Attached is the first cut at mkcert.sh, a tool to create PostgreSQL
server certificates. It also sets up a directory suitable for the
OpenSSL CA tool, something that can be used to sign client certs.
The root cert should be added to the backend SSL cert verification
tools, and copied to user's .postgresql directory so the client
can verify the server cert. This one root cert can be used for
multiple server certs in addition to all client certs.
Also, this script sets up DSA keys/certs. With empheral DH keys the
server (and client) keys are only used to sign the emphermal keys,
so you can use DSA keys. Without emphermal keys you would need to
use RSA keys since those keys are used for encryption in addition
to signing.
Some predictable changes:
1) the root key should be encrypted, since it isn't necessary for
the system to boot. (Extreme case: the root key should be
kept off the hard disk, perhaps in a smart cart.)
2) the 'openssl.conf' file could be split into 'root.conf' and
'server.conf' files so the prompts can be a bit more suggestive.
There should also be a 'client.conf' file for client certs,
and it should be copied to /etc/postgresql and visible to clients.
(To avoid the hassles of requiring clients have the OpenSSL
tools bundled, pgkeygen should be a binary program instead of
a script.)
3) there should be a sample domain-component config file in addition
to the geopolitical one. That gives DNs like
[EMAIL PROTECTED]
instead of
[EMAIL PROTECTED]
Bear
#!/bin/sh -e
# === FIRST DRAFT ===
#
# this script creates the root (CA) certificate and
# server cert for PostgreSQL. The OpenSSL applications
# must be in the path.
#
if [ $PG_HOME"." = "." ]
then
/bin/echo You must define \$PG_HOME before running this program.
exit 0
fi
#
# generate DSA parameters file used for keys, if one does
# not already exist.
#
if [ ! -f $PG_HOME/dsa1024.pem -o -z $PG_HOME/dsa1024.pem ]
then
openssl dsaparam -out $PG_HOME/dsa1024.pem 1024
fi
#
# generate CA directory tree and contents, if it does not already
# exist.
#
if [ ! -d $PG_HOME/CA ]
then
/bin/mkdir $PG_HOME/CA;
fi
if [ ! -d $PG_HOME/CA/certs ]
then
/bin/mkdir $PG_HOME/CA/certs
fi
if [ ! -d $PG_HOME/CA/crl ]
then
/bin/mkdir $PG_HOME/CA/crl
fi
if [ ! -d $PG_HOME/CA/newcerts ]
then
/bin/mkdir $PG_HOME/CA/newcerts
fi
if [ ! -d $PG_HOME/CA/private ]
then
/bin/mkdir $PG_HOME/CA/private
/bin/chmod 0700 $PG_HOME/CA/private
fi
if [ ! -f $PG_HOME/CA/index.txt ]
then
/usr/bin/touch $PG_HOME/CA/index.txt
fi
if [ ! -f $PG_HOME/CA/serial ]
then
/bin/echo 01 > $PG_HOME/CA/serial
fi
#
# generate root key, if one does not already exist.
#
if [ ! -f $PG_HOME/CA/private/cakey.pem -o -z $PG_HOME/CA/private/cakey.pem ]
then
openssl gendsa -out $PG_HOME/CA/private/cakey.pem $PG_HOME/dsa1024.pem
/bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
fi
#
# generate self-signed root certificate, if one does not already exist
#
if [ ! -f $PG_HOME/CA/cacert.pem -o -z $PG_HOME/CA/cacert.pem ]
then
/bin/echo "Creating the CA root certificate...."
/bin/echo "The common name should be something like 'PostgreSQL Root Cert'"
/bin/echo ""
openssl req -new -x509 -out $PG_HOME/CA/cacert.pem \
-key $PG_HOME/CA/private/cakey.pem \
-config $PG_HOME/openssl.conf
/bin/link -s
fi
#
# generate server key, if one does not already exist.
#
if [ ! -f $PG_HOME/server.key -o -z $PG_HOME/server.key ]
then
openssl gendsa -out $PG_HOME/server.key $PG_HOME/dsa1024.pem
/bin/chmod 0700 $PG_HOME/CA/private/cakey.pem
fi
#
# generate server certificate, if one does not already exist.
#
if [ ! -f $PG_HOME/server.crt -o -z $PG_HOME/server.crt ]
then
/bin/echo "Creating the PostgreSQL server certificate...."
/bin/echo "The common name must be the fully qualified domain name of server!"
/bin/echo ""
openssl req -new -x509 -out $PG_HOME/server.self \
-key $PG_HOME/server.key \
-config $PG_HOME/openssl.conf
if [ -f $PG_HOME/server.self ]
then
openssl ca -out $PG_HOME/server.crt -config $PG_HOME/openssl.conf \
-ss_cert $PG_HOME/server.self
/bin/rm -f $PG_HOME/server.self
fi
fi
#
# PostgreSQL sample configuration for *root* cert.
# Contrast and compare with server.conf and client.conf.
#
# This definition stops the following lines choking if HOME isn't
# defined.
#HOME = .
#RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::PG_HOME/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Snake Oil
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
#nsComment = "OpenSSL Generated Certificate"
nsComment = "PostgreSQL/OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
