
ssl-admin's People

Contributors

ecrist


ssl-admin's Issues

unsupported certificate purpose when using one-step request/sign of ssl-admin 1.2.1_2

I created a new cert today, with a CA I haven't used in a while.

I used option 4) Perform a one-step request/sign

Bacula complains about this cert: ERR=26:unsupported certificate purpose

Comparing that cert with one that works, created with the same CA, I notice this difference. The non-working cert contains this section just before the Signature Algorithm section:

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://CRL_URI

What's up with that?
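OpenSSL verify error 26 is X509_V_ERR_INVALID_PURPOSE, the "unsupported certificate purpose" Bacula reports: it fires when a certificate carries an Extended Key Usage extension that does not list the purpose the peer is checking (a daemon's certificate is checked for server authentication, and the one above only allows TLS Web Client Authentication). The following Python script is an added example, not code from ssl-admin or its author: it parses the X509v3 extension block that `openssl x509 -in cert.crt -noout -text` prints and reports whether a given purpose is permitted. The sample text is the block quoted in the issue with a constructed "Signature Algorithm" line after it; the script only looks at Extended Key Usage and ignores Key Usage, which OpenSSL also checks.

```python
"""Added example: check the Extended Key Usage in `openssl x509 -noout -text` output.
Not part of ssl-admin; the sample text is the block quoted in the issue."""
import sys

# Constructed sample: the extension block from the non-working certificate, plus the
# "Signature Algorithm" line that follows it in real `openssl x509 -text` output.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://CRL_URI
    Signature Algorithm: sha256WithRSAEncryption
"""


def parse_extensions(text):
    """Map each extension name to {"critical": bool, "values": [lines]}.

    Extension headers sit exactly one indent level (4 spaces) below the
    "X509v3 extensions:" line; anything indented deeper belongs to the current header.
    """
    exts = {}
    current = None
    base_indent = None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if base_indent is None:
            if stripped == "X509v3 extensions:":
                base_indent = indent
            continue
        if not stripped:
            continue
        if indent <= base_indent:  # left the extensions block (e.g. "Signature Algorithm:")
            break
        if indent == base_indent + 4:  # header, e.g. "X509v3 Key Usage: critical"
            name, _, flags = stripped.partition(":")
            current = name.strip()
            exts[current] = {"critical": "critical" in flags, "values": []}
        elif current is not None:
            exts[current]["values"].append(stripped)
    return exts


def extended_key_usage(text):
    """Return the list of EKU purposes, or None when the cert carries no EKU extension."""
    ext = parse_extensions(text).get("X509v3 Extended Key Usage")
    if ext is None:
        return None
    purposes = []
    for value in ext["values"]:
        purposes.extend(p.strip() for p in value.split(",") if p.strip())
    return purposes


def check_purpose(text, required):
    """Decide whether a verifier checking `required` would accept this certificate.

    OpenSSL's purpose check (error 26, "unsupported certificate purpose") only fires
    when an EKU extension is present and does not list the purpose being checked;
    a certificate without EKU is accepted for any purpose.
    """
    eku = extended_key_usage(text)
    if eku is None:
        return True, "no Extended Key Usage extension; any purpose is allowed"
    if required in eku:
        return True, f"{required} is listed"
    return False, f"Extended Key Usage only allows: {', '.join(eku)}; {required} is missing"


if __name__ == "__main__":
    # Pass the path of an `openssl x509 -text` dump, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEXT
    for purpose in ("TLS Web Server Authentication", "TLS Web Client Authentication"):
        ok, reason = check_purpose(text, purpose)
        print(f"{'OK    ' if ok else 'REJECT'} {purpose}: {reason}")
```

Run against a dump of the working certificate as well: if its Extended Key Usage lists TLS Web Server Authentication (or the extension is absent), the difference between the two CA configurations is exactly the extension section used at signing time.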

Owner Query Loop

When ssl-admin asks for the owner of a new request, the software asks twice. It should only ask once.

How can I create a new CRL?

The CRL I created a month ago had a 1-month expiration date.

How can I:

  • create a refreshed CRL?
  • have a CRL with a longer expiry date? ANSWER: modify default_crl_days in openssl.conf

My workaround:

  • create a new cert
  • revoke it

Is a new menu option called for?

I found this around line 334:

print "=========> Generating new Certificate Revokation List $crl\n";
`cd $working_dir/active && openssl ca -gencrl -out $crl -config $key_config`;

I think the command line solution is:

cd /usr/local/etc/ssl-admin/active
openssl ca -gencrl -out /usr/local/etc/ssl-admin/prog/crl.pem -config /usr/local/etc/ssl-admin/openssl.conf

But this is Perl, not a shell script, so that won't work. It errors out.
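`openssl ca -gencrl`, the command in the Perl line quoted above, re-issues the CRL at any time whether or not anything new has been revoked, and sets its nextUpdate to `default_crl_days` (or the `-crldays` option) after the moment of issue. Before regenerating, it helps to know the window the current CRL was issued with and whether relying parties already treat it as stale. The following Python script is an added example, not part of ssl-admin: it parses the two lines that `openssl crl -in crl.pem -noout -lastupdate -nextupdate` prints (the sample lines here are constructed) and reports the window and the days remaining.

```python
"""Added example: report the validity window of a CRL from the output of
`openssl crl -in crl.pem -noout -lastupdate -nextupdate`. Not part of ssl-admin."""
import sys
from datetime import datetime, timezone

# Constructed sample output; a real run prints exactly these two lines.
SAMPLE_CRL_INFO = """\
lastUpdate=Feb 14 12:00:00 2022 GMT
nextUpdate=Mar 16 12:00:00 2022 GMT
"""


def parse_openssl_time(value):
    """Parse OpenSSL's 'Mon  D HH:MM:SS YYYY GMT' form (day is space-padded) as UTC."""
    value = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def crl_window(text):
    """Return (lastUpdate, nextUpdate, window_days) for the CRL described by `text`.

    window_days is the default_crl_days (or -crldays) value the CRL was generated with.
    """
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    last = parse_openssl_time(fields["lastUpdate"])
    nxt = parse_openssl_time(fields["nextUpdate"])
    return last, nxt, (nxt - last).days


def crl_status(text, now):
    """Classify the CRL at time `now` (a timezone-aware datetime).

    Returns (state, days_remaining, window_days); state is "expired" once nextUpdate
    has passed, since relying parties must then refuse to use the list.
    """
    last, nxt, window = crl_window(text)
    remaining = (nxt - now).days
    state = "expired" if now >= nxt else "valid"
    return state, remaining, window


if __name__ == "__main__":
    # Feed real output on stdin (openssl crl ... | python3 crl_window.py) or use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRL_INFO
    state, remaining, window = crl_status(text, datetime.now(timezone.utc))
    print(f"CRL is {state}: {remaining} day(s) until nextUpdate, "
          f"generated with a {window}-day window")
```

A reported window of 30 days means the CRL was issued with `default_crl_days = 30`; raising that value in openssl.conf only affects CRLs generated after the change, so the list still has to be regenerated once.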

1.2.1 and 1.2.1_1 are different code

I discovered this today. With the move from pulling from github, the tarball changed. The contents are different. We went from revision 355 to 367.

Along with this change we went from using req_v3 to using req.

In general, if code changes, the port needs a revision bump and a different tarball.

Of note, when running ssl-admin I see:

#               SSL-ADMIN v~~~VERSION~~~                    #

This is the diff.

$ diff -ruN ~/ssl-admin-1.2.1_1  /usr/local/bin/ssl-admin
--- /home/dvl/ssl-admin-1.2.1_1	2022-03-16 15:16:04.022544000 -0400
+++ /usr/local/bin/ssl-admin	2020-09-12 22:44:26.000000000 -0400
@@ -27,13 +27,12 @@
 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
-# VERSION: ~~~VERSION~~~
-# $Id: ssl-admin 367 2014-10-21 15:54:27Z ecrist $
+# VERSION: 1.2.1
+# $Id: ssl-admin 355 2014-06-25 02:58:34Z ecrist $
 
 use strict;
 use warnings;
 
-use File::Copy;
 
 ## Read config file and die if there's a syntax error.
 my $config_file = "/usr/local/etc/ssl-admin/ssl-admin.conf";
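Review bot: the direction of this diff is easy to misread. The `---` side is the newer revision 367 (the 1.2.1_1 tarball) and the `+++` side is the installed 1.2.1 at revision 355, so the `+` lines in every hunk are the older code. Dropping `use File::Copy` on the `+` side is consistent with the later hunk that replaces `move()` and `unlink` with backticked shell commands. If the port is meant to ship revision 367, the `~~~VERSION~~~` placeholder in the header needs to be substituted at build time; as the banner quoted above shows, it currently reaches the user unchanged.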
@@ -141,9 +140,9 @@
 		chomp($yn = <>);
 	} until $yn =~ m/^[yn]$/;
 	if ($yn eq "y") {
-		system("cd $working_dir && openssl req_v3 -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
+		system("cd $working_dir && openssl req -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
 	} elsif ($yn eq "n") {
-		system("cd $working_dir && openssl req_v3 -nodes -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
+		system("cd $working_dir && openssl req -nodes -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
 	}
 }
 
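Review bot: `openssl req_v3` on the `-` side is not a subcommand of stock OpenSSL, which provides only `req`, so unless revision 367 ships a wrapper or alias named `req_v3`, both branches fail and no key or CSR is written. Either document that dependency or keep `openssl req` and select the v3 request extensions with its `-reqexts` option and the corresponding section of `$key_config`.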
@@ -153,7 +152,7 @@
 
 	if ($intermediate eq "NO"){
 		print "=========> Signing request for $cn\n";
-		`cd $working_dir && openssl ca -config $key_config -days $key_days -out $cn.crt -in $cn.csr -batch -extensions v3_req`;
+		`cd $working_dir && openssl ca -config $key_config -days $key_days -out $cn.crt -in $cn.csr -batch`;
 	} elsif ($intermediate eq "YES"){
 		print "=========> Signing new Intermediate CA request for $cn\n";
 		`cd $working_dir && openssl ca -config $key_config -policy policy_new_ca -out $cn.crt -extensions v3_ca -infiles $cn.csr -batch`;
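Review bot: dropping `-extensions v3_req` from the end-entity signing line on the `+` side changes which X509v3 extensions the CA stamps on the issued certificate; without it, `openssl ca` falls back to whatever section the config's `x509_extensions` entry names. That is worth checking against the first issue above, where a certificate signed by the same CA carries an Extended Key Usage of only `TLS Web Client Authentication` and Bacula rejects it with `unsupported certificate purpose`: whichever section is in effect must list every purpose the consuming service verifies, and the intermediate-CA branch just below, which keeps `-extensions v3_ca`, shows the explicit form that avoids the ambiguity.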
@@ -259,7 +258,7 @@
 sub main_menu {
 	update_serial();
 	print "\n\n=====================================================\n";
-	print '#               SSL-ADMIN v~~~VERSION~~~                    #';
+	print '#               SSL-ADMIN v1.2.1                    #';
 	print "\n=====================================================\n";
 	print "Please enter the menu option from the following list:\n";
 	print "1) Update run-time options:\n";
@@ -346,16 +345,13 @@
 			print "ERRORS\n";
 		}
 		print "=========> Moving $cn\'s files to $working_dir/revoked\n";
-		my @exts = ('csr', 'pem', 'crt', 'key');
-		foreach (@exts){
-			move("$working_dir/active/$cn.$_", "$working_dir/revoked//$cn.$_") unless (! -e "$working_dir/active/$cn.$_");
-		}
+		`mv $working_dir/active/$cn.* $working_dir/revoked/`;
 		print "=========> Destroying previous packages built for $cn: ";
-		unlink "$working_dir/packages/$cn.ovpn", "$working_dir/packages/$cn.zip";
+		`rm -rf $working_dir/packages/$cn.*`;
 		print "DONE\n";
 		print "=========> CSR for all users is in $working_dir/csr\n";
 		print "===============> Changing file name for $cn\'s request to *.revoked";
-		move("$working_dir/csr/$cn.csr", "$working_dir/csr/$cn.csr.revoked");
+		`mv $working_dir/csr/$cn.csr $working_dir/csr/$cn.csr.revoked`;
 		sleep 3;
 
 ### RE-SIGN/RENEW MENU
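Review bot: the `+` side replaces `move()` and `unlink` with backticked `mv $working_dir/active/$cn.*` and `rm -rf $working_dir/packages/$cn.*`, which pass `$cn` to the shell unquoted. The common name is operator input, so a value containing spaces or shell metacharacters breaks the command or runs something other than intended, and the `rm -rf` glob removes anything sharing the prefix rather than the two named package files. The `-` side's `File::Copy::move` and `unlink` over a fixed list of extensions never spawn a shell and touch only the named paths, so that is the form to keep. Two small points on the `-` side itself: the destination `"$working_dir/revoked//$cn.$_"` has a doubled slash (harmless but untidy), and `unless (! -e ...)` reads more clearly as `if (-e ...)`.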
