mirror of
https://github.com/brunoos/luasec.git
synced 2024-12-26 12:48:20 +01:00
Modernize certificate generation
- Use 2048 bit keys (required for modern OpenSSL) - Use SHA256 instead of SHA1 (required for modern OpenSSL) - Add a SubjectAltName to be able to trigger certain edge-cases - Add all.sh to conveniently re-generate certificates
This commit is contained in:
parent
550777a9d6
commit
8bcabff0c1
7
samples/certs/all.sh
Normal file
7
samples/certs/all.sh
Normal file
@ -0,0 +1,7 @@
|
||||
#!/bin/bash
|
||||
./rootA.sh
|
||||
./rootB.sh
|
||||
./clientA.sh
|
||||
./clientB.sh
|
||||
./serverA.sh
|
||||
./serverB.sh
|
@ -1,9 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
|
||||
-nodes -config ./clientA.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
|
||||
openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
|
||||
-extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
|
||||
-out clientAcert.pem -days 365
|
||||
|
||||
|
@ -1,9 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
|
||||
-nodes -config ./clientB.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
|
||||
openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
|
||||
-extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
|
||||
-out clientBcert.pem -days 365
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
|
||||
openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
|
||||
|
||||
openssl x509 -subject -issuer -noout -in rootA.pem
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
|
||||
openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
|
||||
|
||||
openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
|
||||
openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
|
||||
|
||||
openssl x509 -subject -issuer -noout -in rootB.pem
|
||||
|
@ -118,7 +118,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
# so use this option with caution!
|
||||
string_mask = nombstr
|
||||
|
||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||
req_extensions = req_ext # The extensions to add to a certificate request
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
@ -198,7 +198,7 @@ authorityKeyIdentifier=keyid,issuer
|
||||
# subjectAltName=email:copy
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
subjectAltName=DNS:foo.bar.example
|
||||
|
||||
# Copy subject details
|
||||
# issuerAltName=issuer:copy
|
||||
|
@ -1,9 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
|
||||
openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
|
||||
-config ./serverA.cnf -nodes -days 365 -batch
|
||||
|
||||
openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
|
||||
openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
|
||||
-extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
|
||||
-out serverAcert.pem -days 365
|
||||
|
||||
|
@ -195,7 +195,7 @@ authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
# This stuff is for subjectAltName and issuerAltname.
|
||||
# Import the email address.
|
||||
# subjectAltName=email:copy
|
||||
subjectAltName=DNS:fnord.bar.example
|
||||
# An alternative to produce certificates that aren't
|
||||
# deprecated according to PKIX.
|
||||
# subjectAltName=email:move
|
||||
|
@ -1,9 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
|
||||
openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
|
||||
-config ./serverB.cnf -nodes -days 365 -batch
|
||||
|
||||
openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
|
||||
openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
|
||||
-extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
|
||||
-out serverBcert.pem -days 365
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user