Improve SSL testing

diff --git a/demo/init/node/.gitignore b/demo/init/node/.gitignore
index 07b78c238a7de954bf7cfc11bee0f85dff335b6b..f61974476984b419d4fcf0cd8a32dcdbe12154ee 100644 (file)
--- a/demo/init/node/.gitignore
+++ b/demo/init/node/.gitignore
@@ -1,2 +1,4 @@
 /krb5.keytab
 /krb5.keytab.old
+/*.p12
+/*.jks
\ No newline at end of file

diff --git a/demo/ssl/.gitignore b/demo/ssl/.gitignore
index 68cca7df070f9ee6105f40cd8be11e6046447765..6bff114ef1d588d8d011139381d8b58d160f5a1d 100644 (file)
--- a/demo/ssl/.gitignore
+++ b/demo/ssl/.gitignore
@@ -3,3 +3,4 @@
 /*.jks
 /nssdb/
 /*.pem
+/old/

diff --git a/demo/ssl/ssl.sh b/demo/ssl/ssl.sh
index f2bf1e6225de7ebd27428fa5128fbc6b360f817e..91690f02e520b9fab3ca5e7f2a79ea4a5ab80cd3 100644 (file)
--- a/demo/ssl/ssl.sh
+++ b/demo/ssl/ssl.sh
@@ -5,7 +5,7 @@
 # all *.p12 passwords are 'demo'
 # all *.jks passwords are 'changeit'
 
-SERVER_DN=/C=DE/O=Example/OU=Systems/CN=apps.example.com/
+SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/
 USERS_BASE_DN=/DC=com/DC=example/OU=users
 
 export OPENSSL_CONF=./openssl.cnf
@@ -13,27 +13,38 @@ export CATOP=./CA
 
 /etc/pki/tls/misc/CA -newca
 
-openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 365 \
- -subj $SERVER_DN \
- -keyout newkey.pem -passout pass:demo -out newcrt.pem
+#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
+# -subj $SERVER_DN \
+# -keyout newkey.pem -passout pass:demo -out newcrt.pem
  
-openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
- -name "jetty" -inkey newkey.pem -in newcrt.pem \
- -certfile ./CA/cacert.pem \
- -out server.p12
+# Self-signed server certificate
+#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
+# -name "jetty" -inkey newkey.pem -in newcrt.pem \
+# -certfile ./CA/cacert.pem \
+# -out server.p12
  
  # Convert PKCS12 keystore into a JKS keystore
-keytool -importkeystore \
- -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
- -alias jetty  -destkeystore server.jks -deststorepass changeit
+#keytool -importkeystore \
+# -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
+# -alias jetty  -destkeystore server.jks -deststorepass changeit
 #rm -f server.p12
 
 # Import People CA
-keytool -importcert -keystore server.jks -storepass changeit \
- -alias CA -file CA/cacert.pem
+#keytool -importcert -keystore server.jks -storepass changeit \
+# -alias CA -file CA/cacert.pem
+
+openssl req -new -newkey rsa:4096 -extensions server_ext -days 365 \
+ -subj $SERVER_DN \
+ -keyout node_key.pem -passout pass:demo -out node_csr.pem
+openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem
+cat node_crt.pem CA/cacert.pem > node.pem
+openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+ -name "node" -inkey node_key.pem -in node.pem \
+ -out node.p12
+
 
 # root user
-openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
  -subj $USERS_BASE_DN/UID=root/ \
  -keyout newkey.pem -passout pass:demo -out newcsr.pem
 openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
@@ -42,7 +53,7 @@ openssl pkcs12 -export -passin pass:demo -passout pass:demo \
  -out root.p12
 
 # demo user
-#openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
 # -subj $USERS_BASE_DN/UID=demo/ \
 # -keyout newkey.pem -passout pass:demo -out newcsr.pem
 #openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem