diff options
author | Erich Eckner <git@eckner.net> | 2019-09-02 10:45:14 +0200 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2019-09-02 12:03:10 +0200 |
commit | 70171c27198eaafbc16ec7c65706eab7485916f4 (patch) | |
tree | ad5de2576012e1ce048e9fdd22002d8253563a67 | |
parent | 4cb7f201a74ebd1709f544f79cdff6855f853e0d (diff) | |
download | simple-pki-70171c27198eaafbc16ec7c65706eab7485916f4.tar.xz |
merge ca configs
-rw-r--r-- | etc/ca.conf (renamed from etc/signing-ca.conf) | 44 | ||||
-rw-r--r-- | etc/root-ca.conf | 102 | ||||
-rwxr-xr-x | website-run-through | 24 |
3 files changed, 51 insertions, 119 deletions
diff --git a/etc/signing-ca.conf b/etc/ca.conf index ebba5d0..0b768e0 100644 --- a/etc/signing-ca.conf +++ b/etc/ca.conf @@ -1,11 +1,11 @@ -# Simple Signing CA +# Simple Root & Signing CA # The [default] section contains global constants that can be referred to from # the entire configuration file. It may also hold settings pertaining to more # than one openssl command. [ default ] -ca = signing-ca # CA name +ca = $ENV::CA dir = . # Top dir # The next part of the configuration file is used by the openssl req command. @@ -27,19 +27,36 @@ req_extensions = ca_reqext # Desired extensions 1.domainComponent = "eckner" organizationName = "Eckner Net" organizationalUnitName = "Eckner Net CA" -commonName = "Eckner Net Signing CA" +commonName = "Eckner Net Root CA" [ ca_reqext ] keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true,pathlen:0 +basicConstraints = critical,CA:true subjectKeyIdentifier = hash # The remainder of the configuration file is used by the openssl ca command. # The CA section defines the locations of CA assets, as well as the policies # applying to the CA. -[ ca ] -default_ca = signing_ca # The default CA section +[ root_ca ] +certificate = $dir/ca/$ca.crt # The CA cert +private_key = $dir/ca/$ca/private/$ca.key # CA private key +new_certs_dir = $dir/ca/$ca # Certificate archive +serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file +crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file +database = $dir/ca/$ca/db/$ca.db # Index file +unique_subject = no # Require unique subject +default_days = 3652 # How long to certify for +default_md = sha1 # MD to use +policy = match_pol # Default naming policy +email_in_dn = no # Add email to cert DN +preserve = no # Keep passed DN ordering +name_opt = ca_default # Subject DN display options +cert_opt = ca_default # Certificate display options +copy_extensions = none # Copy extensions from CSR +x509_extensions = signing_ca_ext # Default cert extensions +default_crl_days = 365 # How long before next CRL +crl_extensions = crl_ext # CRL extensions [ signing_ca ] certificate = $dir/ca/$ca.crt # The CA cert @@ -83,6 +100,21 @@ emailAddress = optional # Certificate extensions define what types of certificates the CA is able to # create. +[ root_ca_ext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ signing_ca_ext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true,pathlen:0 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +# Certificate extensions define what types of certificates the CA is able to +# create. + [ email_ext ] keyUsage = critical,digitalSignature,keyEncipherment basicConstraints = CA:false diff --git a/etc/root-ca.conf b/etc/root-ca.conf deleted file mode 100644 index 70df9cf..0000000 --- a/etc/root-ca.conf +++ /dev/null @@ -1,102 +0,0 @@ -# Simple Root CA - -# The [default] section contains global constants that can be referred to from -# the entire configuration file. It may also hold settings pertaining to more -# than one openssl command. - -[ default ] -ca = root-ca # CA name -dir = . # Top dir - -# The next part of the configuration file is used by the openssl req command. -# It defines the CA's key pair, its DN, and the desired extensions for the CA -# certificate. - -[ req ] -default_bits = 4096 # RSA key size -encrypt_key = no # Protect private key -default_md = sha1 # MD to use -utf8 = yes # Input is UTF-8 -string_mask = utf8only # Emit UTF-8 strings -prompt = no # Don't prompt for DN -distinguished_name = ca_dn # DN section -req_extensions = ca_reqext # Desired extensions - -[ ca_dn ] -0.domainComponent = "net" -1.domainComponent = "eckner" -organizationName = "Eckner Net" -organizationalUnitName = "Eckner Net CA" -commonName = "Eckner Net Root CA" - -[ ca_reqext ] -keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash - -# The remainder of the configuration file is used by the openssl ca command. -# The CA section defines the locations of CA assets, as well as the policies -# applying to the CA. - -[ ca ] -default_ca = root_ca # The default CA section - -[ root_ca ] -certificate = $dir/ca/$ca.crt # The CA cert -private_key = $dir/ca/$ca/private/$ca.key # CA private key -new_certs_dir = $dir/ca/$ca # Certificate archive -serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file -crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file -database = $dir/ca/$ca/db/$ca.db # Index file -unique_subject = no # Require unique subject -default_days = 3652 # How long to certify for -default_md = sha1 # MD to use -policy = match_pol # Default naming policy -email_in_dn = no # Add email to cert DN -preserve = no # Keep passed DN ordering -name_opt = ca_default # Subject DN display options -cert_opt = ca_default # Certificate display options -copy_extensions = none # Copy extensions from CSR -x509_extensions = signing_ca_ext # Default cert extensions -default_crl_days = 365 # How long before next CRL -crl_extensions = crl_ext # CRL extensions - -# Naming policies control which parts of a DN end up in the certificate and -# under what circumstances certification should be denied. - -[ match_pol ] -domainComponent = match # Must match 'simple.org' -organizationName = match # Must match 'Simple Inc' -organizationalUnitName = optional # Included if present -commonName = supplied # Must be present - -[ any_pol ] -domainComponent = optional -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -# Certificate extensions define what types of certificates the CA is able to -# create. - -[ root_ca_ext ] -keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always - -[ signing_ca_ext ] -keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true,pathlen:0 -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always - -# CRL extensions exist solely to point to the CA certificate that has issued -# the CRL. - -[ crl_ext ] -authorityKeyIdentifier = keyid:always diff --git a/website-run-through b/website-run-through index 0432ba1..9903bd6 100755 --- a/website-run-through +++ b/website-run-through @@ -1,5 +1,7 @@ #!/bin/bash +set -e + rm -rf --one-file-system ca certs mkdir -p ca/root-ca/private ca/root-ca/db crl certs @@ -10,13 +12,13 @@ cp /dev/null ca/root-ca/db/root-ca.db.attr echo 01 > ca/root-ca/db/root-ca.crt.srl echo 01 > ca/root-ca/db/root-ca.crl.srl -openssl req -new \ - -config etc/root-ca.conf \ +CA=root-ca openssl req -new \ + -config etc/ca.conf \ -out ca/root-ca.csr \ -keyout ca/root-ca/private/root-ca.key -openssl ca -batch -selfsign \ - -config etc/root-ca.conf \ +CA=root-ca openssl ca -batch -name root_ca -selfsign \ + -config etc/ca.conf \ -in ca/root-ca.csr \ -out ca/root-ca.crt \ -extensions root_ca_ext @@ -29,13 +31,13 @@ cp /dev/null ca/signing-ca/db/signing-ca.db.attr echo 01 > ca/signing-ca/db/signing-ca.crt.srl echo 01 > ca/signing-ca/db/signing-ca.crl.srl -openssl req -new \ - -config etc/signing-ca.conf \ +CA=signing-ca openssl req -new \ + -config etc/ca.conf \ -out ca/signing-ca.csr \ -keyout ca/signing-ca/private/signing-ca.key -openssl ca -batch \ - -config etc/root-ca.conf \ +CA=root-ca openssl ca -batch -name root_ca \ + -config etc/ca.conf \ -in ca/signing-ca.csr \ -out ca/signing-ca.crt \ -extensions signing_ca_ext @@ -47,8 +49,8 @@ openssl req -new \ -out /tmp/nginx.csr \ -keyout /tmp/nginx.key -openssl ca -batch \ - -config etc/signing-ca.conf \ +CA=signing-ca openssl ca -batch -name signing_ca \ + -config etc/ca.conf \ -in /tmp/nginx.csr \ -out /tmp/nginx.crt \ -extensions server_ext @@ -62,6 +64,6 @@ curl -Ss https://test.local --cacert ca/root-ca.crt exit 0 openssl ca \ - -config etc/signing-ca.conf \ + -config etc/ca.conf \ -revoke ca/signing-ca/01.pem \ -crl_reason superseded |