From: Felix Dörre Date: Sat, 3 Oct 2015 10:17:28 +0000 (+0200) Subject: marking extensions critical, adding CPS-identifiers, adding Country X-Git-Url: https://code.wpia.club/?p=nre.git;a=commitdiff_plain;h=33ef004d3397046e13bc94533c81ccc3261d6a9c marking extensions critical, adding CPS-identifiers, adding Country
---
diff --git a/CAs/assured b/CAs/assured
index 6750d88..5f99e41 100644
--- a/CAs/assured
+++ b/CAs/assured
@@ -1 +1,2 @@
 name="Assured"
+CPSID=2
diff --git a/CAs/codesign b/CAs/codesign
index f7fcad0..4c87677 100644
--- a/CAs/codesign
+++ b/CAs/codesign
@@ -1 +1,2 @@
 name="Codesigning"
+CPSID=3
diff --git a/CAs/env b/CAs/env
index 8362e32..905fb1a 100644
--- a/CAs/env
+++ b/CAs/env
@@ -1 +1,2 @@
 name="Environment"
+CPSID=4
diff --git a/CAs/orga b/CAs/orga
index 101a52d..f415609 100644
--- a/CAs/orga
+++ b/CAs/orga
@@ -1 +1,2 @@
 name="Orga"
+CPSID=5
diff --git a/CAs/orgaSign b/CAs/orgaSign
index 82f9373..265f164 100644
--- a/CAs/orgaSign
+++ b/CAs/orgaSign
@@ -1 +1,2 @@
 name="Orga sign"
+CPSID=6
diff --git a/CAs/unassured b/CAs/unassured
index 4c34e42..8b2d5b9 100644
--- a/CAs/unassured
+++ b/CAs/unassured
@@ -1 +1,2 @@
 name="Unassured"
+CPSID=1
diff --git a/clear.sh b/clear.sh
index 115cfd9..bd5a6f7 100755
--- a/clear.sh
+++ b/clear.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
-rm -R generated
+rm -fR generated
diff --git a/commonFunctions b/commonFunctions
index 168c610..f46505b 100644
--- a/commonFunctions
+++ b/commonFunctions
@@ -3,7 +3,7 @@ genKey(){ #subj, internalName
 openssl genrsa -out $2.key ${KEYSIZE}
- openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+ openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs/C=AU"
 }
diff --git a/generateKeys.sh b/generateKeys.sh
index d5d4750..d032a7b 100755
--- a/generateKeys.sh
+++ b/generateKeys.sh
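Review bot: The new `-subj` string appends `C=AU` after the caller-supplied `$1` and the O/OU components, and `openssl req` emits the RDNs in the order given, so the CSR subject ends with the country as its last RDN; conventional X.500 ordering puts C first (`/C=AU/O=…/OU=…/CN=…`). Since `$1` appears to carry the CN fragment (per the `#subj` comment on the hunk header), `-subj "/C=AU/O=Test Environment CA Ltd./OU=Test Environment CAs$1"` would yield the conventional order, provided no caller depends on the current one. On the same line `$2.key` and `$2.csr` are still unquoted; `"$2.key"` and `"$2.csr"` keep a name containing spaces from splitting. The hunk shows only the tail of `genKey`; its opening line is outside the view.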
@@ -10,8 +10,8 @@ cd generated
 ####### create various extensions files for the various certificate types ######
 cat < ca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+basicConstraints = critical,CA:true
+keyUsage =critical, keyCertSign, cRLSign
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
@@ -20,20 +20,33 @@ crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
 TESTCA
-cat < subca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+
+rootSign(){ # csr
+ POLICY=ca.cnf
+ if [[ "$1" != "root" ]] ; then
+ KNAME=$1
+ POLICY=subca.cnf
+ . ../CAs/${KNAME}
+ cat < subca.cnf
+
+basicConstraints =critical, CA:true
+keyUsage =critical, keyCertSign, cRLSign
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
-TESTCA
+certificatePolicies=@polsect
-rootSign(){ # csr
- caSign "$1.ca/key" root subca.cnf
+[polsect]
+policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}
+CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps"
+
+TESTCA
+ fi
+ caSign "$1.ca/key" root $POLICY
 }
diff --git a/generateTime.sh b/generateTime.sh
index 300d823..26f3cdf 100755
--- a/generateTime.sh
+++ b/generateTime.sh
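Review bot: `rootSign` sources `../CAs/${KNAME}` and then interpolates `${CPSID}` into `policyIdentifier`, but nothing checks that the sourced file actually defines it; a CA file without `CPSID` produces the truncated OID `1.3.6.1.4.1.18506.9.` in subca.cnf, and the failure, if any, would presumably surface later in openssl rather than at the source line. A guard right after the `.` line, `: "${CPSID:?CPSID not set in ../CAs/${KNAME}}"`, makes the precondition explicit; the `genTimeCA` hunk in generateTime.sh has the same gap. `KNAME` and `POLICY` are assigned as globals here, so `local KNAME POLICY` at the top of the function would keep one call's values from leaking into the next. `[[ … ]]` is bash-only; generateKeys.sh's shebang is outside the hunk and clear.sh in this same commit is `#!/bin/sh`, so it is worth confirming this script runs under bash. The spacing in `keyUsage =critical, keyCertSign, cRLSign` differs from `basicConstraints = critical,CA:true` in the first hunk and from the `key=value` form used in generateTime.sh; one consistent form keeps the generated config files easier to compare.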
@@ -9,15 +9,24 @@ year=$1
 cd generated
 genTimeCA(){ #csr,ca to sign with,start,end
+ KNAME=$2
+ . ../CAs/${KNAME}
 cat < timesubca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+basicConstraints=critical,CA:true
+keyUsage=critical,keyCertSign, cRLSign
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/$2.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/$2.crt
+
+certificatePolicies=@polsect
+
+[polsect]
+policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}
+CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps"
+
 TESTCA
 caSign $1 $2 timesubca.cnf "$3" "$4"
 rm timesubca.cnf
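Review bot: The per-year sub-CA written to timesubca.cnf gets `basicConstraints=critical,CA:true` with no path length constraint; if these CAs are meant to issue only end-entity certificates (the callers are outside the hunk, so this is inferred), `basicConstraints=critical,CA:true,pathlen:0` would stop a misissued or compromised per-year key from minting further CAs under it. `KNAME=$2` assigns a global although the function's other inputs stay positional; `local KNAME` on that line keeps it scoped to the call. The `CPS.1` URL is built from the signing CA's name rather than the per-year CA's own, which looks intentional since the child inherits the parent's policy; a one-line comment above `[polsect]` such as `# policy and CPS are inherited from the signing CA ($2)` would save the next reader the question. `genTimeCA`'s closing brace is outside the hunk.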