authorelijah <elijah@riseup.net>2012-12-12 13:10:46 -0800
committerelijah <elijah@riseup.net>2012-12-12 13:10:46 -0800
commitcf236b4d253bcd779753acc1694f73ef13b56c95 (patch)
tree55c15b18ff8111a9c58f85b77cac514774bff2e7 /lib/leap_cli/commands/ca.rb
parentaa2482f9a82af624a9af544b198c9adf654f0f6f (diff)
improved key usage parameters for x509 cert generation
Diffstat (limited to 'lib/leap_cli/commands/ca.rb')
-rw-r--r--lib/leap_cli/commands/ca.rb34
1 files changed, 23 insertions, 11 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index c87dcea..63749ca 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -58,14 +58,15 @@ module LeapCli; module Commands
assert_config! 'provider.ca.server_certificates.life_span'
assert_config! 'common.x509.use'
- if args.first == 'all' || args.empty?
- manager.each_node do |node|
+ nodes = manager.filter!(args)
+ if nodes.size == 1
+ generate_cert_for_node(nodes.values.first)
+ else
+ nodes.each_node do |node|
if cert_needs_updating?(node)
generate_cert_for_node(node)
end
end
- else
- generate_cert_for_node(get_node_from_args(args))
end
end
end
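Review bot: The `if nodes.size == 1` branch decides on the result of `manager.filter!(args)` rather than on what the user asked for, so a filter that merely happens to match one node (a tag or environment that currently holds a single node, if `filter!` accepts such arguments — not visible here) will regenerate that node's certificate unconditionally, skipping `cert_needs_updating?`, whereas the removed code forced regeneration only for an explicitly named node. If "one matching node ⇒ always regenerate" is intended, record it next to the branch, e.g. `# a single matching node is always re-issued; with several nodes only certs that cert_needs_updating? are touched`, so the difference in behaviour is deliberate rather than accidental. An empty result (`nodes.size == 0`) falls through to `each_node` and silently does nothing unless `filter!` itself reports the miss, which cannot be confirmed from this hunk. The enclosing command block starts before the hunk.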
@@ -269,13 +270,24 @@ module LeapCli; module Commands
#
# For keyusage, openvpn server certs can have keyEncipherment or keyAgreement.
# Web browsers seem to break without keyEncipherment.
+ # For now, I am using digitalSignature + keyEncipherment
+ #
+ # * digitalSignature -- for (EC)DHE cipher suites
+ # "The digitalSignature bit is asserted when the subject public key is used
+ # with a digital signature mechanism to support security services other
+ # than certificate signing (bit 5), or CRL signing (bit 6). Digital
+ # signature mechanisms are often used for entity authentication and data
+ # origin authentication with integrity."
#
- # * digitalSignature ==> for (EC)DHE cipher suites
# * keyEncipherment ==> for plain RSA cipher suites
- # * keyAgreement ==> for used with DH, not RSA.
+ # "The keyEncipherment bit is asserted when the subject public key is used for
+ # key transport. For example, when an RSA key is to be used for key management,
+ # then this bit is set."
#
- # I am including all three because that seems to work in all cases. I am not sure if this
- # is the right thing to do.
+ # * keyAgreement ==> for used with DH, not RSA.
+ # "The keyAgreement bit is asserted when the subject public key is used for key
+ # agreement. For example, when a Diffie-Hellman key is to be used for key
+ # management, then this bit is set."
#
# digest options: SHA512, SHA256, SHA1
#
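Review bot: The quoted keyUsage definitions added in this comment are the PKIX profile wording (RFC 3280, carried into RFC 5280 §4.2.1.3) but the comment does not say where they come from; a one-line citation such as `# definitions quoted from RFC 5280 section 4.2.1.3` lets a later reader check them against the current text. The comment explains what each bit means but no longer states why keyAgreement is dropped from the lists below; a sentence like `# keyAgreement is omitted because these certs carry RSA keys, which do key transport (keyEncipherment), not key agreement` would record the decision, with the RSA assumption to be confirmed against the key generation code outside this hunk. `for used with DH` on the keyAgreement line reads as a typo for `for use with DH`.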
@@ -284,7 +296,7 @@ module LeapCli; module Commands
"digest" => manager.provider.ca.server_certificates.digest,
"extensions" => {
"keyUsage" => {
- "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment"]
},
"extendedKeyUsage" => {
"usage" => ["serverAuth", "clientAuth"]
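Review bot: The new list `["digitalSignature", "keyEncipherment"]` is only correct for RSA subject keys: keyEncipherment denotes key transport, which an EC key cannot perform, so a certificate carrying an ECDSA/ECDH key would need keyAgreement instead (RFC 5280 §4.2.1.3), and nothing in this hunk ties the list to the key algorithm actually generated. The same literal is repeated in the next two hunks (the SHA256 serverAuth block and the clientAuth block), so a single frozen constant such as `KEY_USAGE_RSA = ["digitalSignature", "keyEncipherment"].freeze` referenced from all three would keep them in step and give the RSA assumption one place to live. In the clientAuth block specifically, TLS client authentication proves possession by signing, so digitalSignature alone is what that cert exercises; keyEncipherment there is harmless but unused. The options hash and the method around it begin outside the hunk.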
@@ -307,7 +319,7 @@ module LeapCli; module Commands
"digest" => "SHA256",
"extensions" => {
"keyUsage" => {
- "usage" => ["digitalSignature", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment"]
},
"extendedKeyUsage" => {
"usage" => ["serverAuth"]
@@ -325,7 +337,7 @@ module LeapCli; module Commands
"digest" => "SHA256",
"extensions" => {
"keyUsage" => {
- "usage" => ["digitalSignature", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment"]
},
"extendedKeyUsage" => {
"usage" => ["clientAuth"]