secrets: simplify cert generation
- Remove openssl.cnf which includes many unused settings. - Generate the key and cert files with a single call to openssl. - Option `-nodes` ("no DES") disables encryption of the key file. - Option `-addext` is used to specify `subjectAltName` settings that were previously defined by openssl.cnf. The key type is unchanged. Certificate changes: - Certificate duration is now 10 years - Organization (subj 'O') is now 'loop' instead of 'loopd' for lightning-loop to simplify the code. For reference, the org. name in auto-generated loop certs is "loop autogenerated cert". - The certificate now includes all default x509v3 extensions. These were previously restricted to just `subjectAltName` by openssl.cnf. We now use the openssl defaults for simplicity.
This commit is contained in:
parent
2c8e29b35b
commit
e1e3d8a92b
@ -30,16 +30,15 @@ makePasswordSecret jm-wallet-password
|
||||
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
||||
[[ -e backup-encryption-env ]] || echo "PASSPHRASE=$(cat backup-encryption-password)" > backup-encryption-env
|
||||
|
||||
if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
|
||||
openssl ecparam -genkey -name prime256v1 -out lnd-key
|
||||
openssl req -config $opensslConf -new -sha256 -key lnd-key -out lnd.csr -subj '/CN=localhost/O=lnd'
|
||||
openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd-key -in lnd.csr -out lnd-cert
|
||||
rm lnd.csr
|
||||
makeCert() {
|
||||
if [[ ! -e $name-key || ! -e $name-cert ]]; then
|
||||
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
|
||||
-sha256 -days 3650 -nodes -keyout "$name-key" -out "$name-cert" \
|
||||
-subj "/CN=localhost/O=$name" \
|
||||
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1,IP:169.254.1.14,IP:169.254.1.22"
|
||||
# TODO: Remove hardcoded lnd, loopd netns ips
|
||||
fi
|
||||
}
|
||||
|
||||
if [[ ! -e loop-key || ! -e loop-cert ]]; then
|
||||
openssl ecparam -genkey -name prime256v1 -out loop-key
|
||||
openssl req -config $opensslConf -new -sha256 -key loop-key -out loop.csr -subj '/CN=localhost/O=loopd'
|
||||
openssl req -config $opensslConf -x509 -sha256 -days 1825 -key loop-key -in loop.csr -out loop-cert
|
||||
rm loop.csr
|
||||
fi
|
||||
makeCert lnd
|
||||
makeCert loop
|
||||
|
@ -1,36 +0,0 @@
|
||||
[ req ]
|
||||
#default_bits = 2048
|
||||
#default_md = sha256
|
||||
#default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
x509_extensions = v3_ca
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
localityName = Locality Name (eg, city)
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
commonName = Common Name (eg, fully qualified host name)
|
||||
commonName_max = 64
|
||||
emailAddress = Email Address
|
||||
emailAddress_max = 64
|
||||
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
challengePassword_min = 4
|
||||
challengePassword_max = 20
|
||||
|
||||
[ v3_ca ]
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[ alt_names ]
|
||||
IP.1 = 127.0.0.1
|
||||
DNS.1 = localhost
|
||||
# TODO: Remove hardcoded lnd IP
|
||||
IP.2 = 169.254.1.14
|
||||
# TODO: Remove hardcoded loopd IP
|
||||
IP.3 = 169.254.1.22
|
Loading…
Reference in New Issue
Block a user