Committing some small, forgotten modifications
parent
52746fd980
commit
1bfeac8900
4 changed files with 26 additions and 8 deletions
|
@ -177,13 +177,13 @@ case $1 in
|
|||
exit $RET
|
||||
;;
|
||||
-sign|-signreq)
|
||||
# Display a notice/warning when copy_extensions is disabled/enabled
|
||||
# FIXME: we grep on the whole openssl.cnf file instead of just the 'ca' -> 'CA_default' section
|
||||
if grep -q '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy' $( echo "$SSLEAY_CONFIG" | sed 's/-config//' ); then
|
||||
echo "warning: copy_extensions is enabled, read the certificate carefully before signing."
|
||||
else
|
||||
echo "notice: copy_extensions disabled, extension such as SubjectAltName will be stripped."
|
||||
fi
|
||||
# Display a notice/warning when copy_extensions is disabled/enabled
|
||||
# FIXME: we grep on the whole openssl.cnf file instead of just the 'ca' -> 'CA_default' section
|
||||
if grep -q '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy' $( echo "$SSLEAY_CONFIG" | sed 's/-config//' ); then
|
||||
echo "warning: copy_extensions is enabled, read the certificate carefully before signing."
|
||||
else
|
||||
echo "notice: copy_extensions disabled, extension such as SubjectAltName will be stripped."
|
||||
fi
|
||||
$CA -policy policy_anything -out newcert.pem -days "$DAYS" -infiles newreq.pem
|
||||
RET=$?
|
||||
cat newcert.pem
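Review bot: The `else` branch of the copy_extensions check in the `-sign|-signreq)` arm also runs when grep itself fails (exit status 2, for instance a missing or unreadable config file), so the operator can be told "copy_extensions disabled" when the setting is actually unknown. That is the reassuring message, and it is printed right before `$CA -policy policy_anything` signs the request, so it should only appear when grep really returned 1. Branching on grep's exit status and printing a separate warning for the error case keeps the notice honest. The old and new lines shown here have identical text, so the commit presumably only re-indents them; the arm continues past the end of the hunk.

```shell
# … unchanged: -sign|-signreq) and the two comment lines …
    grep -q '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy' $( echo "$SSLEAY_CONFIG" | sed 's/-config//' )
    case $? in
        0) echo "warning: copy_extensions is enabled, read the certificate carefully before signing." ;;
        1) echo "notice: copy_extensions disabled, extension such as SubjectAltName will be stripped." ;;
        *) echo "warning: could not read the openssl config, copy_extensions state is unknown." >&2 ;;
    esac
# … unchanged: $CA -policy policy_anything … call and RET handling …
```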
|
||||
|
|
|
@ -17,3 +17,19 @@ Champs déjà customisés :
|
|||
- default_bits : par défaut, il était à 2048. Mis à 4096 parce que j'aime bien pousser les limites :)
|
||||
Champs à revoir en général :
|
||||
- countryName_default, stateOrProvinceName_default, etc. : permet d'éviter de les rentrer à chaque génération de certificate request.
|
||||
|
||||
Aide mémoire :
|
||||
- CSR rapide :
|
||||
```
|
||||
# Génération de la clef (au choix: RSA, ECDSA, ...)
|
||||
# - RSA
|
||||
openssl genrsa -out $( hostname -f ).key 2048
|
||||
# - ECDSA
|
||||
openssl ecparam -name prime256v1 -genkey -out $( hostname -f ).key
|
||||
|
||||
# Génération du CSR :
|
||||
openssl req -new -sha256 -key $( hostname -f ).key -subj "/CN=$( hostname -f )" > $( hostname -f ).csr
|
||||
# ou, via les subjectAltName :
|
||||
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr
|
||||
# + copy_extensions = copy dans openssl.cnf
|
||||
```
|
||||
|
|