Commit 6eef59b4 authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis Committed by Stratos Psomadakis

deploy: Proper CA creation

1. Include a CN in the root CA subject (Synnefo Demo CA @ HOSTNAME). This way we
will be able to import several distinct CAs into our browsers under
the same Organization (Synnefo), since each one now has a unique subject.

2. Let openssl decide a random serial number for the root CA.

3. Let the certificate have serial number 1 (instead of 100).

4. Include a script that updates the root CA and certificates
   locally (cd /root && ./create_root_ca.sh && ./update_root_ca.sh)
Signed-off-by: default avatarDimitris Aragiorgis <dimitris.aragiorgis@gmail.com>
parent f982f0cd
......@@ -14,6 +14,7 @@ CSR=$DIR/cert.csr
CERT=$DIR/cert.pem
ROOT_CNF=$DIR/ca-x509-extensions.cnf
CNF=$DIR/x509-extensions.cnf
HOSTNAME=$(hostname -f)
mkdir -p $DIR
......@@ -22,11 +23,11 @@ openssl genpkey -algorithm RSA -out $ROOT_CA_KEY -pkeyopt rsa_keygen_bits:4096
echo [$ROOT_CA_CSR] Generating certificate request for root CA...
openssl req -new -key $ROOT_CA_KEY -days 5480 -extensions v3_ca -batch \
-out $ROOT_CA_CSR -utf8 -subj '/C=GR/O=Synnefo/OU=SynnefoCloudSoftware'
-out $ROOT_CA_CSR -utf8 -subj '/C=GR/CN=Synnefo Demo CA @ '$HOSTNAME'/O=Synnefo/OU=SynnefoCloudSoftware'
echo [$ROOT_CA_CERT] Generating certificate for root CA...
openssl x509 -req -sha256 -days 3650 -in $ROOT_CA_CSR -signkey $ROOT_CA_KEY \
-set_serial 1 -extfile $ROOT_CNF -out $ROOT_CA_CERT
-extfile $ROOT_CNF -out $ROOT_CA_CERT
......@@ -39,5 +40,5 @@ openssl req -new -key $KEY -days 1096 -extensions v3_ca -batch \
echo [$CERT] Generating certificate for services...
openssl x509 -req -sha256 -days 1096 -in $CSR \
-CAkey $ROOT_CA_KEY -CA $ROOT_CA_CERT -set_serial 100 \
-CAkey $ROOT_CA_KEY -CA $ROOT_CA_CERT -set_serial 1 \
-out $CERT -extfile $CNF
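Review bot: The `-set_serial 1` on the services certificate (the `openssl x509 -req ... -CA $ROOT_CA_CERT` command closing this hunk) hard-codes the leaf serial, so every re-run of the script yields a certificate with the same issuer DN and serial but a different key; clients that have cached the previous one may refuse the new one (Firefox in particular is known to report SEC_ERROR_REUSED_ISSUER_AND_SERIAL in exactly this situation). The commit already moves the root CA to an OpenSSL-chosen serial, so give the leaf the same treatment: replace `-set_serial 1` with `-CAcreateserial -CAserial $DIR/ca.srl`, which seeds the serial file on first use and increments it on later runs. In the root CSR's `-subj`, `$HOSTNAME` is also spliced in unquoted; `'/C=GR/CN=Synnefo Demo CA @ '"$HOSTNAME"'/O=Synnefo/OU=SynnefoCloudSoftware'` keeps the subject a single argument should `hostname -f` ever return whitespace. The openssl invocations are continuation lines and the hunk's surrounding context is outside this view, so the exact shape of the `-CAserial` path should be checked against the `DIR` definition above.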
DIR=/root/ca
# For apache
cp -v $DIR/cacert.pem /etc/ssl/certs/synnefo_ca.pem
cp -v $DIR/key.pem /etc/ssl/private/synnefo.key
cp -v $DIR/cert.pem /etc/ssl/certs/synnefo.pem
/etc/init.d/apache2 restart
# For kamaki
cp -v $DIR/cacert.pem /usr/local/share/ca-certificates/Synnefo_Root_CA.crt
rm -v /etc/ssl/certs/Synnefo_Root_CA.pem
rm -v /etc/ssl/certs/ca-certificates.crt
update-ca-certificates
# For vncauthproxy
cp -v $DIR/cert.pem /var/lib/vncauthproxy/cert.pem
cp -v $DIR/key.pem /var/lib/vncauthproxy/key.pem
/etc/init.d/vncauthproxy restart
/etc/init.d/gunicorn restart
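Review bot: The private keys copied to `/etc/ssl/private/synnefo.key` and `/var/lib/vncauthproxy/key.pem` never receive an explicit owner or mode, so they keep whatever the umask or a pre-existing destination file gives them and can end up readable by every local user; add a `chmod 0600` after each copy (and, if vncauthproxy runs as its own user rather than root — not visible here — a matching `chown`). The script also runs without `set -e`, so a failed `cp` still restarts apache, gunicorn and vncauthproxy against stale or missing material, and the two `rm -v` lines leave the host with no `/etc/ssl/certs/ca-certificates.crt` until `update-ca-certificates` completes (and only keep going because errors are ignored); `update-ca-certificates --fresh` rebuilds the bundle and its symlinks from scratch and replaces both removals. Whether the file starts with a shebang is not visible in this view; it is installed with mode 0755, so it needs one. The rewritten lines follow.
```shell
set -e
DIR=/root/ca
# … unchanged: cacert.pem copy for apache …
cp -v $DIR/key.pem /etc/ssl/private/synnefo.key
chmod 0600 /etc/ssl/private/synnefo.key
# … unchanged: cert.pem copy, apache restart, cacert.pem copy for kamaki …
update-ca-certificates --fresh
# … unchanged: vncauthproxy cert.pem copy …
cp -v $DIR/key.pem /var/lib/vncauthproxy/key.pem
chmod 0600 /var/lib/vncauthproxy/key.pem
# … unchanged: vncauthproxy and gunicorn restarts …
```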
......@@ -584,6 +584,7 @@ class CA(base.Component):
}
return [
("/root/create_root_ca.sh", r1, {"mode": 0755}),
("/root/update_root_ca.sh", {}, {"mode": 0755}),
("/root/ca/ca-x509-extensions.cnf", r1, {}),
("/root/ca/x509-extensions.cnf", r1, {}),
]
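Review bot: The new entry installs `update_root_ca.sh` with an empty template context while `create_root_ca.sh` on the line above is rendered with `r1`; the update script hard-codes `DIR=/root/ca`, so if the CA directory used by `create_root_ca.sh` is (or later becomes) derived from `r1`, the two scripts silently diverge and the update copies stale or missing files into the service locations. Passing the same context here, `("/root/update_root_ca.sh", r1, {"mode": 0755}),` and templating the directory in the script would keep them in step; this is hedged, since the template variables in `r1` are not visible in this hunk. The enclosing method of `CA` starts above this hunk.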