# HG changeset patch # User Matthew Wild # Date 1291656755 0 # Node ID 23c6ce0e3f20bd678270154a2e34d8ac4bce8eb6 # Parent c8fcd63e95267d59808f22f10f83ee75c08f712b# Parent 4f22615c836163a96ccb025ec3852c1f5e5abdcf Merge with Zash diff -r c8fcd63e9526 -r 23c6ce0e3f20 certs/Makefile --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/certs/Makefile Mon Dec 06 17:32:35 2010 +0000 @@ -0,0 +1,28 @@ +.DEFAULT: localhost.cert +keysize=2048 + +# How to: +# First, `make yourhost.cnf` which creates a openssl config file. +# Then edit this file and fill in the details you want it to have, +# and add or change hosts and components it should cover. +# Then `make yourhost.key` to create your private key, you can +# include keysize=number to change the size of the key. +# Then you can either `make yourhost.csr` to generate a certificate +# signing request that you can submit to a CA, or `make yourhost.cert` +# to generate a self signed certificate. + +# To request a cert +%.csr: %.cnf %.key + openssl req -new -key $(lastword $^) -out $@ -utf8 -config $(firstword $^) + +# Self signed +%.cert: %.cnf %.key + openssl req -new -x509 -nodes -key $(lastword $^) -days 365 \ + -sha1 -out $@ -utf8 -config $(firstword $^) + +%.cnf: + sed 's,example\.com,$*,g' openssl.cnf > $@ + +%.key: + openssl genrsa $(keysize) > $@ + @chmod 400 -c $@ diff -r c8fcd63e9526 -r 23c6ce0e3f20 certs/openssl.cnf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/certs/openssl.cnf Mon Dec 06 17:32:35 2010 +0000 @@ -0,0 +1,52 @@ +oid_section = new_oids + +[ new_oids ] + +# RFC 3920 section 5.1.1 defines this OID +xmppAddr = 1.3.6.1.5.5.7.8.5 + +# RFC 4985 defines this OID +SRVName = 1.3.6.1.5.5.7.8.7 + +[ req ] + +default_bits = 4096 +default_keyfile = example.com.key +distinguished_name = distinguished_name +req_extensions = v3_extensions +x509_extensions = v3_extensions + +# ask about the DN? +prompt = no + +[ distinguished_name ] + +commonName = example.com +countryName = UK +localityName = The Internet +organizationName = Your Organisation +organizationalUnitName = XMPP Department +emailAddress = xmpp@example.com + +[ v3_extensions ] + +# for certificate requests (req_extensions) +# and self-signed certificates (x509_extensions) + +basicConstraints = CA:FALSE +keyUsage = digitalSignature,keyEncipherment +extendedKeyUsage = serverAuth,clientAuth +subjectAltName = @subject_alternative_name + +[ subject_alternative_name ] + +# See http://tools.ietf.org/html/draft-ietf-xmpp-3920bis#section-13.7.1.2 for more info. + +DNS.0 = example.com +otherName.0 = xmppAddr;UTF8:example.com +otherName.1 = SRVName;IA5STRING:_xmpp-client.example.com +otherName.2 = SRVName;IA5STRING:_xmpp-server.example.com + +DNS.1 = conference.example.com +otherName.3 = xmppAddr;UTF8:conference.example.com +otherName.4 = SRVName;IA5STRING:_xmpp-server.conference.example.com