#!/bin/sh
CONFDIR=@prefix@/conf/ssl
-DAYS=365
+DAYS=2190
+KEY_SIZE=2048
TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
if [ ! -e "${CONFDIR}/CA/config.tpl" ]; then
cat > "${CONFDIR}/CA/config.tpl" <<-EOF
[ req ]
- default_bits = 1024
+ default_bits = $ENV::KEY_SIZE
prompt = no
distinguished_name = req_dn
commonName = %CN%
organizationName = %ORG%
- [ ext ]
+ [ server ]
+ nsComment="FS Server Cert"
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=%ALTNAME%
+ nsCertType=server
+ extendedKeyUsage=serverAuth
+
+ [ client ]
+ nsComment="FS Client Cert"
+ basicConstraints=CA:FALSE
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid,issuer:always
+ subjectAltName=%ALTNAME%
+ nsCertType=client
+ extendedKeyUsage=clientAuth
EOF
fi
"${CONFDIR}/CA/config.tpl" \
> "${TMPFILE}.cfg" || exit 1
- openssl req -new -out "${CONFDIR}/CA/careq.pem" \
- -newkey rsa:1024 -keyout "${CONFDIR}/CA/cakey.pem" \
+ openssl req -out "${CONFDIR}/CA/cacert.pem" \
+ -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
-config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
-
- openssl x509 -req -signkey "${CONFDIR}/CA/cakey.pem" -in "${CONFDIR}/CA/careq.pem" \
- -out "${CONFDIR}/CA/cacert.pem" -extfile "${TMPFILE}.cfg" \
- -extensions ext -days ${DAYS} -sha1 >/dev/null || exit 1
-
+ cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
rm "${TMPFILE}.cfg"
echo "DONE"
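Review bot: The config.tpl heredoc uses an unquoted delimiter, so the added `default_bits = $ENV::KEY_SIZE` line is expanded by the shell when the template is written: `$ENV` is an ordinary parameter here (normally empty under `#!/bin/sh`), so OpenSSL never sees the `$ENV::` lookup. Write the delimiter as `cat > "${CONFDIR}/CA/config.tpl" <<-'EOF'` (no other `$` appears in the template; the `%…%` placeholders are substituted later), and since no `export` is visible in the hunk, add `export KEY_SIZE` so the lookup can succeed at run time. The new self-signed CA command (`openssl req -out … -new -x509`) carries no `-days`, whereas the removed `openssl x509 -req` step it replaces had `-days ${DAYS}`; without it OpenSSL falls back to its own default validity, so add `-days "${DAYS}"` there. Independently, `-sha1` is kept on every signing command in this hunk and in the following one (both `req` and `x509 -req` calls); `-sha256` is the appropriate digest now that the key size is being raised to 2048.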
> "${TMPFILE}.cfg" || exit 1
openssl req -new -out "${TMPFILE}.req" \
- -newkey rsa:1024 -keyout "${TMPFILE}.key" \
+ -newkey rsa: -keyout "${TMPFILE}.key" \
-config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
-in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
- -extensions ext -days ${DAYS} -sha1 >/dev/null || exit 1
+ -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
- cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
rm "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
echo "DONE"
}
-
+OUTFILESET="0"
command="$1"
shift
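Review bot: `-newkey rsa:` on the new line inside generate_cert has nothing after the colon, so the new KEY_SIZE setting never reaches the leaf keys and OpenSSL is handed an empty bit count; it should read `-newkey "rsa:${KEY_SIZE}"`. The unencrypted (`-nodes`) private key is written to `${TMPFILE}.key`, and TMPFILE (defined at the top of the file) is a predictable `/tmp` name built from the PID and a timestamp, so a private directory from `mktemp -d` plus a restrictive umask would be safer for the `.key`, `.req` and `.crt` intermediates and for the concatenated `${CONFDIR}/${OUTFILE}`. The start of generate_cert lies outside this hunk.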
-out)
shift
OUTFILE="$1"
+ OUTFILESET="1"
;;
-days)
shift
;;
create)
+ EXTENSIONS="server"
+ generate_cert
+ ;;
+ create_server)
+ EXTENSIONS="server"
+ generate_cert
+ ;;
+ create_client)
+ EXTENSIONS="client"
+ if [ "${OUTFILESET}" = "0" ]; then
+ OUTFILE="client.pem"
+ fi
generate_cert
;;
*)
cat <<-EOF
- $0 <setup|create|clean> [options]
+ $0 <setup|create_server|create_client|clean> [options]
* commands:
setup - Setup new CA
remove - Remove CA
- create - Create new certificate (overwriting old!)
-
+ create_server - Create new certificate (overwriting existing!)
+ create_client - Create a new client certificate (overwrites existing!)
* options: