diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2011-11-30 11:22:01 -0200 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2011-11-30 11:22:01 -0200 |
| commit | 1d9651516753307463ee581fd5012e46d3f5593a (patch) | |
| tree | 8bac654ff6c438d8f4e020849292fcede1eea867 | |
| parent | ff19dbc8518d5e7f7a6535f7bf651a245de51d35 (diff) | |
| download | keyringer-1d9651516753307463ee581fd5012e46d3f5593a.tar.gz keyringer-1d9651516753307463ee581fd5012e46d3f5593a.tar.bz2 | |
SSL Wildcard with SubjectAltNames support for genpair
| -rwxr-xr-x | share/keyringer/genpair | 50 |
1 files changed, 47 insertions, 3 deletions
diff --git a/share/keyringer/genpair b/share/keyringer/genpair index a5b06cc..76683d2 100755 --- a/share/keyringer/genpair +++ b/share/keyringer/genpair @@ -84,20 +84,64 @@ EOF } # Generate a keypair, ssl version -# TODO: add the possibility of SubjectAltNames also for ssl-self and ssl modes -# so wildcard certs can work correctly. function genpair_ssl { echo "Make sure that $KEYDIR is atop of an encrypted volume." read -p "Hit ENTER to continue." prompt + # Check for wildcard certs + if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then + WILDCARD="yes" + CNAME="$NODE" + NODE="`echo $NODE | sed -e 's/^\*\.//'`" + else + CNAME="${NODE}" + fi + # Setup cd "$TMPWORK" # Generate certificate if [ "$KEYTYPE" == "ssl-cacert" ]; then + # We use a custom script for CaCert "$LIB/csr.sh" "$NODE" else - openssl req -nodes -newkey rsa:2048 -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem +cat <<EOF >> openssl.conf +[ req ] +default_keyfile = ${NODE}_privatekey.pem +distinguished_name = req_distinguished_name +encrypt_key = no +req_extensions = v3_req # Extensions to add to certificate request +string_mask = nombstr + +[ req_distinguished_name ] +commonName_default = ${CNAME} +organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +emailAddress = Email Address +localityName = Locality +stateOrProvinceName = State +countryName = Country Name +commonName = Common Name + +[ v3_req ] +extendedKeyUsage=serverAuth,clientAuth +EOF + + # Add SubjectAltNames so wildcard certs can work correctly. + if [ "$WILDCARD" == "yes" ]; then +cat <<EOF >> openssl.conf +subjectAltName=DNS:${NODE}, DNS:${CNAME} +EOF + fi + + echo "Please review your OpenSSL configuration:" + cat openssl.conf + read -p "Hit ENTER to continue." prompt + + openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ + -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem + + openssl req -noout -text -in ${NODE}_csr.pem fi # Self-sign |