From: Felix Dörre
Date: Mon, 6 Apr 2015 23:44:12 +0000 (+0200)
Subject: FIX: minor cert structure fixups
X-Git-Url: https://code.wpia.club/?p=nre.git;a=commitdiff_plain;h=c4ec3f02627ad85f5794d457936ca125ce13e506;hp=b51fdc2141a76347d08b5938b4af47ba2f612067
FIX: minor cert structure fixups
---
diff --git a/generateInfra.sh b/generateInfra.sh
index bd1b872..e6b74fb 100755
--- a/generateInfra.sh
+++ b/generateInfra.sh
@@ -9,15 +9,16 @@ year=$1
 . commonFunctions
 CRL="
-crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$year/env.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$year/env.crt"
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$year/env-1.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$year/env-1.crt"
 cat < req.cnf
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment, digitalSignature
 extendedKeyUsage=serverAuth
+
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
 $CRL
 TESTCA
@@ -25,8 +26,9 @@ cat < reqClient.cnf
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment, digitalSignature
 extendedKeyUsage=clientAuth
+
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
 $CRL
 TESTCA
@@ -34,8 +36,9 @@ cat < reqMail.cnf
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment, digitalSignature
 extendedKeyUsage=emailProtection
+
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
 $CRL
 TESTCA
diff --git a/generateKeys.sh b/generateKeys.sh
index 353acb1..cf0fcad 100755
--- a/generateKeys.sh
+++ b/generateKeys.sh
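Review bot: The `env-1` suffix is now hard-coded in both the `crlDistributionPoints` and `caIssuers` URIs of the `CRL` variable, so every certificate built from req.cnf, reqClient.cnf and reqMail.cnf names that one CA's CRL and issuer certificate regardless of which CA actually signs it. The signing step is outside this hunk, so this is inferred; if a second environment CA is ever used, relying parties would check revocation against the wrong list. Consider deriving both URIs from one variable, e.g. `envca=env-1` and `URI:http://g2.crl.cacert.org/g2/$year/$envca.crl`. A shell comment above each of the three heredocs (this hunk and the reqClient.cnf and reqMail.cnf hunks), such as `# AKI carries keyid only: issuer+serial would break chain building if the CA certificate is re-issued`, would record why `issuer:always` was dropped.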
@@ -9,16 +9,22 @@ set -e
 ####### create various extensions files for the various certificate types ######
 cat < ca.cnf
 basicConstraints = CA:true
-subjectKeyIdentifier = hash
 keyUsage = keyCertSign, cRLSign
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
 TESTCA
 cat < subca.cnf
 basicConstraints = CA:true
-subjectKeyIdentifier = hash
 keyUsage = keyCertSign, cRLSign
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
 TESTCA
diff --git a/generateTime.sh b/generateTime.sh
index 71aa918..0b0b0b4 100755
--- a/generateTime.sh
+++ b/generateTime.sh
@@ -9,8 +9,11 @@ year=$1
 genTimeCA(){ #csr,ca to sign with,start,end
 cat < timesubca.cnf
 basicConstraints = CA:true
-subjectKeyIdentifier = hash
 keyUsage = keyCertSign, cRLSign
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
 TESTCA
@@ -22,7 +25,7 @@ mkdir -p $year/ca
 STARTDATE="${year}"
-ENDDATE="$((${year} + 2))"
+ENDDATE="$((${year} + 3))"
 for i in $TIME_IDX; do
 point=${points[${i}]}
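Review bot: `ENDDATE="$((${year} + 3))"` feeds `$year` into arithmetic expansion without validation, and the `3` is an unexplained constant. `$year` appears to come from `$1` at the top of the script (the `year=$1` in the hunk header), outside this hunk. A guard before first use, such as `[[ $year =~ ^[0-9]{4}$ ]] || { echo "usage: $0 YEAR" >&2; exit 1; }`, would keep a mistyped argument from silently producing wrong CA validity dates and CRL/AIA paths. Naming the span, e.g. `VALIDITY_YEARS=3` with a comment stating why the time sub-CAs live that long, would make the lifetime policy reviewable.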