oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

For https://github.com/heimdal/heimdal/issues/392

Browse Source 
Modern OpenSSL no longer has the 2038 year restriction.  Update the
certs to last 500 years rather than 10 years.

Modern crypto requirements suggest a stronger key strength than 1024.
Update to use a minimum of 4096.

Fix executable bit on gen-req.sh
This commit is contained in:
Quanah Gibson-Mount
2019-03-22 21:11:37 +00:00
committed by Jeffrey Altman
parent c827cd48f6
commit 98f904036c
2 changed files with 5 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/hx509/data/gen-req.sh Normal file → Executable file
View File

@@ -16,7 +16,7 @@ fi
gen_cert() gen_cert()
{ {
keytype=${6:-rsa:1024} keytype=${6:-rsa:4096}
${openssl} req \ ${openssl} req \
-new \ -new \
-subj "$1" \ -subj "$1" \
@@ -30,7 +30,7 @@ gen_cert()
if [ "$3" = "ca" ] ; then if [ "$3" = "ca" ] ; then
${openssl} x509 \ ${openssl} x509 \
-req \ -req \
-days 3650 \ -days 182500 \
-in cert.req \ -in cert.req \
-extfile ${config} \ -extfile ${config} \
-extensions $4 \ -extensions $4 \
@@ -46,7 +46,7 @@ gen_cert()
${openssl} x509 \ ${openssl} x509 \
-req \ -req \
-in cert.req \ -in cert.req \
-days 3650 \ -days 182500 \
-out cert.crt \ -out cert.crt \
-CA $2.crt \ -CA $2.crt \
-CAkey $2.key \ -CAkey $2.key \
@@ -59,7 +59,7 @@ gen_cert()
${openssl} ca \ ${openssl} ca \
-name $4 \ -name $4 \
-days 3650 \ -days 182500 \
-cert $2.crt \ -cert $2.crt \
-keyfile $2.key \ -keyfile $2.key \
-in cert.req \ -in cert.req \

3
lib/hx509/data/mkcert.sh
View File

@@ -2,8 +2,7 @@
set -e set -e
# For now, avoid going past the 2038 32-bit clock rollover DAYS=182500
DAYS=$(( ( 0x7fffffff - $(date +%s) ) / 86400 - 1 ))
key() { key() {
local key=$1; shift local key=$1; shift