secrets: simplify cert generation
- Remove openssl.cnf which includes many unused settings. - Generate the key and cert files with a single call to openssl. - Option `-nodes` ("no DES") disables encryption of the key file. - Option `-addext` is used to specify `subjectAltName` settings that were previously defined by openssl.cnf. The key type is unchanged. Certificate changes: - Certificate duration is now 10 years - Organization (subj 'O') is now 'loop' instead of 'loopd' for lightning-loop to simplify the code. For reference, the org. name in auto-generated loop certs is "loop autogenerated cert". - The certificate now includes all default x509v3 extensions. These were previously restricted to just `subjectAltName` by openssl.cnf. We now use the openssl defaults for simplicity.
This commit is contained in:
parent
2c8e29b35b
commit
e1e3d8a92b
@ -30,16 +30,15 @@ makePasswordSecret jm-wallet-password
|
|||||||
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
||||||
[[ -e backup-encryption-env ]] || echo "PASSPHRASE=$(cat backup-encryption-password)" > backup-encryption-env
|
[[ -e backup-encryption-env ]] || echo "PASSPHRASE=$(cat backup-encryption-password)" > backup-encryption-env
|
||||||
|
|
||||||
if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
|
makeCert() {
|
||||||
openssl ecparam -genkey -name prime256v1 -out lnd-key
|
if [[ ! -e $name-key || ! -e $name-cert ]]; then
|
||||||
openssl req -config $opensslConf -new -sha256 -key lnd-key -out lnd.csr -subj '/CN=localhost/O=lnd'
|
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
|
||||||
openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd-key -in lnd.csr -out lnd-cert
|
-sha256 -days 3650 -nodes -keyout "$name-key" -out "$name-cert" \
|
||||||
rm lnd.csr
|
-subj "/CN=localhost/O=$name" \
|
||||||
|
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1,IP:169.254.1.14,IP:169.254.1.22"
|
||||||
|
# TODO: Remove hardcoded lnd, loopd netns ips
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
if [[ ! -e loop-key || ! -e loop-cert ]]; then
|
makeCert lnd
|
||||||
openssl ecparam -genkey -name prime256v1 -out loop-key
|
makeCert loop
|
||||||
openssl req -config $opensslConf -new -sha256 -key loop-key -out loop.csr -subj '/CN=localhost/O=loopd'
|
|
||||||
openssl req -config $opensslConf -x509 -sha256 -days 1825 -key loop-key -in loop.csr -out loop-cert
|
|
||||||
rm loop.csr
|
|
||||||
fi
|
|
||||||
|
@ -1,36 +0,0 @@
|
|||||||
[ req ]
|
|
||||||
#default_bits = 2048
|
|
||||||
#default_md = sha256
|
|
||||||
#default_keyfile = privkey.pem
|
|
||||||
distinguished_name = req_distinguished_name
|
|
||||||
attributes = req_attributes
|
|
||||||
x509_extensions = v3_ca
|
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
|
||||||
countryName = Country Name (2 letter code)
|
|
||||||
countryName_min = 2
|
|
||||||
countryName_max = 2
|
|
||||||
stateOrProvinceName = State or Province Name (full name)
|
|
||||||
localityName = Locality Name (eg, city)
|
|
||||||
0.organizationName = Organization Name (eg, company)
|
|
||||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
||||||
commonName = Common Name (eg, fully qualified host name)
|
|
||||||
commonName_max = 64
|
|
||||||
emailAddress = Email Address
|
|
||||||
emailAddress_max = 64
|
|
||||||
|
|
||||||
[ req_attributes ]
|
|
||||||
challengePassword = A challenge password
|
|
||||||
challengePassword_min = 4
|
|
||||||
challengePassword_max = 20
|
|
||||||
|
|
||||||
[ v3_ca ]
|
|
||||||
subjectAltName = @alt_names
|
|
||||||
|
|
||||||
[ alt_names ]
|
|
||||||
IP.1 = 127.0.0.1
|
|
||||||
DNS.1 = localhost
|
|
||||||
# TODO: Remove hardcoded lnd IP
|
|
||||||
IP.2 = 169.254.1.14
|
|
||||||
# TODO: Remove hardcoded loopd IP
|
|
||||||
IP.3 = 169.254.1.22
|
|
Loading…
Reference in New Issue
Block a user