
Re: generating the TLS cert

  • Robert Moskowitz
    Message 1 of 34, Dec 19, 2012
      On 12/19/2012 06:40 PM, Reindl Harald wrote:
      >
      > Am 20.12.2012 00:31, schrieb /dev/rob0:
      >
      >> We don't know what you want. What is this certificate to be used for?
      >> Do you want a self-signed certificate, or to run your own CA, or to
      >> submit your CSR to an external CA?
      > there is no difference between self-signed and submit to external CA

      True. Just the user experience thing and server maintainer costs. This
      is not the place to debate the whole X.509 world; I live it as part of
      my day job.

      > the script below makes crt/csr/pem for any usecase

      Thank you Harald.

      >
      > [root@buildserver:~]$ cat /buildserver/ssl-cert/generate-cert.sh
      > #!/usr/bin/bash
      > # usage: generate-cert.sh <server-name>
      > WORKING_DIR="/buildserver/ssl-cert"
      > OUT_DIR="$WORKING_DIR/$1"
      > # check the argument before touching the filesystem: with an empty name
      > # OUT_DIR is just WORKING_DIR, and the mkdir/chmod would act on that
      > if [ "$1" == "" ]; then
      > echo "Wie soll ich bitte Dateien ohne Servernamen benennen?"
      > echo ""
      > exit 1
      > fi
      > mkdir -p "$OUT_DIR"
      > chmod 700 "$OUT_DIR"
      > rm -f "$OUT_DIR/$1.key" "$OUT_DIR/$1.csr" "$OUT_DIR/$1.crt" "$OUT_DIR/$1.pem"
      > # put the server name into a per-run copy of the template as the CN default
      > sed "s/my_common_name/$1/g" "$WORKING_DIR/openssl.conf.template" > "$WORKING_DIR/openssl.conf"
      > openssl genrsa -out "$OUT_DIR/$1.key" 2048
      > openssl req -config "$WORKING_DIR/openssl.conf" -new -key "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.csr"
      > # self-sign the CSR for ten years; no extension section is passed in here
      > openssl x509 -req -days 3650 -in "$OUT_DIR/$1.csr" -signkey "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.crt"
      > cat "$OUT_DIR/$1.crt" "$OUT_DIR/$1.key" > "$OUT_DIR/$1.pem"
      > echo ""
      > echo "Zertifikate wurden unter '$OUT_DIR/' erstellt."
      > echo "$OUT_DIR/$1.key"
      > echo "$OUT_DIR/$1.csr"
      > echo "$OUT_DIR/$1.crt"
      > echo "$OUT_DIR/$1.pem"
      > echo ""
      >
      > # the key and the combined pem must not be readable by anyone else
      > chmod 600 "$OUT_DIR"/*
      > ls -l -h --color=tty -X --group-directories-first --time-style=long-iso "$OUT_DIR/"
      > echo ""
      > rm -f "$WORKING_DIR/openssl.conf"
      >
      >
      > [root@buildserver:~]$ cat /buildserver/ssl-cert/openssl.conf.template
      > [ req ]
      > prompt = yes
      > # only used when req generates the key itself; generate-cert.sh passes -key
      > default_bits = 1024
      > distinguished_name = req_DN
      > string_mask = nombstr
      > [ req_DN ]
      > countryName = "1. Landeskennung "
      > countryName_default = "AT"
      > countryName_min = 2
      > countryName_max = 2
      > stateOrProvinceName = "2. Bundesland "
      > stateOrProvinceName_default = "Vienna"
      > localityName = "3. Stadt "
      > localityName_default = "Vienna"
      > 0.organizationName = "4. Firmenname "
      > 0.organizationName_default = "the lounge interactive design gmbh"
      > organizationalUnitName = "5. Abteilung "
      > organizationalUnitName_default = "Administration"
      > commonName = "6. Server-Name "
      > commonName_max = 64
      > commonName_default = "my_common_name"
      > emailAddress = "7. Mail-Adresse "
      > emailAddress_max = 40
      > emailAddress_default = "hostmaster@..."
      >
    • Viktor Dukhovni
      Message 34 of 34 , Jan 4, 2013
        On Fri, Jan 04, 2013 at 12:30:50PM -0500, Robert Moskowitz wrote:

        > > There is nothing wrong with "CA:true" in a self-signed SSL certificate.
        >
        > By some definitions of 'wrong' :)
        >
        > You may not have attended the same sort of PKI policy meetings that
        > I lived through! But since this is in large measure a policy issue,
        > we will leave it there.

        What meetings you happened to attend is of no consequence.

        > I will test with user_cert over v3_req that I learned about over on
        > the OpenSSL list. See how they compare.

        It is "usr_cert", not "user_cert". The difference in the resulting
        extensions is:

        v3_req:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment

        usr_cert:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AD:3C:28:E3:E5:B5:F3:0A:5C:63:AB:08:15:4E:1C:42:A3:D5:83:E6
            X509v3 Authority Key Identifier:
                keyid:AD:3C:28:E3:E5:B5:F3:0A:5C:63:AB:08:15:4E:1C:42:A3:D5:83:E6

        default (v3_ca):
            X509v3 Subject Key Identifier:
                EC:1C:FE:EE:26:9E:09:44:8C:75:5C:F7:1E:38:32:4A:FA:93:FA:E6
            X509v3 Authority Key Identifier:
                keyid:EC:1C:FE:EE:26:9E:09:44:8C:75:5C:F7:1E:38:32:4A:FA:93:FA:E6
            X509v3 Basic Constraints:
                CA:TRUE

        Perhaps of the three "v3_req" is the closest to a sensible set of
        extensions for an endpoint certificate.

        --
        Viktor.
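The v3_req endpoint profile Viktor lists above, applied to a self-signed certificate built the same way as the generate-cert.sh script earlier in the thread (key, CSR, x509 -req -signkey). This is an added example, not code from the thread or from any of its authors; the hostname, output directory and the name "v3_req" for the extension section are assumptions, and only the openssl binary is required.

```shell
#!/bin/sh
# Added example, not from the thread: self-signs an endpoint certificate and
# passes an explicit extension section, so the result is CA:FALSE with a SAN
# rather than the v3_ca defaults. Hostname and paths are assumed.
set -eu

# write_cfg <hostname> <cfg-path>: one config for the CSR subject and the
# extensions; "v3_req" is the section name discussed in the thread.
write_cfg() {
    cat > "$2" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = $1
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$1
EOF
}

# make_endpoint_cert <hostname> <outdir>: writes <name>.key/.csr/.crt there.
make_endpoint_cert() {
    name=$1; out=$2
    [ -n "$name" ] || { echo "hostname required" >&2; return 1; }
    umask 077                      # key is private from creation, no chmod race
    mkdir -p "$out"
    cfg=$(mktemp)
    write_cfg "$name" "$cfg"
    openssl genrsa -out "$out/$name.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$out/$name.key" -out "$out/$name.csr"
    # -extfile/-extensions is what applies the v3_req profile; without it
    # "x509 -req -signkey" has no basicConstraints or SAN to put in the cert.
    openssl x509 -req -sha256 -days 365 -in "$out/$name.csr" \
        -signkey "$out/$name.key" -extfile "$cfg" -extensions v3_req \
        -out "$out/$name.crt" 2>/dev/null
    rm -f "$cfg"
}

# cert_is_endpoint <crt> <hostname>: succeeds only for CA:FALSE plus a SAN.
cert_is_endpoint() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' &&
        printf '%s\n' "$text" | grep -q "DNS:$2"
}

[ -z "${1:-}" ] || { make_endpoint_cert "$1" "${2:-./ssl-cert}" &&
    cert_is_endpoint "${2:-./ssl-cert}/$1.crt" "$1" && echo "ok: endpoint cert"; }
```

Run as `sh make-endpoint-cert.sh www.example.test ./ssl-cert`; the check at the end is the same test a reviewer would run with `openssl x509 -noout -text` before deploying the file.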