X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=generateKeys.sh;h=d032a7b6aa832a6810acf28d41bda1af02cdfd9e;hb=33ef004d3397046e13bc94533c81ccc3261d6a9c;hp=d1b15ca1737b2b1217f2ac9941e4d3b208388d53;hpb=fd12e48f597a3edd99f8b235a897e36faa745ceb;p=nre.git
diff --git a/generateKeys.sh b/generateKeys.sh
index d1b15ca..d032a7b 100755
--- a/generateKeys.sh
+++ b/generateKeys.sh
@@ -5,11 +5,13 @@ set -e
 . structure
 . commonFunctions
+mkdir -p generated
+cd generated
 ####### create various extensions files for the various certificate types ######
 cat < ca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+basicConstraints = critical,CA:true
+keyUsage =critical, keyCertSign, cRLSign
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
@@ -18,20 +20,33 @@ crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
 TESTCA
-cat < subca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+
+rootSign(){ # csr
+ POLICY=ca.cnf
+ if [[ "$1" != "root" ]] ; then
+ KNAME=$1
+ POLICY=subca.cnf
+ . ../CAs/${KNAME}
+ cat < subca.cnf
+
+basicConstraints =critical, CA:true
+keyUsage =critical, keyCertSign, cRLSign
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
-TESTCA
+certificatePolicies=@polsect
-rootSign(){ # csr
- caSign "$1.ca/key" root subca.cnf
+
+[polsect]
+policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}
+CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps"
+
+TESTCA
+ fi
+ caSign "$1.ca/key" root $POLICY
 }
@@ -42,7 +57,7 @@ rootSign root
 # generate the various sub-CAs
 for ca in $STRUCT_CAS; do
- . CAs/$ca
+ . ../CAs/$ca
 genca "/CN=$name" $ca
 rootSign $ca
 done
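Review bot: The new `generated` directory is created under whatever umask the caller happens to have, and everything the script writes after `cd generated` lands beneath it. Judging by the script name and the `$1.ca/key` path used later, that appears to include CA key material. Unless `genca` and `caSign` in commonFunctions (not visible here) restrict file modes themselves, putting `umask 077` before `mkdir -p generated` would keep the directory and its files owner-only. Making `basicConstraints` and `keyUsage` critical in ca.cnf matches what RFC 5280 expects of CA certificates.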
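Review bot: In `rootSign`, `${CPSID}` is used in `policyIdentifier` without any check that the just-sourced `../CAs/${KNAME}` actually set it. The script runs with `set -e` but not `-u`, and the variables are global, so a CA file that omits `CPSID` yields either a truncated OID or, inside the sub-CA loop, silently reuses the previous CA's value and puts the wrong policy OID into a signed certificate. I would add `unset CPSID` before the `. ../CAs/${KNAME}` line and `: "${CPSID:?CPSID not set in CAs/${KNAME}}"` right after it. The `caSign` call should also quote `"$POLICY"`. Separately, the sub-CA `basicConstraints` has no path length limit; if these sub-CAs are only meant to issue end-entity certificates, `basicConstraints = critical, CA:true, pathlen:0` would stop them from creating further CAs.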