From: Mathieu Baudier
Date: Sun, 5 Feb 2017 17:11:10 +0000 (+0100)
Subject: Improve pseudo CA
X-Git-Tag: argeo-commons-2.1.60~20
X-Git-Url: https://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=commitdiff_plain;h=18af628c072e386420f03261ab207a72341a0a1b
Improve pseudo CA
---
diff --git a/demo/ssl/.gitignore b/demo/ssl/.gitignore
index d426c6263..68cca7df0 100644
--- a/demo/ssl/.gitignore
+++ b/demo/ssl/.gitignore
@@ -1,4 +1,5 @@
 /CA/
-/demo.p12
-/root.p12
-/server.jks
+/*.p12
+/*.jks
+/nssdb/
+/*.pem
diff --git a/demo/ssl/openssl.cnf b/demo/ssl/openssl.cnf
index 45cfea08c..62f76bac0 100644
--- a/demo/ssl/openssl.cnf
+++ b/demo/ssl/openssl.cnf
@@ -17,18 +17,18 @@ x509_extensions = usr_cert # The extentions to add to the cert
 name_opt = ca_default # Subject Name options
 cert_opt = ca_default # Certificate field options
 crl_extensions = crl_ext
-default_days = 3650 # how long to certify for
+default_days = 365 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = default # use public key default MD
 preserve = no # keep passed DN ordering
 policy = policy_match
 [ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
 organizationalUnitName = optional
-commonName = supplied
+commonName = optional
 emailAddress = optional
 [ policy_anything ]
@@ -37,7 +37,7 @@ stateOrProvinceName = optional
 localityName = optional
 organizationName = optional
 organizationalUnitName = optional
-commonName = supplied
+commonName = optional
 emailAddress = optional
 [ req ]
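Review bot: With every attribute in `[ policy_match ]` set to `optional`, the section no longer checks anything and is identical in effect to `[ policy_anything ]`, whose `commonName` is loosened the same way in the `@@ -37,7 +37,7 @@` hunk; as far as I can tell `openssl ca` will then sign a CSR carrying any subject at all, an empty one included, and the `-preserveDN` added in ssl.sh copies that subject into the certificate verbatim. For a demo CA that is presumably the intent, but a "match" policy that matches nothing will mislead the next reader. I would either set `policy = policy_anything` and leave `policy_match` as it was, or document the choice above the section: `# NOTE: all optional: nothing in the CSR subject is checked against the CA's DN; the subject is copied as-is (see -preserveDN in ssl.sh)`.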
@@ -59,10 +59,10 @@ req_extensions = v3_req # The extensions to add to a certificate request
 countryName = Country Name (2 letter code)
 countryName_min = 2
 countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName = State or Province Name (full name)
 #localityName = Locality Name (eg, city)
 0.organizationName = Organization Name (eg, company)
-organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName = Organizational Unit Name (eg, section)
 commonName = Common Name (eg, your name or your server\'s hostname)
 commonName_max = 64
 emailAddress = Email Address
@@ -73,10 +73,11 @@ emailAddress_max = 64
 ## DEFAULT VALUES ##
 countryName_default = DE
-stateOrProvinceName_default = Berlin
+#stateOrProvinceName_default = Berlin
 #localityName_default = Berlin
 0.organizationName_default = Example
-organizationalUnitName_default = People
+#organizationalUnitName_default = Certificate Authorities
+commonName_default = Certificate Authority
 [ req_attributes ]
 #challengePassword = A challenge password
@@ -101,7 +102,7 @@ authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical,CA:true
 # keyUsage = cRLSign, keyCertSign
-subjectAltName=email:copy
+#subjectAltName=email:copy
 issuerAltName=issuer:copy
 [ crl_ext ]
diff --git a/demo/ssl/ssl.sh b/demo/ssl/ssl.sh
index 89009735e..f2bf1e622 100644
--- a/demo/ssl/ssl.sh
+++ b/demo/ssl/ssl.sh
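Review bot: Next to the newly disabled `subjectAltName=email:copy` in the `@@ -101,7 +102,7 @@` hunk, the context line `# keyUsage = cRLSign, keyCertSign` is still commented out, so the CA certificate built from this `basicConstraints = critical,CA:true` section is issued without a key-usage extension and its key is not restricted to signing certificates and CRLs. Since this commit is already trimming the CA profile, enabling it as `keyUsage = critical, cRLSign, keyCertSign` is the one hardening I would add here. The section header itself lies above the hunk, so I am inferring from `basicConstraints` that this is the CA extension section.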
@@ -5,46 +5,50 @@
 # all *.p12 passwords are 'demo'
 # all *.jks passwords are 'changeit'
+SERVER_DN=/C=DE/O=Example/OU=Systems/CN=apps.example.com/
+USERS_BASE_DN=/DC=com/DC=example/OU=users
+
 export OPENSSL_CONF=./openssl.cnf
 export CATOP=./CA
 /etc/pki/tls/misc/CA -newca
-openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=Systems/CN=localhost/ \
+openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 365 \
+ -subj $SERVER_DN \
 -keyout newkey.pem -passout pass:demo -out newcrt.pem
 openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
 -name "jetty" -inkey newkey.pem -in newcrt.pem \
+ -certfile ./CA/cacert.pem \
 -out server.p12
 # Convert PKCS12 keystore into a JKS keystore
 keytool -importkeystore \
 -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
 -alias jetty -destkeystore server.jks -deststorepass changeit
-rm -f server.p12
+#rm -f server.p12
 # Import People CA
 keytool -importcert -keystore server.jks -storepass changeit \
 -alias CA -file CA/cacert.pem
 # root user
-openssl req -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=People/CN=root/ \
+openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+ -subj $USERS_BASE_DN/UID=root/ \
 -keyout newkey.pem -passout pass:demo -out newcsr.pem
-openssl ca -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
 openssl pkcs12 -export -passin pass:demo -passout pass:demo \
 -name "root" -inkey newkey.pem -in newcrt.pem \
 -out root.p12
 # demo user
-openssl req -new -newkey rsa:1024 -extensions server_ext -days 3650 \
- -subj /C=DE/ST=Berlin/O=Example/OU=People/CN=demo/ \
- -keyout newkey.pem -passout pass:demo -out newcsr.pem
-openssl ca -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
-openssl pkcs12 -export -passin pass:demo -passout pass:demo \
- -name "demo" -inkey newkey.pem 
-in newcrt.pem \
- -out demo.p12
+#openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \
+# -subj $USERS_BASE_DN/UID=demo/ \
+# -keyout newkey.pem -passout pass:demo -out newcsr.pem
+#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+#openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+# -name "demo" -inkey newkey.pem -in newcrt.pem \
+# -out demo.p12
 # Clean up
-rm -vf new*.pem
+#rm -vf new*.pem
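Review bot: In the root-user block, the new `-extensions user_ext` on the `openssl req -new` line does not shape the issued certificate: as far as I know, without `-x509` `openssl req` only syntax-checks the named section (and ignores `-days` as well), while the extensions that actually go into the certificate come from the `openssl ca` step, whose `x509_extensions = usr_cert` is visible in the openssl.cnf hunk header above. If `user_ext` is the intended profile it has to be given to the signing step instead, e.g. `openssl ca -preserveDN -extensions user_ext -batch -passin pass:demo -in newcsr.pem -out newcrt.pem`. The rewritten lines also keep `rsa:1024`, which is below the 2048-bit minimum most TLS stacks and recent Java keystores enforce; `rsa:2048` costs nothing for a demo. Lastly `$SERVER_DN` and `$USERS_BASE_DN/UID=root/` are expanded unquoted, harmless while the DNs contain no whitespace, but `"$SERVER_DN"` is the safer habit.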