d21c1baf70
This will allow us to use the CA:FALSE extension, enabling us to safely store the generated certificates into the trust store automatically.
168 lines
7.3 KiB
Diff
168 lines
7.3 KiB
Diff
From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001
|
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
Date: Tue, 10 Dec 2013 09:09:58 -0500
|
|
Subject: [PATCH] Update SSL certificate generation
|
|
|
|
We will now generate x509v3 certificates with the CA:FALSE
|
|
constraint. This will allow us to automatically load it into a
|
|
local trust store safely. In order to do this, instead of creating
|
|
a true self-signed certificate, we will generate a private CA
|
|
certificate and sign the service with that.
|
|
---
|
|
rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------
|
|
1 file changed, 89 insertions(+), 29 deletions(-)
|
|
mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
|
|
diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
old mode 100644
|
|
new mode 100755
|
|
index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e
|
|
--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
+++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
@@ -4,22 +4,31 @@
|
|
# Creates a default ssl.cnf file.
|
|
# Generates a self-signed certificate for use by the cimserver.
|
|
#
|
|
-cnfChanged=0;
|
|
-if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
|
- mkdir -p ${PEGASUS_INSTALL_LOG%/*}
|
|
- mkdir -p $PEGASUS_CONFIG_DIR
|
|
- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+
|
|
+function create_ssl_cnf #(config_file, CN)
|
|
+{
|
|
+ SSL_CFG=$1
|
|
+ CA=$2 # Add a second argument to differentiate issuer from subject
|
|
+
|
|
+ # Create OpenSSL configuration files for generating certificates
|
|
+ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
echo "distinguished_name = req_distinguished_name" >> \
|
|
- $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+
|
|
+ # Include support for x509v3 so we can differentiate CA certificates
|
|
+ # from service certificates
|
|
+ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+
|
|
+ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
echo "O = The Open Group" >> \
|
|
- $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
echo "OU = The OpenPegasus Project" >> \
|
|
- $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
DN=`hostname`;
|
|
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
|
|
DN='localhost.localdomain';
|
|
@@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
|
FQDN="$DN";
|
|
fi;
|
|
# cannot use 'hostname --fqdn' because this can hang indefinitely
|
|
- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- chown root $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ # Hack the $CA onto the end of the CN so we differentiate the issuer
|
|
+ # of the signature from the subject
|
|
+ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+
|
|
+ # Add x509v3 extensions
|
|
+ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+}
|
|
+
|
|
+cnfChanged=0;
|
|
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
|
+ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
|
|
+ mkdir -p $PEGASUS_CONFIG_DIR
|
|
+
|
|
+ create_ssl_cnf ssl-ca.cnf CA
|
|
+ create_ssl_cnf ssl-service.cnf
|
|
+
|
|
+ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
|
|
+ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
|
|
+ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
|
|
cnfChanged=1;
|
|
fi
|
|
if [ $cnfChanged -eq 1 ] || \
|
|
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
|
|
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
|
|
- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
|
|
- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
|
|
- -keyout $PEGASUS_PEM_DIR/key.pem \
|
|
- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG
|
|
- chmod 700 $PEGASUS_PEM_DIR/*.pem
|
|
- cp -fp $PEGASUS_PEM_DIR/cert.pem \
|
|
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
|
- cp -fp $PEGASUS_PEM_DIR/key.pem \
|
|
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
|
|
+ # Create private key for the CA certificate
|
|
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048
|
|
+
|
|
+ # Create CA certificate:
|
|
+ /usr/bin/openssl req -new -x509 -days 3650 \
|
|
+ -key $PEGASUS_PEM_DIR/ca-key.pem \
|
|
+ -out $PEGASUS_PEM_DIR/ca.crt \
|
|
+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf
|
|
+
|
|
+ # Create private key for the service certificate
|
|
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
|
|
+
|
|
+ # Create a signing request for the service certificate
|
|
+ /usr/bin/openssl req -new \
|
|
+ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
|
|
+ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
|
|
+ -out $PEGASUS_PEM_DIR/server.csr
|
|
+
|
|
+ # Sign the request with the CA certificate
|
|
+ /usr/bin/openssl x509 -req -days 3650 \
|
|
+ -in $PEGASUS_PEM_DIR/server.csr \
|
|
+ -CA $PEGASUS_PEM_DIR/ca.crt \
|
|
+ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \
|
|
+ -CAcreateserial \
|
|
+ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
|
|
+ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
|
|
+
|
|
+ # Set file permissions appropriately
|
|
chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
|
|
- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
|
- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem
|
|
+ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
|
+
|
|
+ # Remove the certificate signing request
|
|
+ # It is not needed after the signature is complete
|
|
+ rm -f $PEGASUS_PEM_DIR/server.csr
|
|
+
|
|
+ # Remove the private key for the CA certificate
|
|
+ # This will ensure that it cannot be used to sign any other
|
|
+ # (possibly suspicious) certificates
|
|
+ # This does mean that generating a new certificate for this
|
|
+ # service will need a new CA cert, but most real deployments
|
|
+ # will use real infrastructure.
|
|
+ rm -f $PEGASUS_PEM_DIR/ca-key.pem
|
|
+
|
|
fi;
|
|
if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
|
|
- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
|
|
+ cp -fp $PEGASUS_PEM_DIR/ca.crt \
|
|
$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE
|
|
chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
|
|
fi;
|
|
--
|
|
1.8.4.2
|
|
|