merge ca configs

3 files changed, 51 insertions, 119 deletions

diff --git a/etc/signing-ca.conf b/etc/ca.conf
index ebba5d0..0b768e0 100644
--- a/etc/signing-ca.conf
+++ b/etc/ca.conf
@@ -1,11 +1,11 @@
-# Simple Signing CA
+# Simple Root & Signing CA
 
 # The [default] section contains global constants that can be referred to from
 # the entire configuration file. It may also hold settings pertaining to more
 # than one openssl command.
 
 [ default ]
-ca                      = signing-ca            # CA name
+ca                      = $ENV::CA
 dir                     = .                     # Top dir
 
 # The next part of the configuration file is used by the openssl req command.
@@ -27,19 +27,36 @@ req_extensions          = ca_reqext             # Desired extensions
 1.domainComponent       = "eckner"
 organizationName        = "Eckner Net"
 organizationalUnitName  = "Eckner Net CA"
-commonName              = "Eckner Net Signing CA"
+commonName              = "Eckner Net Root CA"
 
 [ ca_reqext ]
 keyUsage                = critical,keyCertSign,cRLSign
-basicConstraints        = critical,CA:true,pathlen:0
+basicConstraints        = critical,CA:true
 subjectKeyIdentifier    = hash
 
 # The remainder of the configuration file is used by the openssl ca command.
 # The CA section defines the locations of CA assets, as well as the policies
 # applying to the CA.
 
-[ ca ]
-default_ca              = signing_ca            # The default CA section
+[ root_ca ]
+certificate             = $dir/ca/$ca.crt       # The CA cert
+private_key             = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir           = $dir/ca/$ca           # Certificate archive
+serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database                = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject          = no                    # Require unique subject
+default_days            = 3652                  # How long to certify for
+default_md              = sha1                  # MD to use
+policy                  = match_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = ca_default            # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = none                  # Copy extensions from CSR
+x509_extensions         = signing_ca_ext        # Default cert extensions
+default_crl_days        = 365                   # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
 
 [ signing_ca ]
 certificate             = $dir/ca/$ca.crt       # The CA cert
@@ -83,6 +100,21 @@ emailAddress            = optional
 # Certificate extensions define what types of certificates the CA is able to
 # create.
 
+[ root_ca_ext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+[ signing_ca_ext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
 [ email_ext ]
 keyUsage                = critical,digitalSignature,keyEncipherment
 basicConstraints        = CA:false
diff --git a/etc/root-ca.conf b/etc/root-ca.conf
deleted file mode 100644
index 70df9cf..0000000
--- a/etc/root-ca.conf
+++ /dev/null
@@ -1,102 +0,0 @@
-# Simple Root CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-ca                      = root-ca               # CA name
-dir                     = .                     # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits            = 4096                  # RSA key size
-encrypt_key             = no                    # Protect private key
-default_md              = sha1                  # MD to use
-utf8                    = yes                   # Input is UTF-8
-string_mask             = utf8only              # Emit UTF-8 strings
-prompt                  = no                    # Don't prompt for DN
-distinguished_name      = ca_dn                 # DN section
-req_extensions          = ca_reqext             # Desired extensions
-
-[ ca_dn ]
-0.domainComponent       = "net"
-1.domainComponent       = "eckner"
-organizationName        = "Eckner Net"
-organizationalUnitName  = "Eckner Net CA"
-commonName              = "Eckner Net Root CA"
-
-[ ca_reqext ]
-keyUsage                = critical,keyCertSign,cRLSign
-basicConstraints        = critical,CA:true
-subjectKeyIdentifier    = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ ca ]
-default_ca              = root_ca               # The default CA section
-
-[ root_ca ]
-certificate             = $dir/ca/$ca.crt       # The CA cert
-private_key             = $dir/ca/$ca/private/$ca.key # CA private key
-new_certs_dir           = $dir/ca/$ca           # Certificate archive
-serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
-crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
-database                = $dir/ca/$ca/db/$ca.db # Index file
-unique_subject          = no                    # Require unique subject
-default_days            = 3652                  # How long to certify for
-default_md              = sha1                  # MD to use
-policy                  = match_pol             # Default naming policy
-email_in_dn             = no                    # Add email to cert DN
-preserve                = no                    # Keep passed DN ordering
-name_opt                = ca_default            # Subject DN display options
-cert_opt                = ca_default            # Certificate display options
-copy_extensions         = none                  # Copy extensions from CSR
-x509_extensions         = signing_ca_ext        # Default cert extensions
-default_crl_days        = 365                   # How long before next CRL
-crl_extensions          = crl_ext               # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent         = match                 # Must match 'simple.org'
-organizationName        = match                 # Must match 'Simple Inc'
-organizationalUnitName  = optional              # Included if present
-commonName              = supplied              # Must be present
-
-[ any_pol ]
-domainComponent         = optional
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = optional
-emailAddress            = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ root_ca_ext ]
-keyUsage                = critical,keyCertSign,cRLSign
-basicConstraints        = critical,CA:true
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid:always
-
-[ signing_ca_ext ]
-keyUsage                = critical,keyCertSign,cRLSign
-basicConstraints        = critical,CA:true,pathlen:0
-subjectKeyIdentifier    = hash
-authorityKeyIdentifier  = keyid:always
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier  = keyid:always
diff --git a/website-run-through b/website-run-through
index 0432ba1..9903bd6 100755
--- a/website-run-through
+++ b/website-run-through
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 rm -rf --one-file-system ca certs
 
 mkdir -p ca/root-ca/private ca/root-ca/db crl certs
@@ -10,13 +12,13 @@ cp /dev/null ca/root-ca/db/root-ca.db.attr
 echo 01 > ca/root-ca/db/root-ca.crt.srl
 echo 01 > ca/root-ca/db/root-ca.crl.srl
 
-openssl req -new \
-    -config etc/root-ca.conf \
+CA=root-ca openssl req -new \
+    -config etc/ca.conf \
     -out ca/root-ca.csr \
     -keyout ca/root-ca/private/root-ca.key
 
-openssl ca -batch -selfsign \
-    -config etc/root-ca.conf \
+CA=root-ca openssl ca -batch -name root_ca -selfsign \
+    -config etc/ca.conf \
     -in ca/root-ca.csr \
     -out ca/root-ca.crt \
     -extensions root_ca_ext
@@ -29,13 +31,13 @@ cp /dev/null ca/signing-ca/db/signing-ca.db.attr
 echo 01 > ca/signing-ca/db/signing-ca.crt.srl
 echo 01 > ca/signing-ca/db/signing-ca.crl.srl
 
-openssl req -new \
-    -config etc/signing-ca.conf \
+CA=signing-ca openssl req -new \
+    -config etc/ca.conf \
     -out ca/signing-ca.csr \
     -keyout ca/signing-ca/private/signing-ca.key
 
-openssl ca -batch \
-    -config etc/root-ca.conf \
+CA=root-ca openssl ca -batch -name root_ca \
+    -config etc/ca.conf \
     -in ca/signing-ca.csr \
     -out ca/signing-ca.crt \
     -extensions signing_ca_ext
@@ -47,8 +49,8 @@ openssl req -new \
     -out /tmp/nginx.csr \
     -keyout /tmp/nginx.key
 
-openssl ca -batch \
-    -config etc/signing-ca.conf \
+CA=signing-ca openssl ca -batch -name signing_ca \
+    -config etc/ca.conf \
     -in /tmp/nginx.csr \
     -out /tmp/nginx.crt \
     -extensions server_ext
@@ -62,6 +64,6 @@ curl -Ss https://test.local --cacert ca/root-ca.crt
 exit 0
 
 openssl ca \
-    -config etc/signing-ca.conf \
+    -config etc/ca.conf \
     -revoke ca/signing-ca/01.pem \
     -crl_reason superseded