
Commit 6438c01

committed
Sync nsd-control-setup with unbound-control-setup
Make nsd-control-setup add x509v3 SAN extensions to generated certificates by essentially syncing this script with unbound's unbound-control-setup, which already includes these extensions in generated certificates. Signed-off-by: Sascha Biberhofer <[email protected]>
1 parent c5e6a8e commit 6438c01


1 file changed

+15
-7
lines changed


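--- a/nsd-control-setup.sh.in
+++ b/nsd-control-setup.sh.in
@@ -43,7 +43,7 @@ SERVERNAME=nsd
 CLIENTNAME=nsd-control
 
 # validity period for certificates
-DAYS=3650
+DAYS=7200
 
 # size of keys in bits
 BITS=3072
@@ -86,9 +86,7 @@ fatal() {
 usage() {
 cat <<EOF
 usage: $0 OPTIONS
-
 OPTIONS
-
 -d <dir> used directory to store keys and certificates (default: $DESTDIR)
 -h show help notice
 -r recreate certificates
@@ -99,7 +97,7 @@ OPTIND=1
 while getopts 'd:hr' arg; do
 case "$arg" in
 d) DESTDIR="$OPTARG" ;;
-h) usage; exit 0 ;;
+h) usage; exit 1 ;;
 r) RECREATE=1 ;;
 ?) fatal "'$arg' unknown option" ;;
 esac
@@ -122,13 +120,19 @@ if [ ! -f "$SVR_BASE.key" ]; then
 fi
 
 cat >server.cnf <<EOF
+[req]
 default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
-
+x509_extensions=v3_ca
 [req_distinguished_name]
 commonName=$SERVERNAME
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=critical,CA:TRUE,pathlen:0
+subjectAltName=DNS:$SERVERNAME
 EOF
 
 [ -f server.cnf ] || fatal "cannot create openssl configuration"
@@ -159,9 +163,12 @@ default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
-
+req_extensions=v3_req
 [req_distinguished_name]
 commonName=$CLIENTNAME
+[v3_req]
+basicConstraints=critical,CA:FALSE
+subjectAltName=DNS:$CLIENTNAME
 EOF
 
 [ -f client.cnf ] || fatal "cannot create openssl configuration"
@@ -183,6 +190,8 @@ if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
 -CAkey "$SVR_BASE.key" \
 -CAcreateserial \
 -$HASH \
+-extfile client.cnf \
+-extensions v3_req \
 -out "$CTL_BASE.pem"
 
 [ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
@@ -199,7 +208,6 @@ cleanup
 
 echo "Setup success. Certificates created. Enable in nsd.conf file to use"
 
-
 # create trusted usage pem
 # openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
 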
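Review bot: The new `-extfile client.cnf \` / `-extensions v3_req \` arguments give the client signing step a fresh way to fail (an unreadable client.cnf or a missing v3_req section makes `openssl x509` exit non-zero), yet the check that follows it in the same hunk, `[ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"`, is unchanged by this commit and can never fire: the `$` is missing so it tests a literal file name, and the sense is inverted so fatal would only run if that literal file existed. Unless the script runs under `set -e` (not visible in this hunk) a failed signing is therefore reported as "Setup success" with no usable client certificate. Change it to `[ -f "$CTL_BASE.pem" ] || fatal "cannot create signed client certificate"`, or check the openssl exit status directly with `|| fatal`. The enclosing `if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]` block starts outside the hunk. Separately, `h) usage; exit 1 ;;` now makes an explicit help request report failure; if that is deliberate parity with unbound-control-setup, a one-line comment saying so would keep it from being "fixed" back to `exit 0`.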
