From 8bcabff0c10f948b9b19e1c6b6515d9777dd798d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Mon, 19 Nov 2018 15:56:42 +0100 Subject: [PATCH] Modernize certificate generation - Use 2048 bit keys (required for modern OpenSSL) - Use SHA256 instead of SHA1 (required for modern OpenSSL) - Add a SubjectAltName to be able to trigger certain edge-cases - Add all.sh to conveniently re-generate certificates --- samples/certs/all.sh | 7 +++++++ samples/certs/clientA.sh | 4 ++-- samples/certs/clientB.sh | 4 ++-- samples/certs/rootA.sh | 4 ++-- samples/certs/rootB.sh | 4 ++-- samples/certs/serverA.cnf | 4 ++-- samples/certs/serverA.sh | 4 ++-- samples/certs/serverB.cnf | 2 +- samples/certs/serverB.sh | 4 ++-- 9 files changed, 22 insertions(+), 15 deletions(-) create mode 100644 samples/certs/all.sh diff --git a/samples/certs/all.sh b/samples/certs/all.sh new file mode 100644 index 0000000..ac62af1 --- /dev/null +++ b/samples/certs/all.sh @@ -0,0 +1,7 @@ +#!/bin/bash +./rootA.sh +./rootB.sh +./clientA.sh +./clientB.sh +./serverA.sh +./serverB.sh diff --git a/samples/certs/clientA.sh b/samples/certs/clientA.sh index 0350ede..118e186 100755 --- a/samples/certs/clientA.sh +++ b/samples/certs/clientA.sh @@ -1,9 +1,9 @@ #!/bin/sh -openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \ +openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \ -nodes -config ./clientA.cnf -days 365 -batch -openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \ +openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \ -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \ -out clientAcert.pem -days 365 diff --git a/samples/certs/clientB.sh b/samples/certs/clientB.sh index 94f8986..a39ae83 100755 --- a/samples/certs/clientB.sh +++ b/samples/certs/clientB.sh @@ -1,9 +1,9 @@ #!/bin/sh -openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \ +openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \ -nodes -config ./clientB.cnf -days 365 -batch -openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \ +openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \ -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \ -out clientBcert.pem -days 365 diff --git a/samples/certs/rootA.sh b/samples/certs/rootA.sh index 7b588bf..fcfcd73 100755 --- a/samples/certs/rootA.sh +++ b/samples/certs/rootA.sh @@ -1,7 +1,7 @@ #!/bin/sh -openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch +openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch -openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365 +openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365 openssl x509 -subject -issuer -noout -in rootA.pem diff --git a/samples/certs/rootB.sh b/samples/certs/rootB.sh index 53969b3..07b53a4 100755 --- a/samples/certs/rootB.sh +++ b/samples/certs/rootB.sh @@ -1,7 +1,7 @@ #!/bin/sh -openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch +openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch -openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365 +openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365 openssl x509 -subject -issuer -noout -in rootB.pem diff --git a/samples/certs/serverA.cnf b/samples/certs/serverA.cnf index b9c736f..c95f27c 100644 --- a/samples/certs/serverA.cnf +++ b/samples/certs/serverA.cnf @@ -118,7 +118,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert # so use this option with caution! string_mask = nombstr -# req_extensions = v3_req # The extensions to add to a certificate request +req_extensions = req_ext # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) @@ -198,7 +198,7 @@ authorityKeyIdentifier=keyid,issuer # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. -# subjectAltName=email:move +subjectAltName=DNS:foo.bar.example # Copy subject details # issuerAltName=issuer:copy diff --git a/samples/certs/serverA.sh b/samples/certs/serverA.sh index 7fa04e0..ac2b09d 100755 --- a/samples/certs/serverA.sh +++ b/samples/certs/serverA.sh @@ -1,9 +1,9 @@ #!/bin/sh -openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \ +openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \ -config ./serverA.cnf -nodes -days 365 -batch -openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \ +openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \ -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \ -out serverAcert.pem -days 365 diff --git a/samples/certs/serverB.cnf b/samples/certs/serverB.cnf index ec5d031..6af4159 100644 --- a/samples/certs/serverB.cnf +++ b/samples/certs/serverB.cnf @@ -195,7 +195,7 @@ authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. -# subjectAltName=email:copy +subjectAltName=DNS:fnord.bar.example # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move diff --git a/samples/certs/serverB.sh b/samples/certs/serverB.sh index c75b00a..091f1ac 100755 --- a/samples/certs/serverB.sh +++ b/samples/certs/serverB.sh @@ -1,9 +1,9 @@ #!/bin/sh -openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \ +openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \ -config ./serverB.cnf -nodes -days 365 -batch -openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \ +openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \ -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \ -out serverBcert.pem -days 365