Simon Josefsson
2014-10-07 10:22:38 +02:00
parent 8d13aa3037
commit d1308434aa
+8 -6
@@ -26,8 +26,10 @@ should do no harm, and may be useful in some environments.
The root also has a path length constraint of 1 to prevent the Sub-CAs The root also has a path length constraint of 1 to prevent the Sub-CAs
from issuing further Sub-Sub-CAs. from issuing further Sub-Sub-CAs.
We'll also set a short lifelength on the root CA to signal that expiry We also set a expiry date far away in the future on the root CA
dates on root CAs are not relevant. (expiring in 1000000 days) and use datefudge to set an arbitrary start
date for the CA, to avoid leaking the time of CA creation which would
leak some bits if information going into the randomness generation.
Preparations Preparations
------------ ------------
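Review bot: two typos in the new paragraph, "a expiry date" should read "an expiry date" and "some bits if information" should read "some bits of information". The paragraph also describes the start date as "arbitrary" while the command later in the file hard-codes "2014-01-01 UTC"; saying that any fixed date unrelated to the real creation time works would make the intent clearer, and it would help to mention that datefudge is a separate tool that has to be installed before the command can run.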
@@ -67,9 +69,9 @@ counter as follows:
CN=Yubico Internal HTTPS CA CN=Yubico Internal HTTPS CA
[ v3_ca ] [ v3_ca ]
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
basicConstraints=critical, CA:true, pathlen:1 basicConstraints=critical,CA:true,pathlen:1
keyUsage=critical, keyCertSign, cRLSign keyUsage=critical,keyCertSign,cRLSign
nameConstraints=@nc nameConstraints=critical,@nc
[ nc ] [ nc ]
permitted;otherName=1.3.6.1.5.5.7.8.7;IA5:yubico.com permitted;otherName=1.3.6.1.5.5.7.8.7;IA5:yubico.com
permitted;email.0=yubico.com permitted;email.0=yubico.com
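Review bot: making nameConstraints critical is the right change (RFC 5280 section 4.2.1.10 requires conforming CAs to mark it critical), but it changes failure behaviour for clients: a verifier that does not implement name constraints now has to reject the chain instead of silently ignoring the restriction. Worth a sentence in the prose so operators are not surprised by older clients failing. The whitespace removals on the basicConstraints and keyUsage lines are cosmetic and fine.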
@@ -80,7 +82,7 @@ counter as follows:
permitted;IP.0=0.0.0.0/255.255.255.255 permitted;IP.0=0.0.0.0/255.255.255.255
permitted;IP.1=::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff permitted;IP.1=::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
EOF EOF
openssl req -new -sha256 -x509 -set_serial 1 -days 1 -config yubico-internal-https-ca.conf -key yubico-internal-https-ca-key.pem -out yubico-internal-https-ca-crt.pem datefudge "2014-01-01 UTC" openssl req -new -sha256 -x509 -set_serial 1 -days 1000000 -config yubico-internal-https-ca.conf -key yubico-internal-https-ca-key.pem -out yubico-internal-https-ca-crt.pem
echo 01 > yubico-internal-https-ca-crt.srl echo 01 > yubico-internal-https-ca-crt.srl
You may inspect the newly generated root CA with: You may inspect the newly generated root CA with:
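Review bot: with notBefore fudged to 2014-01-01 and -days 1000000, the resulting notAfter falls around the year 4752, which OpenSSL will encode as a GeneralizedTime rather than a UTCTime; the "inspect the newly generated root CA" step that follows is the place to suggest checking `openssl x509 -noout -dates` to confirm both dates came out as intended. Since datefudge only shifts the clock seen by the process, the whole `openssl req` invocation must stay on one line behind it as written here, and any further commands that should share the fudged date need their own datefudge prefix.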