From 1d9651516753307463ee581fd5012e46d3f5593a Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Wed, 30 Nov 2011 11:22:01 -0200
Subject: SSL Wildcard with SubjectAltNames support for genpair

---
 share/keyringer/genpair | 50 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 47 insertions(+), 3 deletions(-)

diff --git a/share/keyringer/genpair b/share/keyringer/genpair
index a5b06cc..76683d2 100755
--- a/share/keyringer/genpair
+++ b/share/keyringer/genpair
@@ -84,20 +84,64 @@ EOF
 }
 
 # Generate a keypair, ssl version
-# TODO: add the possibility of SubjectAltNames also for ssl-self and ssl modes
-#       so wildcard certs can work correctly.
 function genpair_ssl {
   echo "Make sure that $KEYDIR is atop of an encrypted volume."
   read -p "Hit ENTER to continue." prompt
 
+  # Check for wildcard certs
+  if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then
+    WILDCARD="yes"
+    CNAME="$NODE"
+    NODE="`echo $NODE | sed -e 's/^\*\.//'`"
+  else
+    CNAME="${NODE}"
+  fi
+
   # Setup
   cd "$TMPWORK"
 
   # Generate certificate
   if [ "$KEYTYPE" == "ssl-cacert" ]; then
+    # We use a custom script for CaCert
     "$LIB/csr.sh" "$NODE"
   else
-    openssl req -nodes -newkey rsa:2048 -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+cat <<EOF >> openssl.conf
+[ req ]
+default_keyfile         = ${NODE}_privatekey.pem
+distinguished_name      = req_distinguished_name
+encrypt_key             = no
+req_extensions          = v3_req # Extensions to add to certificate request
+string_mask             = nombstr
+
+[ req_distinguished_name ]
+commonName_default              = ${CNAME}
+organizationName                = Organization Name
+organizationalUnitName          = Organizational Unit Name
+emailAddress                    = Email Address
+localityName                    = Locality
+stateOrProvinceName             = State
+countryName                     = Country Name
+commonName                      = Common Name
+
+[ v3_req ]
+extendedKeyUsage=serverAuth,clientAuth
+EOF
+
+    # Add SubjectAltNames so wildcard certs can work correctly.
+    if [ "$WILDCARD" == "yes" ]; then
+cat <<EOF >> openssl.conf
+subjectAltName=DNS:${NODE}, DNS:${CNAME}
+EOF
+    fi
+
+    echo "Please review your OpenSSL configuration:"
+    cat openssl.conf
+    read -p "Hit ENTER to continue." prompt
+
+    openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \
+            -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
+
+    openssl req -noout -text -in ${NODE}_csr.pem
   fi
 
   # Self-sign
-- 
cgit v1.2.3