Skip to content
Permalink
Browse files

update self-signed ssl certificate routines in https_bench.sh

update self-signed ssl certificate routines to ensure generated ECDSA SSL certificates contain the V3 compatible subjectAltName field
  • Loading branch information...
centminmod committed Jul 10, 2019
1 parent 813cead commit 8dfa09479f205aaeff5159b9d44a19440acae7d3
Showing with 42 additions and 5 deletions.
  1. +42 −5 https_bench.sh
@@ -8,7 +8,7 @@
# variables
#############
DT=$(date +"%d%m%y-%H%M%S")
VER='1.3'
VER='1.4'
SLEEP_TIME='10'
HTTPS_BENCHCLEANUP='y'
TESTRUNS='5'
@@ -579,15 +579,52 @@ if [[ "$NON_CENTMINMOD" = [nN] ]]; then
SELFSIGNEDSSL_L='Los Angeles'
SELFSIGNEDSSL_O='HTTPS TEST ORG'
SELFSIGNEDSSL_OU='HTTPS TEST ORG UNIT'
# self-signed ssl cert with SANs
cat > /tmp/req.cnf <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = ${SELFSIGNEDSSL_C}
ST = ${SELFSIGNEDSSL_ST}
L = ${SELFSIGNEDSSL_L}
O = ${vhostname}
OU = ${vhostname}
CN = ${vhostname}
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${vhostname}
DNS.2 = www.${vhostname}
EOF
cat > /tmp/v3ext.cnf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${vhostname}
DNS.2 = www.${vhostname}
EOF
cd /usr/local/nginx/conf/ssl/${vhostname}
curve=prime256v1
echo "openssl ecparam -out ${vhostname}-ecc.key -name $curve -genkey"
openssl ecparam -out ${vhostname}-ecc.key -name $curve -genkey
echo "openssl req -new -sha256 -key ${vhostname}-ecc.key -nodes -out ${vhostname}-ecc.csr -subj \"/C=${SELFSIGNEDSSL_C}/ST=${SELFSIGNEDSSL_ST}/L=${SELFSIGNEDSSL_L}/O=${SELFSIGNEDSSL_O}/OU=${SELFSIGNEDSSL_OU}/CN=${vhostname}\""
openssl req -new -sha256 -key ${vhostname}-ecc.key -nodes -out ${vhostname}-ecc.csr -subj "/C=${SELFSIGNEDSSL_C}/ST=${SELFSIGNEDSSL_ST}/L=${SELFSIGNEDSSL_L}/O=${SELFSIGNEDSSL_O}/OU=${SELFSIGNEDSSL_OU}/CN=${vhostname}"
echo "openssl x509 -req -days 36500 -sha256 -in ${vhostname}-ecc.csr -signkey ${vhostname}-ecc.key -out ${vhostname}-ecc.crt"
openssl x509 -req -days 36500 -sha256 -in ${vhostname}-ecc.csr -signkey ${vhostname}-ecc.key -out ${vhostname}-ecc.crt
echo "openssl req -new -sha256 -key ${vhostname}-ecc.key -nodes -out ${vhostname}-ecc.csr -config /tmp/req.cnf"
openssl req -new -sha256 -key ${vhostname}-ecc.key -nodes -out ${vhostname}-ecc.csr -config /tmp/req.cnf
# echo "openssl req -new -sha256 -key ${vhostname}-ecc.key -nodes -out ${vhostname}-ecc.csr -subj \"/C=${SELFSIGNEDSSL_C}/ST=${SELFSIGNEDSSL_ST}/L=${SELFSIGNEDSSL_L}/O=${SELFSIGNEDSSL_O}/OU=${SELFSIGNEDSSL_OU}/CN=${vhostname}\""
# openssl req -new -sha256 -key ${vhostname}-ecc.key -nodes -out ${vhostname}-ecc.csr -subj "/C=${SELFSIGNEDSSL_C}/ST=${SELFSIGNEDSSL_ST}/L=${SELFSIGNEDSSL_L}/O=${SELFSIGNEDSSL_O}/OU=${SELFSIGNEDSSL_OU}/CN=${vhostname}"
openssl req -noout -text -in ${vhostname}.csr | grep DNS
echo "openssl x509 -req -days 36500 -sha256 -in ${vhostname}-ecc.csr -signkey ${vhostname}-ecc.key -out ${vhostname}-ecc.crt -extfile /tmp/v3ext.cnf"
openssl x509 -req -days 36500 -sha256 -in ${vhostname}-ecc.csr -signkey ${vhostname}-ecc.key -out ${vhostname}-ecc.crt -extfile /tmp/v3ext.cnf
s
ls -lah /usr/local/nginx/conf/ssl/${vhostname}
s

0 comments on commit 8dfa094

Please sign in to comment.
You can’t perform that action at this time.