forked from jan/cacert-devsetup
Add test mgr setup
This commit is contained in:
parent
8e7f8c3d46
commit
30ddadd954
14 changed files with 345 additions and 64 deletions
|
@ -35,6 +35,9 @@ Variable | Usage
|
|||
`MYSQL_ROOT_PASSWORD` | Database root password
|
||||
`MYSQL_APP_USER` | Database application user
|
||||
`MYSQL_APP_PASSWORD` | Database application password
|
||||
`CLIENT_CERT_EMAIL` | email address for client certificate generated by `setup_test_ca.sh`
|
||||
`CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh`
|
||||
`CLIENT_CERT_PASSWORD` | PKCS#12 keystore password for client certificate generated by `setup_test_ca.sh`
|
||||
|
||||
```shell
|
||||
echo -e "MYSQL_ROOT_PASSWORD=$(openssl rand -base64 18)\nMYSQL_APP_USER=cacert_dev\nMYSQL_APP_PASSWORD=$(openssl rand -base64 18)" > .env
|
||||
|
@ -43,3 +46,7 @@ docker-compose up
|
|||
```
|
||||
|
||||
After these steps you should be able to reach the CAcert application at https://test.cacert.localhost:8443/.
|
||||
The test manager application is reachable at https://mgr.cacert.localhost:9443/.
|
||||
|
||||
A client certificate is created by `setup_test_ca.sh` and is placed in `testca/certs/clientcert.p12`
|
||||
which can be imported in a browser to support client certificate authentication.
|
||||
|
|
|
@ -40,7 +40,12 @@ RUN apt-get update \
|
|||
STOPSIGNAL SIGWINCH
|
||||
|
||||
COPY docker/apache-foreground /usr/local/bin/
|
||||
COPY testca/ /usr/local/etc/testca/
|
||||
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
|
||||
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
|
||||
COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/
|
||||
COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/
|
||||
COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
|
||||
|
||||
COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
|
||||
COPY docker/cacert.conf /etc/apache2/conf-available/
|
||||
COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini
|
||||
|
|
|
@ -19,6 +19,12 @@ services:
|
|||
dockerfile: smtp.Dockerfile
|
||||
volumes:
|
||||
- maildir:/home/catchall/Maildir
|
||||
mail:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: mail.Dockerfile
|
||||
volumes:
|
||||
- maildir:/home/catchall/Maildir
|
||||
application:
|
||||
build:
|
||||
context: .
|
||||
|
@ -46,6 +52,19 @@ services:
|
|||
- smtp
|
||||
volumes:
|
||||
- ./cacert-software:/www
|
||||
mgr:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: mgr.Dockerfile
|
||||
env_file:
|
||||
- ./.env
|
||||
ports:
|
||||
- "9443:443"
|
||||
depends_on:
|
||||
- db
|
||||
- mail
|
||||
volumes:
|
||||
- ./cacert-mgr:/var/www
|
||||
|
||||
volumes:
|
||||
db: { }
|
||||
|
|
|
@ -4,16 +4,6 @@ set -eux
|
|||
# Apache gets grumpy about PID files pre-existing
|
||||
rm -f /run/apache2/apache2.pid
|
||||
|
||||
cp /usr/local/etc/testca/certs/test.cacert.localhost.crt.pem /etc/ssl/certs/
|
||||
cp /usr/local/etc/testca/certs/test.cacert.localhost.key.pem /etc/ssl/private/
|
||||
(
|
||||
openssl x509 -in /usr/local/etc/testca/class3/ca.crt.pem
|
||||
openssl x509 -in /usr/local/etc/testca/root/ca.crt.pem
|
||||
) >/etc/ssl/certs/combined.crt
|
||||
|
||||
cp /usr/local/etc/testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/
|
||||
cp /usr/local/etc/testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/
|
||||
|
||||
cp /usr/local/etc/application/feed.rss /www/pages/index/feed.rss
|
||||
|
||||
make -C /www/locale
|
||||
|
|
17
docker/apache-mgr-foreground
Executable file
17
docker/apache-mgr-foreground
Executable file
|
@ -0,0 +1,17 @@
|
|||
#!/bin/sh
|
||||
set -eux
|
||||
|
||||
# Apache gets grumpy about PID files pre-existing
|
||||
rm -f /run/apache2/apache2.pid
|
||||
|
||||
sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_PASSWORD}/g" \
|
||||
/usr/local/etc/mgr-application.ini > /var/www/manager/application/configs/application.ini
|
||||
|
||||
mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
|
||||
REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
|
||||
VALUES (2, 2,'${CLIENT_CERT_EMAIL}','/CN=${CLIENT_CERT_USERNAME}///C=AU/O=CAcert Inc./CN=Class 3 Test CA');
|
||||
EOF
|
||||
|
||||
apache2ctl start "$@"
|
||||
|
||||
exec tail -F --follow=name --retry /var/log/apache2/error.log
|
21
docker/apache-mgr-virtualhost.conf
Normal file
21
docker/apache-mgr-virtualhost.conf
Normal file
|
@ -0,0 +1,21 @@
|
|||
<VirtualHost *:443>
|
||||
ServerName mgr.cacert.localhost
|
||||
ServerAlias www.mgr.cacert.localhost
|
||||
DocumentRoot /var/www/manager/public
|
||||
|
||||
SSLEngine on
|
||||
SSLStrictSNIVHostCheck on
|
||||
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
|
||||
SSLHonorCipherOrder on
|
||||
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
||||
SSLCertificateFile /etc/ssl/certs/mgr.cacert.localhost.crt.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/mgr.cacert.localhost.key.pem
|
||||
SSLCertificateChainFile /etc/ssl/certs/combined.crt
|
||||
|
||||
SSLCACertificateFile /etc/ssl/certs/combined.crt
|
||||
SSLVerifyClient require
|
||||
SSLVerifyDepth 2
|
||||
SSLOptions +StdEnvVars
|
||||
|
||||
Header always set Strict-Transport-Security "max-age=31536000"
|
||||
</VirtualHost>
|
|
@ -4,15 +4,15 @@ set -eux
|
|||
|
||||
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
|
||||
CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci;
|
||||
CREATE USER $MYSQL_APP_USER@'%' IDENTIFIED BY '$MYSQL_APP_PASSWORD';
|
||||
GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
|
||||
CREATE database mgr CHARSET utf8 COLLATE utf8_unicode_ci;
|
||||
EOF
|
||||
|
||||
for script in /db_migrations/*.sh; do
|
||||
sh "$script" -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" cacert
|
||||
done
|
||||
|
||||
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" mgr </mgr_dbadm/ca_mgr.mysql
|
||||
|
||||
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" cacert <<-'EOF'
|
||||
INSERT INTO languages (locale, en_co, en_lang, country, lang)
|
||||
VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqipëria', 'shqipe'),
|
||||
|
@ -115,3 +115,14 @@ VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqipëria', 'shqipe'),
|
|||
('vi_VN', 'Vietnam', 'Vietnamese', 'Việt Nam', 'Tiểng Việt'),
|
||||
('ar_YE', 'Yemen', 'Arabic', 'ﻦﻤﻴﻠﺍ', 'ﺔﻴﺐﺮﻌﻠﺍ');
|
||||
EOF
|
||||
|
||||
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
|
||||
CREATE USER $MYSQL_APP_USER@'%' IDENTIFIED BY '$MYSQL_APP_PASSWORD';
|
||||
GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
|
||||
|
||||
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
|
||||
GRANT CREATE TEMPORARY TABLES ON mgr.* TO $MYSQL_MGR_USER@'%';
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.users TO $MYSQL_MGR_USER@'%';
|
||||
EOF
|
||||
|
|
57
docker/mgr-application.ini
Normal file
57
docker/mgr-application.ini
Normal file
|
@ -0,0 +1,57 @@
|
|||
[production]
|
||||
phpSettings.display_startup_errors = 1
|
||||
phpSettings.display_errors = 1
|
||||
includePaths.library = LIBRARY_PATH
|
||||
bootstrap.path = APPLICATION_PATH "/Bootstrap.php"
|
||||
bootstrap.class = "Bootstrap"
|
||||
resources.frontController.controllerDirectory = APPLICATION_PATH "/controllers"
|
||||
resources.frontController.noViewRenderer = 0
|
||||
resources.frontController.noErrorHandler = 0
|
||||
resources.frontController.useDefaultControllerAlways = 0
|
||||
resources.layout.layoutPath = APPLICATION_PATH "/layouts/scripts"
|
||||
resources.view[] =
|
||||
autoloadernamespaces.0 = "CAcert_"
|
||||
|
||||
; Database settings for Session DB
|
||||
ca_mgr.db.session.pdo = "Pdo_Mysql"
|
||||
ca_mgr.db.session.autocleanup = 1
|
||||
ca_mgr.db.session.host = "db"
|
||||
ca_mgr.db.session.username = "@MYSQL_MGR_USER@"
|
||||
ca_mgr.db.session.password = "@MYSQL_MGR_PASSWORD@"
|
||||
ca_mgr.db.session.dbname = "mgr"
|
||||
|
||||
; Database settings for Auth DB (CACert User Table)
|
||||
ca_mgr.db.auth.pdo = "Pdo_Mysql"
|
||||
ca_mgr.db.auth.host = "db"
|
||||
ca_mgr.db.auth.username = "@MYSQL_MGR_USER@"
|
||||
ca_mgr.db.auth.password = "@MYSQL_MGR_PASSWORD@"
|
||||
ca_mgr.db.auth.dbname = "cacert"
|
||||
ca_mgr.db.auth.tablename = "users"
|
||||
|
||||
; Database settings for Auth DB (Manager User Table)
|
||||
ca_mgr.db.auth2.pdo = "Pdo_Mysql"
|
||||
ca_mgr.db.auth2.host = "db"
|
||||
ca_mgr.db.auth2.username = "@MYSQL_MGR_USER@"
|
||||
ca_mgr.db.auth2.password = "@MYSQL_MGR_PASSWORD@"
|
||||
ca_mgr.db.auth2.dbname = "mgr"
|
||||
ca_mgr.db.auth2.tablename = "system_user"
|
||||
|
||||
; Database settings for Config DB (access to system_config and dnssecme data tables)
|
||||
ca_mgr.db.config.pdo = "Pdo_Mysql"
|
||||
ca_mgr.db.config.host = "db"
|
||||
ca_mgr.db.config.username = "@MYSQL_MGR_USER@"
|
||||
ca_mgr.db.config.password = "@MYSQL_MGR_PASSWORD@"
|
||||
ca_mgr.db.config.dbname = "mgr"
|
||||
|
||||
; Application name for logger
|
||||
log.application = "web"
|
||||
|
||||
[staging : production]
|
||||
|
||||
[testing : production]
|
||||
phpSettings.display_startup_errors = 1
|
||||
phpSettings.display_errors = 1
|
||||
|
||||
[development : production]
|
||||
phpSettings.display_startup_errors = 1
|
||||
phpSettings.display_errors = 1
|
4
docker/run-dovecot
Executable file
4
docker/run-dovecot
Executable file
|
@ -0,0 +1,4 @@
|
|||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
dovecot -F
|
23
mail.Dockerfile
Normal file
23
mail.Dockerfile
Normal file
|
@ -0,0 +1,23 @@
|
|||
FROM debian:buster
|
||||
|
||||
RUN apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive \
|
||||
apt-get install -y --no-install-recommends \
|
||||
ca-certificates \
|
||||
curl \
|
||||
dovecot-imapd \
|
||||
dumb-init \
|
||||
mutt \
|
||||
psmisc \
|
||||
&& apt-get clean \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
EXPOSE 143
|
||||
|
||||
RUN adduser --uid 1000 --gecos "catchall mailbox" --disabled-password catchall
|
||||
|
||||
VOLUME /home/catchall/Maildir
|
||||
|
||||
COPY docker/run-dovecot /usr/local/bin/run-dovecot
|
||||
|
||||
CMD ["dumb-init", "/usr/local/bin/run-dovecot"]
|
|
@ -2,3 +2,4 @@ FROM mariadb:focal
|
|||
|
||||
COPY docker/initdb.sh /docker-entrypoint-initdb.d/initdb.sh
|
||||
COPY cacert-software/scripts/db_migrations/*.sh /db_migrations/
|
||||
COPY cacert-mgr/dbadm/ca_mgr.mysql /mgr_dbadm/
|
44
mgr.Dockerfile
Normal file
44
mgr.Dockerfile
Normal file
|
@ -0,0 +1,44 @@
|
|||
FROM debian:jessie
|
||||
|
||||
RUN apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive \
|
||||
apt-get install -y --no-install-recommends \
|
||||
ca-certificates \
|
||||
curl \
|
||||
gettext \
|
||||
libapache2-mod-php5 \
|
||||
locales-all \
|
||||
mariadb-client \
|
||||
nullmailer \
|
||||
php5-mysql \
|
||||
zendframework \
|
||||
&& apt-get clean \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
STOPSIGNAL SIGWINCH
|
||||
|
||||
COPY docker/apache-mgr-foreground /usr/local/bin/
|
||||
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
|
||||
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
|
||||
COPY testca/certs/mgr.cacert.localhost.crt.pem /etc/ssl/certs/
|
||||
COPY testca/certs/mgr.cacert.localhost.key.pem /etc/ssl/private/
|
||||
COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
|
||||
COPY testca/class3/ca.crt.pem /etc/ssl/certs/clientca.crt
|
||||
|
||||
COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf
|
||||
COPY docker/mgr-application.ini /usr/local/etc/
|
||||
|
||||
VOLUME /var/www
|
||||
|
||||
RUN a2ensite mgr.cacert.localhost ; \
|
||||
a2dissite 000-default ; \
|
||||
a2enmod headers ; \
|
||||
a2enmod ssl ; \
|
||||
cd /usr/local/share/ca-certificates ; \
|
||||
curl -O http://www.cacert.org/certs/root_X0F.crt ; \
|
||||
curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
|
||||
update-ca-certificates
|
||||
|
||||
EXPOSE 443
|
||||
|
||||
CMD ["/usr/local/bin/apache-mgr-foreground"]
|
110
setup_test_ca.sh
110
setup_test_ca.sh
|
@ -1,19 +1,20 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -eux
|
||||
|
||||
if [ -d testca/ ]; then
|
||||
echo "testca/ exists, remove it if you want to start from scratch"
|
||||
exit 1
|
||||
fi
|
||||
set -eu
|
||||
|
||||
ORGANIZATION="CAcert Inc."
|
||||
COUNTRY_CODE="AU"
|
||||
. ./.env
|
||||
|
||||
if [ ! -d testca/ ]; then
|
||||
mkdir -p testca/
|
||||
cd testca
|
||||
mkdir -p root/newcerts class3/newcerts root/private class3/private certs
|
||||
touch root/index.txt class3/index.txt
|
||||
else
|
||||
cd testca
|
||||
fi
|
||||
|
||||
cat >ca.cnf <<EOF
|
||||
[ca]
|
||||
default_ca = class3_ca
|
||||
|
@ -100,6 +101,16 @@ authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/
|
|||
crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl
|
||||
certificatePolicies = @policy_class3_ca
|
||||
|
||||
[client_ext]
|
||||
basicConstraints = critical,CA:false
|
||||
keyUsage = digitalSignature,keyEncipherment
|
||||
extendedKeyUsage = clientAuth
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always
|
||||
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
|
||||
crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl
|
||||
certificatePolicies = @policy_class3_ca
|
||||
|
||||
[server_ext]
|
||||
basicConstraints = critical,CA:false
|
||||
keyUsage = digitalSignature,keyEncipherment
|
||||
|
@ -115,6 +126,7 @@ policyIdentifier = 1.3.6.1.5.5.7.2.1
|
|||
CPS = http://test.cacert.localhost/ca/class3/cps.html
|
||||
EOF
|
||||
|
||||
if [ ! -f root/ca.crt.pem ]; then
|
||||
openssl req -new -x509 -config ca.cnf \
|
||||
-keyout root/private/ca.key.pem \
|
||||
-nodes \
|
||||
|
@ -122,6 +134,8 @@ openssl req -new -x509 -config ca.cnf \
|
|||
-days 3650 \
|
||||
-extensions root_extensions \
|
||||
-out root/ca.crt.pem
|
||||
fi
|
||||
if [ ! -f class3/ca.crt.pem ]; then
|
||||
openssl req -new -config ca.cnf \
|
||||
-keyout class3/private/ca.key.pem \
|
||||
-nodes \
|
||||
|
@ -133,19 +147,55 @@ openssl ca -config ca.cnf \
|
|||
-rand_serial \
|
||||
-extensions class3_extensions \
|
||||
-batch
|
||||
openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \
|
||||
-out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost"
|
||||
openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \
|
||||
-out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:secure.test.cacert.localhost"
|
||||
fi
|
||||
|
||||
if [ ! -f certs/cachain.crt.pem ]; then
|
||||
(
|
||||
openssl x509 -in class3/ca.crt.pem
|
||||
openssl x509 -in root/ca.crt.pem
|
||||
) >certs/cachain.crt.pem
|
||||
fi
|
||||
|
||||
if [ ! -f certs/cats.cacert.localhost.crt.pem ]; then
|
||||
openssl req -new -keyout certs/cats.cacert.localhost.key.pem -nodes \
|
||||
-out certs/cats.cacert.localhost.csr.pem -subj "/CN=cats.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:cats.cacert.localhost,DNS:www.cats.cacert.localhost"
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/test.cacert.localhost.csr.pem \
|
||||
-out certs/test.cacert.localhost.crt.pem \
|
||||
-in certs/cats.cacert.localhost.csr.pem \
|
||||
-out certs/cats.cacert.localhost.crt.pem \
|
||||
-rand_serial \
|
||||
-extensions server_ext \
|
||||
-batch
|
||||
fi
|
||||
if [ ! -f certs/cats-client.cacert.localhost.crt.pem ]; then
|
||||
openssl req -new -keyout certs/cats-client.cacert.localhost.key.pem -nodes \
|
||||
-out certs/cats-client.cacert.localhost.csr.pem -subj "/CN=cats.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:cats.cacert.localhost"
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/cats-client.cacert.localhost.csr.pem \
|
||||
-out certs/cats-client.cacert.localhost.crt.pem \
|
||||
-rand_serial \
|
||||
-extensions client_ext \
|
||||
-batch
|
||||
fi
|
||||
if [ ! -f certs/mgr.cacert.localhost.crt.pem ]; then
|
||||
openssl req -new -keyout certs/mgr.cacert.localhost.key.pem -nodes \
|
||||
-out certs/mgr.cacert.localhost.csr.pem -subj "/CN=mgr.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:mgr.cacert.localhost,DNS:www.mgr.cacert.localhost"
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/mgr.cacert.localhost.csr.pem \
|
||||
-out certs/mgr.cacert.localhost.crt.pem \
|
||||
-rand_serial \
|
||||
-extensions server_ext \
|
||||
-batch
|
||||
fi
|
||||
if [ ! -f certs/secure.test.cacert.localhost.crt.pem ]; then
|
||||
openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \
|
||||
-out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:secure.test.cacert.localhost"
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/secure.test.cacert.localhost.csr.pem \
|
||||
|
@ -153,3 +203,35 @@ openssl ca -config ca.cnf \
|
|||
-rand_serial \
|
||||
-extensions server_ext \
|
||||
-batch
|
||||
fi
|
||||
if [ ! -f certs/test.cacert.localhost.crt.pem ]; then
|
||||
openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \
|
||||
-out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \
|
||||
-addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost"
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/test.cacert.localhost.csr.pem \
|
||||
-out certs/test.cacert.localhost.crt.pem \
|
||||
-rand_serial \
|
||||
-extensions server_ext \
|
||||
-batch
|
||||
fi
|
||||
|
||||
if [ ! -f certs/testclient.p12 ]; then
|
||||
openssl req -new -keyout certs/testclient.key.pem -nodes \
|
||||
-out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}" \
|
||||
-addext "subjectAltName=email:${CLIENT_CERT_EMAIL}"
|
||||
openssl ca -config ca.cnf \
|
||||
-name class3_ca \
|
||||
-in certs/testclient.csr.pem \
|
||||
-out certs/testclient.crt.pem \
|
||||
-rand_serial \
|
||||
-extensions client_ext \
|
||||
-batch
|
||||
openssl pkcs12 -export -out certs/testclient.p12 \
|
||||
-passout "pass:${CLIENT_CERT_PASSWORD}" \
|
||||
-chain -CAfile certs/cachain.crt.pem \
|
||||
-inkey certs/testclient.key.pem \
|
||||
-in certs/testclient.crt.pem \
|
||||
-name "${CLIENT_CERT_USERNAME}"
|
||||
fi
|
||||
|
|
Loading…
Reference in a new issue