diff --git a/spec/spec_helper_tls.rb b/spec/spec_helper_tls.rb index bd97562..c3a1250 100644 --- a/spec/spec_helper_tls.rb +++ b/spec/spec_helper_tls.rb @@ -1,90 +1,102 @@ require 'openssl' def gen_certs(num_certs, path) ret = { :clients => [] } serial = 1_000_000 ca_key = OpenSSL::PKey::RSA.new 2048 # CA Cert - ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example' + ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example/DC=com' ca_cert = OpenSSL::X509::Certificate.new ca_cert.serial = serial serial += 1 ca_cert.version = 2 ca_cert.not_before = Time.now ca_cert.not_after = Time.now + 86_400 ca_cert.public_key = ca_key.public_key ca_cert.subject = ca_name ca_cert.issuer = ca_name extension_factory = OpenSSL::X509::ExtensionFactory.new extension_factory.subject_certificate = ca_cert extension_factory.issuer_certificate = ca_cert - ca_cert.add_extension extension_factory.create_extension( - 'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',') - ) + # ca_cert.add_extension extension_factory.create_extension( + # 'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',') + # ) ca_cert.add_extension extension_factory.create_extension( 'subjectKeyIdentifier', 'hash' ) ca_cert.add_extension extension_factory.create_extension( 'basicConstraints', 'CA:TRUE', true ) - ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new + ca_cert.sign ca_key, OpenSSL::Digest::SHA256.new ret[:ca] = { :cert => { :pem => ca_cert.to_pem, :path => path + '/ca_cert.pem' } } num_certs.times do |i| key, cert, serial = gen_cert_pair serial, ca_cert - cert.sign ca_key, OpenSSL::Digest::SHA1.new + cert.sign ca_key, OpenSSL::Digest::SHA256.new ret[:clients] << { :key => { :pem => key.to_pem, :path => path + '/' + i.to_s + '_key.pem' }, :cert => { :pem => cert.to_pem, :path => path + '/' + i.to_s + '_cert.pem' } } end ret end def gen_cert_pair(serial, ca_cert) serial += 1 # Node Key key = OpenSSL::PKey::RSA.new 2048 - node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example' + node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example/DC=com' + + # prepare SANS list + sans = ['localhost.localdomain', 'localhost', 'localhost.example.com'] + sans_list = sans.map { |domain| "DNS:#{domain}" } # Node Cert cert = OpenSSL::X509::Certificate.new cert.serial = serial cert.version = 2 cert.not_before = Time.now cert.not_after = Time.now + 6000 cert.subject = node_name cert.public_key = key.public_key cert.issuer = ca_cert.subject csr_extension_factory = OpenSSL::X509::ExtensionFactory.new csr_extension_factory.subject_certificate = cert csr_extension_factory.issuer_certificate = ca_cert + cert.add_extension csr_extension_factory.create_extension( + 'subjectAltName', + sans_list.join(',') + ) cert.add_extension csr_extension_factory.create_extension( 'basicConstraints', 'CA:FALSE' ) cert.add_extension csr_extension_factory.create_extension( 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature' ) + cert.add_extension csr_extension_factory.create_extension( + 'extendedKeyUsage', + 'serverAuth,clientAuth' + ) cert.add_extension csr_extension_factory.create_extension( 'subjectKeyIdentifier', 'hash' ) [key, cert, serial] end