fix mac can't generate key

makerdiary · Mar 19, 2019 · f793bbc · f793bbc
1 parent 7a81f1f
commit f793bbc
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 5 deletions.
diff --git a/certs/myserver.cnf.example b/certs/myserver.cnf.example
@@ -0,0 +1,34 @@
+# OpenSSL configuration file for creating a CSR for a server certificate
+# Adapt at least the FQDN and ORGNAME lines, and then run 
+# openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
+# on the command line.
+
+# the fully qualified server (or service) name
+FQDN = foo.example.org
+
+# the name of your organization
+# (see also https://www.switch.ch/pki/participants/)
+ORGNAME = Example University
+
+# subjectAltName entries: to add DNS aliases to the CSR, delete
+# the '#' character in the ALTNAMES line, and change the subsequent
+# 'DNS:' entries accordingly. Please note: all DNS names must
+# resolve to the same IP address as the FQDN.
+ALTNAMES = DNS:$FQDN   # , DNS:bar.example.org , DNS:www.foo.example.org
+
+# --- no modifications required below ---
+[ req ]
+default_bits = 2048
+default_md = sha256
+prompt = no
+encrypt_key = no
+distinguished_name = dn
+req_extensions = req_ext
+
+[ dn ]
+C = CH
+O = $ORGNAME
+CN = $FQDN
+
+[ req_ext ]
+subjectAltName = $ALTNAMES
diff --git a/tools/generate-certs.sh b/tools/generate-certs.sh
@@ -41,11 +41,11 @@ for command in openssl python; do
   fi
 done
 for openssl_subcommand in ecparam req x509; do
-  openssl help >/tmp/.generate_certs &>/dev/null
-  if ! cat >/tmp/.generate_certs | grep -q "$openssl_subcommand"; then
+  openssl help &> /tmp/.generate_certs
+  if ! grep -q $openssl_subcommand /tmp/.generate_certs; then
     echo "OpenSSL does not support the \"$openssl_subcommand\" command." >&2
     echo "Please compile a full-featured version of OpenSSL." >&2
-    rm -rf /tmp/.generate_certs &>/dev/null
+    rm -f /tmp/.generate_certs
     exit 1
   fi
 done
@@ -56,13 +56,13 @@ cd "$workdir"
 
 # Generate CA key and certificate
 openssl ecparam -genkey -name prime256v1 -out ca.key
-openssl req -x509 -new -batch -SHA256 -nodes -key ca.key -days 3650 -out ca.crt
+openssl req -config myserver.cnf -x509 -new -batch -SHA256 -nodes -key ca.key -days 3650 -out ca.crt
 
 # Generate attestation key
 openssl ecparam -genkey -name prime256v1 -out attestation.key
 
 # Sign the attestation key with the certificate
-openssl req -new -batch -SHA256 -key attestation.key -nodes -out attestation.csr
+openssl req -config myserver.cnf -new -batch -SHA256 -key attestation.key -nodes -out attestation.csr
 openssl x509 -req -SHA256 -days 3650 -in attestation.csr -CA ca.crt -CAkey ca.key -CAcreateserial -outform DER -out attestation.der 2>/dev/null
 
 # Print private key.