

Faketime to generate CA certs with startdate in the past
startdate is 2 years from now
enddate is 8 years from now

This is expected to solve any issues with the start and end dates of
certificates after firstboot, especially with the CA and forged
certificates by sslproxy

OpenBSD does not have faketime, so we temporarily adjust the system date
in the script to 2 years from now
sonertari committed Dec 30, 2022
1 parent b977d8d commit b3ea305
Showing 3 changed files with 20 additions and 6 deletions.
18 changes: 15 additions & 3 deletions src/Model/ssl/gen_ssl.sh
Expand Up @@ -25,17 +25,26 @@ install_file() {
chown $_own $_filepath
}

# This is a workaround in the absence of faketime
origdate=$(date "+%Y%m%d%H%M")

# -startdate is 2 years from now
date "$(($(date "+%Y")-2))$(date "+%m%d%H%M")"

# -enddate is 10 years from startdate (8 years from now)
days=3650

# httpd
cd httpd
openssl genrsa -out ca.key 2048
openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days 365 \
openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days $days \
-config httpd_ca.cnf \
-subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=UTMFW/CN=example.org/[email protected]"

openssl req -new -nodes -sha256 -keyout server.key -out server.csr \
-config httpd.cnf \
-subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=UTMFW/CN=example.org/[email protected]"
openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -extensions server -set_serial $SET_SERIAL -days 365
openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -extensions server -set_serial $SET_SERIAL -days $days
cd ..

install_file "server.crt" "httpd" "$PREFIX/ssl" "644" "root:bin"
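Review bot: Nothing restores the clock if the script stops between the backdating `date "$(($(date "+%Y")-2))$(date "+%m%d%H%M")"` here and the `date $origdate` at the end of the second hunk — a failing openssl call (or a `set -e` exit, if the script uses it; not visible in this hunk) leaves the host running two years in the past, which breaks TLS validation, log timestamps and package tooling until someone notices. Register the restore as soon as `origdate` is captured so it runs on every exit path, `trap 'date "$origdate"' EXIT`, and quote the restore itself as `date "$origdate"`. Two smaller caveats worth a comment next to the workaround: restoring to the captured minute discards the script's own run time, and on 29 February of a leap year the computed date does not exist, so `date` fails and the clock is left untouched (presumably the safer outcome, but it should be deliberate). Unrelated to this change but on the new side of the second hunk, sslproxy's `ca.key` is installed with mode 644 while openvpn's server.key in the hunk header uses 400; worth confirming the CA private key really needs to be world-readable. The hunk opens inside `install_file`, whose body begins outside it.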
Expand All @@ -57,10 +66,13 @@ install_file "server.key" "openvpn" "$PREFIX/openvpn" "400" "root:wheel"
# sslproxy
cd sslproxy
openssl genrsa -out ca.key 2048
openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days 365 \
openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days $days \
-config sslproxy.cnf \
-subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=SSLproxy/CN=example.org/[email protected]"
cd ..

install_file "ca.crt" "sslproxy" "$PREFIX/sslproxy" "644" "root:bin"
install_file "ca.key" "sslproxy" "$PREFIX/sslproxy" "644" "root:bin"

# restore orig date
date $origdate
6 changes: 4 additions & 2 deletions src/Model/ssl/openvpn/gen-sample-keys.sh
Expand Up @@ -24,8 +24,11 @@ touch sample-ca/index.txt
# (?) Ideally, check the serial in the last crt and increment
echo "01" > sample-ca/serial

# -enddate is 10 years from startdate
days=3650

# Generate CA key and cert
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
openssl req -new -newkey rsa:2048 -days $days -nodes -x509 \
-extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
-subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=OpenVPN/CN=example.org/[email protected]" \
-config openssl.cnf
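Review bot: `days=3650` only reaches the self-signed CA request below it; the `openssl ca -batch -config openssl.cnf` call visible in the next hunk's header takes its lifetime from `default_days` in openssl.cnf, which this commit also bumps to 3650 in src/Model/ssl/openvpn/openssl.cnf, so the same number now lives in two files with nothing tying them together. Either pass it explicitly there, `openssl ca -batch -config openssl.cnf -days "$days" \`, or document the coupling above the assignment: `# must match default_days in openssl.cnf, which (per its comment) is the lifetime for every cert signed with that config, not only the CA`. While here, quote the expansion as `-days "$days"`; the same unquoted form is introduced in src/Model/ssl/gen_ssl.sh. The openssl.cnf change itself needs no further note beyond that coupling.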
Expand All @@ -47,4 +50,3 @@ openssl ca -batch -config openssl.cnf \
# Copy keys and certs to working directory
cp sample-ca/*.key .
cp sample-ca/*.crt .

2 changes: 1 addition & 1 deletion src/Model/ssl/openvpn/openssl.cnf
Expand Up @@ -25,7 +25,7 @@ x509_extensions = basic_exts # The extentions to add to the cert
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
