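# Compare a certificate's subject and selected X509v3 extensions against the
# expected text read on stdin.  Extension names follow x509v3_config(5ssl).
#
# Arguments: $1 - path to the PEM certificate to inspect
# Input:     expected `openssl x509 -noout -subject -ext ...` text on stdin
# Outputs:   a unified diff on stdout when actual and expected differ
# Returns:   0 when the certificate matches the expectation, non-zero otherwise
#            (diff's exit status, or openssl's/mktemp's if those fail)
x509_check() {
  local cert="$1" ext out rv=0
  out="$(mktemp --tmpdir)" || return
  ext="basicConstraints,subjectAltName,keyUsage,extendedKeyUsage,tlsfeature"
  # -nameopt compat yields the slash-separated "subject=/CN=..." form the
  # callers' expectations are written in
  openssl x509 -noout -subject -ext "$ext" -nameopt compat <"$cert" >"$out" \
    || { rv=$?; rm -f -- "$out"; return "$rv"; }
  # stdin (expected) is labelled a/, the actual output b/: lines marked '+'
  # in the diff are what the certificate carries that the test did not expect
  diff --unified --color=auto -b --label="a/${cert#/}" --label="b/${cert#/}" -- - "$out" \
    || rv=$?
  # remove the scratch file on every path while keeping diff's status for the caller
  rm -f -- "$out"
  return "$rv"
}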
# default settings (the ACME server adds a subjectAltName with the Common Name)
# One set of paths drives the config, the freshness check and the expectation.
test1_key=/etc/lacme/test1.key
test1_crt=/etc/lacme/test1.crt
# random lowercase label under the test domain so consecutive runs never collide
commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
openssl genpkey -algorithm RSA -out "$test1_key"
cat <<-EOF >/etc/lacme/lacme-certs.conf.d/test1.conf
[test1]
certificate-key = $test1_key
certificate-chain = $test1_crt
subject = /CN=$commonName
EOF
lacme newOrder test1
# the order must have produced a certificate newer than the key it was issued for
test "$test1_crt" -nt "$test1_key"
# with no explicit options the issued certificate carries the default
# keyUsage/extendedKeyUsage and a SAN equal to the CN
x509_check "$test1_crt" <<-EOF
subject=/CN=$commonName
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:$commonName
EOF
# subjectAltName
test2_key=/etc/lacme/test2.key
test2_crt=/etc/lacme/test2.crt
openssl genpkey -algorithm RSA -out "$test2_key"
commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
# eight random space-separated names to request as subjectAltName entries
subjectAltName=""
n=0
while [ "$n" -lt 8 ]; do
  subjectAltName="${subjectAltName:+"$subjectAltName "}$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
  n=$((n + 1))
done
# the config wants a comma-separated "DNS:name, DNS:name" list
cat <<-EOF >/etc/lacme/lacme-certs.conf.d/test2.conf
[test2]
certificate-key = $test2_key
certificate-chain = $test2_crt
subject = /CN=$commonName
subjectAltName = DNS:$(printf '%s\n' "$subjectAltName" | sed "s/ /, DNS:/g")
EOF
lacme newOrder test2
test "$test2_crt" -nt "$test2_key"
# expected SAN: the CN plus every requested name, de-duplicated and sorted
x509_check "$test2_crt" <<-EOF
subject=/CN=$commonName
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:$(printf '%s\n' "$commonName" "$subjectAltName" | tr ' ' '\n' | sort -u | paste -sd' ' | sed "s/ /, DNS:/g")
EOF
# tlsfeature
test3_key=/etc/lacme/test3.key
test3_crt=/etc/lacme/test3.crt
commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "[A-Z]" "[a-z]").$DOMAINNAME"
openssl genpkey -algorithm RSA -out "$test3_key"
# status_request requests the TLS Feature extension (RFC 7633, "OCSP must-staple")
cat <<-EOF >/etc/lacme/lacme-certs.conf.d/test3.conf
[test3]
certificate-key = $test3_key
certificate-chain = $test3_crt
subject = /CN=$commonName
tlsfeature = status_request
EOF
lacme newOrder test3
test "$test3_crt" -nt "$test3_key"
# same defaults as test1, plus the TLS Feature extension carrying status_request
x509_check "$test3_crt" <<-EOF
subject=/CN=$commonName
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:$commonName
TLS Feature:
status_request
EOF
# vim: set filetype=sh :