Enhance SSL building scripts.
authorRicardo Bartels <ricardo@bitchbrothers.com>
Wed, 23 Oct 2013 11:02:38 +0000 (13:02 +0200)
committerRicardo Bartels <ricardo@bitchbrothers.com>
Wed, 23 Oct 2013 11:02:38 +0000 (13:02 +0200)
Refs #4948

pki/Makefile.am
pki/icinga2-build-ca.in
pki/icinga2-build-key.in
pki/openssl.cnf
pki/vars [new file with mode: 0644]

index 2e7a03ae7ba12861e8c006e08d03484e5f421dad..9954c16e44065f5c7278cc961d6b862a941c9447 100644 (file)
@@ -5,6 +5,7 @@ bin_SCRIPTS = \
 icinga2pkidir = ${pkgdatadir}/pki
 icinga2pki_DATA = \
        pkifuncs \
+       vars \
        openssl.cnf
 
 CLEANFILES = $(bin_SCRIPTS)
index 5ca46a8965942954123740817f69f67bd7d1da7b..6de1fea510daeb034507d9782715c52eaad20408 100644 (file)
@@ -14,7 +14,13 @@ if [ $(ls -1 -- $ICINGA_CA | wc -l) != 0 ]; then
        exit 1
 fi
 
+chmod 700 $ICINGA_CA >/dev/null 2>&1
+
 echo '01' > $ICINGA_CA/serial
 touch $ICINGA_CA/index.txt
 
-CN_DEFAULT="Icinga CA" KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -x509 -nodes -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt
+cp $ICINGA2PKIDIR/vars $ICINGA_CA/
+source $ICINGA_CA/vars
+
+KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -x509 -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt && \
+       echo -e "\n\tIf you want to change the default settings for server certificates check out \"$ICINGA_CA/vars\".\n"
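Review bot: The rewritten CA request on the line starting `KEY_DIR=$ICINGA_CA openssl req` drops the `-nodes` flag that the removed line carried, so ca.key is now written encrypted and `openssl req` prompts for a passphrase, which the commit message does not mention. If the encrypted CA key is intended (a sound hardening), then the `openssl x509 -CAkey $ICINGA_CA/ca.key` step in icinga2-build-key will prompt for that passphrase on every server certificate and this should be stated in the message and the printed hint; if it is not intended, `-nodes` should be restored. Separately, `cp $ICINGA2PKIDIR/vars $ICINGA_CA/` and `source $ICINGA_CA/vars` are unchecked, and because openssl.cnf now reads `$ENV::REQ_*` with no fallback in this script, a failed copy only surfaces as a config-parse error from openssl; `cp $ICINGA2PKIDIR/vars $ICINGA_CA/ || exit 1` and `. $ICINGA_CA/vars || exit 1` would fail early, and `.` also avoids relying on a bash-only builtin if the shebang (outside the hunk) is /bin/sh. The `>/dev/null 2>&1` on `chmod 700 $ICINGA_CA` hides a failure to lock down the directory that is about to hold the CA key; it is worth letting that error show.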
index 81c18bb9130443206398f10f32ff8f6eae448c08..de9931a0dc40926beee217534b24fc9a2651ffa4 100644 (file)
@@ -21,7 +21,16 @@ if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
        exit 1
 fi
 
-CN_DEFAULT=$name KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
-       openssl x509 -days 3650 -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.crt -CAserial $ICINGA_CA/serial
-
-
+[ -f $ICINGA_CA/vars ] && source $ICINGA_CA/vars
+
+[ -z "$REQ_COUNTRY_NAME" ] && export REQ_COUNTRY_NAME="AU"
+[ -z "$REQ_STATE" ] && export REQ_STATE="Some-State"
+[ -z "$REQ_ORGANISATION" ] && export REQ_ORGANISATION="Internet Widgits Pty Ltd"
+[ -z "$REQ_ORG_UNIT" ] && export REQ_ORG_UNIT="Monitoring"
+[ -z "$REQ_COMMON_NAME"] && export REQ_COMMON_NAME="Icinga CA"
+[ -z "$REQ_DAYS" ] && export REQ_DAYS="3650"
+
+REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA_CA" openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
+       openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.tmp -CAserial $ICINGA_CA/serial && \
+       openssl x509 -in $ICINGA_CA/$name.tmp -text >  $ICINGA_CA/$name.crt && \
+       rm -f $ICINGA_CA/$name.csr $ICINGA_CA/$name.tmp
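Review bot: The fallback line `[ -z "$REQ_COMMON_NAME"] && export REQ_COMMON_NAME="Icinga CA"` is missing the space before `]`, so `[` receives `"$REQ_COMMON_NAME"]` as its operand and fails with a missing-bracket error on every run; it should read `[ -z "$REQ_COMMON_NAME" ] && export REQ_COMMON_NAME="Icinga CA"`. The value is overridden with `$name` on the `openssl req` line regardless, so the fallback only adds error noise, but the other five fallbacks duplicate the defaults in pki/vars and will drift from it; a comment such as `# fallbacks mirror pki/vars for CA directories created before vars existed` would at least record why both exist. The `source $ICINGA_CA/vars` guard has the same bash-only dependency as in icinga2-build-ca, and the script's shebang and `$name` assignment are outside the hunk.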
index f32bde23bc7fb38d5e3f0c6d9317c51e1a4ae334..072b2a9c1bc6a3417d3631aaf8b392f930b8e2f9 100644 (file)
@@ -78,7 +78,7 @@ preserve      = no                    # keep passed DN ordering
 # A few difference way of specifying how similar the request should look
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that :-)
-policy         = policy_match
+policy         = policy_anything
 
 # For the CA policy
 [ policy_match ]
@@ -126,28 +126,28 @@ string_mask = utf8only
 
 [ req_distinguished_name ]
 countryName                    = Country Name (2 letter code)
-countryName_default            = AU
+countryName_default            = $ENV::REQ_COUNTRY_NAME
 countryName_min                        = 2
 countryName_max                        = 2
 
 stateOrProvinceName            = State or Province Name (full name)
-stateOrProvinceName_default    = Some-State
+stateOrProvinceName_default    = $ENV::REQ_STATE
 
 localityName                   = Locality Name (eg, city)
 
 0.organizationName             = Organization Name (eg, company)
-0.organizationName_default     = Internet Widgits Pty Ltd
+0.organizationName_default     = $ENV::REQ_ORGANISATION
 
 # we can do this but it is not needed normally :-)
 #1.organizationName            = Second Organization Name (eg, company)
 #1.organizationName_default    = World Wide Web Pty Ltd
 
 organizationalUnitName         = Organizational Unit Name (eg, section)
-organizationalUnitName_default = Icinga
+organizationalUnitName_default = $ENV::REQ_ORG_UNIT
 
 commonName                     = Common Name (e.g. server FQDN or YOUR name)
 commonName_max                 = 64
-commonName_default             = $ENV::CN_DEFAULT
+commonName_default             = $ENV::REQ_COMMON_NAME
 
 #emailAddress                  = Email Address
 #emailAddress_max              = 64
@@ -155,9 +155,9 @@ commonName_default          = $ENV::CN_DEFAULT
 # SET-ex3                      = SET extension number 3
 
 [ req_attributes ]
-#challengePassword             = A challenge password
-#challengePassword_min         = 4
-#challengePassword_max         = 20
+challengePassword              = A challenge password
+challengePassword_min          = 4
+challengePassword_max          = 20
 
 unstructuredName               = An optional company name
 
diff --git a/pki/vars b/pki/vars
new file mode 100644 (file)
index 0000000..a4e6506
--- /dev/null
+++ b/pki/vars
@@ -0,0 +1,8 @@
+# Icinga 2 default CA vars
+
+export REQ_COUNTRY_NAME="AU"
+export REQ_STATE="Some-State"
+export REQ_ORGANISATION="Internet Widgits Pty Ltd"
+export REQ_ORG_UNIT="Monitoring"
+export REQ_COMMON_NAME="Icinga CA"
+export REQ_DAYS="3650"
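Review bot: The header `# Icinga 2 default CA vars` does not say that this file is executed as shell by `source` in icinga2-build-ca and icinga2-build-key (from the copy placed in `$ICINGA_CA`), or that `REQ_COMMON_NAME` becomes the CA's subject CN while build-key replaces it with the certificate name; a header such as `# Sourced as shell by icinga2-build-ca/icinga2-build-key from $ICINGA_CA/vars (shell syntax, not INI); REQ_COMMON_NAME is the CA CN, build-key overrides it per certificate.` would make that clear. Because the copy in the CA directory is sourced, it has to be treated as trusted code, which is one more reason the `chmod 700` in build-ca should not have its errors silenced. `REQ_DAYS` is only consumed by build-key's `openssl x509 -days "$REQ_DAYS"`; build-ca still hard-codes `-days 3650`, so a comment `# REQ_DAYS applies to server certificates only` would prevent the expectation that it shortens the CA lifetime.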