make expiration and key length changeable by DAYS and KEYLEN
variables in the certificate Makefile (#1058108) - change default hash to sha256 (#1062325)
This commit is contained in:
parent
40825564d8
commit
abe62302b2
@ -1,5 +1,8 @@
|
||||
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
||||
SERIAL=0
|
||||
DAYS=365
|
||||
KEYLEN=2048
|
||||
TYPE=rsa:$(KEYLEN)
|
||||
|
||||
.PHONY: usage
|
||||
.SUFFIXES: .key .csr .crt .pem
|
||||
@ -21,6 +24,7 @@ usage:
|
||||
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
||||
@echo
|
||||
@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
|
||||
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
||||
@echo
|
||||
@echo Examples:
|
||||
@echo " make server.key"
|
||||
@ -38,7 +42,7 @@ usage:
|
||||
umask 77 ; \
|
||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||
/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
|
||||
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
|
||||
cat $$PEM1 > $@ ; \
|
||||
echo "" >> $@ ; \
|
||||
cat $$PEM2 >> $@ ; \
|
||||
@ -46,7 +50,7 @@ usage:
|
||||
|
||||
%.key:
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl genrsa -aes128 2048 > $@
|
||||
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
|
||||
|
||||
%.csr: %.key
|
||||
umask 77 ; \
|
||||
@ -54,7 +58,7 @@ usage:
|
||||
|
||||
%.crt: %.key
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
|
||||
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
|
||||
|
||||
TLSROOT=/etc/pki/tls
|
||||
KEY=$(TLSROOT)/private/localhost.key
|
||||
@ -71,4 +75,4 @@ $(CSR): $(KEY)
|
||||
|
||||
$(CRT): $(KEY)
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
|
||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
|
||||
|
@ -1,13 +1,22 @@
|
||||
diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
|
||||
--- openssl-1.0.0f/apps/openssl.cnf.defaults 2011-12-06 01:01:00.000000000 +0100
|
||||
+++ openssl-1.0.0f/apps/openssl.cnf 2012-01-05 13:16:15.000000000 +0100
|
||||
diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
|
||||
--- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100
|
||||
+++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100
|
||||
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
-default_md = default # use public key default MD
|
||||
+default_md = sha256 # use SHA-256 by default
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
@@ -103,7 +103,8 @@ emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
[ req ]
|
||||
-default_bits = 1024
|
||||
+default_bits = 2048
|
||||
+default_md = sha1
|
||||
+default_md = sha256
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
@ -25,7 +34,7 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
|
||||
+#stateOrProvinceName_default = Default Province
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
+localityName_default = Default City
|
||||
+localityName_default = Default City
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
-0.organizationName_default = Internet Widgits Pty Ltd
|
||||
@ -42,3 +51,12 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
|
||||
default_policy = tsa_policy1 # Policy if request did not specify it
|
||||
# (optional)
|
||||
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
||||
-digests = md5, sha1 # Acceptable message digests (mandatory)
|
||||
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
|
||||
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
|
||||
clock_precision_digits = 0 # number of digits after dot. (optional)
|
||||
ordering = yes # Is ordering defined for timestamps?
|
@ -21,7 +21,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.1e
|
||||
Release: 38%{?dist}
|
||||
Release: 39%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -39,7 +39,7 @@ Source12: ec_curve.c
|
||||
Source13: ectest.c
|
||||
# Build changes
|
||||
Patch1: openssl-1.0.1-beta2-rpmbuild.patch
|
||||
Patch2: openssl-1.0.0f-defaults.patch
|
||||
Patch2: openssl-1.0.1e-defaults.patch
|
||||
Patch4: openssl-1.0.0-beta5-enginesdir.patch
|
||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||
@ -474,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Feb 6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
|
||||
- make expiration and key length changeable by DAYS and KEYLEN
|
||||
variables in the certificate Makefile (#1058108)
|
||||
- change default hash to sha256 (#1062325)
|
||||
|
||||
* Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
|
||||
- make 3des strength to be 128 bits instead of 168 (#1056616)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user