Al Tobey
2011-03-25 21:54:03 UTC
https://github.com/tobert/certmaster/commit/21b55436bc7e9f154c637a4213266e67aa0b6577
This patch adds x509 extensions for dnsName and nsComment to certmaster.
I've only done light testing at this point, but it seems to work on my
Fedora 14 machine. The try/catch should allow things to keep working on
older distros with broken x509Extension support in pyOpenSSL. I'll be
testing on CentOS 5.3 soon, since that's my target platform.
My goal is to get full mutual authentication working with rsyslog 4.2.2 TLS
(4.2.2 is shipped with EL6).
From openssl x509 -in /etc/pki/certmaster/xxxxxx.cert -text
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Netscape Comment:
Created by certmaster.
X509v3 Subject Alternative Name:
DNS:xxxxxx
And openssl x509 -in /etc/pki/certmaster/ca.cert -text
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Netscape Comment:
Created by certmaster.
X509v3 Subject Alternative Name:
DNS:xxxxxx
Thanks,
-Al Tobey
commit 21b55436bc7e9f154c637a4213266e67aa0b6577
Author: Al Tobey <tobert-***@public.gmane.org>
Date: Fri Mar 25 14:14:57 2011 -0700
Add x509 extensions for dnsName and nsComment.
Many utilities that could use certmaster certs follow rules laid
out in RFC3280. At the moment I'm working on integrating rsyslog
TLS with mutual authentication. Certmaster certs currently only
work in "anon" mode where encryption is achieved, but no
authentication is performed.
To that end, a function _build_extension_list() is implemented in
this patch that is now used by both create_ca() and
create_slave_certificate() that attempts to add the extensions to
the cert before signing.
subjectKeyIdentifier will be explored in a subsequent patch.
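The extension set the commit message describes (basicConstraints, nsComment, subjectAltName on both the CA and the slave certificate), reproduced with the openssl CLI and then checked the way a mutually authenticating TLS peer would check it. This is an added example, not certmaster's code or the patch itself; the hostnames, subjects and temporary paths are constructed.

```shell
#!/bin/sh
# Added example, not certmaster's code: produce with the openssl CLI the same
# extension set the patch adds via pyOpenSSL (basicConstraints, nsComment,
# subjectAltName), then check what a TLS peer such as rsyslog relies on.
# Assumes openssl on PATH; hostnames, subjects and paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=log01.example.internal          # constructed slave hostname

# $1=ext file, $2=TRUE|FALSE, $3=DNS name; mirrors the x509 -text output above.
write_ext() {
    printf 'basicConstraints = critical, CA:%s\nnsComment = "Created by certmaster."\nsubjectAltName = DNS:%s\n' "$2" "$3" > "$1"
}

new_csr() {  # $1=basename, $2=CN: fresh key and CSR under $WORK
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_certs() {
    write_ext "$WORK/ca.ext" TRUE certmaster-ca.example.internal
    write_ext "$WORK/slave.ext" FALSE "$HOST"
    new_csr ca "certmaster CA"             # self-signed CA, CA:TRUE
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.cert" 2>/dev/null
    new_csr slave "$HOST"                  # slave cert, CA:FALSE
    openssl x509 -req -in "$WORK/slave.csr" -CA "$WORK/ca.cert" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/slave.ext" -out "$WORK/slave.cert" 2>/dev/null
    # A cert issued with the slave key: because the slave cert carries CA:FALSE,
    # a conforming verifier must refuse to use it as an intermediate.
    new_csr leafsigned other.example.internal
    openssl x509 -req -in "$WORK/leafsigned.csr" -CA "$WORK/slave.cert" -CAkey "$WORK/slave.key" \
        -CAcreateserial -days 30 -out "$WORK/leafsigned.cert" 2>/dev/null
}

# Checks on $1=cert file; each returns 0 on success, like openssl itself.
has_ca_flag() { openssl x509 -in "$1" -noout -text | grep -q "CA:$2"; }  # $2=TRUE|FALSE
has_comment() { openssl x509 -in "$1" -noout -text | grep -q 'Created by certmaster.'; }
# Chains to the CA and the SAN matches the expected peer name ($2), as mutual auth needs
verifies_as() { openssl verify -CAfile "$WORK/ca.cert" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
# Would a chain through the CA:FALSE slave cert be accepted? It must not be.
via_slave_ok() { openssl verify -CAfile "$WORK/ca.cert" -untrusted "$WORK/slave.cert" "$1" >/dev/null 2>&1; }

make_certs
has_ca_flag "$WORK/ca.cert" TRUE && has_ca_flag "$WORK/slave.cert" FALSE && echo "basicConstraints as expected"
has_comment "$WORK/slave.cert" && echo "nsComment present"
verifies_as "$WORK/slave.cert" "$HOST" && echo "slave cert verifies for $HOST"
verifies_as "$WORK/slave.cert" wrong.example.internal || echo "wrong peer name rejected"
via_slave_ok "$WORK/leafsigned.cert" || echo "CA:FALSE cert refused as an issuer"
```

The last two checks are the point of the patch for mutual authentication: a peer presenting a certificate for another name, or a certificate chained through a CA:FALSE leaf, is rejected instead of being accepted as in "anon" mode.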