Tweak SSL setup scripts to have a CA more convenient for server and client scripts

Sign server, ca, and client certificate with more unique attributes delineating roles git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@14875 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
2013-01-14 16:40:39 +00:00 · 2013-01-14 16:40:39 +00:00 · 92508cf564
commit 92508cf564
parent 0e92da0f5f
4 changed files with 15 additions and 8 deletions
--- a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
+++ b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
@ -156,6 +156,13 @@ commonName_max			= 64

 #unstructuredName		= An optional company name

+[ server ]
+basicConstraints=CA:FALSE
+nsCertType			= server, client, objsign
+nsComment			= "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
 [ usr_cert ]

 # These extensions are added when 'ca' signs a request.
@ -178,13 +185,13 @@ basicConstraints=CA:FALSE
 # nsCertType = client, email

 # and for everything including object signing:
-# nsCertType = client, email, objsign
+nsCertType = client, email, objsign

 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 # This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
+nsComment			= "OpenSSL Generated Client Certificate"

 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
@ -235,10 +242,10 @@ basicConstraints = CA:true
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign

 # Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA

 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
--- a/xCAT-server/share/xcat/scripts/setup-local-client.sh
+++ b/xCAT-server/share/xcat/scripts/setup-local-client.sh
@ -51,7 +51,7 @@ done
 mkdir -p $USERHOME/.xcat
 cd $USERHOME/.xcat
 openssl genrsa -out client-key.pem 2048
-openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -subj "/CN=$CNA"
+openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -extensions usr_crt -subj "/CN=$CNA"
 cp client-req.pem  $XCATDIR/ca/root.csr
 cd -
 cd $XCATDIR/ca
--- a/xCAT-server/share/xcat/scripts/setup-server-cert.sh
+++ b/xCAT-server/share/xcat/scripts/setup-server-cert.sh
@ -23,7 +23,7 @@ fi
 mkdir -p $XCATDIR/cert
 cd $XCATDIR/cert
 openssl genrsa -out server-key.pem 2048
-openssl req -config $XCATCADIR/openssl.cnf -new -key server-key.pem -out server-req.pem -subj "/CN=$CNA"
+openssl req -config $XCATCADIR/openssl.cnf -new -key server-key.pem -out server-req.pem -extensions server -subj "/CN=$CNA"
 cp server-req.pem  $XCATDIR/ca/`hostname`.csr
 cd -
 cd $XCATDIR/ca
@ -33,7 +33,7 @@ cd $XCATDIR/ca
 #   - call cmds directly instead - seems safe
 # make sign

-openssl ca -config openssl.cnf -in `hostname`.csr -out `hostname`.cert
+openssl ca -config openssl.cnf -in `hostname`.csr -out `hostname`.cert -extensions server
 if [ -f `hostname`.cert ]; then
    rm `hostname`.csr
 fi
--- a/xCAT-server/share/xcat/scripts/setup-xcat-ca.sh
+++ b/xCAT-server/share/xcat/scripts/setup-xcat-ca.sh
@ -30,5 +30,5 @@ sed -e "s@##XCATCADIR##@$XCATCADIR@" $XCATROOT/share/xcat/ca/openssl.cnf.tmpl >
 cp $XCATROOT/share/xcat/ca/Makefile $XCATCADIR/
 cd $XCATCADIR
 make init
-openssl req -nodes -config openssl.cnf -days 2650 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM -subj /CN="$CNA"
+openssl req -nodes -config openssl.cnf -days 7300 -x509 -newkey rsa:2048 -out ca-cert.pem -extensions v3_ca -outform PEM -subj /CN="$CNA"
 cd -