diff --git a/scripts/gentls_cert.in b/scripts/gentls_cert.in
index 1c40133989..e102a964ef 100644
--- a/scripts/gentls_cert.in
+++ b/scripts/gentls_cert.in
@@ -1,7 +1,8 @@
 #!/bin/sh
 
 CONFDIR=@prefix@/conf/ssl
-DAYS=365
+DAYS=2190
+KEY_SIZE=2048
 
 TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
 
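Review bot: `KEY_SIZE=2048` is assigned as a plain shell variable, but the template change in setup_ca reads it through OpenSSL's `$ENV::` lookup, which only sees variables present in the process environment. Nothing visible in this diff exports it, so openssl would presumably fail to resolve the value when it parses the generated config; `export KEY_SIZE` after the assignment would cover it. Separately, the `TMPFILE` context line still builds a predictable name under /tmp, and generate_cert writes the unencrypted private key to `${TMPFILE}.key`. A `mktemp -d` directory created under a restrictive umask would be a safer base for these files.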
@@ -38,7 +39,7 @@ setup_ca() {
 	if [ ! -e "${CONFDIR}/CA/config.tpl" ]; then
 		cat > "${CONFDIR}/CA/config.tpl" <<-EOF
 			[ req ]
-			default_bits            = 1024
+			default_bits            = $ENV::KEY_SIZE
 			prompt                  = no
 			distinguished_name      = req_dn
 
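Review bot: `$ENV::KEY_SIZE` sits inside an unquoted `<<-EOF` here-document, so the shell expands `$ENV` itself before the template is written. config.tpl then most likely ends up with `default_bits = ::KEY_SIZE`, or with whatever the shell's own ENV variable holds. Escaping the dollar sign, `default_bits            = \$ENV::KEY_SIZE`, keeps the reference literal for OpenSSL to resolve. setup_ca begins outside this hunk.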
@@ -46,11 +47,23 @@ setup_ca() {
 			commonName              = %CN%
 			organizationName	= %ORG%
 
-			[ ext ]
+			[ server ]
+			nsComment="FS Server Cert"
 			basicConstraints=CA:FALSE
 			subjectKeyIdentifier=hash
 			authorityKeyIdentifier=keyid,issuer:always
 			subjectAltName=%ALTNAME%
+			nsCertType=server
+			extendedKeyUsage=serverAuth
+
+			[ client ]
+			nsComment="FS Client Cert"
+			basicConstraints=CA:FALSE
+			subjectKeyIdentifier=hash
+			authorityKeyIdentifier=keyid,issuer:always
+			subjectAltName=%ALTNAME%
+			nsCertType=client
+			extendedKeyUsage=clientAuth
 		EOF
 	fi
 
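Review bot: The new `[ server ]` and `[ client ]` sections are only written when config.tpl does not exist yet (the `[ ! -e ... ]` guard visible in the previous hunk), so an installation that already has a template with the old `[ ext ]` section keeps it. generate_cert now passes `-extensions "${EXTENSIONS}"` with `server` or `client`, which would name a section that older file does not contain. Consider regenerating the template when the expected sections are missing, or documenting the upgrade step. Both sections also leave out `keyUsage`; a line such as `keyUsage=digitalSignature,keyEncipherment` would constrain the certificates beyond the extended key usage.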
@@ -62,14 +75,10 @@ setup_ca() {
 		"${CONFDIR}/CA/config.tpl" \
 			> "${TMPFILE}.cfg" || exit 1
 
-	openssl req -new -out "${CONFDIR}/CA/careq.pem" \
-		-newkey rsa:1024 -keyout "${CONFDIR}/CA/cakey.pem" \
+	openssl req -out "${CONFDIR}/CA/cacert.pem" \
+		-new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
 		-config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
-
-	openssl x509 -req -signkey "${CONFDIR}/CA/cakey.pem" -in "${CONFDIR}/CA/careq.pem" \
-		-out "${CONFDIR}/CA/cacert.pem" -extfile "${TMPFILE}.cfg" \
-		-extensions ext -days ${DAYS} -sha1 >/dev/null || exit 1
-
+	cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
 	rm "${TMPFILE}.cfg"
 
 	echo "DONE"
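Review bot: The new `openssl req -new -x509` call has no `-days` argument, so the CA certificate gets OpenSSL's default lifetime (30 days) rather than `${DAYS}` as the removed `x509 -req` step did. Leaf certificates issued for 2190 days would then outlive their issuer, and adding `-days ${DAYS}` to the command fixes that. The call also no longer selects an extension section, and the visible template has no section with `basicConstraints=CA:TRUE`, so it is worth confirming the resulting root is actually marked as a CA. The signature is still `-sha1` and `cakey.pem` is written with `-nodes`; `-sha256` and a `umask 077` around key creation would match the larger key size.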
@@ -108,14 +117,13 @@ generate_cert() {
 			> "${TMPFILE}.cfg" || exit 1
 
 	openssl req -new -out "${TMPFILE}.req" \
-		-newkey rsa:1024 -keyout "${TMPFILE}.key" \
+		-newkey rsa: -keyout "${TMPFILE}.key" \
 		-config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
 
 	openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
 		-in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
-		-extensions ext -days ${DAYS} -sha1 >/dev/null || exit 1
+		-extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
 
-	cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
 	cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
 
 	rm "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
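Review bot: `-newkey rsa:` is left with an empty bit count after the colon, so the key size depends on how openssl treats an empty value and on `default_bits` in the config rather than being stated here. It looks like a variable reference was intended; `-newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \` makes the size explicit. `-extensions "${EXTENSIONS}"` also relies on the caller having set EXTENSIONS before generate_cert runs, which a `${EXTENSIONS:-server}` default would guard. generate_cert starts and ends outside this hunk.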
@@ -133,7 +141,7 @@ remove_ca() {
 
 	echo "DONE"
 }
-
+OUTFILESET="0"
 command="$1"
 shift
 
@@ -154,6 +162,7 @@ while [ $# -gt 0 ]; do
 		-out)
 			shift
 			OUTFILE="$1"
+			OUTFILESET="1"
 			;;
 		-days)
 			shift
@@ -170,6 +179,18 @@ case ${command} in
 		;;
 
 	create)
+		EXTENSIONS="server"
+		generate_cert
+		;;
+	create_server)
+		EXTENSIONS="server"
+		generate_cert
+		;;
+	create_client)
+		EXTENSIONS="client"
+		if [ "${OUTFILESET}" = "0" ]; then
+			OUTFILE="client.pem"
+ 		fi
 		generate_cert
 		;;
 
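Review bot: The `create` and `create_server` arms are identical and could be one arm, `create|create_server)`, so the two cannot drift apart. The `fi` line in `create_client` is indented with a space followed by tabs, unlike the surrounding tab-only lines. Since `create` stays as an alias, a short comment such as `# create is kept for backward compatibility` would say why.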
@@ -185,15 +206,15 @@ case ${command} in
 
 	*)
 		cat <<-EOF
-		$0 <setup|create|clean> [options]
+		$0 <setup|create_server|create_client|clean> [options]
 
 		  * commands:
 
 		    setup  - Setup new CA
 		    remove - Remove CA
 
-		    create - Create new certificate (overwriting old!)
-
+		    create_server - Create new certificate (overwriting existing!)
+		    create_client - Create a new client certificate (overwrites existing!)
 
 		  * options: