Commit 8cf2d8e8 authored by Leigh B Stoller

Generate key in a separate call to genrsa, rather than combining with the call
to req (csr generation). Not allowed to specify the cipher when going via req,
and we want des3. Default changed between FreeBSD 8 and 10, and I have no
idea where to change it, so just do it explicitly on the command line.
parent 13bc50a6
......@@ -258,11 +258,7 @@ if ($reusekey) {
UserFatal("Cannot decrypt private key. Correct pass phrase?");
}
$reqargs = "-key usercert_key.pem -passin 'pass:${sh_password}' ";
}
else {
newkey:
$reqargs = "-keyout usercert_key.pem";
$reqargs .= ($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ")
}
#
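Review bot: the `-passin 'pass:${sh_password}'` argument on the reuse-key path places the passphrase on the openssl command line, where other local users can read it from the process list while the command runs. OpenSSL also accepts `env:` and `file:` passphrase sources, which keep it out of argv; switching to one of those here, and in the matching `-passout`/`-passin` strings in CreateNewCert(), would close that exposure. Separately, the rewritten req call in CreateNewCert() builds its own `$reqopts` and hard-codes `-key usercert_key.pem`, so check that no `$reqargs` assignment or `newkey:` label is left behind unused after this hunk.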
......@@ -373,9 +369,18 @@ sub CreateNewCert() {
#
# Create a client side private key and certificate request.
#
system("$OPENSSL req -new -config usercert.cnf ".
"$reqargs -out usercert_req.pem") == 0
or fatal("Could not create certificate request");
if (!$reusekey) {
my $genopts =
($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
system("$OPENSSL genrsa $genopts -out usercert_key.pem 1024")
== 0 or fatal("Could generate new key");
}
my $reqopts = ($encrypted ? "-passin 'pass:${sh_password}' " : "");
system("$OPENSSL req $reqopts -new -config usercert.cnf ".
"-key usercert_key.pem -out usercert_req.pem")
== 0 or fatal("Could not create certificate request");
#
# Sign the client cert request, creating a client certificate.
......
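Review bot: the new `genrsa` call hard-codes a 1024-bit modulus (`-out usercert_key.pem 1024`), which is below the 2048-bit minimum generally recommended for RSA; take the size from a configuration variable and default it to at least 2048. The failure message on the same call reads `fatal("Could generate new key")` and is missing "not". Also, `$reqopts` passes `-passin` only when `$encrypted` is set, while the earlier reuse-key code passed `-passin` unconditionally; if a reused key can be encrypted while `$encrypted` is false, the req call will have no passphrase, so that case deserves a comment or an explicit check.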