BITS
-default_keyfile = keyfile.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-prompt = no
-output_password = $ENV::PASSWORD
-ca_cert = CA_cert
+default_bits = $ENV::BITS
+default_keyfile = keyfile.pem
+distinguished_name = req_distinguished_name
+prompt = no
+output_password = $ENV::PASSWORD
+ca_cert = ca_cert
 [ req_distinguished_name ]
-countryName = UG
+countryName = UG
+localityName = Tropic
+organizationName = Utopia
+organizationalUnitName = Relaxation
+0.commonName = $ENV::CN
+
+[ ca_cert_req ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+
+[ serial_cert_req ]
+serialNumber = 12341324
+
+[ email_cert_req ]
+emailAddress = test@home.org
+
+[ uid_cert_req ]
+userId = testuserid
+
+[ proxy_cert_req ]
+1.commonName = $ENV::PROXYNAME
+
+[ proxy_proxy_cert_req ]
+1.commonName = $ENV::PROXYNAME
+2.commonName = $ENV::PROXYNAME
+
+#### ca command
+
+[ca]
+default_ca = CA_default
+
+[CA_default]
+dir = $ENV::CA_DIR
+database = $dir/index.txt
+serial = $dir/serial.txt
+default_md = sha1
+
+certificate = $dir/$ENV::CATYPE.cert
+private_key = $dir/$ENV::CATYPE.priv
+
+policy = policy_any
-#stateOrProvinceName = South area
+[policy_any]
+countryName = supplied
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+userId = optional
-localityName = Tropic
+[ ca_cert ]
+basicConstraints = CA:TRUE
-organizationName = Utopia
-organizationalUnitName = Relaxation
+[ ca_server ]
+# This is OK for an SSL server.
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+# For an object signing certificate this would be used.
+# nsCertType = objsign
-commonName = $ENV::CN
+[ ca_client ]
+# For normal client use this is typical
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
-#emailAddress = Email Address
+[ ca_clientserver ]
+# For normal client use this is typical
+nsCertType = server, client, email
+nsComment = "OpenSSL Generated Client Server Certificate"
+# and for everything including object signing:
+# nsCertType = client, email, objsign
-[ req_attributes ]
-#challengePassword = $ENV::PASSWORD
+[ ca_fclient ]
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Client Certificate with key usage"
-[ CA_cert ]
-basicConstraints = CA:true
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-keyUsage = cRLSign, keyCertSign
+[ ca_none ]
+nsComment = "OpenSSL Generated Client Certificate without Flags"
 [ proxy_none ]
+keyUsage = critical,digitalSignature,keyEncipherment
-- 
1.8.2.3
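Review bot: `[ ca_cert ]`, which carries only `basicConstraints = CA:TRUE`, looks like the extension section intended for the new `nokeyusage` CA, but nothing selects it: the script passes `-extensions ca_cert_req` for every self-signed type, and `ca_cert = ca_cert` under `[ req ]` is not an option `openssl req` reads, so the nokeyusage CA is still issued with `keyUsage = cRLSign, keyCertSign` and the commit's first stated goal is not met. The extension section has to be chosen per type on the `openssl req -x509` line (e.g. `ca_cert` for `nokeyusage`, `ca_cert_req` otherwise), and the dead `ca_cert = ca_cert` key can go. Separately, in `[ ca_cert_req ]` RFC 5280 requires `basicConstraints` to be critical in a CA certificate and recommends the same for `keyUsage` — `basicConstraints = critical, CA:true` and `keyUsage = critical, cRLSign, keyCertSign`, as `[ proxy_none ]` already does for its key usage — otherwise the CAs meant to be the valid ones are themselves non-conforming. `[CA_default]` also has no `new_certs_dir`; the script supplies `-outdir .` on the command line, which works but deserves a line here so the dependency is visible, e.g. `# new_certs_dir is supplied by the caller via -outdir`.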