[ovs-dev,3/3] ovs-pki: generate x.509 v3 certificate
diff mbox series

Message ID 20180627175844.2809-4-qiuyu.xiao.qyx@gmail.com
State Changes Requested
Headers show
Series
  • IPsec support for tunneling
Related show

Commit Message

Qiuyu Xiao June 27, 2018, 5:58 p.m. UTC
This patch modifies ovs-pki to generate x.509 version 3 certificate.
Compared with the x.509 v1 certificate generated by ovs-pki, version 3
certificate adds subjectAltName field and sets its value the same as
common name (CN). The main reason for this change is to enable
strongSwan IKE daemon to extract certificate identity string from the
subjectAltName field, which makes OVN IPsec implementation easier.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
---
 utilities/ovs-pki.in | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

Comments

Ben Pfaff July 3, 2018, 8:04 p.m. UTC | #1
On Wed, Jun 27, 2018 at 10:58:44AM -0700, Qiuyu Xiao wrote:
> This patch modifies ovs-pki to generate x.509 version 3 certificate.
> Compared with the x.509 v1 certificate generated by ovs-pki, version 3
> certificate adds subjectAltName field and sets its value the same as
> common name (CN). The main reason for this change is to enable
> strongSwan IKE daemon to extract certificate identity string from the
> subjectAltName field, which makes OVN IPsec implementation easier.
> 
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>

Please add an item to the top-level NEWS file that explains the change.

Thanks,

Ben.

Patch
diff mbox series

diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 4f6941865..1b6681d3a 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -284,7 +284,7 @@  policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option
 cert_opt       = ca_default            # Certificate display option
-copy_extensions = none                 # Don't copy extensions from request
+copy_extensions = copy                 # Copy extensions from request
 unique_subject = no                    # Allow certs with duplicate subjects
 
 # For the CA policy
@@ -295,6 +295,13 @@  organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional
+
+# For the x509v3 extension
+[ ca_cert ]
+basicConstraints=CA:true
+
+[ usr_cert ]
+basicConstraints=CA:false
 EOF
         fi
 
@@ -307,7 +314,8 @@  EOF
         openssl req -config ca.cnf -nodes \
             -newkey $newkey -keyout private/cakey.pem -out careq.pem \
             1>&3 2>&3
-        openssl ca -config ca.cnf -create_serial -out cacert.pem \
+        openssl ca -config ca.cnf -create_serial \
+            -extensions ca_cert -out cacert.pem \
             -days 3650 -batch -keyfile private/cakey.pem -selfsign \
             -infiles careq.pem 1>&3 2>&3
         chmod 0700 private/cakey.pem
@@ -445,6 +453,7 @@  make_request() {
 [ req ]
 prompt = no
 distinguished_name = req_distinguished_name
+req_extensions = v3_req
 
 [ req_distinguished_name ]
 C = US
@@ -453,6 +462,9 @@  L = Palo Alto
 O = Open vSwitch
 OU = Open vSwitch certifier
 CN = $cn
+
+[ v3_req ]
+subjectAltName = DNS:$cn
 EOF
     if test $keytype = rsa; then
         (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \
@@ -481,7 +493,7 @@  sign_request() {
     esac
 
     (cd "$pkidir/${type}ca" && 
-     openssl ca -config ca.cnf -batch -in "$request_file") \
+     openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \
         > "$2.tmp$$" 2>&3
     mv "$2.tmp$$" "$2"
 }