add_subdirectory(itl)
add_subdirectory(doc)
add_subdirectory(test)
-add_subdirectory(pki)
add_subdirectory(agent)
set(CPACK_PACKAGE_NAME "Icinga2")
debian/tmp/etc/logrotate.d
debian/tmp/etc/bash_completion.d
tools/syntax/* usr/share/icinga2-common/syntax
-usr/bin/icinga2-build*
-usr/bin/icinga2-sign-key
usr/sbin/icinga2-*-agent
usr/sbin/icinga2-list-agents
usr/share/icinga2
Example:
- # icinga2-build-key icinga2a
- ...
- Common Name (e.g. server FQDN or YOUR name) [icinga2a]:
+ # icinga2 pki new-cert --cn icinga2a --keyfile icinga2a.key --csrfile icinga2a.csr
+ # icinga2 pki sign-csr < icinga2a.csr > icinga2a.crt
# vim cluster.conf
> You're free to use your own method to generated a valid ca and signed client
> certificates.
-Please make sure to export the environment variable `ICINGA_CA` pointing to
-an empty folder for the newly created CA files:
-
- # export ICINGA_CA="/root/icinga-ca"
-
-The scripts will put all generated data and the required certificates in there.
-
-The first step is the creation of the certificate authority (CA) running the
+The first step is the creation of the certificate authority (CA) by running the
following command:
- # icinga2-build-ca
+ # icinga2 pki new-ca
Now create a certificate and key file for each node running the following command
(replace `icinga2a` with the required hostname):
- # icinga2-build-key icinga2a
+ # icinga2 pki new-cert --cn icinga2a --keyfile icinga2a.key --csrfile icinga2a.csr
+ # icinga2 pki sign-csr < icinga2a.csr > icinga2a.crt
Repeat the step for all nodes in your cluster scenario.
if(UNIX OR CYGWIN)
install(
- FILES icinga2.8 icinga2-build-ca.8 icinga2-build-key.8 icinga2-sign-key.8 icinga2-prepare-dirs.8
+ FILES icinga2.8 icinga2-prepare-dirs.8
DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
)
endif()
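Review bot: The FILES list now drops icinga2-build-ca.8, icinga2-build-key.8 and icinga2-sign-key.8 (the pages themselves are deleted further down in this commit), but nothing installed here documents the `icinga2 pki new-ca`, `new-cert` and `sign-csr` subcommands that the updated docs point to instead, so `icinga2.8` should gain a PKI section describing them (or a dedicated page should be added to this same FILES list). The deleted scripts and openssl.cnf pinned the issued-certificate policy — 4096-bit RSA keys, 3650-day validity, `basicConstraints=CA:FALSE`, `extendedKeyUsage=clientAuth,serverAuth`, `keyUsage=digitalSignature`, mode 0600 on the private key and rejection of `/` in the CN — and the implementation of the new subcommands is not part of this diff, so whether those properties are preserved cannot be confirmed from here; the replacement man page text is the place to state exactly what `sign-csr` issues so operators can verify it. The `if(UNIX OR CYGWIN)` block is complete within the hunk.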
+++ /dev/null
-.TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
-
-.SH NAME
-icinga2-build-ca \- Build Icinga 2 certificate authority
-
-.SH DESCRIPTION
-icinga2-build-ca \- Build Icinga 2 certificate authority
-
-Requires the environment variable ICINGA_CA set to an empty
-writable directory.
-
-.SH AUTHOR
-Icinga2 is maintained by the Icinga Project <info@icinga.org>.
-
-.SH "REPORTING BUGS"
-Report bugs at <https://dev.icinga.org/>
-.br
-Icinga home page: <http://www.icinga.org/>
-
-.SH COPYRIGHT
-Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
-License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
-.br
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
+++ /dev/null
-.TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
-
-.SH NAME
-icinga2-build-key \- Build Icinga 2 certificate key
-
-.SH DESCRIPTION
-icinga2-build-key \- Build Icinga 2 certificate key
-
-Requires the environment variable ICINGA_CA set to an empty
-writable directory.
-
-.SH AUTHOR
-Icinga2 is maintained by the Icinga Project <info@icinga.org>.
-
-.SH "REPORTING BUGS"
-Report bugs at <https://dev.icinga.org/>
-.br
-Icinga home page: <http://www.icinga.org/>
-
-.SH COPYRIGHT
-Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
-License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
-.br
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
+++ /dev/null
-.TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
-
-.SH NAME
-icinga2-sign-key \- Sign Icinga 2 certificate key
-
-.SH DESCRIPTION
-icinga2-sign-key \- Sign Icinga 2 certificate key
-
-Requires the environment variable ICINGA_CA set to an empty
-writable directory.
-
-.SH AUTHOR
-Icinga2 is maintained by the Icinga Project <info@icinga.org>.
-
-.SH "REPORTING BUGS"
-Report bugs at <https://dev.icinga.org/>
-.br
-Icinga home page: <http://www.icinga.org/>
-
-.SH COPYRIGHT
-Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
-License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
-.br
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
%config(noreplace) %attr(0640,%{icinga_user},%{icinga_group}) %{_sysconfdir}/%{name}/zones.d/*
%config(noreplace) %{_sysconfdir}/%{name}/scripts/*
%{_sbindir}/%{name}
-%{_bindir}/%{name}-build-ca
-%{_bindir}/%{name}-build-key
-%{_bindir}/%{name}-sign-key
-%{_sbindir}/%{name}-list-objects
%{_sbindir}/%{name}-setup-agent
%{_sbindir}/%{name}-discover-agent
%{_sbindir}/%{name}-forget-agent
%{_datadir}/%{name}
%exclude %{_datadir}/%{name}/include
%{_mandir}/man8/%{name}.8.gz
-%{_mandir}/man8/%{name}-build-ca.8.gz
-%{_mandir}/man8/%{name}-build-key.8.gz
-%{_mandir}/man8/%{name}-sign-key.8.gz
%{_mandir}/man8/%{name}-prepare-dirs.8.gz
%attr(0750,%{icinga_user},%{icingacmd_group}) %{_localstatedir}/cache/%{name}
+++ /dev/null
-# Icinga 2
-# Copyright (C) 2012-2014 Icinga Development Team (http://www.icinga.org)
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software Foundation
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
-
-if(UNIX OR CYGWIN)
- configure_file(icinga2-build-ca.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca @ONLY)
- configure_file(icinga2-build-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key @ONLY)
- configure_file(icinga2-sign-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key @ONLY)
-
- install(
- FILES ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key
- ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key
- DESTINATION ${CMAKE_INSTALL_BINDIR}
- PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
- )
-
- install(
- FILES openssl.cnf openssl-quiet.cnf pkifuncs vars
- DESTINATION ${CMAKE_INSTALL_DATADIR}/icinga2/pki
- )
-endif()
+++ /dev/null
-#!/bin/sh
-ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
-
-. $ICINGA2PKIDIR/pkifuncs
-
-check_pki_dir
-
-if [ `ls -1 -- $ICINGA_CA | wc -l` != 0 ]; then
- echo "The Icinga CA directory must be empty." >&2
- exit 1
-fi
-
-chmod 700 $ICINGA_CA >/dev/null 2>&1
-
-echo '01' > $ICINGA_CA/serial
-touch $ICINGA_CA/index.txt
-
-cp $ICINGA2PKIDIR/vars $ICINGA_CA/
-. $ICINGA_CA/vars
-
-KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl-quiet.cnf -new -newkey rsa:4096 -x509 -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt && \
- chmod 600 $ICINGA_CA/ca.key && \
- echo -e "\n\tIf you want to change the default settings for server certificates check out \"$ICINGA_CA/vars\".\n"
+++ /dev/null
-#!/bin/sh
-ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
-
-. $ICINGA2PKIDIR/pkifuncs
-
-if [ -z "$1" ]; then
- echo "Syntax: $0 <name>" >&2
- exit 1
-fi
-
-name=$1
-
-check_pki_dir
-
-if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
- echo "Please build a CA certificate first." >&2
- exit 1
-fi
-
-[ -f $ICINGA_CA/vars ] && . $ICINGA_CA/vars
-
-[ -z "$REQ_COUNTRY_NAME" ] && export REQ_COUNTRY_NAME="AU"
-[ -z "$REQ_STATE" ] && export REQ_STATE="Some-State"
-[ -z "$REQ_ORGANISATION" ] && export REQ_ORGANISATION="Internet Widgits Pty Ltd"
-[ -z "$REQ_ORG_UNIT" ] && export REQ_ORG_UNIT="Monitoring"
-[ -z "$REQ_COMMON_NAME" ] && export REQ_COMMON_NAME="Icinga CA"
-[ -z "$REQ_DAYS" ] && export REQ_DAYS="3650"
-
-REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA_CA" openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
- openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.tmp -CAserial $ICINGA_CA/serial && \
- chmod 600 $ICINGA_CA/$name.key && \
- openssl x509 -in $ICINGA_CA/$name.tmp -text > $ICINGA_CA/$name.crt && \
- rm -f $ICINGA_CA/$name.csr $ICINGA_CA/$name.tmp
+++ /dev/null
-#!/bin/sh
-ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
-
-. $ICINGA2PKIDIR/pkifuncs
-
-if [ -z "$1" ]; then
- echo "Syntax: $0 <csr-file>" >&2
- exit 1
-fi
-
-check_pki_dir
-
-csrfile=$1
-
-if [ ! -e "$ICINGA_CA/$csrfile" ]; then
- echo "The specified CSR file does not exist."
- exit 1
-fi
-
-pubkfile=${csrfile%.*}
-
-if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
- echo "Please build a CA certificate first." >&2
- exit 1
-fi
-
-[ -f $ICINGA_CA/vars ] && . $ICINGA_CA/vars
-
-if ! openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$csrfile -outform PEM -out $ICINGA_CA/$pubkfile.crt -CAserial $ICINGA_CA/serial; then
- echo "Signing the CSR failed." >&2
- exit 1
-fi
-
-cn=`openssl x509 -in $pubkfile.crt -subject | grep -Eo '/CN=[^ ]+' | cut -f2- -d=`
-
-case "$cn" in
- */*)
- echo "commonName contains invalid character (/)."
- exit 1
- ;;
-esac
-
-
-mv $pubkfile.crt $cn.crt
-pubkfile=$cn
-
-# Make an agent bundle file
-tar cz -C $ICINGA_CA $pubkfile.crt ca.crt | base64 > $ICINGA_CA/$pubkfile.bundle
-
-echo "Done. $pubkfile.crt and $pubkfile.bundle files were written."
-exit 0
+++ /dev/null
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-# Policies used by the TSA examples.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $ENV::KEY_DIR # Where everything is kept
-certs = $dir # Where the issued certs are kept
-crl_dir = $dir # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/ca.crt # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
- # must be commented out to leave a V1 CRL
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key # The private key
-RANDFILE = $dir/.rand # private random number file
-
-x509_extensions = usr_cert # The extentions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_anything
-
-# For the CA policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-prompt = no
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
-string_mask = utf8only
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-CN = $ENV::REQ_COMMON_NAME
-
-# SET-ex3 = SET extension number 3
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-extendedKeyUsage=clientAuth,serverAuth
-keyUsage=digitalSignature
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
+++ /dev/null
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-# Policies used by the TSA examples.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $ENV::KEY_DIR # Where everything is kept
-certs = $dir # Where the issued certs are kept
-crl_dir = $dir # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/ca.crt # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
- # must be commented out to leave a V1 CRL
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/ca.key # The private key
-RANDFILE = $dir/.rand # private random number file
-
-x509_extensions = usr_cert # The extentions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_anything
-
-# For the CA policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
-string_mask = utf8only
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = $ENV::REQ_COUNTRY_NAME
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = $ENV::REQ_STATE
-
-localityName = Locality Name (eg, city)
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = $ENV::REQ_ORGANISATION
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = $ENV::REQ_ORG_UNIT
-
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_max = 64
-commonName_default = $ENV::REQ_COMMON_NAME
-
-#emailAddress = Email Address
-#emailAddress_max = 64
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-extendedKeyUsage=clientAuth,serverAuth
-keyUsage=digitalSignature
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
+++ /dev/null
-check_pki_dir() {
- if [ -z "$ICINGA_CA" ]; then
- echo "Please set the ICINGA_CA environment variable to the path for your Icinga CA." >&2
- echo "e.g.: export ICINGA_CA=\"$HOME/icinga-ca\"" >&2
- exit 1
- fi
-
- if [ ! -d "$ICINGA_CA" ]; then
- echo "The path you specified in the ICINGA_CA environment variable ($ICINGA_CA) does not exist or is not a directory." >&2
- exit 1
- fi
-}
+++ /dev/null
-# Icinga 2 default CA vars
-
-export REQ_COUNTRY_NAME="AU"
-export REQ_STATE="Some-State"
-export REQ_ORGANISATION="Internet Widgits Pty Ltd"
-export REQ_ORG_UNIT="Monitoring"
-export REQ_COMMON_NAME="Icinga CA"
-export REQ_DAYS="3650"