From 047d5db1a4326cb3f140e15038d8c2da8d446acb Mon Sep 17 00:00:00 2001
From: Ricardo Bartels
Date: Wed, 23 Oct 2013 13:02:38 +0200
Subject: [PATCH] Enhance SSL building scripts.

Refs #4948
---
 pki/Makefile.am | 1 +
 pki/icinga2-build-ca.in | 8 +++++++-
 pki/icinga2-build-key.in | 17 +++++++++++++----
 pki/openssl.cnf | 18 +++++++++---------
 pki/vars | 8 ++++++++
 5 files changed, 38 insertions(+), 14 deletions(-)
 create mode 100644 pki/vars

diff --git a/pki/Makefile.am b/pki/Makefile.am
index 2e7a03ae7..9954c16e4 100644
--- a/pki/Makefile.am
+++ b/pki/Makefile.am
@@ -5,6 +5,7 @@ bin_SCRIPTS = \
 icinga2pkidir = ${pkgdatadir}/pki
 icinga2pki_DATA = \
 pkifuncs \
+ vars \
 openssl.cnf
 
 CLEANFILES = $(bin_SCRIPTS)
diff --git a/pki/icinga2-build-ca.in b/pki/icinga2-build-ca.in
index 5ca46a896..6de1fea51 100644
--- a/pki/icinga2-build-ca.in
+++ b/pki/icinga2-build-ca.in
@@ -14,7 +14,13 @@ if [ $(ls -1 -- $ICINGA_CA | wc -l) != 0 ]; then
 exit 1
 fi
 
+chmod 700 $ICINGA_CA >/dev/null 2>&1
+
 echo '01' > $ICINGA_CA/serial
 touch $ICINGA_CA/index.txt
 
-CN_DEFAULT="Icinga CA" KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -x509 -nodes -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt
+cp $ICINGA2PKIDIR/vars $ICINGA_CA/
+source $ICINGA_CA/vars
+
+KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -x509 -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt && \
+ echo -e "\n\tIf you want to change the default settings for server certificates check out \"$ICINGA_CA/vars\".\n"
diff --git a/pki/icinga2-build-key.in b/pki/icinga2-build-key.in
index 81c18bb91..de9931a0d 100644
--- a/pki/icinga2-build-key.in
+++ b/pki/icinga2-build-key.in
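Review bot: The new `chmod 700 $ICINGA_CA >/dev/null 2>&1` discards its exit status, so a failed chmod leaves the directory that is about to receive ca.key at whatever mode it had, with no message; write it as `chmod 700 -- "$ICINGA_CA" || { echo "cannot restrict permissions on $ICINGA_CA" >&2; exit 1; }`. The key file itself is still created under the caller's umask by `-keyout`, so a `umask 077` before the openssl call (or a `chmod 600` on ca.key afterwards) would make its protection independent of the environment — whether this OpenSSL build already restricts `-keyout` output I cannot tell from here. `source $ICINGA_CA/vars` executes that file as shell, which is acceptable only while the directory is writable by its owner alone, which is exactly what the chmod check above guarantees. Dropping `-nodes` here makes the CA key passphrase-protected while the key-build script keeps `-nodes`; that asymmetry is deliberate and deserves one line in the commit message or a comment above the openssl call.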
@@ -21,7 +21,16 @@ if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
 exit 1
 fi
 
-CN_DEFAULT=$name KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
- openssl x509 -days 3650 -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.crt -CAserial $ICINGA_CA/serial
-
-
+[ -f $ICINGA_CA/vars ] && source $ICINGA_CA/vars
+
+[ -z "$REQ_COUNTRY_NAME" ] && export REQ_COUNTRY_NAME="AU"
+[ -z "$REQ_STATE" ] && export REQ_STATE="Some-State"
+[ -z "$REQ_ORGANISATION" ] && export REQ_ORGANISATION="Internet Widgits Pty Ltd"
+[ -z "$REQ_ORG_UNIT" ] && export REQ_ORG_UNIT="Monitoring"
+[ -z "$REQ_COMMON_NAME"] && export REQ_COMMON_NAME="Icinga CA"
+[ -z "$REQ_DAYS" ] && export REQ_DAYS="3650"
+
+REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA_CA" openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
+ openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.tmp -CAserial $ICINGA_CA/serial && \
+ openssl x509 -in $ICINGA_CA/$name.tmp -text > $ICINGA_CA/$name.crt && \
+ rm -f $ICINGA_CA/$name.csr $ICINGA_CA/$name.tmp
diff --git a/pki/openssl.cnf b/pki/openssl.cnf
index f32bde23b..072b2a9c1 100644
--- a/pki/openssl.cnf
+++ b/pki/openssl.cnf
@@ -78,7 +78,7 @@ preserve = no # keep passed DN ordering
 # A few difference way of specifying how similar the request should look
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that :-)
-policy = policy_match
+policy = policy_anything
 
 # For the CA policy
 [ policy_match ]
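Review bot: `[ -z "$REQ_COMMON_NAME"] && export REQ_COMMON_NAME="Icinga CA"` is missing the space before `]`: when the variable is already set (e.g. sourced from vars) `[` sees `value]` as its last argument, prints `missing ]` and returns non-zero, and when it is empty the test degenerates to `[ -z ]`, which only happens to succeed; it should read `[ -z "$REQ_COMMON_NAME" ] && export REQ_COMMON_NAME="Icinga CA"`. The defect is masked because the openssl line overrides `REQ_COMMON_NAME="$name"` anyway, but the stray error shows up on every run. These six fallbacks also duplicate pki/vars (the new file at the end of this patch), so the two sets will drift; sourcing `$ICINGA2PKIDIR/vars` for the defaults, as build-ca effectively does, and then `$ICINGA_CA/vars` as the per-CA override would keep one source of truth. Note also that `[ -z … ] && export …` returns non-zero whenever the variable is already set, which aborts the script under `set -e` if that is enabled outside this hunk — the file's header is not visible here.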
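Review bot: The switch to `policy_anything` drops the requirement that countryName, stateOrProvinceName and organizationName match the CA's own DN, and the hunk leaves the comment above it describing the old behaviour. As far as this patch shows, the scripts sign with `openssl x509 -req`, which does not consult the `[ ca ]` policy at all, so the relaxation only takes effect when someone runs `openssl ca` against this config; a comment such as `# relaxed from policy_match so server certificates may carry a DN that differs from the CA (REQ_* in pki/vars)` would record the intent.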
@@ -126,28 +126,28 @@ string_mask = utf8only
 
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = $ENV::REQ_COUNTRY_NAME
 countryName_min = 2
 countryName_max = 2
 
 stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = $ENV::REQ_STATE
 
 localityName = Locality Name (eg, city)
 
 0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = $ENV::REQ_ORGANISATION
 
 # we can do this but it is not needed normally :-)
 #1.organizationName = Second Organization Name (eg, company)
 #1.organizationName_default = World Wide Web Pty Ltd
 
 organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = Icinga
+organizationalUnitName_default = $ENV::REQ_ORG_UNIT
 
 commonName = Common Name (e.g. server FQDN or YOUR name)
 commonName_max = 64
-commonName_default = $ENV::CN_DEFAULT
+commonName_default = $ENV::REQ_COMMON_NAME
 
 #emailAddress = Email Address
 #emailAddress_max = 64
@@ -155,9 +155,9 @@ commonName_default = $ENV::CN_DEFAULT
 # SET-ex3 = SET extension number 3
 
 [ req_attributes ]
-#challengePassword = A challenge password
-#challengePassword_min = 4
-#challengePassword_max = 20
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
 
 unstructuredName = An optional company name
 
diff --git a/pki/vars b/pki/vars
new file mode 100644
index 000000000..a4e650663
--- /dev/null
+++ b/pki/vars
@@ -0,0 +1,8 @@
+# Icinga 2 default CA vars
+
+export REQ_COUNTRY_NAME="AU"
+export REQ_STATE="Some-State"
+export REQ_ORGANISATION="Internet Widgits Pty Ltd"
+export REQ_ORG_UNIT="Monitoring"
+export REQ_COMMON_NAME="Icinga CA"
+export REQ_DAYS="3650"
-- 
2.40.0
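Review bot: Every `_default` in `[ req_distinguished_name ]` now reads `$ENV::REQ_*`, and OpenSSL refuses to load a config in which a referenced environment variable is unset, so any `openssl req -config openssl.cnf` invocation that does not go through the patched build-ca/build-key scripts (which export all six) fails outright instead of falling back to a default. If that is the intended contract it should be written down; a comment above `countryName` such as `# *_default values come from the REQ_* environment (exported by icinga2-build-ca/-key from pki/vars); openssl aborts if any of them is unset` would do. OpenSSL's config syntax has no fallback form for `$ENV::` references, so documenting the requirement is the practical fix rather than trying to keep literal defaults here.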
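Review bot: Uncommenting `challengePassword` in `[ req_attributes ]` makes every interactive `openssl req -new` run prompt for a challenge password and store it, in plaintext, as an attribute of the CSR, yet nothing in this patch consumes it: build-key signs with `openssl x509 -req` and deletes the .csr right after. If the prompt is wanted for some workflow outside this patch, a comment above the three lines stating that would help; otherwise they should stay commented out as before.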