On 02/16/2020 06:28 AM, Jouni Malinen wrote:
On Fri, Feb 07, 2020 at 01:10:15AM -0800, greearb@xxxxxxxxxxxxxxx wrote:
diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh
@@ -21,6 +21,7 @@ OCSP_URI="http://$CNO:8888/"
+DAYS=7300
@@ -141,7 +144,7 @@ echo
-$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"
+$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days $DAYS -extensions v3_OCSP || fail "Could not generate ocsp.pem"
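Review bot: the -days value on the ocsp.pem line goes from 730 to $DAYS, and the only DAYS definition in this hunk is DAYS=7300, so this is a change of the OCSP responder certificate lifetime from 2 to 20 years rather than a pure substitution of a hardcoded value. Either keep the previous value for this command (e.g. a separate OCSP_DAYS=730) or state the lifetime change in the commit message; an OCSP responder certificate is normally kept short-lived, so silently extending it tenfold deserves a sentence of justification.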
This change of replacing hardcoded 7300 with $DAYS in existing commands
should be in its own separate patch to make this easier to read for the
new functionality.
@@ -180,12 +183,35 @@ ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
cat my-openssl.cnf |
sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" |
sed "s/^##organizationalUnitName/organizationalUnitName/" |
- sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
+ sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Server/" |
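Review bot: the OU default on this line changes from "Hotspot 2.0 Online Sign Up Server" to "Hotspot 2.0 Online Server", which alters the subject of the existing OSU server certificate instead of only adding a new one. If the goal is just to tell the two certificates apart, the CN and DNS SAN already differ (OSU_SERVER_HOSTNAME vs. OSU_SIGNUP_SERVER_HOSTNAME), so the rename can be dropped; if it is intentional, explain in the commit message that the old OU string moves to the new certificate.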
Why?
So it is easier to know which cert is which?
+#dump logotype details for debugging
+$OPENSSL x509 -in server.pem -out server.der -outform DER
+openssl asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der
+openssl asn1parse -in logo.der -inform DER > logo.asn1
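Review bot: the two asn1parse lines call openssl directly instead of $OPENSSL, unlike every other command in the script, so a non-default binary selected via $OPENSSL is bypassed for the debug dump. The `grep HEX | tail -1` selection also assumes the logotype extension is the last hex blob in the asn1parse output and silently picks the wrong blob if another extension follows it, and none of the three commands carry the `|| fail` guard used elsewhere. Suggest `$OPENSSL asn1parse ...` and gating the dump behind a debug variable, or moving it into a separate helper as the review already asks.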
This belongs in another patch since it has nothing to do with the main
topic here.
+echo
+echo "---[ Signup Server ]-----------------------------------------------------------"
+echo
+
+ALT="DNS:$OSU_SIGNUP_SERVER_HOSTNAME"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
+
+cat my-openssl.cnf |
+ sed "s/#@CN@/commonName_default = $OSU_SIGNUP_SERVER_HOSTNAME/" |
+ sed "s/^##organizationalUnitName/organizationalUnitName/" |
+ sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
+ sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
+ > openssl.cnf.tmp
+echo $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out signup-server.csr -keyout signup-server.key -reqexts v3_osu_server
+$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out signup-server.csr -keyout signup-server.key -reqexts v3_osu_server || fail "Failed to generate signup server request"
+$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in signup-server.csr -out signup-server.pem -key $PASS -days $DAYS -extensions ext_server -policy policy_osu_server || fail "Failed to sign signup server certificate"
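Review bot: the `echo $OPENSSL req ...` line immediately before the real `$OPENSSL req` prints the whole command line to stdout and looks like leftover debugging; no other req or ca invocation in the script echoes itself, so drop it or gate it on a verbose flag. Also, $OSU_SIGNUP_SERVER_HOSTNAME is used for both the commonName default and the DNS SAN but is not defined in any hunk shown here; if it is unset, the CN default is empty and the SAN becomes a bare `DNS:` entry, so add a definition next to OSU_SERVER_HOSTNAME and a non-empty check before building $ALT.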
What is the purpose of creating yet another server certificate? This
does not sound like something that an operator would do (pay a CA
for..). The same OSU server certificate would be expected to be used
both on the AAA server for OSEN and the OSU server.
I was having issues getting apache configured properly, and it was easier to debug
the problem if I had different certs for different virtual instances. That way, I knew
which apache instance was complaining.
These certs are all self signed and fake anyway, and it is very difficult in my experience
to set this up and debug problems among all of the different components, so anything that
makes it easier to debug seems useful to me.
Let me know if you want this change, and if so I'll split it up as you suggested above;
otherwise, just drop the whole thing.
Thanks,
Ben
--
Ben Greear <greearb@xxxxxxxxxxxxxxx>
Candela Technologies Inc http://www.candelatech.com
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
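The debugging approach described in the reply above (a distinct certificate per Apache instance so the complaining vhost can be identified) can be checked from the certificate files themselves. The following is an added example, not code from the hostap patch or from hs20/server/ca/setup.sh; the hostnames, the O value and the scratch directory are assumptions. It issues two throwaway self-signed certificates that differ in OU and hostname, using the two OU strings the patch uses, and then reads the OU and the DNS SAN back out of each PEM, which is what you would run against whatever file each vhost's SSLCertificateFile points at:

```shell
#!/bin/sh
# Added example, not part of the hostap patch or of hs20/server/ca/setup.sh.
# Issues two throwaway self-signed certificates that differ in OU and
# hostname (names are assumptions), then reads OU and SAN back out of each
# PEM so a debug session can tell which certificate a given Apache vhost
# is actually configured with.
set -e

WORK=$(mktemp -d)                  # scratch dir for throwaway keys/certs
trap 'rm -rf "$WORK"' EXIT         # private keys are disposable: remove on exit

# make_cert NAME OU HOSTNAME: self-signed cert with a critical DNS SAN,
# written to $WORK/NAME.pem and $WORK/NAME.key (config mirrors the
# openssl.cnf.tmp approach used by setup.sh).
make_cert() {
    name="$1"; ou="$2"; host="$3"
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
C = FI
O = Example Operator
OU = $ou
CN = $host
[v3_server]
subjectAltName = critical,DNS:$host
EOF
    openssl req -x509 -config "$WORK/$name.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 30 -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        >/dev/null 2>&1
}

# cert_ou FILE: print the subject organizationalUnitName of a PEM certificate.
cert_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *OU=//p'
}

# cert_san FILE: print the DNS names from subjectAltName, one per line.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/.*DNS://p'
}

# check_cert_ou FILE EXPECTED_OU: succeed only if the certificate carries
# the OU expected for that vhost; usable as a guard in a debug script.
check_cert_ou() {
    [ "$(cert_ou "$1")" = "$2" ]
}

make_cert osu    "Hotspot 2.0 Online Server"         osu.example.com
make_cert signup "Hotspot 2.0 Online Sign Up Server" signup.example.com

for c in osu signup; do
    printf '%s.pem: OU=%s SAN=%s\n' "$c" "$(cert_ou "$WORK/$c.pem")" \
        "$(cert_san "$WORK/$c.pem" | tr '\n' ' ')"
done
```

Pointed at the server.pem and signup-server.pem files the script produces, cert_ou and cert_san say which certificate a given SSLCertificateFile refers to; the same two functions also work on a certificate fetched from a live listener with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509`, which is the quicker way to see which certificate a particular vhost is actually presenting.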