thanks to prosody.im for the certificate generator

This commit is contained in:
psyc://psyced.org/~lynX 2011-08-03 18:30:44 +02:00
parent c650302885
commit 47fe829aee
3 changed files with 86 additions and 0 deletions

View File

@ -955,6 +955,7 @@ _path_configuration = $CONFIG_DIR
; (absolute or relative to _path_configuration) ; (absolute or relative to _path_configuration)
_path_PEM_key = key.pem _path_PEM_key = key.pem
_path_PEM_certificate = cert.pem _path_PEM_certificate = cert.pem
; You can run 'make' in the 'utility/gencert' folder to create a pair
; Path to the TLS trust directory where certs are kept. ; Path to the TLS trust directory where certs are kept.
; If unset this will default to your system installation's defaults. ; If unset this will default to your system installation's defaults.

32
utility/gencert/Makefile Normal file
View File

@ -0,0 +1,32 @@
# taken from prosody.im, originally written by zash. MIT license
#
.DEFAULT: localhost.cert
keysize=2048
# How to:
# First, `make yourhost.cnf` which creates a openssl config file.
# Then edit this file and fill in the details you want it to have,
# and add or change hosts and components it should cover.
# Then `make yourhost.key` to create your private key, you can
# include keysize=number to change the size of the key.
# Then you can either `make yourhost.csr` to generate a certificate
# signing request that you can submit to a CA, or `make yourhost.cert`
# to generate a self signed certificate.
.PRECIOUS: %.cnf %.key
# To request a cert
%.csr: %.cnf %.key
openssl req -new -key $(lastword $^) -out $@ -utf8 -config $(firstword $^)
# Self signed
%.cert: %.cnf %.key
openssl req -new -x509 -nodes -key $(lastword $^) -days 365 \
-sha1 -out $@ -utf8 -config $(firstword $^)
%.cnf:
sed 's,example\.com,$*,g' openssl.cnf > $@
%.key:
openssl genrsa $(keysize) > $@
@chmod 400 -c $@

View File

@ -0,0 +1,53 @@
# based on the prosody certs/openssl.cnf by zash - MIT license
#
# note: if you have an internationalized domain name, be very careful
# about encoding it properly.
oid_section = new_oids
[ new_oids ]
# RFC 3920 section 5.1.1 defines this OID
xmppAddr = 1.3.6.1.5.5.7.8.5
# RFC 4985 defines this OID
SRVName = 1.3.6.1.5.5.7.8.7
[ req ]
default_bits = 4096
default_keyfile = example.com.key
distinguished_name = distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions
string_mask = utf8only
# ask about the DN?
prompt = no
[ distinguished_name ]
commonName = example.com
countryName = GB
localityName = The Internet
organizationName = Your Organisation
organizationalUnitName = IT Department
emailAddress = psycmaster@example.com
[ v3_extensions ]
# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)
# note: setting keyUsage does not work for self-signed certs
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @subject_alternative_name
[ subject_alternative_name ]
# See http://tools.ietf.org/html/rfc6120#section-13.7.1.2 for more info
DNS.0 = example.com
otherName.0 = SRVName;IA5STRING:_xmpp-client.example.com
otherName.1 = SRVName;IA5STRING:_xmpp-server.example.com
otherName.2 = SRVName;IA5STRING:_psyc.example.com