mirror of
git://git.psyced.org/git/psyced
synced 2024-08-15 03:25:10 +00:00
thanks to prosody.im for the certificate generator
This commit is contained in:
parent
c650302885
commit
47fe829aee
3 changed files with 86 additions and 0 deletions
|
@ -955,6 +955,7 @@ _path_configuration = $CONFIG_DIR
|
|||
; (absolute or relative to _path_configuration)
|
||||
_path_PEM_key = key.pem
|
||||
_path_PEM_certificate = cert.pem
|
||||
; You can run 'make' in the 'utility/gencert' folder to create a pair
|
||||
|
||||
; Path to the TLS trust directory where certs are kept.
|
||||
; If unset this will default to your system installation's defaults.
|
||||
|
|
32
utility/gencert/Makefile
Normal file
32
utility/gencert/Makefile
Normal file
|
@ -0,0 +1,32 @@
|
|||
# taken from prosody.im, originally written by zash. MIT license
|
||||
#
|
||||
.DEFAULT: localhost.cert
|
||||
keysize=2048
|
||||
|
||||
# How to:
|
||||
# First, `make yourhost.cnf` which creates a openssl config file.
|
||||
# Then edit this file and fill in the details you want it to have,
|
||||
# and add or change hosts and components it should cover.
|
||||
# Then `make yourhost.key` to create your private key, you can
|
||||
# include keysize=number to change the size of the key.
|
||||
# Then you can either `make yourhost.csr` to generate a certificate
|
||||
# signing request that you can submit to a CA, or `make yourhost.cert`
|
||||
# to generate a self signed certificate.
|
||||
|
||||
.PRECIOUS: %.cnf %.key
|
||||
|
||||
# To request a cert
|
||||
%.csr: %.cnf %.key
|
||||
openssl req -new -key $(lastword $^) -out $@ -utf8 -config $(firstword $^)
|
||||
|
||||
# Self signed
|
||||
%.cert: %.cnf %.key
|
||||
openssl req -new -x509 -nodes -key $(lastword $^) -days 365 \
|
||||
-sha1 -out $@ -utf8 -config $(firstword $^)
|
||||
|
||||
%.cnf:
|
||||
sed 's,example\.com,$*,g' openssl.cnf > $@
|
||||
|
||||
%.key:
|
||||
openssl genrsa $(keysize) > $@
|
||||
@chmod 400 -c $@
|
53
utility/gencert/openssl.cnf
Normal file
53
utility/gencert/openssl.cnf
Normal file
|
@ -0,0 +1,53 @@
|
|||
# based on the prosody certs/openssl.cnf by zash - MIT license
|
||||
#
|
||||
# note: if you have an internationalized domain name, be very careful
|
||||
# about encoding it properly.
|
||||
oid_section = new_oids
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
# RFC 3920 section 5.1.1 defines this OID
|
||||
xmppAddr = 1.3.6.1.5.5.7.8.5
|
||||
|
||||
# RFC 4985 defines this OID
|
||||
SRVName = 1.3.6.1.5.5.7.8.7
|
||||
|
||||
[ req ]
|
||||
|
||||
default_bits = 4096
|
||||
default_keyfile = example.com.key
|
||||
distinguished_name = distinguished_name
|
||||
req_extensions = v3_extensions
|
||||
x509_extensions = v3_extensions
|
||||
string_mask = utf8only
|
||||
|
||||
# ask about the DN?
|
||||
prompt = no
|
||||
|
||||
[ distinguished_name ]
|
||||
|
||||
commonName = example.com
|
||||
countryName = GB
|
||||
localityName = The Internet
|
||||
organizationName = Your Organisation
|
||||
organizationalUnitName = IT Department
|
||||
emailAddress = psycmaster@example.com
|
||||
|
||||
[ v3_extensions ]
|
||||
|
||||
# for certificate requests (req_extensions)
|
||||
# and self-signed certificates (x509_extensions)
|
||||
# note: setting keyUsage does not work for self-signed certs
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = digitalSignature,keyEncipherment
|
||||
extendedKeyUsage = serverAuth,clientAuth
|
||||
subjectAltName = @subject_alternative_name
|
||||
|
||||
[ subject_alternative_name ]
|
||||
|
||||
# See http://tools.ietf.org/html/rfc6120#section-13.7.1.2 for more info
|
||||
|
||||
DNS.0 = example.com
|
||||
otherName.0 = SRVName;IA5STRING:_xmpp-client.example.com
|
||||
otherName.1 = SRVName;IA5STRING:_xmpp-server.example.com
|
||||
otherName.2 = SRVName;IA5STRING:_psyc.example.com
|
Loading…
Reference in a new issue