some improvements to support Cisco.

FossilOrigin-Name: 9f0d9e58d55f90bd2020ef622b2501bccbb6038972c04550cb06248139b080c5
2015-03-12 22:21:57 +00:00
parent 955ab26a81
commit 9f048da56f
21 changed files with 172 additions and 48 deletions
--- a/ssl/mkcert.sh
+++ b/ssl/mkcert.sh
@ -34,7 +34,7 @@ createcert()
 		PREF="$TYPE-"
 	fi
 	$OPENSSL genrsa -out $DIR/$NAME.key $KEYSIZE
-	$OPENSSL req -sha1 -new -key $DIR/$NAME.key -out $DIR/$NAME.req   \
+	$OPENSSL req -sha256 -new -key $DIR/$NAME.key -out $DIR/$NAME.req   \
       		 -subj "$SUBJ"


@ -74,16 +74,22 @@ fi
 if [ "$TYPE" = "cisco-ap" ]
 then
 	PREF="$2-"
-#	SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-f866f2a342fc/emailAddress=support@cisco.com"
-#	SUBJ="/C=US/ST=California/L=San Jose/O=airespace Inc/CN=C1130-f866f2a342fc/emailAddress=support@airespace.com"
-
-#	SUBJ="/ST=California/L=San Jose/C=US/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com"
-	#SUBJ="/ST=California/L=San Jose/C=US/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com"
-#	SUBJ="/C=US/ST=California/L=San Jose/O=airespace Inc/CN=C1130-f866f2a342fc/emailAddress=support@airespace.com"
-#	SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1200-c80aa9cd7fa4/emailAddress=support@cisco.com"
-#	SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com"
 	SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-0019dbe09327/emailAddress=support@cisco.com"
-	createcert "$SUBJ"
+
+       openssl req -nodes -new -x509 \
+                -sha1 \
+                -extensions v3_ca \
+                -days 3650 \
+                -newkey rsa:2048 \
+                -keyout certs/${NAME}.key -out certs/${NAME}.crt \
+                -config openssl.cnf \
+                -x509 \
+                -subj "$SUBJ"
+
+	$OPENSSL x509 -in $DIR/$NAME.crt -out $DIR/$NAME.pem
+
+
+#	createcert "$SUBJ"


 fi
--- a/ssl/openssl-crt.cnf
+++ b/ssl/openssl-crt.cnf
@ -72,7 +72,7 @@ cert_opt 	= ca_default		# Certificate field options

 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
-default_md	= sha1 #md5			# use public key default MD
+default_md	= sha256 #md5			# use public key default MD
 preserve	= no			# keep passed DN ordering

 # A few difference way of specifying how similar the request should look
@ -237,6 +237,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 subjectKeyIdentifier= hash
 authorityKeyIdentifier=keyid:always,issuer:always
+authorityInfoAccess=caIssuers;URI:http://my.ca/ca.html

 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
--- a/ssl/openssl-int.cnf
+++ b/ssl/openssl-int.cnf
@ -237,6 +237,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 subjectKeyIdentifier= hash
 authorityKeyIdentifier=keyid:always,issuer:always
+authorityInfoAccess=caIssuers;URI:http://my.ca/ca.html

 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.