From ccfdd24ff3fb6d28bc224c4a6bff8d5758a109c8 Mon Sep 17 00:00:00 2001
From: Thomas Preud'homme
Date: Tue, 4 Nov 2014 22:18:42 +0000
Subject: [PATCH] [ssl_mgmt] Set CA:FALSE constraint for certs
---
 ssl_mgmt/openssl.cnf.in | 7 ++++++-
 ssl_mgmt/tests/5/cmdline | 3 +++
 ssl_mgmt/tests/5/driver | 2 ++
 ssl_mgmt/tests/5/fini | 1 +
 ssl_mgmt/tests/5/init | 1 +
 5 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 ssl_mgmt/tests/5/cmdline
 create mode 100755 ssl_mgmt/tests/5/driver
 create mode 120000 ssl_mgmt/tests/5/fini
 create mode 120000 ssl_mgmt/tests/5/init
diff --git a/ssl_mgmt/openssl.cnf.in b/ssl_mgmt/openssl.cnf.in
index ada01a3..9771a36 100644
--- a/ssl_mgmt/openssl.cnf.in
+++ b/ssl_mgmt/openssl.cnf.in
@@ -24,7 +24,7 @@ policy = policy_match
 copy_extensions = copy
 # We want those extensions only to generate the root certificates, so
 # we specify it on the command line:
-x509_extensions = v3_ca
+x509_extensions = v3_x509
 
 [ policy_match ]
 countryName = match
@@ -64,3 +64,8 @@ authorityKeyIdentifier = keyid:always,issuer:always
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 subjectAltName = @ALTNAME@
+
+[ v3_x509 ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
diff --git a/ssl_mgmt/tests/5/cmdline b/ssl_mgmt/tests/5/cmdline
new file mode 100644
index 0000000..65feb3f
--- /dev/null
+++ b/ssl_mgmt/tests/5/cmdline
@@ -0,0 +1,3 @@
+keyId= cnfFilePath=./ssl_mgmt.conf ../ssl_mgmt renew foo \
+ && openssl x509 -in destdir/certs/foo-cert.pem -text -noout \
+ | grep -A 1 "X509v3 Basic Constraints:" | grep "CA:FALSE"
diff --git a/ssl_mgmt/tests/5/driver b/ssl_mgmt/tests/5/driver
new file mode 100755
index 0000000..e64bbaa
--- /dev/null
+++ b/ssl_mgmt/tests/5/driver
@@ -0,0 +1,2 @@
+echo
+echo "y"
diff --git a/ssl_mgmt/tests/5/fini b/ssl_mgmt/tests/5/fini
new file mode 120000
index 0000000..f12b28a
--- /dev/null
+++ b/ssl_mgmt/tests/5/fini
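Review bot: The two comment lines kept as context directly above the changed `x509_extensions` line are now misleading: they talk about the root-certificate extensions, while the line they introduce selects the non-CA `v3_x509` section as the default. I would reword them to something like `# Default extensions for issued (non-CA) certificates; the root certificate gets v3_ca via -extensions on the command line.` The command that generates the root certificate is not part of this patch, so it is worth confirming that it really passes `-extensions v3_ca` explicitly; if it relied on this default it would now be issued with CA:FALSE. The enclosing config section starts above the hunk.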
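Review bot: The new `[ v3_x509 ]` section pins `basicConstraints` but does not mark it critical, and it sets no key-usage extensions, while `copy_extensions = copy` (visible as context in the first hunk) still copies from the request any extension this section leaves unset. That means the requester, not the CA config, still decides `keyUsage` and `extendedKeyUsage` on the issued certificate. Consider `basicConstraints = critical, CA:FALSE` together with an explicit `keyUsage = digitalSignature, keyEncipherment` (adjusted to the intended use of these certificates). A one-line comment above the section saying when it applies, as opposed to the section ending in `subjectAltName = @ALTNAME@` just before it, would also help.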
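Review bot: The new test checks the constraint only on the certificate produced by `ssl_mgmt renew foo`, so a regression in any other issuance path would go unnoticed. Whether ssl_mgmt has a separate first-issuance command that uses the same default extension section is not visible in this patch; if it does, a sibling test running the same `openssl x509 -text -noout | grep -A 1 "X509v3 Basic Constraints:" | grep "CA:FALSE"` check on a freshly issued certificate would pin the fix for both paths.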
@@ -0,0 +1 @@
+../restore_foo_fini
\ No newline at end of file
diff --git a/ssl_mgmt/tests/5/init b/ssl_mgmt/tests/5/init
new file mode 120000
index 0000000..f74317c
--- /dev/null
+++ b/ssl_mgmt/tests/5/init
@@ -0,0 +1 @@
+../save_foo_init
\ No newline at end of file