ecrist / ssl-admin
Interactive x509 CA Manager
License: BSD 3-Clause "New" or "Revised" License
I created a new cert today, with a CA I haven't used in a while.
I used option 4) Perform a one-step request/sign
Bacula complains about this cert: ERR=26:unsupported certificate purpose
Comparing that cert with one that works, created with the same CA, I notice this difference. The non-working cert contains this section just before the Signature Algorithm section:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Client Authentication
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://CRL_URI
What's up with that?
When ssl-admin asks for the owner of a new request, the software asks twice. It should only ask once.
The CRL I created a month ago had a 1-month expiration date.
How can I:
default_crl_days
in openssl.conf
My workaround:
Is a new menu option called for?
I found this around line 334:

    print "=========> Generating new Certificate Revokation List $crl\n";
    `cd $working_dir/active && openssl ca -gencrl -out $crl -config $key_config`;

I think the command line solution is:

    cd /usr/local/etc/ssl-admin/active
    openssl ca -gencrl -out /usr/local/etc/ssl-admin/prog/crl.pem -config /usr/local/etc/ssl-admin/openssl.conf

But this is Perl, not a shell script; that won't work. It errors out.
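A worked reproduction of the two problems reported above (the clientAuth-only certificate that a TLS server rejects with "unsupported certificate purpose", and a CRL whose lifetime comes from default_crl_days), as an added example that is not part of ssl-admin or of these reports. It drives the openssl CLI directly against a throwaway CA; the directory layout, the config section names, the CNs fd/sd and the 30/365-day lifetimes are assumptions, and the client_only section reproduces the extension dump quoted in the first report.

```shell
#!/bin/sh
# Added example, not ssl-admin's own code: a throwaway "openssl ca" setup used to
# (1) reproduce the "unsupported certificate purpose" rejection of a clientAuth-only
# certificate and (2) regenerate a CRL with a lifetime other than default_crl_days.
# Directory layout, section names, CNs and the 30/365-day values are assumptions.
set -eu

# init_ca DIR: minimal CA database plus a self-signed root, all driven by one config.
init_ca() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  cat > "$dir/openssl.conf" <<EOF
[ ca ]
default_ca         = test_ca
[ test_ca ]
dir                = $dir
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = keyCertSign, cRLSign
# The extension set of the failing certificate in the report: TLS client use only.
[ client_only ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
extendedKeyUsage   = clientAuth
# What a certificate presented by a TLS server needs as well.
[ server_and_client ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth, clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$dir/openssl.conf" \
    -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME SECTION: one-step request + sign (ssl-admin's option 4), with
# the X509v3 extensions taken from config section SECTION.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.conf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -config "$1/openssl.conf" -batch -notext -extensions "$3" \
    -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# cert_purpose_ok DIR NAME PURPOSE: succeeds if NAME.crt chains to the CA and may be
# used for PURPOSE (sslserver / sslclient), the same check a TLS peer applies.
cert_purpose_ok() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# gen_crl DIR OUT DAYS: ssl-admin's "openssl ca -gencrl", with the lifetime set by
# -crldays on the command line instead of editing default_crl_days.
gen_crl() {
  openssl ca -config "$1/openssl.conf" -gencrl -crldays "$3" -out "$2" 2>/dev/null
}

# crl_next_update FILE: when the CRL expires.
crl_next_update() { openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'; }
# revoke_cert DIR NAME: mark NAME.crt revoked in the database; the CRL must then be regenerated.
revoke_cert() { openssl ca -config "$1/openssl.conf" -revoke "$1/$2.crt" 2>/dev/null; }

# cert_unrevoked DIR NAME CRL: succeeds if NAME.crt still verifies with CRL checking on.
cert_unrevoked() {
  openssl verify -CAfile "$1/ca.crt" -CRLfile "$3" -crl_check "$1/$2.crt" >/dev/null 2>&1
}

demo() {
  ca=$(mktemp -d)
  init_ca "$ca"
  issue_cert "$ca" fd client_only
  issue_cert "$ca" sd server_and_client
  for n in fd sd; do for p in sslclient sslserver; do
    if cert_purpose_ok "$ca" "$n" "$p"; then echo "$n: ok as $p"; else echo "$n: rejected as $p"; fi
  done; done
  gen_crl "$ca" "$ca/crl.pem" 365 && echo "CRL nextUpdate: $(crl_next_update "$ca/crl.pem")"
  revoke_cert "$ca" fd && gen_crl "$ca" "$ca/crl.pem" 365
  cert_unrevoked "$ca" fd "$ca/crl.pem" || echo "fd: revoked"
  rm -rf "$ca"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh ca-purpose-crl.sh run`. The point of cert_purpose_ok is that OpenSSL's purpose check applies the Extended Key Usage strictly: a certificate whose only EKU is clientAuth passes sslclient and fails sslserver, which is what a daemon sees as OpenSSL verify error 26 (X509_V_ERR_INVALID_PURPOSE). For the CRL, -crldays on the command line overrides default_crl_days without editing openssl.conf, and the CRL has to be regenerated after every -revoke before -crl_check notices the revocation.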
I discovered this today. With the move from pulling from github, the tarball changed. The contents are different. We went from revision 355 to 367.
Along with this change we went from using req_v3 to using req.
In general, if code changes, the port needs a revision bump and a different tarball.
Of note, when running ssl-admin I see:

    # SSL-ADMIN v~~~VERSION~~~ #
This is the diff.
$ diff -ruN ~/ssl-admin-1.2.1_1 /usr/local/bin/ssl-admin
--- /home/dvl/ssl-admin-1.2.1_1 2022-03-16 15:16:04.022544000 -0400
+++ /usr/local/bin/ssl-admin 2020-09-12 22:44:26.000000000 -0400
@@ -27,13 +27,12 @@
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
-# VERSION: ~~~VERSION~~~
-# $Id: ssl-admin 367 2014-10-21 15:54:27Z ecrist $
+# VERSION: 1.2.1
+# $Id: ssl-admin 355 2014-06-25 02:58:34Z ecrist $
use strict;
use warnings;
-use File::Copy;
## Read config file and die if there's a syntax error.
my $config_file = "/usr/local/etc/ssl-admin/ssl-admin.conf";
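Review bot: the `-` side ships `# VERSION: ~~~VERSION~~~` unsubstituted, and the same placeholder is what main_menu prints in its banner further down, so whichever release step replaces the placeholder was never run on the github tarball; either the port substitutes it at build time or the upstream tarball needs to. The `use File::Copy;` added on the `-` side is what the `move()` calls in the revocation hunk depend on, so the two changes have to travel together when the port is updated.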
@@ -141,9 +140,9 @@
chomp($yn = <>);
} until $yn =~ m/^[yn]$/;
if ($yn eq "y") {
- system("cd $working_dir && openssl req_v3 -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
+ system("cd $working_dir && openssl req -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
} elsif ($yn eq "n") {
- system("cd $working_dir && openssl req_v3 -nodes -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
+ system("cd $working_dir && openssl req -nodes -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
}
}
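Review bot: `openssl req_v3` on the `-` side is not a subcommand of stock OpenSSL, so unless the target host provides something by that name both `system()` calls fail with an invalid-command error and leave no key or CSR behind; since the return value of `system()` is never checked, the script then continues to the signing step regardless. Check `system(...) == 0` (or die) here, and note that `$cn` is interpolated unquoted into a shell command line on both sides, so a common name containing spaces or shell metacharacters breaks the command; passing a list to `system()` instead of a string avoids the shell entirely.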
@@ -153,7 +152,7 @@
if ($intermediate eq "NO"){
print "=========> Signing request for $cn\n";
- `cd $working_dir && openssl ca -config $key_config -days $key_days -out $cn.crt -in $cn.csr -batch -extensions v3_req`;
+ `cd $working_dir && openssl ca -config $key_config -days $key_days -out $cn.crt -in $cn.csr -batch`;
} elsif ($intermediate eq "YES"){
print "=========> Signing new Intermediate CA request for $cn\n";
`cd $working_dir && openssl ca -config $key_config -policy policy_new_ca -out $cn.crt -extensions v3_ca -infiles $cn.csr -batch`;
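Review bot: `-extensions v3_req` on the `-` side makes every non-intermediate certificate carry whatever the `v3_req` section of the openssl.conf defines, and the report above shows that section yields `extendedKeyUsage` of TLS Web Client Authentication only, which is why a server daemon rejects the result with "unsupported certificate purpose"; the `+` side signs with the config's default extension section instead. Either add serverAuth to `v3_req` or select the section by the certificate's role (for example `-extensions server_cert` versus `client_cert`). Also, the backtick output is discarded and `$?` is not checked, so a failed signing is silent.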
@@ -259,7 +258,7 @@
sub main_menu {
update_serial();
print "\n\n=====================================================\n";
- print '# SSL-ADMIN v~~~VERSION~~~ #';
+ print '# SSL-ADMIN v1.2.1 #';
print "\n=====================================================\n";
print "Please enter the menu option from the following list:\n";
print "1) Update run-time options:\n";
@@ -346,16 +345,13 @@
print "ERRORS\n";
}
print "=========> Moving $cn\'s files to $working_dir/revoked\n";
- my @exts = ('csr', 'pem', 'crt', 'key');
- foreach (@exts){
- move("$working_dir/active/$cn.$_", "$working_dir/revoked//$cn.$_") unless (! -e "$working_dir/active/$cn.$_");
- }
+ `mv $working_dir/active/$cn.* $working_dir/revoked/`;
print "=========> Destroying previous packages built for $cn: ";
- unlink "$working_dir/packages/$cn.ovpn", "$working_dir/packages/$cn.zip";
+ `rm -rf $working_dir/packages/$cn.*`;
print "DONE\n";
print "=========> CSR for all users is in $working_dir/csr\n";
print "===============> Changing file name for $cn\'s request to *.revoked";
- move("$working_dir/csr/$cn.csr", "$working_dir/csr/$cn.csr.revoked");
+ `mv $working_dir/csr/$cn.csr $working_dir/csr/$cn.csr.revoked`;
sleep 3;
### RE-SIGN/RENEW MENU
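Review bot: neither side checks the outcome of the revocation itself: the `print "ERRORS\n";` branch at the top of the hunk is followed unconditionally by moving `$cn`'s files to `$working_dir/revoked` and renaming the CSR, so a failed `openssl ca -revoke` leaves the certificate filed as revoked on disk while it is still valid in the CA database. Bail out (or ask) on error before touching any files. On the `-` side, `unless (! -e "$working_dir/active/$cn.$_")` is a double negative for `if (-e ...)` and `"$working_dir/revoked//$cn.$_"` has a doubled slash; both work but should be cleaned up. The `+` side's `mv $working_dir/active/$cn.*` and `rm -rf $working_dir/packages/$cn.*` interpolate `$cn` unquoted into a shell with a glob, so the File::Copy/`unlink` rewrite is the right direction.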