write CN as DNS in x509 SAN

Andy 2018-10-12 07:12:40 +02:00
parent 8c977cd3ed
commit 5fb4785429
Signed by: arno
GPG Key ID: 9076D5E6B31AE99C
2 changed files with 13 additions and 9 deletions


@ -1,7 +1,7 @@
# gencert # gencert
This script generates x509 server certificate (with all IPs in SAN) signed by a This script generates x509 server certificate (with DNS and IP in SAN) signed
self-signed CA. by a self-signed CA.
## Purpose ## Purpose
@ -17,8 +17,8 @@ to enable SSE-C (Server Side Encryption with Customer provided keys).
## How does this script work ## How does this script work
This script will always produce a self-signed x509 certificate with the IP This script will always produce a self-signed x509 certificate with the DNS and
addresses embedded to x509's SAN. IP addresses embedded to x509's SAN.
It will also produce a CA certificate and can be used by other services It will also produce a CA certificate and can be used by other services
which may need to authenticate against this self-signed certificate. which may need to authenticate against this self-signed certificate.
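Review bot: style point on the README text touched in this hunk: "embedded to x509's SAN" reads awkwardly on both sides; since the line is being rewritten anyway, "embedded in the x509 SAN" would be the natural phrasing.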
@ -29,6 +29,7 @@ used by the client in order to validate the server's certificate.
- generate CA certificate if does not find any - generate CA certificate if does not find any
- always generate server certificate on startup to ensure all IP addresses - always generate server certificate on startup to ensure all IP addresses
are in x509 SAN are in x509 SAN
- write CN to x509 SAN which is a must
- warn if the CA certificate is about to expire (<30 days till expiration) - warn if the CA certificate is about to expire (<30 days till expiration)
- regenerate the CA certificate if it finds it has expired - regenerate the CA certificate if it finds it has expired
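Review bot: the new bullet "write CN to x509 SAN which is a must" should say why it is a must: hostname verification per RFC 6125, and browsers such as Chrome since version 58, match the requested host only against subjectAltName and ignore the subject CN, so a server certificate whose name appears only in CN fails verification. The bullet should also state the assumption the code makes, namely that CN is a DNS hostname, because the script copies CN into a DNS entry; a CN that is an IP address belongs in an IP entry instead.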


@ -2,7 +2,7 @@
# Filename: gencert.sh # Filename: gencert.sh
# Description: This script generates x509 server certificate (with all IPs in # Description: This script generates x509 server certificate (with all IPs in
# SAN) signed by a self-signed CA. # SAN) signed by a self-signed CA.
# Version: 1.3 - 2018 July 15 # Version: 1.5 - 2018 October 12
# Author: Andrey Arapov <andrey.arapov@nixaid.com> # Author: Andrey Arapov <andrey.arapov@nixaid.com>
# License: GPLv3 # License: GPLv3
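Review bot: the Description header is now out of date: it still reads "(with all IPs in SAN)" while the README in this same commit was changed to "(with DNS and IP in SAN)". Since the version line is being bumped here anyway, update the description to match the new behaviour.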
@ -239,13 +239,16 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
[ v3_req_server ] [ v3_req_server ]
basicConstraints = CA:FALSE basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth" extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1=${CN}"
if [ ! -z "$SAN_IP" ]; then if [ ! -z "$SAN_IP" ]; then
echo "[${ME}] Using user-provided SAN records: " ${SAN_IP} echo "[${ME}] Using user-provided SAN records: " ${SAN_IP}
i=1 i=1
IFS=, IFS=,
PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)" PAYLOAD="$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
unset IFS unset IFS
elif [ -z "$NOSAN" ]; then elif [ -z "$NOSAN" ]; then
# Gather IPs for SAN # Gather IPs for SAN
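Review bot: `DNS.1=${CN}` is emitted unconditionally with no check on CN. If CN is empty, openssl is handed an empty dNSName value; if CN is an IP address, the certificate gets a DNS entry that no client will match, because an IP literal is only matched against iPAddress entries. Suggest failing early when CN is empty and writing an `IP.n` entry instead of `DNS.1` when CN parses as an IP address. Two further effects of moving `subjectAltName = @alt_names` and `[ alt_names ]` out of PAYLOAD and into OPENSSL_CONFIG_CONTENT deserve a comment: a SAN extension is now written on every path, including when NOSAN is set (before, that path produced no SAN at all, so NOSAN now only suppresses the IP entries), and the `IP.n` lines in PAYLOAD only land in the `[ alt_names ]` section because PAYLOAD is printed immediately after the config content; a short comment noting that coupling would protect the next person who edits this block.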
@ -254,7 +257,7 @@ extendedKeyUsage = serverAuth"
IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)" IPS="$( (getent ahostsv4 $(hostname) 2>/dev/null || getent hosts $(hostname) 2>/dev/null) | awk '{print $1}' |sort | uniq)"
echo "[${ME}] Found these IPs: " ${IPS} echo "[${ME}] Found these IPs: " ${IPS}
PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)" PAYLOAD="$(for IP in $IPS; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
fi fi
printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}" printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n" > "${OPENSSL_CONFIG}"
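Review bot: `printf "${OPENSSL_CONFIG_CONTENT}\n${PAYLOAD}\n"` passes the expanded config as the printf format string, and with this commit the user-controlled CN is now part of that string; a CN or SAN_IP value containing `%` would be interpreted as a conversion specifier and corrupt or abort the config write. Prefer `printf '%s\n%s\n' "${OPENSSL_CONFIG_CONTENT}" "${PAYLOAD}"` (or `%b` for the first argument if OPENSSL_CONFIG_CONTENT relies on printf expanding `\n` escapes). Separately, the only DNS entry is CN, while the IP entries are gathered for `$(hostname)`: if CN differs from the host's own name, clients that connect by hostname still will not get a match, so consider also emitting the resolved hostname as `DNS.2`.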
@ -324,7 +327,7 @@ start() {
echo "[${ME}] The certificates have been generated in ${PWD} directory." echo "[${ME}] The certificates have been generated in ${PWD} directory."
CERT_INFO="$(openssl x509 -in "${SERVER_CERT}" -noout -text)" CERT_INFO="$(openssl x509 -in "${SERVER_CERT}" -noout -text)"
echo "${CERT_INFO}" | grep -E "CN=|IP Address|Not\ " echo "${CERT_INFO}" | grep -E "CN=|DNS:|IP Address|Not\ "
} }
# script starts here # script starts here
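Review bot: minor style point on the updated grep: inside a double-quoted `-E` pattern the backslash in `Not\ ` is unnecessary, `"CN=|DNS:|IP Address|Not "` matches the same lines. Since this output is the operator's only confirmation that the new DNS entry was actually written, it may be worth printing the full "X509v3 Subject Alternative Name" block rather than relying on the `DNS:` substring alone.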