Get the OpenSSL setup to create a simple CA, pkg-vulnerabilities signing
and package signing keys under version control.
joerg
committed
Aug 6, 2008
1 parent
d4e1615
commit 9bd2d3e
Showing
2 changed files
with
199 additions
and
0 deletions.
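--- /dev/null
+++ b/pkgsrc.cnf
@@ -0,0 +1,136 @@
+# $NetBSD: pkgsrc.cnf,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+# OpenSSL sample configuration file for use by pkgsrc.sh
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./pkgsrc # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+# several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+# must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+default_md = sha1
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ pkgkey ]
+nsComment = "Certificate for binary pkgsrc packages"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+extendedKeyUsage = codeSigning, emailProtection
+
+[ pkgsec ]
+nsComment = "Certificate for pkg-vulnerabilities"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+subjectAltName=email:move
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true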
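Review bot: The `[ pkgkey ]` and `[ pkgsec ]` extension sections at the end of the file carry no `basicConstraints` or `keyUsage`, so the package-signing and pkg-vulnerabilities certificates are issued without an explicit CA:FALSE or a restriction to signature use, and `[ v3_ca ]` sets `basicConstraints = critical,CA:true` but no `keyUsage` limiting the CA key to certificate and CRL signing. Add `basicConstraints = critical,CA:FALSE` and `keyUsage = critical,digitalSignature` to both leaf sections and `keyUsage = critical,keyCertSign,cRLSign` to `[ v3_ca ]`, so a verifier that honours these extensions cannot be made to accept a leaf key as an issuer or the CA key as a package signer. `[ req ]` also pins `default_md = sha1` for request signatures; `sha256` would be the current choice, provided the pkg_install verifier on the consuming side accepts it. Separately, `default_days = 365` in `[ CA_default ]` also governs the self-signed CA certificate, since pkgsrc.sh passes no `-days` to `openssl ca -selfsign`, so the CA itself expires after a year unless that is intended.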
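--- /dev/null
+++ b/pkgsrc.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# $NetBSD: pkgsrc.sh,v 1.1.2.1 2008/08/06 23:51:32 joerg Exp $
+#
+
+CA="openssl ca -config pkgsrc.cnf"
+REQ="openssl req -config pkgsrc.cnf"
+
+set -e
+
+new_ca() {
+if [ -f $1/serial ]; then
+echo "CA already exists, exiting" >& 2
+exit 1
+fi
+
+mkdir -p $1/certs $1/crl $1/newcerts $1/private
+echo "00" > $1/serial
+touch $1/index.txt
+
+echo "Making CA certificate ..."
+$REQ -new -keyout $1/private/cakey.pem \
+-out $1/careq.pem
+$CA -out $1/cacert.pem -batch \
+-keyfile $1/private/cakey.pem -selfsign \
+-infiles $1/careq.pem
+}
+
+new_pkgkey() {
+$REQ -new -keyout pkgkey_key.pem -out pkgkey_req.pem
+$CA -extensions pkgkey -policy policy_match -out pkgkey_cert.pem.pem -infiles pkgkey_req.pem
+rm pkgkey_req.pem
+echo "Signed certificate is in pkgkey_cert.pem.pem, key in pkgkey_key.pem"
+}
+
+new_pkgsec() {
+$REQ -new -keyout pkgsec_key.pem -out pkgsec_req.pem
+$CA -extensions pkgsec -policy policy_match -out pkgsec_cert.pem.pem -infiles pkgsec_req.pem
+rm pkgsec_req.pem
+echo "Signed certificate is in pkgsec_cert.pem.pem, key in pkgsec_key.pem"
+}
+
+usage() {
+echo "$0:"
+echo "setup - create new CA in ./pkgsrc for use by pkg_install"
+echo "pkgkey - create and sign a certificate for binary packages"
+echo "pkgsec - create and sign a certificate for pkg-vulnerabilities"
+}
+
+case "$1" in
+setup)
+new_ca ./pkgsrc
+;;
+pkgkey)
+new_pkgkey
+;;
+pkgsec)
+new_pkgsec
+;;
+*)
+usage
+;;
+esac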
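Review bot: new_ca creates `$1/private` with `mkdir -p` and has `openssl req -keyout` write the CA key under it, and new_pkgkey/new_pkgsec write `pkgkey_key.pem`/`pkgsec_key.pem` into the current directory, all under the caller's default umask, so the private key files and the `private/` directory can come out group- or world-readable. Add `umask 077` directly after `set -e` (or at least `chmod 700 $1/private` after the mkdir) so every key this script produces is created owner-only. The `-out pkgkey_cert.pem.pem` and `pkgsec_cert.pem.pem` names on the `$CA` lines look like a doubled extension; if that is not intended, `pkgkey_cert.pem`/`pkgsec_cert.pem` would match the `*_key.pem` naming on the same lines (the echo messages would need the same change). `$1` is also unquoted throughout new_ca, which is harmless for the fixed `./pkgsrc` argument but `"$1"` would keep it safe if the function is ever reused.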