Remove icinga2-build-ca, icinga2-build-key and icinga2-sign-key

refs #7244
2025-07-23 13:45:04 +02:00 · 2014-10-16 13:27:16 +02:00 · 2014-10-16 13:27:16 +02:00 · 5abc3cfe55
commit 5abc3cfe55
parent f67a11c183
16 changed files with 7 additions and 768 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -162,7 +162,6 @@ add_subdirectory(etc)
 add_subdirectory(itl)
 add_subdirectory(doc)
 add_subdirectory(test)
 add_subdirectory(pki)
 add_subdirectory(agent)
 set(CPACK_PACKAGE_NAME "Icinga2")
--- a/debian/icinga2-common.install
+++ b/debian/icinga2-common.install
@ -3,8 +3,6 @@ debian/tmp/etc/icinga2
 debian/tmp/etc/logrotate.d
 debian/tmp/etc/bash_completion.d
 tools/syntax/* 		      usr/share/icinga2-common/syntax
 usr/bin/icinga2-build*
 usr/bin/icinga2-sign-key
 usr/sbin/icinga2-*-agent
 usr/sbin/icinga2-list-agents
 usr/share/icinga2
--- a/doc/4-monitoring-remote-systems.md
+++ b/doc/4-monitoring-remote-systems.md
@ -197,9 +197,8 @@ object name.
 Example:
-    # icinga2-build-key icinga2a
+    # icinga2 pki new-cert --cn icinga2a --keyfile icinga2a.key --csrfile icinga2a.csr
-    ...
+    # icinga2 pki sign-csr < icinga2a.csr > icinga2a.crt
    Common Name (e.g. server FQDN or YOUR name) [icinga2a]:
    # vim cluster.conf
@ -234,22 +233,16 @@ for your Icinga 2 cluster.
 > You're free to use your own method to generated a valid ca and signed client
 > certificates.
-Please make sure to export the environment variable `ICINGA_CA` pointing to
+The first step is the creation of the certificate authority (CA) by running the
 an empty folder for the newly created CA files:
    # export ICINGA_CA="/root/icinga-ca"
 The scripts will put all generated data and the required certificates in there.
 The first step is the creation of the certificate authority (CA) running the
 following command:
-    # icinga2-build-ca
+    # icinga2 pki new-ca
 Now create a certificate and key file for each node running the following command
 (replace `icinga2a` with the required hostname):
-    # icinga2-build-key icinga2a
+    # icinga2 pki new-cert --cn icinga2a --keyfile icinga2a.key --csrfile icinga2a.csr
    # icinga2 pki sign-csr < icinga2a.csr > icinga2a.crt
 Repeat the step for all nodes in your cluster scenario.
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@ -19,7 +19,7 @@ file(GLOB DOCSRCS "*.md")
 if(UNIX OR CYGWIN)
  install(
-    FILES icinga2.8 icinga2-build-ca.8 icinga2-build-key.8 icinga2-sign-key.8 icinga2-prepare-dirs.8
+    FILES icinga2.8 icinga2-prepare-dirs.8
    DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
  )
 endif()
--- a/doc/icinga2-build-ca.8
+++ b/doc/icinga2-build-ca.8
@ -1,25 +0,0 @@
 .TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
 .SH NAME
 icinga2-build-ca \- Build Icinga 2 certificate authority
 .SH DESCRIPTION
 icinga2-build-ca \- Build Icinga 2 certificate authority
 Requires the environment variable ICINGA_CA set to an empty
 writable directory.
 .SH AUTHOR
 Icinga2 is maintained by the Icinga Project <info@icinga.org>.
 .SH "REPORTING BUGS"
 Report bugs at <https://dev.icinga.org/>
 .br
 Icinga home page: <http://www.icinga.org/>
 .SH COPYRIGHT
 Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
 License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
 .br
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
--- a/doc/icinga2-build-key.8
+++ b/doc/icinga2-build-key.8
@ -1,25 +0,0 @@
 .TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
 .SH NAME
 icinga2-build-key \- Build Icinga 2 certificate key
 .SH DESCRIPTION
 icinga2-build-key \- Build Icinga 2 certificate key
 Requires the environment variable ICINGA_CA set to an empty
 writable directory.
 .SH AUTHOR
 Icinga2 is maintained by the Icinga Project <info@icinga.org>.
 .SH "REPORTING BUGS"
 Report bugs at <https://dev.icinga.org/>
 .br
 Icinga home page: <http://www.icinga.org/>
 .SH COPYRIGHT
 Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
 License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
 .br
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
--- a/doc/icinga2-sign-key.8
+++ b/doc/icinga2-sign-key.8
@ -1,25 +0,0 @@
 .TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
 .SH NAME
 icinga2-sign-key \- Sign Icinga 2 certificate key
 .SH DESCRIPTION
 icinga2-sign-key \- Sign Icinga 2 certificate key
 Requires the environment variable ICINGA_CA set to an empty
 writable directory.
 .SH AUTHOR
 Icinga2 is maintained by the Icinga Project <info@icinga.org>.
 .SH "REPORTING BUGS"
 Report bugs at <https://dev.icinga.org/>
 .br
 Icinga home page: <http://www.icinga.org/>
 .SH COPYRIGHT
 Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
 License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
 .br
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
--- a/icinga2.spec
+++ b/icinga2.spec
@ -453,10 +453,6 @@ exit 0
 %config(noreplace) %attr(0640,%{icinga_user},%{icinga_group}) %{_sysconfdir}/%{name}/zones.d/*
 %config(noreplace) %{_sysconfdir}/%{name}/scripts/*
 %{_sbindir}/%{name}
 %{_bindir}/%{name}-build-ca
 %{_bindir}/%{name}-build-key
 %{_bindir}/%{name}-sign-key
 %{_sbindir}/%{name}-list-objects
 %{_sbindir}/%{name}-setup-agent
 %{_sbindir}/%{name}-discover-agent
 %{_sbindir}/%{name}-forget-agent
@ -468,9 +464,6 @@ exit 0
 %{_datadir}/%{name}
 %exclude %{_datadir}/%{name}/include
 %{_mandir}/man8/%{name}.8.gz
 %{_mandir}/man8/%{name}-build-ca.8.gz
 %{_mandir}/man8/%{name}-build-key.8.gz
 %{_mandir}/man8/%{name}-sign-key.8.gz
 %{_mandir}/man8/%{name}-prepare-dirs.8.gz
 %attr(0750,%{icinga_user},%{icingacmd_group}) %{_localstatedir}/cache/%{name}
--- a/pki/CMakeLists.txt
+++ b/pki/CMakeLists.txt
@ -1,34 +0,0 @@
 # Icinga 2
 # Copyright (C) 2012-2014 Icinga Development Team (http://www.icinga.org)
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software Foundation
 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
 if(UNIX OR CYGWIN)
  configure_file(icinga2-build-ca.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca @ONLY)
  configure_file(icinga2-build-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key @ONLY)
  configure_file(icinga2-sign-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key @ONLY)
  install(
    FILES ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key
          ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key
    DESTINATION ${CMAKE_INSTALL_BINDIR}
    PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
  )
  install(
    FILES openssl.cnf openssl-quiet.cnf pkifuncs vars
    DESTINATION ${CMAKE_INSTALL_DATADIR}/icinga2/pki
  )
 endif()
--- a/pki/icinga2-build-ca.cmake
+++ b/pki/icinga2-build-ca.cmake
@ -1,23 +0,0 @@
 #!/bin/sh
 ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
 . $ICINGA2PKIDIR/pkifuncs
 check_pki_dir
 if [ `ls -1 -- $ICINGA_CA | wc -l` != 0 ]; then
 	echo "The Icinga CA directory must be empty." >&2
 	exit 1
 fi
 chmod 700 $ICINGA_CA >/dev/null 2>&1
 echo '01' > $ICINGA_CA/serial
 touch $ICINGA_CA/index.txt
 cp $ICINGA2PKIDIR/vars $ICINGA_CA/
 . $ICINGA_CA/vars
 KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl-quiet.cnf -new -newkey rsa:4096 -x509 -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt && \
 	chmod 600 $ICINGA_CA/ca.key && \
 	echo -e "\n\tIf you want to change the default settings for server certificates check out \"$ICINGA_CA/vars\".\n"
--- a/pki/icinga2-build-key.cmake
+++ b/pki/icinga2-build-key.cmake
@ -1,33 +0,0 @@
 #!/bin/sh
 ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
 . $ICINGA2PKIDIR/pkifuncs
 if [ -z "$1" ]; then
 	echo "Syntax: $0 <name>" >&2
 	exit 1
 fi
 name=$1
 check_pki_dir
 if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
 	echo "Please build a CA certificate first." >&2
 	exit 1
 fi
 [ -f $ICINGA_CA/vars ] && . $ICINGA_CA/vars
 [ -z "$REQ_COUNTRY_NAME" ] && export REQ_COUNTRY_NAME="AU"
 [ -z "$REQ_STATE" ] && export REQ_STATE="Some-State"
 [ -z "$REQ_ORGANISATION" ] && export REQ_ORGANISATION="Internet Widgits Pty Ltd"
 [ -z "$REQ_ORG_UNIT" ] && export REQ_ORG_UNIT="Monitoring"
 [ -z "$REQ_COMMON_NAME" ] && export REQ_COMMON_NAME="Icinga CA"
 [ -z "$REQ_DAYS" ] && export REQ_DAYS="3650"
 REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA_CA" openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
 	openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.tmp -CAserial $ICINGA_CA/serial && \
 	chmod 600 $ICINGA_CA/$name.key && \
 	openssl x509 -in $ICINGA_CA/$name.tmp -text > $ICINGA_CA/$name.crt && \
 	rm -f $ICINGA_CA/$name.csr $ICINGA_CA/$name.tmp
--- a/pki/icinga2-sign-key.cmake
+++ b/pki/icinga2-sign-key.cmake
@ -1,51 +0,0 @@
 #!/bin/sh
 ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
 . $ICINGA2PKIDIR/pkifuncs
 if [ -z "$1" ]; then
 	echo "Syntax: $0 <csr-file>" >&2
 	exit 1
 fi
 check_pki_dir
 csrfile=$1
 if [ ! -e "$ICINGA_CA/$csrfile" ]; then
 	echo "The specified CSR file does not exist."
 	exit 1
 fi
 pubkfile=${csrfile%.*}
 if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
 	echo "Please build a CA certificate first." >&2
 	exit 1
 fi
 [ -f $ICINGA_CA/vars ] && . $ICINGA_CA/vars
 if ! openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$csrfile -outform PEM -out $ICINGA_CA/$pubkfile.crt -CAserial $ICINGA_CA/serial; then
 	echo "Signing the CSR failed." >&2
 	exit 1
 fi
 cn=`openssl x509 -in $pubkfile.crt -subject | grep -Eo '/CN=[^ ]+' | cut -f2- -d=`
 case "$cn" in
  */*)
    echo "commonName contains invalid character (/)."
    exit 1
  ;;
 esac
 mv $pubkfile.crt $cn.crt
 pubkfile=$cn
 # Make an agent bundle file
 tar cz -C $ICINGA_CA $pubkfile.crt ca.crt | base64 > $ICINGA_CA/$pubkfile.bundle
 echo "Done. $pubkfile.crt and $pubkfile.bundle files were written."
 exit 0
--- a/pki/openssl-quiet.cnf
+++ b/pki/openssl-quiet.cnf
@ -1,238 +0,0 @@
 #
 # OpenSSL example configuration file.
 # This is mostly being used for generation of certificate requests.
 #
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
 # extensions		= 
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 [ new_oids ]
 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
 # Or use config file substitution like this:
 # testoid2=${testoid1}.5.6
 # Policies used by the TSA examples.
 tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 dir		= $ENV::KEY_DIR		# Where everything is kept
 certs		= $dir			# Where the issued certs are kept
 crl_dir		= $dir			# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
 					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/ca.crt 		# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/ca.key		# The private key
 RANDFILE	= $dir/.rand		# private random number file
 x509_extensions	= usr_cert		# The extentions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options
 # Extension copying option: use with caution.
 # copy_extensions = copy
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
 default_md	= default		# use public key default MD
 preserve	= no			# keep passed DN ordering
 # A few difference way of specifying how similar the request should look
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that :-)
 policy		= policy_anything
 # For the CA policy
 [ policy_match ]
 countryName		= match
 stateOrProvinceName	= match
 organizationName	= match
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 # For the 'anything' policy
 # At this point in time, you must list all acceptable 'object'
 # types.
 [ policy_anything ]
 countryName		= optional
 stateOrProvinceName	= optional
 localityName		= optional
 organizationName	= optional
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 ####################################################################
 [ req ]
 default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 prompt                  = no
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
 # output_password = secret
 # This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
 string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
 [ req_distinguished_name ]
 CN                              = $ENV::REQ_COMMON_NAME
 # SET-ex3			= SET extension number 3
 [ usr_cert ]
 # These extensions are added when 'ca' signs a request.
 # This goes against PKIX guidelines but some CAs do it and some software
 # requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
 # Here are some examples of the usage of nsCertType. If it is omitted
 # the certificate can be used for anything *except* object signing.
 # This is OK for an SSL server.
 # nsCertType			= server
 # For an object signing certificate this would be used.
 # nsCertType = objsign
 # For normal client use this is typical
 # nsCertType = client, email
 # and for everything including object signing:
 # nsCertType = client, email, objsign
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
 nsComment			= "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 extendedKeyUsage=clientAuth,serverAuth
 keyUsage=digitalSignature
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
 # subjectAltName=email:move
 # Copy subject details
 # issuerAltName=issuer:copy
 #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
 #nsBaseUrl
 #nsRevocationUrl
 #nsRenewalUrl
 #nsCaPolicyUrl
 #nsSslServerName
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 [ v3_req ]
 # Extensions to add to a certificate request
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 [ v3_ca ]
 # Extensions for a typical CA
 # PKIX recommendation.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
 #basicConstraints = critical,CA:true
 # So we do this instead.
 basicConstraints = CA:true
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 # Some might want this also
 # nsCertType = sslCA, emailCA
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
 # issuerAltName=issuer:copy
 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
 # Where 'obj' is a standard or added object
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
 [ crl_ext ]
 # CRL extensions.
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always
--- a/pki/openssl.cnf
+++ b/pki/openssl.cnf
@ -1,270 +0,0 @@
 #
 # OpenSSL example configuration file.
 # This is mostly being used for generation of certificate requests.
 #
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
 # extensions		= 
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 [ new_oids ]
 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
 # Or use config file substitution like this:
 # testoid2=${testoid1}.5.6
 # Policies used by the TSA examples.
 tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 dir		= $ENV::KEY_DIR		# Where everything is kept
 certs		= $dir			# Where the issued certs are kept
 crl_dir		= $dir			# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
 					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/ca.crt 		# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/ca.key		# The private key
 RANDFILE	= $dir/.rand		# private random number file
 x509_extensions	= usr_cert		# The extentions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options
 # Extension copying option: use with caution.
 # copy_extensions = copy
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
 default_md	= default		# use public key default MD
 preserve	= no			# keep passed DN ordering
 # A few difference way of specifying how similar the request should look
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that :-)
 policy		= policy_anything
 # For the CA policy
 [ policy_match ]
 countryName		= match
 stateOrProvinceName	= match
 organizationName	= match
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 # For the 'anything' policy
 # At this point in time, you must list all acceptable 'object'
 # types.
 [ policy_anything ]
 countryName		= optional
 stateOrProvinceName	= optional
 localityName		= optional
 organizationName	= optional
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 ####################################################################
 [ req ]
 default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
 # output_password = secret
 # This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
 string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
 countryName_default		= $ENV::REQ_COUNTRY_NAME
 countryName_min			= 2
 countryName_max			= 2
 stateOrProvinceName		= State or Province Name (full name)
 stateOrProvinceName_default	= $ENV::REQ_STATE
 localityName			= Locality Name (eg, city)
 0.organizationName		= Organization Name (eg, company)
 0.organizationName_default	= $ENV::REQ_ORGANISATION
 # we can do this but it is not needed normally :-)
 #1.organizationName		= Second Organization Name (eg, company)
 #1.organizationName_default	= World Wide Web Pty Ltd
 organizationalUnitName		= Organizational Unit Name (eg, section)
 organizationalUnitName_default	= $ENV::REQ_ORG_UNIT
 commonName			= Common Name (e.g. server FQDN or YOUR name)
 commonName_max			= 64
 commonName_default		= $ENV::REQ_COMMON_NAME
 #emailAddress			= Email Address
 #emailAddress_max		= 64
 # SET-ex3			= SET extension number 3
 [ req_attributes ]
 challengePassword		= A challenge password
 challengePassword_min		= 4
 challengePassword_max		= 20
 unstructuredName		= An optional company name
 [ usr_cert ]
 # These extensions are added when 'ca' signs a request.
 # This goes against PKIX guidelines but some CAs do it and some software
 # requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
 # Here are some examples of the usage of nsCertType. If it is omitted
 # the certificate can be used for anything *except* object signing.
 # This is OK for an SSL server.
 # nsCertType			= server
 # For an object signing certificate this would be used.
 # nsCertType = objsign
 # For normal client use this is typical
 # nsCertType = client, email
 # and for everything including object signing:
 # nsCertType = client, email, objsign
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
 nsComment			= "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 extendedKeyUsage=clientAuth,serverAuth
 keyUsage=digitalSignature
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated according to PKIX.
 # subjectAltName=email:move
 # Copy subject details
 # issuerAltName=issuer:copy
 #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
 #nsBaseUrl
 #nsRevocationUrl
 #nsRenewalUrl
 #nsCaPolicyUrl
 #nsSslServerName
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 [ v3_req ]
 # Extensions to add to a certificate request
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 [ v3_ca ]
 # Extensions for a typical CA
 # PKIX recommendation.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
 #basicConstraints = critical,CA:true
 # So we do this instead.
 basicConstraints = CA:true
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 # Some might want this also
 # nsCertType = sslCA, emailCA
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
 # issuerAltName=issuer:copy
 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
 # Where 'obj' is a standard or added object
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
 [ crl_ext ]
 # CRL extensions.
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always
--- a/pki/pkifuncs
+++ b/pki/pkifuncs
@ -1,12 +0,0 @@
 check_pki_dir() {
 	if [ -z "$ICINGA_CA" ]; then
 		echo "Please set the ICINGA_CA environment variable to the path for your Icinga CA." >&2
 		echo "e.g.: export ICINGA_CA=\"$HOME/icinga-ca\"" >&2
 		exit 1
 	fi
 	if [ ! -d "$ICINGA_CA" ]; then
 		echo "The path you specified in the ICINGA_CA environment variable ($ICINGA_CA) does not exist or is not a directory." >&2
 		exit 1
 	fi
 }
--- a/pki/vars
+++ b/pki/vars
@ -1,8 +0,0 @@
 # Icinga 2 default CA vars
 export REQ_COUNTRY_NAME="AU"
 export REQ_STATE="Some-State"
 export REQ_ORGANISATION="Internet Widgits Pty Ltd"
 export REQ_ORG_UNIT="Monitoring"
 export REQ_COMMON_NAME="Icinga CA"
 export REQ_DAYS="3650"