Combining certificates to a chain file:
[root@localhost certs]# cd /etc/pki/tls/certs
[root@localhost certs]# openssl x509 -inform PEM -in www.2.0.0.example.com -text > www.2.0.0.example.com-combined.crt
[root@localhost certs]# openssl x509 -inform PEM -in cacert.pem -text >> www.2.0.0.example.com-combined.crt
# HTTPS virtual host for www.2.0.0.example.com, bound to one address on port 443.
<VirtualHost 172.16.52.182:443>
SSLEngine on
# The "-combined.crt" file was produced above by appending the server cert and
# cacert.pem, each via `openssl x509 -text`. NOTE(review): mod_ssl documents this
# directive as holding the CA certificates that form the chain, not the leaf
# (which SSLCertificateFile already supplies), and the -text dumps add non-PEM
# text that the PEM reader presumably skips but nobody needs - confirm the file
# holds only the CA certificate(s) the client actually needs to build the chain.
SSLCertificateChainFile /etc/pki/tls/certs/www.2.0.0.example.com-combined.crt
# End-entity (server) certificate, PEM.
SSLCertificateFile /etc/pki/tls/certs/www.2.0.0.example.com.crt
# Private key for the certificate above; it lives under tls/private, which
# should stay readable by root only (permissions are not shown here - verify).
SSLCertificateKeyFile /etc/pki/tls/private/www.2.0.0.example.com.key
# AllowOverride All lets any .htaccess inside the document root change the
# configuration (auth, rewrites, handlers), so write access to that tree is
# effectively configuration access.
<Directory /var/www/vhosts/example.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/example.com/httpsdocs
ServerName www.2.0.0.example.com
# No SSLProtocol / SSLCipherSuite appear in this block; presumably they are
# inherited from the global ssl.conf - check that those defaults are acceptable.
</VirtualHost>
Monday, December 26, 2011
Thursday, December 8, 2011
Decrypt private key and install certificate
[root@localhost tls]# openssl rsa -in /root/newkey.pem -out private/www.example.com.key
Enter pass phrase for /root/newkey.pem:
writing RSA key
[root@localhost tls]# openssl x509 -in /root/newcert.pem -out certs/www.example.com.crt
mv: overwrite `certs/www.example.com.crt'? y
[root@localhost tls]# pwd
/etc/pki/tls
writing RSA key
[root@localhost tls]# openssl x509 -in /root/newcert.pem -out certs/www.example.com.crt
mv: overwrite `certs/www.example.com.crt'? y
[root@localhost tls]# pwd
/etc/pki/tls
Creating TLSA records from the new certificate
Hats off to Jakob Schlyter for providing the perl script that generates a TLSA record from the certificate:
$ ../src/cert2rr.pl www.example.com 1 0 0 demoCA/cacert.pem
; Selected 755 bytes of data from demoCA/cacert.pem
; TLSA resource record:
;
www.example.com. IN TLSA 1 0 0 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
; Unknown resource record:
;
www.example.com. IN TYPE65534 \# 758 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
$ ../src/cert2rr.pl www.example.com 1 0 0 demoCA/cacert.pem
; Selected 755 bytes of data from demoCA/cacert.pem
; TLSA resource record:
;
www.example.com. IN TLSA 1 0 0 308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
; Unknown resource record:
;
www.example.com. IN TYPE65534 \# 758 010000308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
Sign certificate request
$ perl ../openssl-hacked2/apps/CA.pl -signreq
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:57
Validity
Not Before: Dec 9 03:10:52 2011 GMT
Not After : Dec 8 03:10:52 2012 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = Mtn View
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = exjobb
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:92:22:78:10:43:E4:7F:87:21:3A:17:EE:53:FE:FC:C3:DD:78:11
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
Certificate is to be certified until Dec 8 03:10:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:57
Validity
Not Before: Dec 9 03:10:52 2011 GMT
Not After : Dec 8 03:10:52 2012 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = Mtn View
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = exjobb
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:92:22:78:10:43:E4:7F:87:21:3A:17:EE:53:FE:FC:C3:DD:78:11
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
Certificate is to be certified until Dec 8 03:10:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Creating a certificate request
$ perl ../openssl-hacked2/apps/CA.pl -newreq
Generating a 1024 bit RSA private key
...........................++++++
.................................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mtn View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:exjobb
Common Name (eg, YOUR name) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Generating a 1024 bit RSA private key
...........................++++++
.................................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mtn View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:exjobb
Common Name (eg, YOUR name) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Setting up a CA server
$ perl ../openssl-hacked2/apps/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DANE CA
Organizational Unit Name (eg, section) []:Exjobb
Common Name (eg, YOUR name) []:Mathias Samuelson
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:56
Validity
Not Before: Dec 9 03:05:58 2011 GMT
Not After : Dec 8 03:05:58 2014 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = DANE CA
organizationalUnitName = Exjobb
commonName = Mathias Samuelson
X509v3 extensions:
X509v3 Subject Key Identifier:
64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
DirName:/C=US/ST=CA/O=DANE CA/OU=Exjobb/CN=Mathias Samuelson
serial:9A:0A:7E:CA:B0:15:EA:56
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 8 03:05:58 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DANE CA
Organizational Unit Name (eg, section) []:Exjobb
Common Name (eg, YOUR name) []:Mathias Samuelson
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:56
Validity
Not Before: Dec 9 03:05:58 2011 GMT
Not After : Dec 8 03:05:58 2014 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = DANE CA
organizationalUnitName = Exjobb
commonName = Mathias Samuelson
X509v3 extensions:
X509v3 Subject Key Identifier:
64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
DirName:/C=US/ST=CA/O=DANE CA/OU=Exjobb/CN=Mathias Samuelson
serial:9A:0A:7E:CA:B0:15:EA:56
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 8 03:05:58 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Saturday, December 3, 2011
Hacked dane tool
I just made a hack to the dane tool so that it now supports the Certificate Usage field and adds the correct selector and matching type fields.
79c79
< def create_tlsa(hostname, certtype, reftype):
---
> def create_tlsa(hostname, usage, selector, reftype):
100c100
< v4TLSA = draft_genTLSA(hostname, a, certtype, reftype)
---
> v4TLSA = draft_genTLSA(hostname, a, usage, selector, reftype)
102c102
< rfcv4TLSA = rfc_genTLSA(hostname, a, certtype, reftype)
---
> rfcv4TLSA = rfc_genTLSA(hostname, a, usage, selector, reftype)
114c114
< v6TLSA = draft_genTLSA(hostname, aaaa, certtype, reftype)
---
> v6TLSA = draft_genTLSA(hostname, aaaa, usage, selector, reftype)
116c116
< rfcv6TLSA = rfc_genTLSA(hostname, aaaa, certtype, reftype)
---
> rfcv6TLSA = rfc_genTLSA(hostname, aaaa, usage, selector, reftype)
133c133
< def draft_genTLSA(hostname, address, certtype, reftype):
---
> def draft_genTLSA(hostname, address, usage, selector, reftype):
156,157c156,157
< if certtype != 1:
< print "Only EE-cert supported right now"
---
> if selector != 0:
> print "Only full EE-cert supported right now"
161c161
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,len(certhex)/2+2,certtype,reftype, certhex)
---
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,len(certhex)/2+3,usage,selector,reftype, certhex)
168,170c168,170
< # certtype and reftype are part of the length
< data_length += 2
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,data_length,certtype,reftype, hashCert(reftype,dercert))
---
> # selector and reftype are part of the length
> data_length += 3
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,data_length,usage,selector,reftype, hashCert(reftype,dercert))
172c172
< def rfc_genTLSA(hostname, address, certtype, reftype):
---
> def rfc_genTLSA(hostname, address, usage, selector, reftype):
184,186c184,186
< if certtype != 1:
< print "Only EE-cert supported right now"
< return "_443._tcp.%s IN TLSA %s %s %s"%(hostname, certtype, reftype, hashCert(reftype,dercert))
---
> if selector != 0:
> print "Only full EE-cert supported right now"
> return "_443._tcp.%s IN TLSA %s %s %s %s"%(hostname, usage, selector, reftype, hashCert(reftype,dercert))
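Review bot: In rfc_genTLSA the `if selector != 0` branch only prints and then falls through to the return, so a selector-1 request still produces a record whose data is `hashCert(reftype, dercert)` — the full certificate — while the record claims to describe the SubjectPublicKeyInfo; a validator reading that record can never match it. Either refuse to emit the record, replacing the print with `sys.exit("Only full EE-cert (selector 0) supported right now")`, or hash the SPKI when selector is 1. The call at hunk 359c363 passes selector 1, so this path is reachable. The same print-and-continue pattern is in draft_genTLSA at hunk 156,157c156,157, whose return lies outside that hunk, and both recur in the second copy of this listing below.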
236a237
> parser.add_argument('--usage', action='store',help='certificate usage [0,1,2] (default:1)', default=1)
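Review bot: `--usage` is declared with `action='store'` and an integer default but no `type=int`, so a value given on the command line arrives as the string `'2'` while the default stays the int 1, and the `!=` comparisons against 0/1/2 added at hunk 264a266,268 then compare str with int. Declaring it as `parser.add_argument('--usage', type=int, choices=(0, 1, 2), default=1, help=...)` fixes the type and makes the separate range check unnecessary. The help text could also say what the values mean, since usage decides which certificate in the chain the record must match: `help='certificate usage: 0 CA constraint, 1 service certificate constraint, 2 trust anchor assertion (default: 1)'`. The same line is repeated in the second copy of this listing below.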
264a266,268
> if args.usage:
> if not (args.usage != 0 or args.usage != 1 or args.usage != 2):
> sys.exit("Certificate Usage must be (0, 1, or 2)")
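Review bot: The range check added here never rejects anything: `not (x != 0 or x != 1 or x != 2)` is false for every x because no value can equal all three at once, and the outer `if args.usage:` additionally skips the check entirely when usage is 0. Replace the two conditions with `if args.usage not in (0, 1, 2):` followed by the existing `sys.exit(...)`. As declared at hunk 236a237 the option has no `type=int`, so a command-line value is a string and even the corrected membership test needs that conversion first. The same block appears in the second copy of this listing below.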
316c320
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
356c360
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
359c363
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,1,reftype)
79c79
< def create_tlsa(hostname, certtype, reftype):
---
> def create_tlsa(hostname, usage, selector, reftype):
100c100
< v4TLSA = draft_genTLSA(hostname, a, certtype, reftype)
---
> v4TLSA = draft_genTLSA(hostname, a, usage, selector, reftype)
102c102
< rfcv4TLSA = rfc_genTLSA(hostname, a, certtype, reftype)
---
> rfcv4TLSA = rfc_genTLSA(hostname, a, usage, selector, reftype)
114c114
< v6TLSA = draft_genTLSA(hostname, aaaa, certtype, reftype)
---
> v6TLSA = draft_genTLSA(hostname, aaaa, usage, selector, reftype)
116c116
< rfcv6TLSA = rfc_genTLSA(hostname, aaaa, certtype, reftype)
---
> rfcv6TLSA = rfc_genTLSA(hostname, aaaa, usage, selector, reftype)
133c133
< def draft_genTLSA(hostname, address, certtype, reftype):
---
> def draft_genTLSA(hostname, address, usage, selector, reftype):
156,157c156,157
< if certtype != 1:
< print "Only EE-cert supported right now"
---
> if selector != 0:
> print "Only full EE-cert supported right now"
161c161
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,len(certhex)/2+2,certtype,reftype, certhex)
---
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,len(certhex)/2+3,usage,selector,reftype, certhex)
168,170c168,170
< # certtype and reftype are part of the length
< data_length += 2
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,data_length,certtype,reftype, hashCert(reftype,dercert))
---
> # selector and reftype are part of the length
> data_length += 3
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,data_length,usage,selector,reftype, hashCert(reftype,dercert))
172c172
< def rfc_genTLSA(hostname, address, certtype, reftype):
---
> def rfc_genTLSA(hostname, address, usage, selector, reftype):
184,186c184,186
< if certtype != 1:
< print "Only EE-cert supported right now"
< return "_443._tcp.%s IN TLSA %s %s %s"%(hostname, certtype, reftype, hashCert(reftype,dercert))
---
> if selector != 0:
> print "Only full EE-cert supported right now"
> return "_443._tcp.%s IN TLSA %s %s %s %s"%(hostname, usage, selector, reftype, hashCert(reftype,dercert))
236a237
> parser.add_argument('--usage', action='store',help='certificate usage [0,1,2] (default:1)', default=1)
264a266,268
> if args.usage:
> if not (args.usage != 0 or args.usage != 1 or args.usage != 2):
> sys.exit("Certificate Usage must be (0, 1, or 2)")
316c320
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
356c360
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
359c363
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,1,reftype)
Friday, December 2, 2011
Successfully building with Unbound
Thanks to one of my coworkers, Brian, I can now build with Unbound. Yay.
apps msamuel$ diff Makefile Makefile.org
59c59
< spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o ../ssl/dane.o
---
> spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o
67c67
< spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c dane.c
---
> spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c
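Review bot: On the `<` side (the edited Makefile, since the diff is run as `diff Makefile Makefile.org`) hunk 67c67 adds `dane.c` to the apps source list while hunk 59c59 links `../ssl/dane.o`, so the source and object lists disagree about where dane lives. If the file is really ssl/dane.c — the ssl Makefile diff below has a commented-out `#dane.o:` rule there — the apps dependency generation will look for apps/dane.c and presumably not find it; listing `../ssl/dane.c` would keep the two consistent. This diff is repeated once more further down.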
160c160
< LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) -L/usr/local/lib -lunbound" \
---
> LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
821d820
< s_client.o: ../include/openssl/dane.h
ssl msamuel$ diff Makefile Makefile.org
8c8
< INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES) -I/usr/local/include/unbound.h
---
> INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES)
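Review bot: `-I/usr/local/include/unbound.h` on the `<` side (the edited Makefile) hands a header file to `-I`, which takes a directory; the build presumably succeeds only because /usr/local/include is already on the compiler's default search path. Change it to `-I/usr/local/include`, matching the `-L/usr/local/lib` used for the link step in the apps Makefile. The same line appears in the repeated copy of this diff below.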
266d265
< #dane.o: /usr/local/include/unbound.h dane.c
apps msamuel$ diff Makefile Makefile.org
59c59
< spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o ../ssl/dane.o
---
> spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o
67c67
< spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c dane.c
---
> spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c
160c160
< LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS) -L/usr/local/lib -lunbound" \
---
> LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
821d820
< s_client.o: ../include/openssl/dane.h
ssl msamuel$ diff Makefile Makefile.org
8c8
< INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES) -I/usr/local/include/unbound.h
---
> INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES)
266d265
< #dane.o: /usr/local/include/unbound.h dane.c