Commit 8cf2d8e8 authored by Leigh Stoller

Generate key in a separate call to genrsa, rather than combining with the call
to req (csr generation). Not allowed to specify the cipher when via req,
and we want des3. Default changed between FreeBSD 8 and 10, and I have no
idea where to change it, so just do it explicitly on the command line.
parent 13bc50a6
......@@ -258,11 +258,7 @@ if ($reusekey) {
UserFatal("Cannot decrypt private key. Correct pass phrase?");
}
$reqargs = "-key usercert_key.pem -passin 'pass:${sh_password}' ";
}
else {
newkey:
$reqargs = "-keyout usercert_key.pem";
$reqargs .= ($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ")
}
#
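Review bot: the `$reqargs` assignment kept in the `$reusekey` branch (`$reqargs = "-key usercert_key.pem -passin 'pass:${sh_password}' ";`) looks unused after this change, because the `req` call in CreateNewCert() now builds its own `$reqopts` and passes `-key usercert_key.pem` directly. If nothing else in the script reads `$reqargs`, remove the assignment and the variable so the two option strings cannot drift apart.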
......@@ -373,9 +369,18 @@ sub CreateNewCert() {
#
# Create a client side private key and certificate request.
#
system("$OPENSSL req -new -config usercert.cnf ".
"$reqargs -out usercert_req.pem") == 0
or fatal("Could not create certificate request");
if (!$reusekey) {
my $genopts =
($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
system("$OPENSSL genrsa $genopts -out usercert_key.pem 1024")
== 0 or fatal("Could generate new key");
}
my $reqopts = ($encrypted ? "-passin 'pass:${sh_password}' " : "");
system("$OPENSSL req $reqopts -new -config usercert.cnf ".
"-key usercert_key.pem -out usercert_req.pem")
== 0 or fatal("Could not create certificate request");
#
# Sign the client cert request, creating a client certificate.
......
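Review bot: the new `req` call adds `-passin` only when `$encrypted` is set, while the `$reusekey` branch used to pass `-passin 'pass:${sh_password}'` unconditionally through `$reqargs`; if a reused, pass-phrase-protected key can reach this point with `$encrypted` false, `req` will not receive the pass phrase. Either build `$reqopts` from `$reusekey || $encrypted` or confirm that the two flags always agree. The new fatal message reads "Could generate new key" and should read "Could not generate new key". The key size is hard-coded to 1024 bits in the `genrsa` call; 2048 or larger would be a better value while this line is being changed. Both calls also put the pass phrase on the command line via `pass:`, where it is visible in the process list to other local users; `-passin` and `-passout` also accept `env:` and `file:` sources, which avoid that.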