Update PKI: CA is generated with raw dates

nemunaire 2015-01-17 13:05:04 +01:00 committed by Nemunaire
parent ab7ca08a23
commit 96815e15cc
2 changed files with 10 additions and 3 deletions


@ -21,6 +21,10 @@ SRVCRT=${SHARED_DIR}/server.crt
# Generate certificates valid for:
DAYS=2
STARTDATE=150117000000Z
ENDDATE=150120235959Z
VALIDITY="-startdate ${STARTDATE} -enddate ${ENDDATE}"
#VALIDITY="-days ${DAYS}"
if [ -z "$PS1" ]
then
@ -85,6 +89,7 @@ case $1 in
echo $ECHO_OPTS "${GREEN}Making CA key and csr${COLOR_RST}"
sed -i 's/=.*#COMMONNAME/= FIC CA #COMMONNAME/' $OPENSSL_CONF
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
sed -i "s/=.*#DAYS/= ${DAYS} #DAYS/" $OPENSSL_CONF
type pwgen > /dev/null
if [ $? -ne 0 ]; then
@ -113,7 +118,7 @@ case $1 in
echo $ECHO_OPTS "${GREEN}Self signes the CA certificate${COLOR_RST}"
if ! openssl ca -batch -create_serial -out ${CACRT} \
-days ${DAYS} -keyfile ${CAKEY} \
${VALIDITY} -keyfile ${CAKEY} \
-selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \
-infiles ${CAREQ} > $OUTPUT 2>&1
then
@ -140,6 +145,7 @@ case $1 in
exit 2
fi
sed -i "s/=.*#COMMONNAME/=$2#COMMONNAME/" $OPENSSL_CONF
sed -i "s/=.*#DAYS/= ${DAYS} #DAYS/" $OPENSSL_CONF
if ! openssl req -batch -new -keyout ${SRVKEY} -out ${SRVREQ} \
-days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
then
@ -195,6 +201,7 @@ case $1 in
ESCAPED=$(echo "${PKI_DIR}" | sed 's/[\/\.]/\\&/g')
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
sed -i "s/=.*#DAYS/= ${DAYS} #DAYS/" $OPENSSL_CONF
if ! [ -f ${CAKEY} ]; then
echo $ECHO_OPTS "${RED}Can not found the CA's key${COLOR_RST}"
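Review bot: The CA validity window set by `STARTDATE`/`ENDDATE` near the top of the script is a pair of hard-coded 2015 timestamps, so any run after `ENDDATE` self-signs a CA that is already expired, and nothing in the visible hunks checks for that. The values are UTCTime (`YYMMDDHHMMSSZ`), which deserves a comment next to them, and they could be made overridable without editing the script: `STARTDATE=${STARTDATE:-150117000000Z}` and `ENDDATE=${ENDDATE:-150120235959Z}`. Certificates signed later still take `default_days = ${DAYS}` from the `#DAYS` substitution, counted from signing time, so one issued during the last two days of the window would presumably outlive the CA; passing `${VALIDITY}` (or at least `-enddate ${ENDDATE}`) to those signing calls would keep them inside it. The signing commands and the rest of the `case` arms are outside the hunks shown.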


@ -68,8 +68,8 @@ cert_opt = ca_default # Certificate field options
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 2 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_days = 2 #DAYS
default_crl_days= 1 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
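Review bot: Cutting `default_crl_days` from 30 to 1 means every CRL this CA issues carries a nextUpdate one day ahead, so relying parties that enforce CRL freshness will reject it unless it is regenerated and republished at least daily; nothing visible here shows that schedule. If the one-day value is intentional for a short-lived event CA, say so in the comment, e.g. `default_crl_days= 1 # short-lived CA: regenerate the CRL daily`. On the line above, `#DAYS` is now a marker that the script's `sed` substitution matches, and a comment line above it such as `# value rewritten by the PKI script; keep the #DAYS marker` would stop someone from tidying it away.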