make expiration and key length changeable by DAYS and KEYLEN
variables in the certificate Makefile (#1058108) - change default hash to sha256 (#1062325)
This commit is contained in:
Tomas Mraz
parent
40825564d8
commit
abe62302b2
@ -1,5 +1,8 @@
|
|||||||
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
||||||
SERIAL=0
|
SERIAL=0
|
||||||
|
DAYS=365
|
||||||
|
KEYLEN=2048
|
||||||
|
TYPE=rsa:$(KEYLEN)
|
||||||
|
|
||||||
.PHONY: usage
|
.PHONY: usage
|
||||||
.SUFFIXES: .key .csr .crt .pem
|
.SUFFIXES: .key .csr .crt .pem
|
||||||
@ -21,6 +24,7 @@ usage:
|
|||||||
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
||||||
@echo
|
@echo
|
||||||
@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
|
@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
|
||||||
|
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
||||||
@echo
|
@echo
|
||||||
@echo Examples:
|
@echo Examples:
|
||||||
@echo " make server.key"
|
@echo " make server.key"
|
||||||
@ -38,7 +42,7 @@ usage:
|
|||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
|
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
|
||||||
cat $$PEM1 > $@ ; \
|
cat $$PEM1 > $@ ; \
|
||||||
echo "" >> $@ ; \
|
echo "" >> $@ ; \
|
||||||
cat $$PEM2 >> $@ ; \
|
cat $$PEM2 >> $@ ; \
|
||||||
@ -46,7 +50,7 @@ usage:
|
|||||||
|
|
||||||
%.key:
|
%.key:
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
/usr/bin/openssl genrsa -aes128 2048 > $@
|
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
|
||||||
|
|
||||||
%.csr: %.key
|
%.csr: %.key
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
@ -54,7 +58,7 @@ usage:
|
|||||||
|
|
||||||
%.crt: %.key
|
%.crt: %.key
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
|
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
|
||||||
|
|
||||||
TLSROOT=/etc/pki/tls
|
TLSROOT=/etc/pki/tls
|
||||||
KEY=$(TLSROOT)/private/localhost.key
|
KEY=$(TLSROOT)/private/localhost.key
|
||||||
@ -71,4 +75,4 @@ $(CSR): $(KEY)
|
|||||||
|
|
||||||
$(CRT): $(KEY)
|
$(CRT): $(KEY)
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
|
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
|
||||||
|
|||||||
@ -1,13 +1,22 @@
|
|||||||
diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
|
diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
|
||||||
--- openssl-1.0.0f/apps/openssl.cnf.defaults 2011-12-06 01:01:00.000000000 +0100
|
--- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.0f/apps/openssl.cnf 2012-01-05 13:16:15.000000000 +0100
|
+++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100
|
||||||
|
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
|
||||||
|
|
||||||
|
default_days = 365 # how long to certify for
|
||||||
|
default_crl_days= 30 # how long before next CRL
|
||||||
|
-default_md = default # use public key default MD
|
||||||
|
+default_md = sha256 # use SHA-256 by default
|
||||||
|
preserve = no # keep passed DN ordering
|
||||||
|
|
||||||
|
# A few difference way of specifying how similar the request should look
|
||||||
@@ -103,7 +103,8 @@ emailAddress = optional
|
@@ -103,7 +103,8 @@ emailAddress = optional
|
||||||
|
|
||||||
####################################################################
|
####################################################################
|
||||||
[ req ]
|
[ req ]
|
||||||
-default_bits = 1024
|
-default_bits = 1024
|
||||||
+default_bits = 2048
|
+default_bits = 2048
|
||||||
+default_md = sha1
|
+default_md = sha256
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
@ -42,3 +51,12 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
|
|||||||
commonName_max = 64
|
commonName_max = 64
|
||||||
|
|
||||||
emailAddress = Email Address
|
emailAddress = Email Address
|
||||||
|
@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
|
||||||
|
default_policy = tsa_policy1 # Policy if request did not specify it
|
||||||
|
# (optional)
|
||||||
|
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
||||||
|
-digests = md5, sha1 # Acceptable message digests (mandatory)
|
||||||
|
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
|
||||||
|
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
|
||||||
|
clock_precision_digits = 0 # number of digits after dot. (optional)
|
||||||
|
ordering = yes # Is ordering defined for timestamps?
|
||||||
@ -21,7 +21,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1e
|
Version: 1.0.1e
|
||||||
Release: 38%{?dist}
|
Release: 39%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -39,7 +39,7 @@ Source12: ec_curve.c
|
|||||||
Source13: ectest.c
|
Source13: ectest.c
|
||||||
# Build changes
|
# Build changes
|
||||||
Patch1: openssl-1.0.1-beta2-rpmbuild.patch
|
Patch1: openssl-1.0.1-beta2-rpmbuild.patch
|
||||||
Patch2: openssl-1.0.0f-defaults.patch
|
Patch2: openssl-1.0.1e-defaults.patch
|
||||||
Patch4: openssl-1.0.0-beta5-enginesdir.patch
|
Patch4: openssl-1.0.0-beta5-enginesdir.patch
|
||||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
Patch5: openssl-0.9.8a-no-rpath.patch
|
||||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||||
@ -474,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
|
||||||
|
- make expiration and key length changeable by DAYS and KEYLEN
|
||||||
|
variables in the certificate Makefile (#1058108)
|
||||||
|
- change default hash to sha256 (#1062325)
|
||||||
|
|
||||||
* Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
|
* Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
|
||||||
- make 3des strength to be 128 bits instead of 168 (#1056616)
|
- make 3des strength to be 128 bits instead of 168 (#1056616)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user