diff --git a/scripts/gentls_cert.in b/scripts/gentls_cert.in
index 1c40133989..e102a964ef 100644
--- a/scripts/gentls_cert.in
+++ b/scripts/gentls_cert.in
@@ -1,7 +1,8 @@
 #!/bin/sh
 CONFDIR=@prefix@/conf/ssl
-DAYS=365
+DAYS=2190
+KEY_SIZE=2048
 TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
@@ -38,7 +39,7 @@ setup_ca() {
 if [ ! -e "${CONFDIR}/CA/config.tpl" ]; then
 cat > "${CONFDIR}/CA/config.tpl" <<-EOF
 [ req ]
- default_bits = 1024
+ default_bits = $ENV::KEY_SIZE
 prompt = no
 distinguished_name = req_dn
@@ -46,11 +47,23 @@ setup_ca() {
 commonName = %CN%
 organizationName = %ORG%
- [ ext ]
+ [ server ]
+ nsComment="FS Server Cert"
 basicConstraints=CA:FALSE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 subjectAltName=%ALTNAME%
+ nsCertType=server
+ extendedKeyUsage=serverAuth
+
+ [ client ]
+ nsComment="FS Client Cert"
+ basicConstraints=CA:FALSE
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid,issuer:always
+ subjectAltName=%ALTNAME%
+ nsCertType=client
+ extendedKeyUsage=clientAuth
 EOF
 fi
@@ -62,14 +75,10 @@ setup_ca() {
 "${CONFDIR}/CA/config.tpl" \
 > "${TMPFILE}.cfg" || exit 1
- openssl req -new -out "${CONFDIR}/CA/careq.pem" \
-newkey rsa:1024 -keyout "${CONFDIR}/CA/cakey.pem" \
+ openssl req -out "${CONFDIR}/CA/cacert.pem" \
+ -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
 -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
-
- openssl x509 -req -signkey "${CONFDIR}/CA/cakey.pem" -in "${CONFDIR}/CA/careq.pem" \
-out "${CONFDIR}/CA/cacert.pem" -extfile "${TMPFILE}.cfg" \
-extensions ext -days ${DAYS} -sha1 >/dev/null || exit 1
-
+ cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
 rm "${TMPFILE}.cfg"
 echo "DONE"
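Review bot: `KEY_SIZE=2048` is assigned as a plain shell variable, but the template in the next hunk reads it as `default_bits = $ENV::KEY_SIZE`, and OpenSSL's `$ENV::` lookup only resolves exported environment variables; unless it is exported somewhere outside this diff, `openssl req` will refuse the generated config because the variable has no value. Add `export KEY_SIZE` directly after the assignment (or write it as `KEY_SIZE=2048; export KEY_SIZE` for the same effect) so both setup_ca and generate_cert see it. The same applies to the `default_bits` line in the config.tpl hunk, which is otherwise correct.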
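Review bot: The rewritten `openssl req -new -x509` call in setup_ca drops the `-days ${DAYS}` that the removed `openssl x509 -req` line carried, so the CA certificate now gets OpenSSL's default validity for `req -x509` (30 days) while the leaf certificates it signs get 2190 days; every chain issued by this CA stops verifying a month after setup. The new call also passes no `-extensions`, so the self-signed CA carries neither basicConstraints nor keyUsage; depending on the OpenSSL version, a v3 self-signed certificate without `CA:TRUE` may be rejected as an issuer, and the old `-extensions ext` (CA:FALSE) was not right either. I would add a `[ ca ]` section to the config.tpl heredoc in the previous hunk, reference it here, and replace `-sha1` on the context line with `-sha256` while the command is being rewritten, since current verifiers reject SHA-1 signatures. setup_ca begins outside this hunk.
```shell
	# … in the config.tpl heredoc of setup_ca, after the [ client ] section …
	[ ca ]
	basicConstraints=critical,CA:TRUE
	keyUsage=critical,keyCertSign,cRLSign
	subjectKeyIdentifier=hash
	# … unchanged: template substitution into ${TMPFILE}.cfg …
	openssl req -out "${CONFDIR}/CA/cacert.pem" \
		-new -x509 -days ${DAYS} -extensions ca -keyout "${CONFDIR}/CA/cakey.pem" \
		-config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
	# … unchanged: cafile.pem copy, rm, echo "DONE" …
```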
@@ -108,14 +117,13 @@ generate_cert() {
 > "${TMPFILE}.cfg" || exit 1
 openssl req -new -out "${TMPFILE}.req" \
- -newkey rsa:1024 -keyout "${TMPFILE}.key" \
+ -newkey rsa: -keyout "${TMPFILE}.key" \
 -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
 openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
 -in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
- -extensions ext -days ${DAYS} -sha1 >/dev/null || exit 1
+ -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
- cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
 cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
 rm "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
@@ -133,7 +141,7 @@ remove_ca() {
 echo "DONE"
 }
-
+OUTFILESET="0"
 command="$1"
 shift
@@ -154,6 +162,7 @@ while [ $# -gt 0 ]; do
 -out)
 shift
 OUTFILE="$1"
+ OUTFILESET="1"
 ;;
 -days)
 shift
@@ -170,6 +179,18 @@ case ${command} in
 ;;
 create)
+ EXTENSIONS="server"
+ generate_cert
+ ;;
+ create_server)
+ EXTENSIONS="server"
+ generate_cert
+ ;;
+ create_client)
+ EXTENSIONS="client"
+ if [ "${OUTFILESET}" = "0" ]; then
+ OUTFILE="client.pem"
+ fi
 generate_cert
 ;;
@@ -185,15 +206,15 @@ case ${command} in
 *)
 cat <<-EOF
- $0 [options]
+ $0 [options]
 * commands:
 setup - Setup new CA
 remove - Remove CA
- create - Create new certificate (overwriting old!)
-
+ create_server - Create new certificate (overwriting existing!)
+ create_client - Create a new client certificate (overwrites existing!)
 * options:
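Review bot: `-newkey rsa:` on the added line in generate_cert has lost its key length; the removed line had `rsa:1024` and the new `KEY_SIZE` variable introduced at the top of the file is not used here, so depending on the OpenSSL version the request either fails with an invalid key size or falls through to whatever the tool chooses. The intended line is presumably `-newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \`, which also keeps the leaf key size consistent with the CA's `default_bits`. The signing step below still passes `-sha1`; `-sha256` would be the matching change while this command is being touched. generate_cert begins and ends outside this hunk.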
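Review bot: The `create)` and `create_server)` arms of the case statement are byte-for-byte identical, and the usage text in the following hunk no longer lists `create`, so a reader cannot tell whether it is a deliberate backward-compatible alias or leftover. Either fold the two into one arm, `create|create_server)`, with a comment `# "create" kept as an alias for create_server` above it, or drop `create` and document the removal in the usage text. The `OUTFILESET` flag set in the `-out)` hunk is only consulted by `create_client`, which is fine, but a one-line comment at `OUTFILESET="0"` saying it records whether `-out` was given would make its purpose clear at the declaration.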