#! /bin/sh
-# Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
prev=
force=no
batch=no
+unique_name=no
log='@LOGDIR@/ovs-pki.log'
keytype=rsa
bits=2048
# OS-specific compatibility routines
case $(uname -s) in
-FreeBSD)
+FreeBSD|NetBSD|Darwin)
file_mod_epoch()
{
stat -r "$1" | awk '{print $10}'
(default: $pkidir)
-f, --force Continue even if file or directory already exists
-l, --log=FILE Log openssl output to FILE (default: ovs-log.log)
+ -u, --unique NAME is unique (don't append UUID/date)
-h, --help Print this usage message.
-V, --version Display version information.
EOF
--ba*|-b)
batch=yes
;;
+ --un*|-u)
+ unique_name=yes
+ ;;
-*)
echo "unrecognized option $option" >&2
exit 1
dsaparam=$pkidir/dsaparam.pem
fi
case $log in
- /*) ;;
+ /* | ?:[\\/]*) ;;
*) log=`pwd`/$log ;;
esac
logdir=$(dirname "$log")
if test ! -d "$logdir"; then
- mkdir -p -m755 "$logdir" 2>/dev/null || true
+ mkdir -p -m750 "$logdir" 2>/dev/null || true
if test ! -d "$logdir"; then
echo "$0: log directory $logdir does not exist and cannot be created" >&2
exit 1
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # md to use
+default_md = sha512 # message digest to use
policy = policy # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
-copy_extensions = none # Don't copy extensions from request
+copy_extensions = copy # Copy extensions from request
unique_subject = no # Allow certs with duplicate subjects
# For the CA policy
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
+
+# For the x509v3 extension
+[ ca_cert ]
+basicConstraints=CA:true
+
+[ usr_cert ]
+basicConstraints=CA:false
EOF
fi
openssl req -config ca.cnf -nodes \
-newkey $newkey -keyout private/cakey.pem -out careq.pem \
1>&3 2>&3
- openssl ca -config ca.cnf -create_serial -out cacert.pem \
- -days 2191 -batch -keyfile private/cakey.pem -selfsign \
+ openssl ca -config ca.cnf -create_serial \
+ -extensions ca_cert -out cacert.pem \
+ -days 3650 -batch -keyfile private/cakey.pem -selfsign \
-infiles careq.pem 1>&3 2>&3
chmod 0700 private/cakey.pem
must_not_exist "$arg1-privkey.pem"
must_not_exist "$arg1-req.pem"
make_tmpdir
+ if test $unique_name != yes; then
+ # Use uuidgen or date to create unique subject DNs.
+ unique=`(uuidgen) 2>/dev/null` || unique=`date +"%Y %b %d %T"`
+ cn="$arg1 id:$unique"
+ else
+ cn="$arg1"
+ fi
cat > "$TMP/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
+req_extensions = v3_req
[ req_distinguished_name ]
C = US
L = Palo Alto
O = Open vSwitch
OU = Open vSwitch certifier
-CN = Open vSwitch certificate for $arg1
+CN = $cn
+
+[ v3_req ]
+subjectAltName = DNS:$cn
EOF
if test $keytype = rsa; then
(umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
must_not_exist "$2"
pkidir_must_exist
+ case "$1" in
+ /* | ?:[\\/]*)
+ request_file="$1"
+ ;;
+ *)
+ request_file="`pwd`/$1"
+ ;;
+ esac
+
(cd "$pkidir/${type}ca" &&
- openssl ca -config ca.cnf -batch -in /dev/stdin) \
- < "$1" > "$2.tmp$$" 2>&3
+ openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \
+ > "$2.tmp$$" 2>&3
mv "$2.tmp$$" "$2"
}
check_type "$arg2"
verify_fingerprint "$arg1-req.pem"
- sign_request "$arg1-req.pem" "$arg2-cert.pem"
+ sign_request "$arg1-req.pem" "$arg1-cert.pem"
elif test "$command" = req+sign; then
one_or_two_args
check_type "$arg2"
must_exist "$arg1-req.pem"
must_exist "$arg1-privkey.pem"
must_not_exist "$arg1-cert.pem"
+ make_tmpdir
+ cat > "$TMP/v3.ext" <<EOF
+subjectAltName = DNS:$arg1
+EOF
# Create both the private key and certificate with restricted permissions.
(umask 077 && \
openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
- -signkey "$arg1-privkey.pem" -req -days 2191 -text) 2>&3 || exit $?
+ -signkey "$arg1-privkey.pem" -req -days 3650 -text \
+ -extfile $TMP/v3.ext) 2>&3 || exit $?
# Reset the permissions on the certificate to the user's default.
cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"