Tweak SSL setup scripts to have a CA more convenient for server and client scripts

Sign server, ca, and client certificate with more unique attributes delineating roles

git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@14875 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd

xCAT-server/share/xcat/ca/openssl.cnf.tmpl

@@ -156,6 +156,13 @@ commonName_max			= 64
 
 #unstructuredName		= An optional company name
 
+[ server ]
+basicConstraints=CA:FALSE
+nsCertType			= server, client, objsign
+nsComment			= "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
 [ usr_cert ]
 
 # These extensions are added when 'ca' signs a request.
@@ -178,13 +185,13 @@ basicConstraints=CA:FALSE
 # nsCertType = client, email
 
 # and for everything including object signing:
-# nsCertType = client, email, objsign
+nsCertType = client, email, objsign
 
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 # This will be displayed in Netscape's comment listbox.
-nsComment			= "OpenSSL Generated Certificate"
+nsComment			= "OpenSSL Generated Client Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
@@ -235,10 +242,10 @@ basicConstraints = CA:true
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 
 # Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA
 
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy

xCAT-server/share/xcat/scripts/setup-local-client.sh

@@ -51,7 +51,7 @@ done
 mkdir -p $USERHOME/.xcat
 cd $USERHOME/.xcat
 openssl genrsa -out client-key.pem 2048
-openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -subj "/CN=$CNA"
+openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -extensions usr_crt -subj "/CN=$CNA"
 cp client-req.pem  $XCATDIR/ca/root.csr
 cd -
 cd $XCATDIR/ca

xCAT-server/share/xcat/scripts/setup-server-cert.sh

@@ -23,7 +23,7 @@ fi
 mkdir -p $XCATDIR/cert
 cd $XCATDIR/cert
 openssl genrsa -out server-key.pem 2048
-openssl req -config $XCATCADIR/openssl.cnf -new -key server-key.pem -out server-req.pem -subj "/CN=$CNA"
+openssl req -config $XCATCADIR/openssl.cnf -new -key server-key.pem -out server-req.pem -extensions server -subj "/CN=$CNA"
 cp server-req.pem  $XCATDIR/ca/`hostname`.csr
 cd -
 cd $XCATDIR/ca
@@ -33,7 +33,7 @@ cd $XCATDIR/ca
 #   - call cmds directly instead - seems safe
 # make sign
 
-openssl ca -config openssl.cnf -in `hostname`.csr -out `hostname`.cert
+openssl ca -config openssl.cnf -in `hostname`.csr -out `hostname`.cert -extensions server
 if [ -f `hostname`.cert ]; then
     rm `hostname`.csr
 fi

xCAT-server/share/xcat/scripts/setup-xcat-ca.sh

@@ -30,5 +30,5 @@ sed -e "s@##XCATCADIR##@$XCATCADIR@" $XCATROOT/share/xcat/ca/openssl.cnf.tmpl >
 cp $XCATROOT/share/xcat/ca/Makefile $XCATCADIR/
 cd $XCATCADIR
 make init
-openssl req -nodes -config openssl.cnf -days 2650 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM -subj /CN="$CNA"
+openssl req -nodes -config openssl.cnf -days 7300 -x509 -newkey rsa:2048 -out ca-cert.pem -extensions v3_ca -outform PEM -subj /CN="$CNA"
 cd -