+2

certs/.gitignore

reviewed

··· 2 2 *.csr 3 3 *.crt 4 4 *.pem 5 5 + *.srl 6 6 + *.conf

+46 -15

certs/Makefile

reviewed

··· 1 1 - NAME ?= localhost 2 1 DOMAIN ?= localhost 2 2 + NAME ?= ${DOMAIN} 3 3 4 4 - KEY ?= ${NAME}.key 4 4 + CAKEY ?= CAkey.key 5 5 + CACERT ?= CAcert.pem 6 6 + 5 7 SIGN_REQ ?= ${NAME}.csr 6 8 CERT ?= ${NAME}.crt 9 9 + PEM ?= ${NAME}.pem 10 10 + KEY ?= ${NAME}.key 7 11 8 8 - SUBJECT = "/C=US/ST=Connecticut/O=/localityName=New Haven/commonName=${DOMAIN}/commonName=*.${DOMAIN}/organizationalUnitName=/emailAddress=/" 12 12 + CA = "/C=PL/ST=Wlkp/O=/localityName=Poznan/CN=Hauleth/emailAddress=lukasz@niemier.pl" 13 13 + 14 14 + SUBJECT = "/CN=*.${DOMAIN}" 15 15 + 16 16 + VERIFY_OPTS = -purpose sslserver -CAfile ${CACERT} 17 17 + 18 18 + verify: ${PEM} ${CACERT} 19 19 + openssl version 20 20 + openssl x509 -noout -text -in "$<" 21 21 + openssl verify ${VERIFY_OPTS} -verify_hostname ${DOMAIN} $< 22 22 + openssl verify ${VERIFY_OPTS} -verify_hostname test.${DOMAIN} $< 23 23 + 24 24 + clean: 25 25 + $(RM) -f "${CERT}" "${SIGN_REQ}" "${PEM}" "${KEY}" 26 26 + 27 27 + ${CAKEY}: 28 28 + openssl genrsa -out "$@" 2048 9 29 10 10 - all: ${CERT} 30 30 + ${CACERT}: ${CAKEY} 31 31 + openssl req -new -key "$<" -out "$@" \ 32 32 + -subj ${CA} -x509 -nodes -sha256 -days 1825 11 33 12 12 - install: all 13 13 - security import ${CERT} 14 14 - security add-trusted-cert ${CERT} 34 34 + installCA: ${CACERT} 35 35 + security import "$<" 36 36 + security add-trusted-cert "$<" 15 37 16 16 - clea: 17 17 - $(RM) -rf ${KEY} ${CERT} ${SIGN_REQ} 38 38 + cleanCA: 39 39 + security remove-trusted-cert "${CACERT}" 40 40 + $(RM) -f "${CACERT}" "${CAKEY}" 18 41 19 19 - verify: ${CERT} 20 20 - openssl x509 -noout -text -in $< 42 42 + config.conf: 43 43 + echo 'subjectAltName=$${ENV::SAN}' > "$@" 21 44 22 45 ${KEY}: 23 46 openssl genrsa -out "$@" 2048 24 47 25 48 ${SIGN_REQ}: ${KEY} 26 26 - openssl req -new -sha256 -subj $(SUBJECT) -key "$<" -out "$@" -passin pass:"" 49 49 + openssl req -new -sha256 -subj $(SUBJECT) -key "$<" -out "$@" \ 50 50 + -addext "subjectAltName=DNS:${DOMAIN},DNS:*.${DOMAIN}" 27 51 28 28 - ${CERT}: ${SIGN_REQ} ${KEY} 29 29 - openssl x509 -req -days 365 -in "${SIGN_REQ}" -signkey "${KEY}" -out "$@" 52 52 + ${CERT}: ${SIGN_REQ} ${CACERT} ${CAKEY} config.conf 53 53 + SAN="DNS:${DOMAIN},DNS:*.${DOMAIN}" \ 54 54 + openssl x509 -req -out "$@" -in ${SIGN_REQ} \ 55 55 + -CA ${CACERT} -CAkey ${CAKEY} -CAcreateserial \ 56 56 + -days 1825 -sha256 \ 57 57 + -extfile config.conf 58 58 + 59 59 + ${PEM}: ${CERT} ${KEY} 60 60 + cat ${CERT} ${KEY} > "$@" 30 61 31 31 - .PHONY: all clean verify install 62 62 + .PHONY: clean verify install installCA cleanCA