Improve pseudo CA

diff --git a/demo/ssl/.gitignore b/demo/ssl/.gitignore
index d426c6263dc5b467c589c1b62a7817ad958851f0..68cca7df070f9ee6105f40cd8be11e6046447765 100644 (file)
--- a/demo/ssl/.gitignore
+++ b/demo/ssl/.gitignore
@@ -1,4 +1,5 @@
 /CA/
-/demo.p12
-/root.p12
-/server.jks
+/*.p12
+/*.jks
+/nssdb/
+/*.pem

diff --git a/demo/ssl/openssl.cnf b/demo/ssl/openssl.cnf
index 45cfea08cd46cf8d2cccf17df05b36b0cf9a3406..62f76bac03e08b3b357bc6f5f882c079ddc9b7f1 100644 (file)
--- a/demo/ssl/openssl.cnf
+++ b/demo/ssl/openssl.cnf
@@ -17,18 +17,18 @@ x509_extensions     = usr_cert              # The extentions to add to the cert
 name_opt       = ca_default            # Subject Name options
 cert_opt       = ca_default            # Certificate field options
 crl_extensions = crl_ext
-default_days   = 3650                  # how long to certify for
+default_days   = 365                   # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = default               # use public key default MD
 preserve       = no                    # keep passed DN ordering
 policy         = policy_match
 
 [ policy_match ]
-countryName            = match
-stateOrProvinceName    = match
-organizationName       = match
+countryName            = optional
+stateOrProvinceName    = optional
+organizationName       = optional
 organizationalUnitName = optional
-commonName             = supplied
+commonName             = optional
 emailAddress           = optional
 
 [ policy_anything ]
@@ -37,7 +37,7 @@ stateOrProvinceName   = optional
 localityName           = optional
 organizationName       = optional
 organizationalUnitName = optional
-commonName             = supplied
+commonName             = optional
 emailAddress           = optional
 
 [ req ]
@@ -59,10 +59,10 @@ req_extensions = v3_req # The extensions to add to a certificate request
 countryName                    = Country Name (2 letter code)
 countryName_min                        = 2
 countryName_max                        = 2
-stateOrProvinceName            = State or Province Name (full name)
+#stateOrProvinceName           = State or Province Name (full name)
 #localityName                  = Locality Name (eg, city)
 0.organizationName             = Organization Name (eg, company)
-organizationalUnitName         = Organizational Unit Name (eg, section)
+#organizationalUnitName                = Organizational Unit Name (eg, section)
 commonName                     = Common Name (eg, your name or your server\'s hostname)
 commonName_max                 = 64
 emailAddress                   = Email Address
@@ -73,10 +73,11 @@ emailAddress_max            = 64
 ## DEFAULT VALUES
 ##
 countryName_default            = DE
-stateOrProvinceName_default    = Berlin
+#stateOrProvinceName_default   = Berlin
 #localityName_default  = Berlin
 0.organizationName_default     = Example
-organizationalUnitName_default = People
+#organizationalUnitName_default        = Certificate Authorities
+commonName_default     = Certificate Authority
 
 [ req_attributes ]
 #challengePassword             = A challenge password
@@ -101,7 +102,7 @@ authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical,CA:true
 # keyUsage = cRLSign, keyCertSign
 
-subjectAltName=email:copy
+#subjectAltName=email:copy
 issuerAltName=issuer:copy
 
 [ crl_ext ]

diff --git a/demo/ssl/ssl.sh b/demo/ssl/ssl.sh
index 89009735eb31d55bd2d5ac289c91053147099e36..f2bf1e6225de7ebd27428fa5128fbc6b360f817e 100644 (file)
--- a/demo/ssl/ssl.sh
+++ b/demo/ssl/ssl.sh
@@ -5,46 +5,50 @@
 # all *.p12 passwords are 'demo'
 # all *.jks passwords are 'changeit'
 
+SERVER_DN=/C=DE/O=Example/OU=Systems/CN=apps.example.com/
+USERS_BASE_DN=/DC=com/DC=example/OU=users
+
 export OPENSSL_CONF=./openssl.cnf
 export CATOP=./CA
 
 /etc/pki/tls/misc/CA -newca
 
-openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=Systems/CN=localhost/ \
+openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 365 \
+ -subj $SERVER_DN \
  -keyout newkey.pem -passout pass:demo -out newcrt.pem
  
 openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
  -name "jetty" -inkey newkey.pem -in newcrt.pem \
+ -certfile ./CA/cacert.pem \
  -out server.p12
  
  # Convert PKCS12 keystore into a JKS keystore
 keytool -importkeystore \
  -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
  -alias jetty  -destkeystore server.jks -deststorepass changeit
-rm -f server.p12
+#rm -f server.p12
 
 # Import People CA
 keytool -importcert -keystore server.jks -storepass changeit \
  -alias CA -file CA/cacert.pem
 
 # root user
-openssl req -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=People/CN=root/ \
+openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+ -subj $USERS_BASE_DN/UID=root/ \
  -keyout newkey.pem -passout pass:demo -out newcsr.pem
-openssl ca -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
 openssl pkcs12 -export -passin pass:demo -passout pass:demo \
  -name "root" -inkey newkey.pem -in newcrt.pem \
  -out root.p12
 
 # demo user
-openssl req -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=People/CN=demo/ \
- -keyout newkey.pem -passout pass:demo -out newcsr.pem
-openssl ca -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
-openssl pkcs12 -export -passin pass:demo -passout pass:demo \
- -name "demo" -inkey newkey.pem -in newcrt.pem \
- -out demo.p12
+#openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+# -subj $USERS_BASE_DN/UID=demo/ \
+# -keyout newkey.pem -passout pass:demo -out newcsr.pem
+#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+#openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+# -name "demo" -inkey newkey.pem -in newcrt.pem \
+# -out demo.p12
 
 # Clean up
-rm -vf new*.pem
+#rm -vf new*.pem