Add some goo for creating secondary apache certificates for use on users.

This is a local hack for now.

Add some goo for creating secondary apache certificates for use on users.
This is a local hack for now.
8c3a7e33 · Leigh B. Stoller · b3c23e5d · 8c3a7e33 · 8c3a7e33
Commit 8c3a7e33 authored Mar 08, 2005 by Leigh B. Stoller
Hide whitespace changes
Inline Side-by-side

Showing with 59 additions and 0 deletions

ssl/GNUmakefile.in ssl/GNUmakefile.in +32 -0

ssl/apache2.cnf.in ssl/apache2.cnf.in +27 -0

No files found.
--- a/ssl/GNUmakefile.in
+++ b/ssl/GNUmakefile.in
@@ -63,6 +63,38 @@ server.pem:	dirsmade server.cnf ca.cnf
 	cat server_key.pem server_cert.pem > server.pem
 	rm -f newreq.pem

+#
+# This is for the main web server on boss.
+# 
+apache2.pem:	dirsmade apache2.cnf ca.cnf
+	#
+	# Create the server side private key and certificate request.
+	#
+	openssl req -new -config apache2.cnf \
+		-keyout apache2_key.pem -out apache2_req.pem
+	#
+	# Combine key and cert request.
+	#
+	cat apache2_key.pem apache2_req.pem > newreq.pem
+	#
+	# Sign the apache cert request, creating a apache certificate.
+	#
+	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
+		-out apache2_cert.pem \
+		-cert cacert.pem -keyfile cakey.pem \
+		-infiles newreq.pem
+	#
+	# Combine the key and the certificate into one file. This file is
+	# is not actually installed though; the separate files will be
+	# installed into the apache cert/key directories by install/boss-install
+	# when the boss node is created.
+	#
+	cat apache2_key.pem apache2_cert.pem > apache2.pem
+	rm -f newreq.pem
+
+#
+# This is for the secondary web server on users.
+# 
 apache.pem:	dirsmade apache.cnf ca.cnf
 	#
 	# Create the server side private key and certificate request.

--- a/ssl/apache2.cnf.in
+++ b/ssl/apache2.cnf.in
+[ req ]
+prompt                  = no
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	        = v3_ca	# The extentions to add to the self signed cert
+encrypt_key		= no
+string_mask             = nombstr
+
+[ req_distinguished_name ]
+C                      = @SSLCERT_COUNTRY@
+ST                     = @SSLCERT_STATE@
+L                      = @SSLCERT_LOCALITY@
+O                      = @SSLCERT_ORGNAME@
+OU                     = WebServer
+# The apache server wants the CommonName (CN) to match what we set "ServerName"
+# to in apache/http.conf.in (in the SSL section).
+CN                     = @USERNODE@
+emailAddress           = @TBOPSEMAIL@
+
+[ req_attributes ]
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true