Default CA key to AES256
Defaults the CA key created using AES256. This resolves #58 and resolves #17 Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This commit is contained in:
Eric F Crist
parent
1ce52f8120
commit
6268cd9653
@ -416,9 +416,10 @@ Your newly created PKI dir is: $EASYRSA_PKI
|
||||
build_ca() {
|
||||
opts=""
|
||||
sub_ca=""
|
||||
crypto="-aes256"
|
||||
while [ -n "$1" ]; do
|
||||
case "$1" in
|
||||
nopass) opts="$opts -nodes" ;;
|
||||
nopass) opts="$opts -nodes "; crypt= ;;
|
||||
subca) sub_ca=1 ;;
|
||||
*) warn "Ignoring unknown command option: '$1'" ;;
|
||||
esac
|
||||
@ -433,7 +434,7 @@ build_ca() {
|
||||
out_key="$EASYRSA_PKI/private/ca.key"
|
||||
if [ ! $sub_ca ]; then
|
||||
out_file="$EASYRSA_PKI/ca.crt"
|
||||
opts="$opts -x509 -days $EASYRSA_CA_EXPIRE"
|
||||
opts="$opts -x509 -days $EASYRSA_CA_EXPIRE "
|
||||
fi
|
||||
|
||||
# Test for existing CA, and complain if already present
|
||||
@ -464,14 +465,30 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
|
||||
[ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
|
||||
|
||||
out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
|
||||
out_key_pass_tmp="$(mktemp "$out_key_pass.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
|
||||
out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
|
||||
printf "Enter New CA Key Passphrase: "
|
||||
read -s kpass
|
||||
echo
|
||||
printf "Re-Enter New CA Key Passphrase: "
|
||||
read -s kpass2
|
||||
echo
|
||||
if [ "$kpass" = "$kpass2" ];
|
||||
then
|
||||
printf "$kpass" > "$out_key_pass_tmp"
|
||||
else
|
||||
die "Passphrases do not match."
|
||||
fi
|
||||
# create the CA key using AES256
|
||||
"$EASYRSA_OPENSSL" genrsa -aes256 -out "$out_key_tmp" -passout file:"$out_key_pass_tmp"
|
||||
# create the CA keypair:
|
||||
#shellcheck disable=SC2086
|
||||
"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
|
||||
-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts || \
|
||||
"$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
|
||||
-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" -passin file:"$out_key_pass_tmp" $opts || \
|
||||
die "Failed to build the CA"
|
||||
mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
|
||||
mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
|
||||
rm "$out_key_pass_tmp"
|
||||
|
||||
# Success messages
|
||||
if [ $sub_ca ]; then
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user