From c4ec3f02627ad85f5794d457936ca125ce13e506 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Tue, 7 Apr 2015 01:44:12 +0200
Subject: [PATCH] FIX: minor cert structure fixups

---
 generateInfra.sh | 13 ++++++++-----
 generateKeys.sh | 10 ++++++++--
 generateTime.sh | 7 +++++--
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/generateInfra.sh b/generateInfra.sh
index bd1b872..e6b74fb 100755
--- a/generateInfra.sh
+++ b/generateInfra.sh
@@ -9,15 +9,16 @@ year=$1
 . commonFunctions
 CRL="
-crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$year/env.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$year/env.crt"
+crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$year/env-1.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$year/env-1.crt"
 cat < req.cnf
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment, digitalSignature
 extendedKeyUsage=serverAuth
+
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
 $CRL
 TESTCA
@@ -25,8 +26,9 @@ cat < reqClient.cnf
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment, digitalSignature
 extendedKeyUsage=clientAuth
+
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
 $CRL
 TESTCA
@@ -34,8 +36,9 @@ cat < reqMail.cnf
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment, digitalSignature
 extendedKeyUsage=emailProtection
+
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
 $CRL
 TESTCA
diff --git a/generateKeys.sh b/generateKeys.sh
index 353acb1..cf0fcad 100755
--- a/generateKeys.sh
+++ b/generateKeys.sh
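Review bot: The switch to `authorityKeyIdentifier = keyid:always` makes OpenSSL abort signing when the issuing certificate carries no subjectKeyIdentifier, and the issuer that `$CRL` now publishes as env-1.crt is not generated anywhere in this patch; confirm it is created with `subjectKeyIdentifier = hash`, otherwise signing against req.cnf, reqClient.cnf and reqMail.cnf fails at runtime. The same line change appears in the other two hunks of this file. Dropping `issuer:always` is sound (pinning the issuer DN and serial in the AKI stops chain building once the CA certificate is re-issued under a new serial), but nothing in the script records that reasoning; a shell comment above the `CRL=` assignment such as `# AKI by key id only: issuer/serial pinning breaks validation once the env CA is re-issued` would keep the next maintainer from reverting it. The script continues outside the hunk.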
@@ -9,16 +9,22 @@ set -e
 ####### create various extensions files for the various certificate types ######
 cat < ca.cnf
 basicConstraints = CA:true
-subjectKeyIdentifier = hash
 keyUsage = keyCertSign, cRLSign
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
 TESTCA
 cat < subca.cnf
 basicConstraints = CA:true
-subjectKeyIdentifier = hash
 keyUsage = keyCertSign, cRLSign
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
 TESTCA
diff --git a/generateTime.sh b/generateTime.sh
index 71aa918..0b0b0b4 100755
--- a/generateTime.sh
+++ b/generateTime.sh
@@ -9,8 +9,11 @@ year=$1
 genTimeCA(){ #csr,ca to sign with,start,end
 cat < timesubca.cnf
 basicConstraints = CA:true
-subjectKeyIdentifier = hash
 keyUsage = keyCertSign, cRLSign
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
 crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
 authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
 TESTCA
@@ -22,7 +25,7 @@ mkdir -p $year/ca
 STARTDATE="${year}"
-ENDDATE="$((${year} + 2))"
+ENDDATE="$((${year} + 3))"
 for i in $TIME_IDX; do point=${points[${i}]}
-- 
2.39.2
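Review bot: The added `subjectKeyIdentifier = hash` / `authorityKeyIdentifier = keyid:always` pair is pasted verbatim into ca.cnf and subca.cnf here and a third time into timesubca.cnf in generateTime.sh, while generateInfra.sh already keeps its shared extension lines in a multi-line `CRL="..."` string; holding these two lines in a `KEYIDS="..."` string the same way and expanding `$KEYIDS` inside each heredoc keeps the three CA profiles from drifting apart. Since the CA profiles are being reworked, note that the adjacent `basicConstraints = CA:true` is not marked critical in any of the three CA configs (RFC 5280 requires the extension to be critical in CA certificates) and subca.cnf carries no pathlen; `basicConstraints = critical,CA:true` would match what generateInfra.sh already does for its end-entity profiles. The script continues outside the hunk.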
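Review bot: `ENDDATE="$((${year} + 3))"` extends the time sub-CA from two to three years with nothing in the commit saying why, and nothing checks that this end date stays inside the issuing CA's own validity, after which the chain would no longer verify; a comment next to the assignment such as `# three-year validity; must not outlive the parent CA it is signed by` records the intent. `year` comes from `$1` outside the hunk and feeds the arithmetic unchecked, so a guard before it, `case $year in ''|*[!0-9]*) echo "year must be numeric" >&2; exit 1;; esac`, makes a typo fail early instead of producing an odd validity window. The `for` loop the hunk ends in continues outside it.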