This repository has been archived by the owner on Apr 30, 2024. It is now read-only.

1.1.0

@tdharris tdharris released this 18 Sep 17:21

Certificate Creation Changes:

Added support for subjectAltName (x509v3 Subject Alternative Name) - RFC 5280.

Common Name has been officially deprecated, and "Certification Authorities are encouraged to use the dNSName" instead (RFC 2818). Although it is often used as the fallback when the subjectAltName extension is absent, popular browsers (Google, Firefox, etc.) have dropped support for that fallback. It is therefore recommended to use the preferred extension.

During certificate creation, the script checks for subjectAltName in the openssl config. If it is not found, it prompts the user whether to add it, which appends the following line to the [ req_attributes ] section of the openssl config (default /etc/ssl/openssl.cnf):

subjectAltName = Alternative DNS names, Email adresses or IPs (comma seperated list; e.g. DNS=example.com,DNS=www.example.com)

This adds the prompt shown above to CSR generation in the openssl CLI, which this script leverages.

The following are a couple of examples of the proper syntax for this Alternative Names field:

DNS:example.com, DNS:www.example.com
DNS:example.com, DNS:www.example.com, IP:127.0.0.1

Configurable certificate options

Cipher used to encrypt the private key (e.g. des3, aes128, aes192, etc.)

Prompts the user for input. Default increased to aes256.

Size of the private key to generate, in bits

Prompts the user for numbits. Default increased to 4096.

Clarified the Verify certificates submenu options for verifying keypairs.

1. CSR is signed by private key
2. Public certificate and private key are a keypair
3. 3rd party intermediate chain file and signed public certificate are a keypair
4. Check date validity of certificates
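The SAN-bearing CSR described above and the keypair checks behind submenu items 1, 2 and 4, as an added example in plain openssl commands (not the project's own script). It assumes OpenSSL 1.1.1 or later for -addext and uses a constructed passphrase and scratch directory; the SAN is passed non-interactively instead of through the [ req_attributes ] prompt.

```shell
#!/bin/sh
# Added example, not the project's own script: create a key, a CSR carrying a
# subjectAltName and a self-signed certificate, then run the keypair checks
# behind the "Verify certificates" submenu using only the openssl CLI.
set -eu

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT   # scratch dir for constructed material
PASS="pass:example-only"                        # constructed passphrase, demo only
SAN="DNS:example.com,DNS:www.example.com,IP:127.0.0.1"   # syntax from the release notes
KEY="$WORK/server.key"; CSR="$WORK/server.csr"; CRT="$WORK/server.crt"

# Private key with the release's new defaults: 4096 bits, encrypted with aes256.
make_key() { openssl genrsa -aes256 -passout "$PASS" -out "$1" 4096 2>/dev/null; }

# CSR with the SAN passed via -addext (OpenSSL 1.1.1+): the non-interactive
# equivalent of the prompt the script appends to [ req_attributes ].
make_csr() {
  openssl req -new -key "$1" -passin "$PASS" -subj "/CN=example.com" \
    -addext "subjectAltName=$SAN" -out "$2" 2>/dev/null
}

# Self-signed certificate straight from the key, same SAN, valid 30 days.
make_cert() {
  openssl req -x509 -new -key "$1" -passin "$PASS" -subj "/CN=example.com" \
    -addext "subjectAltName=$SAN" -days 30 -out "$2" 2>/dev/null
}

# The keypair checks compare SHA-256 digests of the PEM public key extracted
# from each object (works for RSA and EC alike, unlike comparing RSA moduli).
key_pub() { openssl pkey -in "$1" -passin "$PASS" -pubout 2>/dev/null | openssl dgst -sha256; }
csr_pub() { openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256; }
crt_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256; }

# 1. CSR is signed by private key: embedded public key matches the key and the
#    CSR's own proof-of-possession signature verifies.
csr_signed_by_key() {
  [ "$(csr_pub "$1")" = "$(key_pub "$2")" ] && openssl req -in "$1" -verify -noout 2>/dev/null
}
# 2. Public certificate and private key are a keypair.
cert_key_match() { [ "$(crt_pub "$1")" = "$(key_pub "$2")" ]; }
# 4. Date validity: exit 0 only while the certificate has not expired.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }
# And the point of this release: the SAN really made it into the certificate.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q 'DNS:www.example.com'; }

make_key "$KEY"; make_csr "$KEY" "$CSR"; make_cert "$KEY" "$CRT"
csr_signed_by_key "$CSR" "$KEY" && echo "CSR is signed by private key"
cert_key_match "$CRT" "$KEY"   && echo "Certificate and key are a keypair"
cert_not_expired "$CRT"        && echo "Certificate is within its validity period"
cert_has_san "$CRT"            && echo "Certificate carries subjectAltName"
```

A key that does not belong to the certificate or CSR makes cert_key_match and csr_signed_by_key return non-zero, which is the mismatch the submenu reports.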