On Fri, Feb 07, 2020 at 01:10:15AM -0800, greearb@xxxxxxxxxxxxxxx wrote: > diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh > @@ -21,6 +21,7 @@ OCSP_URI="http://$CNO:8888/" > +DAYS=7300 > @@ -141,7 +144,7 @@ echo > -$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem" > +$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days $DAYS -extensions v3_OCSP || fail "Could not generate ocsp.pem" This change of replacing hardcoded 7300 with $DAYS in existing commands should be in its own separate patch to make this easier to read for the new functionality. 
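Review bot: The `-days $DAYS` substitution on the ocsp.pem signing line raises the OCSP responder certificate's validity from the previous 730 days to the 7300 that the first hunk assigns to DAYS, a twenty-year lifetime for the key that signs revocation responses. If that lengthening is not intended, keep a separate knob for this line, e.g. `OCSP_DAYS=${OCSP_DAYS:-730}` next to `DAYS=${DAYS:-7300}`, and use `-days $OCSP_DAYS` here; the environment-overridable form also lets a test setup pick shorter lifetimes without editing the script. Whether the v3_OCSP extension section sets id-pkix-ocsp-nocheck is not visible in this hunk; if it does, relying parties will not check the responder certificate's own revocation status, which is the usual reason to keep responder certificates short-lived. The rest of the ca invocation starts and ends outside the hunk context shown.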
> @@ -180,12 +183,35 @@ ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI" > cat my-openssl.cnf | > sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" | > sed "s/^##organizationalUnitName/organizationalUnitName/" | > - sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" | > + sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Server/" | Why? > +#dump logotype details for debugging > +$OPENSSL x509 -in server.pem -out server.der -outform DER > +openssl asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der > +openssl asn1parse -in logo.der -inform DER > logo.asn1 This belongs in another patch since it has nothing to do with the main topic here. > +echo > +echo "---[ Signup Server ]-----------------------------------------------------------" > +echo > + > +ALT="DNS:$OSU_SIGNUP_SERVER_HOSTNAME" > +ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG" > +ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI" > + > +cat my-openssl.cnf | > + sed "s/#@CN@/commonName_default = $OSU_SIGNUP_SERVER_HOSTNAME/" | > + sed "s/^##organizationalUnitName/organizationalUnitName/" | > + sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" | > + sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \ > + > openssl.cnf.tmp > +echo $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out signup-server.csr -keyout signup-server.key -reqexts v3_osu_server > +$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out signup-server.csr -keyout signup-server.key -reqexts v3_osu_server || fail "Failed to generate signup server request" > +$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in signup-server.csr -out signup-server.pem -key $PASS -days $DAYS -extensions ext_server -policy policy_osu_server || fail "Failed to sign signup server certificate" What is the 
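Review bot: The new signup-server `ca` line passes the CA key passphrase as `-key $PASS`, while the existing ocsp.pem line in the earlier hunk uses `-passin pass:$PASS`; `-key` is the legacy spelling of the same passphrase option, so for consistency the line should read `... -out signup-server.pem -passin pass:$PASS -days $DAYS -extensions ext_server ...`. The logotype dump calls bare `openssl` twice instead of `$OPENSSL`, so it runs whichever binary is first on PATH rather than the one the rest of the script is configured with, and the pipeline that writes `logo.der` has no `|| fail`, so an empty or malformed `logo.der` from a missing HEX match goes unnoticed. The `$OPENSSL`, `$PWD` and `$PASS` expansions are unquoted in the new lines exactly as in the existing ones, so that is a pre-existing pattern rather than something this hunk introduces. The signup-server block appears complete within the hunk, but the surrounding file continues past it.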
purpose of creating yet another server certificate? This does not sound like something that an operator would do (pay a CA for..). The same OSU server certificate would be expected to be used both on the AAA server for OSEN and the OSU server. -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap