
commit 33fc2b56234069f1a8b27ee706b98289def4e2a5

Author: Paolo Lulli <paolo@lulli.net>

Add X509v3 extensions to the CA

 iron/libexec/iron/iron-ca | 66 +++++++++++++++++++++++++++++++++++++---


diff --git a/iron/libexec/iron/iron-ca b/iron/libexec/iron/iron-ca
index 7d2c1176e88fa692dd5432aecf4991a662514530..f1b5271c9d5098a986e51b989345f300fe30b058 100755
--- a/iron/libexec/iron/iron-ca
+++ b/iron/libexec/iron/iron-ca
@@ -3,6 +3,7 @@ # Usage: iron ca 
 # Summary: manage CA
 # Help: This command groups commands used to setup config create delete a CA
 
+KEYSIZE=4096
 
 APPNAME="iron"
 CURRDIR=$(pwd)
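Review bot: `KEYSIZE=4096` is added without a comment, although it now drives both the `genrsa` call and the `default_bits` written into the generated openssl config, and nothing says whether it is meant to be overridden from the environment. A one-line comment above it would settle that, e.g. `# RSA modulus size in bits for the CA key; also written as default_bits into the generated openssl-ca.conf`.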
@@ -15,9 +16,9 @@ function ca_create()
 {
   test -d $CAPATH   || mkdir -p ./$CAPATH
   CA_DAYS=3650
-  openssl genrsa -out   $CAPATH/ca.key 2048
-  openssl req    -batch -new -key $CAPATH/ca.key      -out $CAPATH/ca.csr -config $CA_CONFIG_FILE
-  openssl x509   -req   -days ${CA_DAYS} -in $CAPATH/ca.csr  -signkey $CAPATH/ca.key -out $CAPATH/ca.crt
+  openssl genrsa -out   $CAPATH/ca.key ${KEYSIZE}
+  openssl req    -batch -new -key $CAPATH/ca.key -out $CAPATH/ca.csr -config $CA_CONFIG_FILE
+  openssl x509   -req   -days ${CA_DAYS} -in $CAPATH/ca.csr -signkey $CAPATH/ca.key -out $CAPATH/ca.crt -extensions v3_ca -extfile $RCDIR/CA/conf/openssl-ca-extensions.conf
 }
 
 function ca_home_setup_delete()
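Review bot: The new `openssl x509` line depends on `$RCDIR/CA/conf/openssl-ca-extensions.conf`, which is only written by the setup heredoc added later in this commit, so an rc directory initialised before this change has no such file and the self-signed CA certificate is never produced; a guard before the openssl calls makes that explicit, `test -f "$RCDIR/CA/conf/openssl-ca-extensions.conf" || { echo "missing CA extensions config, re-run setup" >&2; return 1; }`. The three openssl commands also run unconditionally, so a failed `genrsa` still runs `req` and `x509` against a missing or stale key; chaining them with `&&` stops at the first failure. `$CAPATH` and `$RCDIR` stay unquoted on the rewritten lines. The `function ca_create()` header is just outside the hunk.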
@@ -39,22 +40,35 @@   test -d $RCDIR/CA || mkdir -p $RCDIR/CA
   test -d $RCDIR/CA/conf || mkdir -p $RCDIR/CA/conf
   echo "CAPATH=$RCDIR/CA">${RCFILE}
   echo "CA_CONFIG_FILE=$RCDIR/CA/conf/openssl-ca.conf">>${RCFILE}
+	cat<<__EOF__ >$RCDIR/CA/conf/openssl-ca-extensions.conf
+[ v3_ca ]
+# Extensions for a typical CA
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+__EOF__
+  
+  
 	cat<<__EOF__ >$RCDIR/CA/conf/openssl-ca.conf
-RANDFILE               = $ENV::HOME/.rnd
+#RANDFILE               = $ENV::HOME/.rnd
 
 [ req ]
-default_bits           = 2048
+default_bits           = ${KEYSIZE}
 default_keyfile        = keyfile.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 #output_password        = abadpass
 default_days		=3650
+#x509_extensions     = v3_ca
+
 
 [ req_distinguished_name ]
 C                      = SE
 ST                     = Sweden
-L                      = Göteborg
+L                      = Gotenburg
 O                      = kevwe.se
 OU                     = kevwe.se
 CN                     = kevwe.se
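Review bot: The newly added `#x509_extensions     = v3_ca` in `[ req ]` points at a section that this commit puts only in the separate `openssl-ca-extensions.conf`, so anyone who later uncomments it in `openssl-ca.conf` gets an openssl error about a missing section; either keep `[ v3_ca ]` in one place or note where it lives, e.g. `# v3_ca is defined in openssl-ca-extensions.conf and passed via -extfile`. The new `cat<<__EOF__` line is indented with a tab while the surrounding body uses two spaces, and the two lines after the first `__EOF__` are whitespace-only; both should go. The heredocs are unquoted, which is what lets `${KEYSIZE}` expand, so any future `$`-prefixed openssl directive (such as the commented `$ENV::HOME`) will also be expanded by the shell; a comment above the heredoc stating that would save the next edit. The enclosing setup function starts outside the hunk.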
@@ -62,6 +76,46 @@ emailAddress           = cto@kevwe.se
 
 [ req_attributes ]
 challengePassword      = blablabla
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+
 __EOF__
 }
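Review bot: `[ server_cert ]` carries no `subjectAltName`, and current TLS clients ignore the CN, so a server certificate issued with this section will be rejected by browsers regardless of its `serverAuth` EKU; the SAN has to come from the request or a per-issuance config, and at minimum a comment here should say so, e.g. `# subjectAltName is required for server certs; supply it per request, CN alone is not honoured by modern clients`. The `authorityKeyIdentifier` forms differ between `[ usr_cert ]` (`keyid,issuer`) and `[ server_cert ]` (`keyid,issuer:always`) with no stated reason, and `nsCertType`/`nsComment` are legacy Netscape extensions that add nothing for today's verifiers. Nothing in this diff selects these new sections, so presumably a signing command elsewhere in the script does; that is not visible here. The enclosing setup function closes at the final `}` but starts outside the hunk.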