fic/server
Archived
1
0
Fork 0
Code Issues Pull requests 10 Releases Wiki Activity

Ready to generate new certificates

Browse source
This commit is contained in:
nemunaire 2014-01-21 03:07:52 +01:00
commit cc588d51f9
7 changed files with 66 additions and 208 deletions
Download patch file Download diff file Expand all files Collapse all files

21
misc/CA.sh
View file

@ -11,7 +11,8 @@ fi
CAKEY=./cakey.key
CAREQ=./careq.csr
CACERT=./cacert.crt
DAYS=365
DAYS=2
#GREEN="\033[1;32m"
#RED="\033[1;31m"
@ -63,7 +64,6 @@ case $1 in
echo -e "${GREEN}Making CA key and csr${COLOR_RST}"
sed -i 's/=.*#COMMONNAME/= FIC2014 CA #COMMONNAME/' $OPENSSL_CONF
sed -i "s/=.*#DIR/= ${ESCAPED} #DIR/" $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= objsign #CERTTYPE/" $OPENSSL_CONF
type pwgen > /dev/null
if [ $? -ne 0 ]; then
@ -72,10 +72,9 @@ case $1 in
fi
pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/private/${CAKEY} \
-out ${TOP_DIR}/${CAREQ} -passout pass:$pass \
-config $OPENSSL_CONF > $OUTPUT 2>&1
-config $OPENSSL_CONF -extensions CORE_CA > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
clean "ca"
@ -94,7 +93,7 @@ case $1 in
echo -e "${GREEN}Self signes the CA certificate${COLOR_RST}"
openssl ca -batch -create_serial -out ${TOP_DIR}/${CACERT} \
-days ${DAYS} -keyfile ${TOP_DIR}/private/${CAKEY} \
-selfsign -extensions v3_ca -config ${OPENSSL_CONF} \
-selfsign -extensions CORE_CA -config ${OPENSSL_CONF} \
-infiles ${TOP_DIR}/${CAREQ} > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
@ -108,17 +107,16 @@ case $1 in
echo -e "${RED}Can not found the CA's key${COLOR_RST}"
exit 2
fi
sed -i 's/=.*#COMMONNAME/= FIC2014 Server #COMMONNAME/' $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= server #CERTTYPE/" $OPENSSL_CONF
sed -i 's/=.*#COMMONNAME/=10.226.3.70#COMMONNAME/' $OPENSSL_CONF
openssl req -batch -new -keyout server.key -out server.csr \
-days ${DAYS} -config ${OPENSSL_CONF} > $OUTPUT 2>&1
-days ${DAYS} -config ${OPENSSL_CONF} -extensions SERVER_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
exit 4
fi
echo -e "${GREEN}Signing the Server crt${COLOR_RST}"
openssl ca -policy policy_match -config ${OPENSSL_CONF} \
-out server.crt -infiles server.csr > $OUTPUT 2>&1
-out server.crt -extensions SERVER_SSL -infiles server.csr
if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed for new server${COLOR_RST}"
rm -rf server.key server.crt server.csr
@ -145,7 +143,6 @@ case $1 in
exit 2
fi
sed -i "s/=.*#COMMONNAME/= $2#COMMONNAME/" $OPENSSL_CONF
sed -i "s/=.*#CERTTYPE/= client #CERTTYPE/" $OPENSSL_CONF
type pwgen > /dev/null
if [ $? -ne 0 ]; then
@ -156,7 +153,7 @@ case $1 in
pass=`pwgen -n -B -y 12 1`
openssl req -batch -new -keyout ${TOP_DIR}/${2}.key -out ${TOP_DIR}/${2}.csr \
-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} > $OUTPUT 2>&1
-config ${OPENSSL_CONF} -passout pass:$pass -days ${DAYS} -extensions CLIENT_SSL > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
cat $OUTPUT
clean "client" $2
@ -165,7 +162,7 @@ case $1 in
echo -e "${GREEN}Signing the Client crt${COLOR_RST}"
openssl ca -batch -policy policy_match -out ${TOP_DIR}/${2}.crt \
-config ${OPENSSL_CONF} -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1
-config ${OPENSSL_CONF} -extensions CLIENT_SSL -infiles ${TOP_DIR}/${2}.csr > $OUTPUT 2>&1
if [ $? -ne 0 ]; then
echo -e "${RED}Signing failed for $2 ${COLOR_RST}"
cat $OUTPUT

218
misc/openssl.cnf
View file

@ -55,8 +55,6 @@ crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
@ -70,7 +68,7 @@ cert_opt = ca_default # Certificate field options
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_days = 2 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
@ -147,7 +145,7 @@ organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = SRS
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Groupe_8#COMMONNAME
commonName_default =10.226.3.70#COMMONNAME
commonName_max = 64
emailAddress = Email Address
@ -163,191 +161,37 @@ challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
nsCertType = client #CERTTYPE
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "FIC 2014 generated certificates"
# PKIX recommendations harmless if included in all certificates.
[CORE_CA]
nsComment = "FIC2014 CA"
basicConstraints = critical,CA:TRUE,pathlen:1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
[SERVER_SSL]
nsComment = "FIC2014 Server"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityKeyIdentifier=keyid:always,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
[CLIENT_SSL]
nsComment = "FIC2014 Client"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation
nsCertType = client
extendedKeyUsage = clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer