
Re: Archive database (projectb) queries for the public
Ian Jackson writes ("Re: Archive database (projectb) queries for the public"):
> Joerg: since you had concerns about the burden on the ftpmasters of
> generating K_lca, K_serv and the delegation certificate, I wrote a
> script for you to DTRT.  Attached.

I got some helpful review from Mark Wooding and as a result here is an
updated version which produces certs which look "a bit more like" the
ones people tend to get from openssl using its supplied default config
file.  Also it fixes the bug that the two certs had the same serial
number, which some fussy software somewhere might have complained
about.

Thanks,
Ian.

#!/bin/bash
set -e

# Private keys must not be created world-readable; file creation follows
# the umask, so restrict it before generating anything.
umask 077

server_fqdn=localhost

# DEBUG_NOW lets a test run pin the timestamp that names the key files.
now=${DEBUG_NOW-$(date +%s)}

klca=klca-$now      # pseudo-CA: signs the delegation certificate
kserv=kserv-$now    # server key certified by the pseudo-CA

# Generate a private key unless one with that name already exists, so a
# re-run never overwrites a key that is already in use.
genkey () {
	if test -f "$1-privkey.pem"; then return; fi
	certtool --generate-privkey --outfile "$1-privkey.pem"
}

genkey "$klca"
genkey "$kserv"

# Self-signed pseudo-CA certificate.  The template is an unquoted heredoc,
# so shell variables expand inside it.
certtool --generate-self-signed --load-privkey "$klca-privkey.pem" \
	--outfile "$klca-cert.pem" --template /dev/stdin <<END
organization = "Debian"
unit = "ftpmaster archive query service"
country = GB
cn = "archive query service pseudo-CA"
serial = 1
expiration_days = 5000
ca
cert_signing_key
END

# Server (delegation) certificate, signed by the pseudo-CA.  Its serial
# differs from the CA's: two certificates from one issuer must never
# share a serial number.
certtool --generate-certificate \
	--load-ca-privkey "$klca-privkey.pem" \
	--load-ca-certificate "$klca-cert.pem" \
	--load-privkey "$kserv-privkey.pem" \
	--outfile "$kserv-cert.pem" --template /dev/stdin <<END
organization = "Debian"
unit = "ftpmaster archive query service"
country = GB
cn = "$server_fqdn"
serial = 2
expiration_days = 5000
tls_www_server
dns_name = "$server_fqdn"
encryption_key
signing_key
END

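As an added check (not part of Ian's script or of the Debian archive tooling), the shell functions below use certtool's own certificate dump to confirm what the message claims about the generated pair: the pseudo-CA certificate is marked CA:TRUE, the server certificate is not, the two serial numbers differ, the server certificate carries a dNSName SAN for the FQDN, and it chains to the pseudo-CA. The file arguments are the files the script above writes; the function names and the error messages are my own.

```shell
#!/bin/bash
# Added example: verify the pseudo-CA / server certificate pair produced
# by the script above, using GnuTLS certtool (flags: -i, --verify).
set -e

# Serial number of a PEM certificate, as certtool prints it (hex).
cert_serial () {
	certtool -i --infile "$1" \
		| sed -n 's/^[[:space:]]*Serial Number (hex): *//p' | head -n1
}

# Succeeds when the certificate carries basicConstraints CA:TRUE.
cert_is_ca () {
	certtool -i --infile "$1" | grep -q 'Certificate Authority (CA): TRUE'
}

# Succeeds when the certificate has a dNSName SAN exactly equal to $2.
cert_has_dnsname () {
	certtool -i --infile "$1" \
		| sed -n 's/^[[:space:]]*DNSname: *//p' | grep -qxF -- "$2"
}

# check_delegation CA_CERT SERVER_CERT FQDN
# Returns 0 only if every check passes; names the first failure on stderr.
check_delegation () {
	local ca=$1 serv=$2 fqdn=$3
	cert_is_ca "$ca" \
		|| { echo "$ca: no CA:TRUE basic constraint" >&2; return 1; }
	if cert_is_ca "$serv"; then
		echo "$serv: a server certificate must not be a CA" >&2; return 1
	fi
	[ "$(cert_serial "$ca")" != "$(cert_serial "$serv")" ] \
		|| { echo "CA and server certificates share a serial number" >&2; return 1; }
	cert_has_dnsname "$serv" "$fqdn" \
		|| { echo "$serv: no dNSName SAN for $fqdn" >&2; return 1; }
	# Chain check: the server cert must verify against the pseudo-CA alone.
	certtool --verify --load-ca-certificate "$ca" --infile "$serv" >/dev/null 2>&1 \
		|| { echo "$serv does not chain to $ca" >&2; return 1; }
	echo "ok: $serv is a valid delegation from $ca for $fqdn"
}

# Usage: ./check-delegation klca-<now>-cert.pem kserv-<now>-cert.pem localhost
if [ $# -eq 3 ]; then
	check_delegation "$1" "$2" "$3"
fi
```

Run it against the two `-cert.pem` files the script wrote, giving the same FQDN that was put in the template; swapping the two certificate arguments fails at the first check, since the server certificate is not a CA.
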