From 47fe829aee93aff9694f929f6c2dc4813156d109 Mon Sep 17 00:00:00 2001 From: "psyc://psyced.org/~lynX" <@> Date: Wed, 3 Aug 2011 18:30:44 +0200 Subject: [PATCH] thanks to prosody.im for the certificate generator --- install.sh | 1 + utility/gencert/Makefile | 32 ++++++++++++++++++++++ utility/gencert/openssl.cnf | 53 +++++++++++++++++++++++++++++++++++++ 3 files changed, 86 insertions(+) create mode 100644 utility/gencert/Makefile create mode 100644 utility/gencert/openssl.cnf diff --git a/install.sh b/install.sh index 77108f7..243c77b 100755 --- a/install.sh +++ b/install.sh @@ -955,6 +955,7 @@ _path_configuration = $CONFIG_DIR ; (absolute or relative to _path_configuration) _path_PEM_key = key.pem _path_PEM_certificate = cert.pem +; You can run 'make' in the 'utility/gencert' folder to create a pair ; Path to the TLS trust directory where certs are kept. ; If unset this will default to your system installation's defaults. diff --git a/utility/gencert/Makefile b/utility/gencert/Makefile new file mode 100644 index 0000000..57bd015 --- /dev/null +++ b/utility/gencert/Makefile @@ -0,0 +1,32 @@ +# taken from prosody.im, originally written by zash. MIT license +# +.DEFAULT: localhost.cert +keysize=2048 + +# How to: +# First, `make yourhost.cnf` which creates a openssl config file. +# Then edit this file and fill in the details you want it to have, +# and add or change hosts and components it should cover. +# Then `make yourhost.key` to create your private key, you can +# include keysize=number to change the size of the key. +# Then you can either `make yourhost.csr` to generate a certificate +# signing request that you can submit to a CA, or `make yourhost.cert` +# to generate a self signed certificate. + +.PRECIOUS: %.cnf %.key + +# To request a cert +%.csr: %.cnf %.key + openssl req -new -key $(lastword $^) -out $@ -utf8 -config $(firstword $^) + +# Self signed +%.cert: %.cnf %.key + openssl req -new -x509 -nodes -key $(lastword $^) -days 365 \ + -sha1 -out $@ -utf8 -config $(firstword $^) + +%.cnf: + sed 's,example\.com,$*,g' openssl.cnf > $@ + +%.key: + openssl genrsa $(keysize) > $@ + @chmod 400 -c $@ diff --git a/utility/gencert/openssl.cnf b/utility/gencert/openssl.cnf new file mode 100644 index 0000000..49e5305 --- /dev/null +++ b/utility/gencert/openssl.cnf @@ -0,0 +1,53 @@ +# based on the prosody certs/openssl.cnf by zash - MIT license +# +# note: if you have an internationalized domain name, be very careful +# about encoding it properly. +oid_section = new_oids + +[ new_oids ] + +# RFC 3920 section 5.1.1 defines this OID +xmppAddr = 1.3.6.1.5.5.7.8.5 + +# RFC 4985 defines this OID +SRVName = 1.3.6.1.5.5.7.8.7 + +[ req ] + +default_bits = 4096 +default_keyfile = example.com.key +distinguished_name = distinguished_name +req_extensions = v3_extensions +x509_extensions = v3_extensions +string_mask = utf8only + +# ask about the DN? +prompt = no + +[ distinguished_name ] + +commonName = example.com +countryName = GB +localityName = The Internet +organizationName = Your Organisation +organizationalUnitName = IT Department +emailAddress = psycmaster@example.com + +[ v3_extensions ] + +# for certificate requests (req_extensions) +# and self-signed certificates (x509_extensions) +# note: setting keyUsage does not work for self-signed certs +basicConstraints = CA:FALSE +keyUsage = digitalSignature,keyEncipherment +extendedKeyUsage = serverAuth,clientAuth +subjectAltName = @subject_alternative_name + +[ subject_alternative_name ] + +# See http://tools.ietf.org/html/rfc6120#section-13.7.1.2 for more info + +DNS.0 = example.com +otherName.0 = SRVName;IA5STRING:_xmpp-client.example.com +otherName.1 = SRVName;IA5STRING:_xmpp-server.example.com +otherName.2 = SRVName;IA5STRING:_psyc.example.com