Set CA flag for new CA certificates

refs #7247

lib/base/tlsutility.cpp

@@ -22,7 +22,6 @@
 #include "base/logger_fwd.hpp"
 #include "base/context.hpp"
 
-
 namespace icinga
 {
 
@@ -246,7 +245,7 @@ shared_ptr<X509> GetX509Certificate(const String& pemfile)
 	return shared_ptr<X509>(cert, X509_free);
 }
 
-int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile, const String& certfile)
+int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile, const String& certfile, bool ca)
 {
 	InitializeOpenSSL();
 
@@ -281,6 +280,21 @@ int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile,
 		X509_NAME *name = X509_get_subject_name(cert);
 		X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);
 		X509_set_issuer_name(cert, name);
+		
+		if (ca) {
+			X509_EXTENSION *ext;
+			X509V3_CTX ctx;
+			X509V3_set_ctx_nodb(&ctx);
+			X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
+			ext = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast<char *>("critical,CA:TRUE"));
+			
+			if (ext)
+				X509_add_ext(cert, ext, -1);
+			
+			X509_EXTENSION_free(ext);
+		}
+		
+		
 		X509_sign(cert, key, EVP_sha1());
 		
 		Log(LogInformation, "base", "Writing X509 certificate to '" + certfile + "'.");

lib/base/tlsutility.hpp

@@ -29,6 +29,7 @@
 #include <openssl/err.h>
 #include <openssl/comp.h>
 #include <openssl/sha.h>
+#include <openssl/x509v3.h>
 
 namespace icinga
 {
@@ -37,7 +38,7 @@ shared_ptr<SSL_CTX> I2_BASE_API MakeSSLContext(const String& pubkey, const Strin
 void I2_BASE_API AddCRLToSSLContext(const shared_ptr<SSL_CTX>& context, const String& crlPath);
 String I2_BASE_API GetCertificateCN(const shared_ptr<X509>& certificate);
 shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile);
-int I2_BASE_API MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String());
+int I2_BASE_API MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false);
 String I2_BASE_API SHA256(const String& s);
 
 class I2_BASE_API openssl_error : virtual public std::exception, virtual public boost::exception { };

lib/cli/pkinewcacommand.cpp

@@ -63,7 +63,7 @@ int PKINewCACommand::Run(const boost::program_options::variables_map& vm) const
 		return 1;
 	}
 	
-	MakeX509CSR("Icinga CA", cadir + "/ca.key", String(), cadir + "/ca.crt");
+	MakeX509CSR("Icinga CA", cadir + "/ca.key", String(), cadir + "/ca.crt", true);
 	
 	String serialpath = cadir + "/serial.txt";