Enhance SSL building scripts.

Refs #4948
Ricardo Bartels 2013-10-23 13:02:38 +02:00
parent 9a031efb75
commit 047d5db1a4
5 changed files with 36 additions and 12 deletions


@ -5,6 +5,7 @@ bin_SCRIPTS = \
icinga2pkidir = ${pkgdatadir}/pki
icinga2pki_DATA = \
pkifuncs \
vars \
openssl.cnf
CLEANFILES = $(bin_SCRIPTS)


@ -14,7 +14,13 @@ if [ $(ls -1 -- $ICINGA_CA | wc -l) != 0 ]; then
exit 1
fi
chmod 700 $ICINGA_CA >/dev/null 2>&1
echo '01' > $ICINGA_CA/serial
touch $ICINGA_CA/index.txt
CN_DEFAULT="Icinga CA" KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -x509 -nodes -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt
cp $ICINGA2PKIDIR/vars $ICINGA_CA/
source $ICINGA_CA/vars
KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -x509 -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt && \
echo -e "\n\tIf you want to change the default settings for server certificates check out \"$ICINGA_CA/vars\".\n"
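Review bot: The CA certificate lifetime on the new `openssl req ... -x509` line is still hard-coded as `-days 3650` even though the hunk now copies and sources `$ICINGA_CA/vars`, which exports REQ_DAYS, and the sign script in this same commit reads `"$REQ_DAYS"`; the two scripts disagree on where the lifetime comes from. If the CA should honour the vars file, change it to `-days "$REQ_DAYS"`; if a fixed CA lifetime is deliberate, a comment saying so (`# CA lifetime intentionally fixed; REQ_DAYS only governs host certs`) stops the next reader from "fixing" it. Dropping `-nodes` from the request means openssl will prompt for a passphrase and write an encrypted ca.key, and every later signing run with `-CAkey` will prompt for it again — worth stating in the hint message or a comment, since the old line produced an unencrypted key. The `&& \` only gates the hint, so a failed or aborted openssl run still leaves `serial` and `index.txt` behind in a half-initialised CA directory that the `ls | wc -l` guard at the top of the hunk will then refuse to reuse. The enclosing script continues outside the hunk.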


@ -21,7 +21,16 @@ if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
exit 1
fi
CN_DEFAULT=$name KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
openssl x509 -days 3650 -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.crt -CAserial $ICINGA_CA/serial
[ -f $ICINGA_CA/vars ] && source $ICINGA_CA/vars
[ -z "$REQ_COUNTRY_NAME" ] && export REQ_COUNTRY_NAME="AU"
[ -z "$REQ_STATE" ] && export REQ_STATE="Some-State"
[ -z "$REQ_ORGANISATION" ] && export REQ_ORGANISATION="Internet Widgits Pty Ltd"
[ -z "$REQ_ORG_UNIT" ] && export REQ_ORG_UNIT="Monitoring"
[ -z "$REQ_COMMON_NAME"] && export REQ_COMMON_NAME="Icinga CA"
[ -z "$REQ_DAYS" ] && export REQ_DAYS="3650"
REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA_CA" openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.tmp -CAserial $ICINGA_CA/serial && \
openssl x509 -in $ICINGA_CA/$name.tmp -text > $ICINGA_CA/$name.crt && \
rm -f $ICINGA_CA/$name.csr $ICINGA_CA/$name.tmp
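Review bot: The default for REQ_COMMON_NAME is missing the space before the closing bracket: `[ -z "$REQ_COMMON_NAME"] && export REQ_COMMON_NAME="Icinga CA"` glues `]` to the value, so when vars has set the variable `[` receives `Icinga CA]`, prints `missing ]` on stderr and returns 2 — the outcome happens to be right either way, but the error shows on every run; it should read `[ -z "$REQ_COMMON_NAME" ] && export REQ_COMMON_NAME="Icinga CA"`. Note the value is overridden with `$name` on the `openssl req` line anyway, so the default only affects the CA-setup path, which is worth a short comment. Separately, `$name` is spliced unquoted into every output path (`$ICINGA_CA/$name.key`, `.csr`, `.tmp`, `.crt`) and into the CN; where it is assigned is outside the hunk, so if it comes from the command line a guard such as `case $name in ""|*/*|.*) echo "invalid name: $name" >&2; exit 1;; esac` placed before this block would keep a crafted argument from writing key material outside `$ICINGA_CA`. The enclosing script starts before the hunk.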


@ -78,7 +78,7 @@ preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
policy = policy_anything
# For the CA policy
[ policy_match ]
@ -126,28 +126,28 @@ string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_default = $ENV::REQ_COUNTRY_NAME
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
stateOrProvinceName_default = $ENV::REQ_STATE
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
0.organizationName_default = $ENV::REQ_ORGANISATION
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Icinga
organizationalUnitName_default = $ENV::REQ_ORG_UNIT
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = $ENV::CN_DEFAULT
commonName_default = $ENV::REQ_COMMON_NAME
#emailAddress = Email Address
#emailAddress_max = 64
@ -155,9 +155,9 @@ commonName_default = $ENV::CN_DEFAULT
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
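Review bot: Switching `[ CA_default ]` to `policy = policy_anything` removes the requirement that an issued certificate's C/ST/O match the CA's; the two scripts in this commit sign with `openssl x509 -req`, which does not consult `CA_default`, so the line has no effect on them but silently relaxes issuance for anyone who later runs `openssl ca` against this config — a comment such as `# policy_anything: only read by 'openssl ca'; the pki scripts sign with 'openssl x509 -req'` would make that deliberate. Uncommenting `challengePassword` in `[ req_attributes ]` means every `openssl req -new` using this config now prompts for a challenge password and stores what is typed in the CSR; the sign script removes its .csr afterwards, but the CA-setup request will presumably prompt too, so if the prompt is not wanted those three lines should stay commented. The `$ENV::REQ_*` defaults also make the config unusable by hand: OpenSSL aborts when a referenced variable is unset, so anyone invoking `openssl req -config openssl.cnf` outside the wrapper scripts must export all six REQ_* variables, which deserves a comment at the top of `[ req_distinguished_name ]` naming them.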

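--- /dev/null
+++ b/pki/vars
@@ -0,0 +1,8 @@
+# Icinga 2 default CA vars
+export REQ_COUNTRY_NAME="AU"
+export REQ_STATE="Some-State"
+export REQ_ORGANISATION="Internet Widgits Pty Ltd"
+export REQ_ORG_UNIT="Monitoring"
+export REQ_COMMON_NAME="Icinga CA"
+export REQ_DAYS="3650"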
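Review bot: The file has no header saying that it is sourced as shell code by both the CA-setup and sign scripts, so anything placed in it executes with the caller's privileges; the one-line `# Icinga 2 default CA vars` comment could become `# Sourced as shell by the pki scripts (keep it owned by the CA user, writable only by them); values reach openssl.cnf via $ENV::`. `REQ_COMMON_NAME="Icinga CA"` only ever applies to the CA certificate, because the sign script overrides it with the host name on its `openssl req` line, whereas `REQ_DAYS` is the lifetime of every host certificate signed later — a comment on each of those two lines would spare users from editing a value that has no effect or from missing one that does. A ten-year default for host certificates is long for a monitoring daemon; if that is intended it is worth saying so next to the value.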