I need to map certificate Subject DNs to LDAP User DNs. I would like to
handle complex cases such as:
Subject DN = CN=Fred+UID=FSMITH, OU=DEV, O=CompanyA
to
UserDN UID=CN=Fred+FSMITH, OU=DEV, O=CompanyA
Is there a standard certificate mapping syntax that I should follow? Is
there parsing code to handle this?
Thanks!
Lisa
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of GOMEZ Henri
Sent: Thursday, June 03, 1999 4:45 AM
To: [EMAIL PROTECTED]
Subject: ca-fix required in openssl 0.9.3
Hi.
Since openssl 0.9.3, ca-fix seems to be no longer supported.
Since I have to generate a CA cert and user certs (with pkcs12), I use a
script modified from mca.sh found in mod_ssl.
Question: how do I replace the patches that were made with ca-fix?
Thanks
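#!/bin/sh
##
## jmca -- mod_ssl mca modified
##
## mca -- My CA (trivial CA management for testing)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##
## This script is derived from mkcert.sh from the mod_ssl distribution.
## It's based on three external programs:
##
## openssl ... get it from http://www.openssl.org
## or ssleay ... get it from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/
##
## ca-fix ... get it from http://www.drh-consultancy.demon.co.uk/ca-fix.html
## pkcs12 ... get it from http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
##
## Flow: build a CA key/certificate under $sslkeydir/$sslcrtdir when none
## exists yet, then issue one user key, certificate and PKCS#12 bundle
## that are finally renamed after the certificate subject.  Everything
## is interactive (the toolkit prompts for DN fields and pass phrases);
## the script takes no command line arguments.

# parameters
#
# SSL toolkit.  The probe and every later invocation refer to the same
# absolute path, so a differently built "openssl" earlier in PATH cannot
# be picked up by accident.  Only the /usr/bin locations are honoured.
if [ -x /usr/bin/openssl ]; then
  sslcmd="/usr/bin/openssl"
elif [ -x /usr/bin/ssleay ]; then
  sslcmd="/usr/bin/ssleay"
else
  echo "missing openssl/ssleay..." 1>&2
  exit 1
fi
# check if pkcs12 is necessary
#
# $pkcs12 is expanded unquoted where it is used so that the two-word
# form splits into command and subcommand.
# NOTE(review): the branch layout is kept from the original.  A toolkit
# that accepts "pkcs12 -h" selects the standalone `pkcs12` program, any
# other outcome selects "$sslcmd pkcs12"; that reads inverted (a toolkit
# with a built-in pkcs12 would not need the external tool) -- confirm
# against the toolkit versions in use before relying on it.
if $sslcmd pkcs12 -h >/dev/null 2>&1; then
  pkcs12="pkcs12"
else
  pkcs12="$sslcmd pkcs12"
fi
cafix="ca-fix"
# Where requests, certificates and keys live.  $sslkeydir holds private
# keys and must not be readable by other accounts.
sslcrtdir="/etc/jonama/conf/ssl.crt"
sslcsrdir="/etc/jonama/conf/ssl.csr"
sslkeydir="/etc/jonama/conf/ssl.key"
jmcacfg="/etc/jonama/conf/.jmca.cfg"
jmcaserial="/etc/jonama/conf/.jmca.serial"
# Throw-away working name for the user's files until the final rename.
# The digest only has to be unique per run, not unpredictable.
# /proc/uptime is Linux-only, so the pid and the clock are mixed in as
# a fallback for other platforms.  Only the last output field is kept:
# newer toolkits print "(stdin)= <digest>" where older ones printed the
# bare digest, and a name containing a space or '=' would break the
# file operations below.
user="userid-$({ cat /proc/uptime 2>/dev/null; echo "$$"; date; } | $sslcmd md5 | awk '{ print $NF }')"
# 512 bits for export (non-US) versions of IE/NS
# 1024 bits for domestic (US) versions of IE/NS
# now default is 512 (export)
# NOTE(review): 512-bit RSA is far below current minimums; raise this
# unless the export-grade browsers named above still have to be served.
userkeylen=512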
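# some optional terminal sequences
#
# T_MD switches the terminal to bold, T_ME resets it.  Both are set for
# terminals known to understand these ANSI sequences and are empty for
# everything else, so the step headings print plain there.  (The old
# vt100 arm emitted the same bytes padded with NULs, which command
# substitution drops anyway; the old "default)" arm only matched a TERM
# literally named "default", so unknown terminals left both unset.)
case ${TERM-} in
  xterm*|vt220*|vt100*)
    T_MD=$(printf '\033[1m')   # ESC [ 1 m
    T_ME=$(printf '\033[m')    # ESC [ m
    ;;
  *)
    T_MD=''
    T_ME=''
    ;;
esac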
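# find some random files
# (do not use /dev/random here, because this device
# doesn't work as expected on all platforms)
#
# randfiles ends up as a colon-separated list (the form "genrsa -rand"
# accepts) of whichever candidates exist, or empty when none does.
# These files only seed the toolkit's PRNG; they are not the sole
# source of key material.
randfiles=''
for file in /var/log/messages /var/adm/messages \
  /kernel /vmunix /vmlinuz \
  /etc/hosts /etc/resolv.conf; do
  [ -f "$file" ] || continue
  # prepend a separator only when the list is already non-empty
  randfiles="${randfiles:+$randfiles:}$file"
done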
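if [ ! -f "$sslcrtdir/ca.crt" ]; then
  echo ""
  echo "${T_MD}Generating custom Certificate Authority (CA)${T_ME}"
  echo "______________________________________________________________________"
  echo ""
  echo "${T_MD}STEP 1: Generating RSA private key for CA (1024 bit)${T_ME}"
  # The CA key must never be readable by other accounts: create it 0600
  # via umask instead of fixing the mode afterwards.  The umask stays in
  # effect for everything else this script writes; relax individual
  # .crt files with chmod if another account has to read them.
  # NOTE(review): 1024-bit RSA is below current minimums for a CA key;
  # raise it unless the old clients this script was written for still
  # have to be served.
  umask 077
  [ -f "$HOME/.rnd" ] || touch "$HOME/.rnd"
  if [ ".$randfiles" != . ]; then
    $sslcmd genrsa -rand "$randfiles" -out "$sslkeydir/ca.key" 1024
  else
    $sslcmd genrsa -out "$sslkeydir/ca.key" 1024
  fi
  if [ $? -ne 0 ]; then
    echo "jmca:Error: Failed to generate RSA private key" 1>&2
    exit 1
  fi
  echo "______________________________________________________________________"
  echo ""
  echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA${T_ME}"
  # Interactive request template; each prompt string must stay on one
  # line or the toolkit's config parser rejects it.
  cat >"$jmcacfg" <<EOT
[ req ]
default_bits = 1024
distinguished_name = req_DN
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = XY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name)"
stateOrProvinceName_default = Snake Desert
localityName = "3. Locality Name (eg, city)"
localityName_default = Snake Town
0.organizationName = "4. Organization Name (eg, company)"
0.organizationName_default = Snake Oil, Ltd
organizationalUnitName = "5. Organizational Unit Name (eg, section)"
organizationalUnitName_default = Certificate Authority
commonName = "6. Common Name (eg, CA name)"
commonName_max = 64
commonName_default = Snake Oil CA
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = [EMAIL PROTECTED]
EOT
  $sslcmd req -config "$jmcacfg" -new \
    -key "$sslkeydir/ca.key" \
    -out "$sslcsrdir/ca.csr" || {
    echo "jmca:Error: Failed to generate certificate signing request" 1>&2
    exit 1
  }
  echo "______________________________________________________________________"
  echo ""
  echo "${T_MD}STEP 3: Generating X.509 certificate for CA signed by itself${T_ME}"
  $sslcmd x509 -req -days 365 \
    -signkey "$sslkeydir/ca.key" \
    -in "$sslcsrdir/ca.csr" \
    -out "$sslcrtdir/ca.crt" || {
    echo "jmca:Error: Failed to generate self-signed CA certificate" 1>&2
    exit 1
  }
  # ca-fix rewrites the self-signed certificate with CA extensions and
  # re-signs it with the CA key.  What each option sets is inferred from
  # its name (-caset CA:true, -pathlen 0, -nobscrit non-critical
  # basicConstraints, -nscertype 0x07 Netscape cert type bits) -- confirm
  # in the ca-fix docs.  Toolkits that dropped the need for ca-fix can
  # produce the same extensions with "x509 -extfile".
  $cafix -caset -nscertype 0x07 -nobscrit -pathlen 0 \
    -in "$sslcrtdir/ca.crt" \
    -inkey "$sslkeydir/ca.key" \
    -out "$sslcrtdir/ca-new.crt" || {
    echo "jmca:Error: Failed to patch X.509 certificate" 1>&2
    exit 1
  }
  # one rename instead of copy + remove, so ca.crt is never half-written
  mv -f "$sslcrtdir/ca-new.crt" "$sslcrtdir/ca.crt"
  echo "______________________________________________________________________"
  echo ""
  echo "${T_MD}RESULT:${T_ME}"
  # Verify the new CA against itself; the explicit -CAfile keeps this
  # step independent of whatever the system trust store holds.
  $sslcmd verify -CAfile "$sslcrtdir/ca.crt" "$sslcrtdir/ca.crt" || {
    echo "jmca:Error: Failed to verify resulting X.509 certificate" 1>&2
    exit 1
  }
  $cafix -in "$sslcrtdir/ca.crt" -inkey "$sslkeydir/ca.key" -print
fi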
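echo ""
echo "${T_MD}Generating custom USER${T_ME}"
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 5: Generating RSA private key for USER ($userkeylen bit)${T_ME}"
# The user key (and the PKCS#12 bundle that will carry it) must not be
# readable by other accounts: create them 0600 via umask rather than
# fixing modes afterwards.  Relax individual .crt files with chmod if
# another account has to read them.
umask 077
[ -f "$HOME/.rnd" ] || touch "$HOME/.rnd"
if [ ".$randfiles" != . ]; then
  $sslcmd genrsa -rand "$randfiles" -out "$sslkeydir/$user.key" "$userkeylen"
else
  $sslcmd genrsa -out "$sslkeydir/$user.key" "$userkeylen"
fi
if [ $? -ne 0 ]; then
  echo "jmca:Error: Failed to generate RSA private key" 1>&2
  exit 1
fi
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 6: Generating X.509 certificate signing request for USER${T_ME}"
# Interactive request template; each prompt string must stay on one line
# or the toolkit's config parser rejects it.
cat >"$jmcacfg" <<EOT
[ req ]
default_bits = $userkeylen
distinguished_name = req_DN
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = XY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name)"
stateOrProvinceName_default = Snake Desert
localityName = "3. Locality Name (eg, city)"
localityName_default = Snake Town
0.organizationName = "4. Organization Name (eg, company)"
0.organizationName_default = Snake Oil, Ltd
organizationalUnitName = "5. Organizational Unit Name (eg, section)"
organizationalUnitName_default = Webserver Team
commonName = "6. Common Name (eg, FQDN)"
commonName_max = 64
commonName_default = www.snakeoil.dom
emailAddress = "7. Email Address (eg, name@fqdn)"
emailAddress_max = 40
emailAddress_default = [EMAIL PROTECTED]
EOT
$sslcmd req -config "$jmcacfg" -new \
  -key "$sslkeydir/$user.key" \
  -out "$sslcsrdir/$user.csr" || {
  echo "jmca:Error: Failed to generate certificate signing request" 1>&2
  exit 1
}
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 7: Generating X.509 certificate signed by own CA${T_ME}"
# The serial file is read and incremented by the toolkit on every
# signature, so certificates issued by this CA get distinct serials.
[ -f "$jmcaserial" ] || echo '01' >"$jmcaserial"
$sslcmd x509 -days 365 \
  -CAserial "$jmcaserial" \
  -CA "$sslcrtdir/ca.crt" \
  -CAkey "$sslkeydir/ca.key" \
  -in "$sslcsrdir/$user.csr" -req \
  -out "$sslcrtdir/$user.crt" || {
  echo "jmca:Error: Failed to generate X.509 certificate" 1>&2
  exit 1
}
# ca-fix in two passes: first add the end-entity extensions (pathlen 0,
# non-critical basicConstraints, Netscape cert type 0xB0 -- meanings
# inferred from the option names, confirm in the ca-fix docs) without
# signing, then re-sign the patched certificate with the CA key.
$cafix -nscertype 0xB0 -nobscrit -pathlen 0 \
  -in "$sslcrtdir/$user.crt" \
  -inkey "$sslkeydir/$user.key" \
  -nosign \
  -out "$sslcrtdir/$user-tmp.crt" || {
  echo "jmca:Error: Failed to patch X.509 certificate" 1>&2
  exit 1
}
$cafix -in "$sslcrtdir/$user-tmp.crt" \
  -inkey "$sslkeydir/ca.key" \
  -out "$sslcrtdir/$user.crt" || {
  # do not leave the unsigned intermediate behind on failure
  rm -f "$sslcrtdir/$user-tmp.crt"
  echo "jmca:Error: Failed to patch X.509 certificate" 1>&2
  exit 1
}
rm -f "$sslcrtdir/$user-tmp.crt"
# Friendly names for the PKCS#12 bundle: the CN of each certificate.
# NOTE(review): the sed patterns assume the "/C=../CN=../Email=.." subject
# layout printed by older toolkits; newer ones print "CN = .., emailAddress
# = ..", which these patterns do not split -- confirm with the deployed
# toolkit.
caname=$($sslcmd x509 -noout -text -in "$sslcrtdir/ca.crt" |
  grep Subject: | sed -e 's;.*CN=;;' -e 's;/Em.*;;')
username=$($sslcmd x509 -noout -text -in "$sslcrtdir/$user.crt" |
  grep Subject: | sed -e 's;.*CN=;;' -e 's;/Em.*;;')
# The bundle carries the private key and is protected only by the export
# pass phrase the toolkit prompts for here.  Its exit status was not
# checked before, so a failed export went unnoticed until the rename.
# shellcheck disable=SC2086 -- $pkcs12 may be "cmd subcmd", split on purpose
$pkcs12 -export \
  -in "$sslcrtdir/$user.crt" \
  -inkey "$sslkeydir/$user.key" \
  -certfile "$sslcrtdir/ca.crt" \
  -name "$username" \
  -caname "$caname" \
  -out "$sslcrtdir/$user.p12" || {
  echo "jmca:Error: Failed to export PKCS#12 bundle" 1>&2
  exit 1
}
echo "______________________________________________________________________"
echo ""
echo "${T_MD}RESULT:${T_ME}"
$sslcmd verify -CAfile "$sslcrtdir/ca.crt" "$sslcrtdir/$user.crt" || {
  echo "jmca:Error: Failed to verify resulting X.509 certificate" 1>&2
  exit 1
}
$cafix -in "$sslcrtdir/$user.crt" -inkey "$sslkeydir/$user.key" -print
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 8: Encrypting RSA private key of USER with a pass phrase for security${T_ME}"
# STEP 5 wrote the key in the clear; it is replaced here by a pass-phrase
# protected copy.  -des3 is kept for compatibility with the old toolkits
# this script targets; newer ones also accept -aes256.
$sslcmd rsa -des3 -in "$sslkeydir/$user.key" -out "$sslkeydir/$user.key.crypt" || {
  echo "jmca:Error: Failed to encrypt RSA private key" 1>&2
  exit 1
}
mv -f "$sslkeydir/$user.key.crypt" "$sslkeydir/$user.key"
# Final file names are derived from the subject's O and CN.  That text
# was typed by the operator, so restrict the name to a safe character
# set: a CN containing '/' or starting with '-' must not be able to steer
# the mv calls outside the configured directories or into option parsing.
subject=$($sslcmd x509 -noout -text -in "$sslcrtdir/$user.crt" | grep Subject:)
oname=$(printf '%s\n' "$subject" | sed -e 's;.*O=;;' -e 's;,.*;;' -e 'y; ;_;')
uname=$(printf '%s\n' "$subject" | sed -e 's;.*O=;;' -e 's;.*CN=;;' -e 's;/Em.*;;' -e 'y; ;.;')
username=$(printf '%s\n' "$oname-$uname" | sed 's/[^A-Za-z0-9._-]/_/g')
mv -f -- "$sslcrtdir/$user.crt" "$sslcrtdir/$username.crt"
mv -f -- "$sslkeydir/$user.key" "$sslkeydir/$username.key"
mv -f -- "$sslcrtdir/$user.p12" "$sslcrtdir/$username.p12"
mv -f -- "$sslcsrdir/$user.csr" "$sslcsrdir/$username.csr"
##EOF##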