
create and sign cert for ssl server

Fabian Peter Hammerle 8 years ago
parent
commit
90a0279c51
3 changed files with 17 additions and 17 deletions
  1. 8 9
      Makefile
  2. 1 1
      expiry-datetime
  3. 8 7
      gpgsm-params-template

+ 8 - 9
Makefile

@@ -1,7 +1,10 @@
-all : gpgsm-params cert.der cert.pem cert.openssl-text key-cert.p12
+all : key.enc.pem gpgsm-params cert.der cert.pem cert.openssl-text
 
-subject-keygrip.hex :
-	openssl genrsa 2048 \
+key.enc.pem :
+	openssl genrsa -out "$@" -aes256 2048
+
+subject-keygrip.hex : key.enc.pem
+	openssl rsa -in "$<" \
 		| openssl pkcs12 -export -nocerts -passout pass: \
 		| gpgsm --import 2>&1 \
 		| grep -Po 'keygrip=\s*\K.*' | sed 's/ //g' >$@
@@ -10,7 +13,7 @@ gpgsm-params : gpgsm-params-template subject-keygrip.hex issuer-keygrip.hex expi
 	./prepare-gpgsm-params --template gpgsm-params-template \
 		--subject-keygrip "$(shell cat subject-keygrip.hex)" \
 		--issuer-keygrip "$(shell cat issuer-keygrip.hex)" \
-		--expiry-datetime "$(shell date --date="$(shell cat expiry-datetime)")" \
+		--expiry-datetime "$(shell date --iso-8601=seconds --date="$(shell cat expiry-datetime)")" \
 		> $@
 
 cert.der : gpgsm-params
@@ -22,14 +25,10 @@ cert.pem : cert.der
 cert.openssl-text : cert.pem
 	openssl x509 -in $^ -text -noout > $@
 
-key-cert.p12 : cert.der subject-keygrip.hex
-	gpgsm --import cert.der
-	gpgsm --out $@ --export-secret-key-p12 '&$(shell cat subject-keygrip.hex)'
-
 clean :
+	-shred key.enc.pem && rm key.enc.pem
 	-trash subject-keygrip.hex
 	-trash gpgsm-params
 	-trash cert.der
 	-trash cert.pem
 	-trash cert.openssl-text
-	-shred key-cert.p12 && rm key-cert.p12
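Review bot: The new `subject-keygrip.hex` rule (lines 29–33) writes `>$@` from the end of a pipeline, so when `openssl rsa` fails on the decryption passphrase or `grep` finds no keygrip, a truncated or empty `subject-keygrip.hex` is left behind that is newer than `key.enc.pem`; the next `make` treats it as up to date and `gpgsm-params` is rendered with an empty `--subject-keygrip`. Adding `.DELETE_ON_ERROR:` at the top of the Makefile makes make remove the half-written target when its recipe fails, and `.PHONY: all clean` keeps a stray file named `clean` from silently disabling cleanup. The same recipe pipes the decrypted key into `gpgsm --import`, which `clean` does not undo — presumably the secret key stays in the gpg-agent keystore after `make clean` shreds `key.enc.pem`; if that is intended, a comment on the `clean` rule such as `# note: the key imported into gpgsm is not removed here` would save the next reader from assuming the shred is complete.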

+ 1 - 1
expiry-datetime

@@ -1 +1 @@
-+1 month
++1 year

+ 8 - 7
gpgsm-params-template

@@ -3,7 +3,8 @@ Key-Type: RSA
 Key-Grip: {subject-keygrip}
 Key-Usage: sign
 Serial: random
-Name-DN: CN=test client,C=AT
+Name-DN: CN=example.hammerle.me,C=AT
+Name-DNS: example.hammerle.me
 Hash-Algo: SHA256
 Issuer-DN: CN=Fabian Peter Hammerle,C=AT
 Not-After: {not-after}
@@ -14,11 +15,11 @@ Authority-Key-Id: {issuer-keygrip}
 #   CA:FALSE
 Extension: 2.5.29.19 c 3003010100
 # X509v3 Extended Key Usage:
-#   TLS Web Client Authentication
-Extension: 2.5.29.37 n 300A06082B06010505070302
+#   TLS Web Server Authentication, TLS Web Client Authentication
+Extension: 2.5.29.37 n 301406082B0601050507030106082B06010505070302
 # Netscape Cert Type:
-#   SSL Client
-Extension: 2.16.840.1.113730.1.1 n 03020780
+#   SSL Client, SSL Server
+Extension: 2.16.840.1.113730.1.1 n 030206C0
 # Netscape Comment:
-#   client authentication only
-Extension: 2.16.840.1.113730.1.13 n 161A636C69656E742061757468656E7469636174696F6E206F6E6C79
+#   for demonstration purposes only
+Extension: 2.16.840.1.113730.1.13 n 161F666F722064656D6F6E7374726174696F6E20707572706F736573206F6E6C79
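Review bot: `Key-Usage: sign` (line 72, context) is unchanged while the certificate gains TLS Web Server Authentication; digitalSignature alone is sufficient only when the server negotiates (EC)DHE cipher suites, whereas RSA key-exchange suites also require keyEncipherment, so either this should become `Key-Usage: sign, encrypt` or the restriction deserves a comment above the line, e.g. `# sign only: server must negotiate (EC)DHE suites`. The hand-encoded DER on lines 87, 92 and 97 matches the comments above it (serverAuth + clientAuth EKU, Netscape cert-type bits for SSL Client and SSL Server, and the 31-byte IA5String), so those check out. The Netscape Cert Type and Comment extensions are legacy and ignored by current TLS stacks; the EKU and the new `Name-DNS` SAN are what clients actually validate, which the comment block could say so nobody later "fixes" the cert by editing only the Netscape bits.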