nsqd: update test cert generation config/scripts

judwhite · Sep 16, 2017 · b53f2f9 · b53f2f9
1 parent 9be582e
commit b53f2f9
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 19 deletions.
diff --git a/nsqd/test/cert.sh b/nsqd/test/cert.sh
@@ -1,39 +1,45 @@
 #!/bin/bash
-# call this script with an email address (valid or not).
-# like:
-# ./cert.sh foo@foo.com
+# ./cert.sh foo@foo.com 127.0.0.1
 # Found: https://gist.github.com/ncw/9253562#file-makecert-sh
 
 if [ "$1" == "" ]; then
     echo "Need email as argument"
     exit 1
 fi
 
+if [ "$2" == "" ]; then
+    echo "Need CN as argument"
+    exit 1
+fi
+
+PRIVKEY="test"
 EMAIL=$1
+CN=$2
 
-rm -rf tmp 
+rm -rf tmp
 mkdir tmp
 cd tmp
 
 echo "make CA"
-PRIVKEY="test"
-openssl req -new -x509 -days 365 -keyout ca.key -out ca.pem -subj "/C=DE/ST=NRW/L=Earth/O=Random Company/OU=IT/CN=www.random.com/emailAddress=KryptoKings@random.com" -passout pass:$PRIVKEY
+openssl req -new -x509 -days 3650 -keyout ca.key -out ca.pem \
+    -config ../openssl.conf -extensions ca \
+    -subj "/CN=ca" \
+    -passout pass:$PRIVKEY
 
 echo "make server cert"
-openssl req -new -nodes -x509 -out server.pem -keyout server.key -days 3650 -subj "/C=DE/ST=NRW/L=Earth/O=Random Company/OU=IT/CN=www.random.com/emailAddress=${EMAIL}"
+openssl genrsa -out server.key 2048
+openssl req -new -sha256 -key server.key -out server.req \
+    -subj "/emailAddress=${EMAIL}/C=DE/ST=NRW/L=Earth/O=Random Company/OU=IT/CN=${CN}"
+openssl x509 -req -days 3650 -sha256 -in server.req -CA ca.pem -CAkey ca.key -CAcreateserial -passin pass:$PRIVKEY -out server.pem \
+    -extfile ../openssl.conf -extensions server
+
 
 echo "make client cert"
-#openssl req -new -nodes -x509 -out client.pem -keyout client.key
-#-days 3650 -subj "/C=DE/ST=NRW/L=Earth/O=Random
-#Company/OU=IT/CN=www.random.com/emailAddress=${EMAIL}"
-
 openssl genrsa -out client.key 2048
-echo "00" > ca.srl
-openssl req -sha1 -key client.key -new -out client.req -subj "/C=DE/ST=NRW/L=Earth/O=Random Company/OU=IT/CN=client.com/emailAddress=${EMAIL}"
-# Adding -addtrust clientAuth makes certificates Go can't read
-openssl x509 -req -days 365 -in client.req -CA ca.pem -CAkey ca.key -passin pass:$PRIVKEY -out client.pem # -addtrust clientAuth
-
-openssl x509 -extfile ../openssl.conf -extensions ssl_client -req -days 365 -in client.req -CA ca.pem -CAkey ca.key -passin pass:$PRIVKEY -out client.pem
+openssl req -new -sha256 -key client.key -out client.req \
+    -subj "/emailAddress=${EMAIL}/C=DE/ST=NRW/L=Earth/O=Random Company/OU=IT/CN=${CN}"
+openssl x509 -req -days 3650 -sha256 -in client.req -CA ca.pem -CAkey ca.key -CAserial ca.srl -passin pass:$PRIVKEY -out client.pem \
+    -extfile ../openssl.conf -extensions client
 
 cd ..
 mv tmp/* certs

diff --git a/nsqd/test/openssl.conf b/nsqd/test/openssl.conf
@@ -1,2 +1,24 @@
-[ ssl_client ]
-extendedKeyUsage = clientAuth
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[ca]
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical, cRLSign, keyCertSign
+
+[client]
+basicConstraints = critical, CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+
+[server]
+basicConstraints = critical, CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = IP:127.0.0.1