Add expanded openssl.conf to sources, use no location in certificate

2017-01-22 22:05:34 -08:00 · 2017-01-22 22:05:34 -08:00 · 703134b7c4
commit 703134b7c4
parent 74dabc2cd6
2 changed files with 48 additions and 2 deletions
--- a/openssl.conf
+++ b/openssl.conf
@ -0,0 +1,46 @@
+[req]
+distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
+# Run non-interactively
+prompt = no
+
+[req_distinguished_name]
+# Certificate subject
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Sunnyvale
+#organizationName = xrdp
+#organizationalUnitName =
+commonName = XRDP
+#emailAddress =
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF
--- a/xrdp.spec
+++ b/xrdp.spec
@ -10,6 +10,7 @@ Source0:   https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xr
 Source1:   xrdp-sesman.pamd
 Source2:   xrdp.sysconfig
 Source3:   xrdp.logrotate
+Source4:   openssl.conf
 Patch0:    xrdp-0.9.1-sesman.patch
 Patch1:    xrdp-0.9.1-xrdp-ini.patch
 Patch2:    xrdp-0.9.1-service.patch
@ -71,7 +72,7 @@ echo '#!/bin/bash -l
 %{__install} -Dp -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/xrdp

 #install openssl.conf /etc/xrdp
-%{__install} -Dp -m 644 keygen/openssl.conf %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
+%{__install} -Dp -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/xrdp/openssl.conf

 #install log file /var/log/xrdp-sesman.log
 %{__mkdir} -p %{buildroot}%{_localstatedir}/log/
@ -97,7 +98,6 @@ if [ ! -f %{_sysconfdir}/xrdp/cert.pem ]; then
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
    -keyout %{_sysconfdir}/xrdp/key.pem \
    -out %{_sysconfdir}/xrdp/cert.pem \
-    -subj /C=US/ST=CA/L=Sunnyvale/O=xrdp/CN=www.xrdp.org \
    -config %{_sysconfdir}/xrdp/openssl.conf
 fi