From b3ea305c26f2c920f49251414770a0b88fdf618f Mon Sep 17 00:00:00 2001 From: Soner Tari Date: Fri, 30 Dec 2022 18:29:24 +1300 Subject: [PATCH] Faketime to generate CA certs with startdate in the past startdate is 2 years from now enddate is 8 years from now This is expected to solve any issues with the start and end dates of certificates after firstboot, especially with the CA and forged certificates by sslproxy OpenBSD does not has faketime, so we temporarily adjust the system date in the script to 2 years from now --- src/Model/ssl/gen_ssl.sh | 18 +++++++++++++++--- src/Model/ssl/openvpn/gen-sample-keys.sh | 6 ++++-- src/Model/ssl/openvpn/openssl.cnf | 2 +- 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/src/Model/ssl/gen_ssl.sh b/src/Model/ssl/gen_ssl.sh index 1a931b0c..17a4e644 100644 --- a/src/Model/ssl/gen_ssl.sh +++ b/src/Model/ssl/gen_ssl.sh 
@@ -25,17 +25,26 @@ install_file() { chown $_own $_filepath } +# This is a workaround in the absence of faketime +origdate=$(date "+%Y%m%d%H%M") + +# -startdate is 2 years from now +date "$(($(date "+%Y")-2))$(date "+%m%d%H%M")" + +# -enddate is 10 years from startdate (8 years from now) +days=3650 + # httpd cd httpd openssl genrsa -out ca.key 2048 -openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days 365 \ +openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days $days \ -config httpd_ca.cnf \ -subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=UTMFW/CN=example.org/emailAddress=sonertari@gmail.com" openssl req -new -nodes -sha256 -keyout server.key -out server.csr \ -config httpd.cnf \ -subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=UTMFW/CN=example.org/emailAddress=sonertari@gmail.com" -openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -extensions server -set_serial $SET_SERIAL -days 365 +openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -extensions server -set_serial $SET_SERIAL -days $days cd .. install_file "server.crt" "httpd" "$PREFIX/ssl" "644" "root:bin" @@ -57,10 +66,13 @@ install_file "server.key" "openvpn" "$PREFIX/openvpn" "400" "root:wheel" # sslproxy cd sslproxy openssl genrsa -out ca.key 2048 -openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days 365 \ +openssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key -extensions v3_ca -set_serial $SET_SERIAL -days $days \ -config sslproxy.cnf \ -subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=SSLproxy/CN=example.org/emailAddress=sonertari@gmail.com" cd .. install_file "ca.crt" "sslproxy" "$PREFIX/sslproxy" "644" "root:bin" install_file "ca.key" "sslproxy" "$PREFIX/sslproxy" "644" "root:bin" + +# restore orig date +date $origdate 
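Review bot: The clock is rewound by the added `date` call before the httpd section, but nothing restores it on a failure path, so any error between here and the `date $origdate` in the second hunk (an `openssl` failure, an `install_file` failure, a Ctrl-C) leaves the system two years in the past; the result of the `date` call is also unchecked, and it fails on 29 February since that day does not exist two years earlier. I would make the restore unconditional and the set fatal: `trap 'date "$origdate"' EXIT` right after `origdate` is captured, and `date "$(($(date "+%Y")-2))$(date "+%m%d%H%M")" || exit 1`. While the clock is back every other process on the host (log timestamps, any certificate validation it performs) sees the wrong time, so it is worth checking whether the installed openssl can instead self-sign via `openssl ca -selfsign` with explicit `-startdate`/`-enddate`, which would avoid touching the clock at all. Separately, httpd's `server.crt` now also gets `-days $days`; some TLS clients (Apple platforms, as far as I know) refuse server certificates valid for more than 825 days, so the leaf may want a shorter value than the CA.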
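Review bot: `date $origdate` restores the timestamp captured when the script started, so the clock ends up behind real time by however long key generation took, plus the seconds dropped by the minute-resolution format; until a time source corrects it, certificates and logs written afterwards carry that stale time. If the earlier `date` succeeded, restoring relative to the current (backdated) clock keeps the elapsed time, `date "$(($(date "+%Y")+2))$(date "+%m%d%H%M")"`; either way quote the expansion, `date "$origdate"`, and resync the clock afterwards if the host has a time source. The comment `# restore orig date` could name the variable and say why the clock was moved, e.g. `# restore the clock moved back for the CA startdate above`.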
diff --git a/src/Model/ssl/openvpn/gen-sample-keys.sh b/src/Model/ssl/openvpn/gen-sample-keys.sh index 8167522c..3b42cce8 100755 --- a/src/Model/ssl/openvpn/gen-sample-keys.sh +++ b/src/Model/ssl/openvpn/gen-sample-keys.sh @@ -24,8 +24,11 @@ touch sample-ca/index.txt # (?) Ideally, check the serial in the last crt and increment echo "01" > sample-ca/serial +# -enddate is 10 years from startdate +days=3650 + # Generate CA key and cert -openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \ +openssl req -new -newkey rsa:2048 -days $days -nodes -x509 \ -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \ -subj "/C=TR/ST=Antalya/L=Serik/O=ComixWall/OU=OpenVPN/CN=example.org/emailAddress=sonertari@gmail.com" \ -config openssl.cnf @@ -47,4 +50,3 @@ openssl ca -batch -config openssl.cnf \ # Copy keys and certs to working directory cp sample-ca/*.key . cp sample-ca/*.crt . - diff --git a/src/Model/ssl/openvpn/openssl.cnf b/src/Model/ssl/openvpn/openssl.cnf index 83bb171d..c6650283 100644 --- a/src/Model/ssl/openvpn/openssl.cnf +++ b/src/Model/ssl/openvpn/openssl.cnf @@ -25,7 +25,7 @@ x509_extensions = basic_exts # The extentions to add to the cert # is designed for will. In return, we get the Issuer attached to CRLs. crl_extensions = crl_ext -default_days = 365 # how long to certify for +default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use public key default MD preserve = no # keep passed DN ordering
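Review bot: `days=3650` only reaches the CA certificate in this hunk; the server/client certificates signed later by `openssl ca -batch -config openssl.cnf` (the context line of the next hunk, outside this one) take their validity from `default_days` in `openssl.cnf`, which the third hunk of this commit raises to 3650 independently, so the two values can drift apart. Passing `-days "$days"` on that `openssl ca` invocation would let one variable govern both. Note also that, unlike `gen_ssl.sh`, this script does not move the clock, so if it is run on its own the CA's notBefore is the current time; it is presumably only meant to run inside the window `gen_ssl.sh` opens, and the comment `# -enddate is 10 years from startdate` might say so.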