particle-os/debian-koji-osbuild
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-koji-osbuild/test/data/openssl.conf
Christian Kellner 6f439dc34f ci: rework ssl cert generation (SAN usage) 
Rework the generation of certificates, in order to make use of
the SubjectAltName (SAN) extension, that is required for modern
usage of TLS (see RFC 2818, or [1]) and now enforced by default
for go version 1.15[2] (Fedora 33). For this a different config
file is used, originally written by Lars, and assign SANs to
the server and client certificates. Additionally, the correct
extensions are used for each of those, so that their usage is
limited to the server or client use case. The client certificate
is renamed from "worker" to "client".
The lifetime of the certificates is increased, as a side effect of
the new config file.

[1] https://github.com/urllib3/urllib3/issues/497
[2] https://golang.org/doc/go1.15#commonname

Co-authored-by: Lars Karlitski <lars@karlitski.net>
2020-11-12 13:13:55 +01:00

70 lines
1.5 KiB
Text
Raw Blame History

#
# ca options
#
[ca]
default_ca = osbuild_ca
[osbuild_ca]
database = /etc/osbuild-composer/index.txt
new_certs_dir = /etc/osbuild-composer
rand_serial = yes
certificate = /etc/osbuild-composer/ca-crt.pem
private_key = /etc/osbuild-composer/ca-key.pem
default_days = 3650
default_md = sha256
x509_extensions = osbuild_ca_ext
# See WARNINGS in `man openssl ca`. This is ok, because it only copies
# extensions that are not already specified in `osbuild_ca_ext`.
copy_extensions = copy
preserve = no
policy = osbuild_ca_policy
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = localhost
[osbuild_ca_ext]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[osbuild_ca_policy]
emailAddress = optional
#
# Extensions for server certificates
#
[osbuild_server_ext]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
#
# Extensions for client certificates
#
[osbuild_client_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
Reference in a new issue View git blame Copy permalink