author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2011-01-02 17:11:39 -0500 |
---|---|---|
committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2011-01-02 17:18:24 -0500 |
commit | e50da193be297bc7a49c3be88a26586fa69bde51 (patch) | |
tree | ef51c657ab1555166f78ce9c78191760e6a658c0 /examples/make-https-certreqs | |
parent | 98e5ebd65696db59063e45ee16da0f0923eda64a (diff) |
genericized x509 certificate generation -- now works for any service, not just https (invoke it like "make-x509-certreqs imap" for imap:// keys, etc)
Diffstat (limited to 'examples/make-https-certreqs')
-rw-r--r-- | examples/make-https-certreqs | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/examples/make-https-certreqs b/examples/make-https-certreqs
deleted file mode 100644
index 0512032..0000000
--- a/examples/make-https-certreqs
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/bash
-
-# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Date: 2010-12-20 20:54:55-0500
-
-# On a system with keys for https already imported into
-# monkeysphere-host, this script generates X.509 certificate requests
-# for each key, with appropriate subjectAltNames and the PGPExtension
-# embedded.
-
-# The generated requests get dumped to stdout. redirect to a file or
-# copy/paste if you want to save them/send them someplace.
-
-# This script uses bashisms
-
-# It currently needs OpenSSL binaries to work properly
-
-# It assumes that the monkeysphere-host keyring is in
-# /var/lib/monkeysphere/host (which it is on debian)
-
-# This should probably eventually be incorporated into
-# monkeysphere-host directly.
-
-get_openssl_config() {
- # first param is seconds since the epoch:
- X509_PGP_EXTENSION="$(TZ=UTC date -d "@$1" '+%Y%m%d%H%M%SZ')"
- # next parameter is SAN names, separated by newlines:
- SUBJECTALTNAME=$(printf "%s" "$2" | sed 's/^/DNS:/' | tr '\n' ',' | \
- sed -e 's/,*$//' -e 's/^,*//')
-
- printf "sAN: %s\n" "$SUBJECTALTNAME" >&2
-
- cat <<EOF
-default_md = sha256
-oid_section = new_oids
-
-[ new_oids ]
-PGPExtension = 1.3.6.1.4.1.3401.8.1.1
-
-[ req ]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-commonName = Common Name (e.g. www.example.org)
-commonName_max = 64
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName = $SUBJECTALTNAME
-PGPExtension = ASN1:SEQUENCE:pgp_sect
-
-[ pgp_sect ]
-# see http://www.alvestrand.no/objectid/submissions/1.3.6.1.4.1.3401.8.1.1.html
-# this is equivalent to:
-# Version ::= INTEGER { v1(0) }
-version = INTEGER:0
-
-# this is the OpenPGP creation timestamp
-keyCreation = GENERALIZEDTIME:$X509_PGP_EXTENSION
-EOF
-}
-
-gencertreq() {
- keyid="$1"
-
- timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:)
-
- san=''
- primary=''
-# find all the https User IDs:
- uids=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \
- grep '^uid:' | cut -f10 -d: | \
- grep '^https\\x3a//' | \
- sed -r -e 's!^https\\x3a//!!' -e 's!:[0-9]+$!!')
- primary=$(printf "%s" "$uids" | head -n1)
-
- printf "Certificate Request for TLS WWW server %s\n[OpenPGP key %s]\n" "$primary" "$keyid"
- openssl req -text -new \
- -config <(get_openssl_config "$timestamp" "$uids") \
- -key <(gpg --export-secret-key "$keyid" | openpgp2ssh "$keyid") \
- -subj "/CN=${primary}/"
-}
-
-
-export GNUPGHOME=/var/lib/monkeysphere/host
-
-for fpr in $(gpg --fixed-list-mode --with-colons --fingerprint --list-secret-keys https:// | grep '^fpr:' | cut -f10 -d:); do
- gencertreq "$fpr"
-done