X-Git-Url: https://pwan.org/git/?a=blobdiff_plain;f=certmaster%2Fcerts.py;h=b59a972c7de642519629a05352cfc7ee237a6f22;hb=42050df52ff80295e1cf64e6ba36b793b09412cf;hp=8a1db3a8c6c75b91a9f5371b759a4dd3d3cce220;hpb=4575d4c9942579a235eb7b46a726ddcd557a2edd;p=certmaster.git

diff --git a/certmaster/certs.py b/certmaster/certs.py
index 8a1db3a..b59a972 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -37,7 +37,7 @@ def make_keypair(dest=None):
     return pkey
 
 
-def make_csr(pkey, dest=None, cn=None):
+def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None):
     req = crypto.X509Req()
     req.get_subject()
     subj  = req.get_subject()
@@ -48,9 +48,15 @@ def make_csr(pkey, dest=None, cn=None):
     subj.OU = def_ou
     if cn:
         subj.CN = cn
+    elif hostname:
+        subj.CN = hostname
     else:
-        subj.CN = utils.get_hostname() 
-    subj.emailAddress = 'root@%s' % subj.CN       
+        subj.CN = utils.gethostname()
+
+    if emailaddr:
+        subj.emailAddress = emailaddr
+    else:
+        subj.emailAddress = 'root@%s' % subj.CN       
         
     req.set_pubkey(pkey)
     req.sign(pkey, 'md5')
@@ -93,7 +99,11 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
     cacert.set_issuer(careq.get_subject())
     cacert.set_subject(careq.get_subject())
     cacert.set_pubkey(careq.get_pubkey())
-    cacert.sign(cakey, 'md5')
+    cacert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    cacert.add_extensions((xt,))
+    cacert.sign(cakey, 'sha1')
     if ca_cert_file:
         destfo = open(ca_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
@@ -131,7 +141,11 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert.set_issuer(cacert.get_subject())
     cert.set_subject(csr.get_subject())
     cert.set_pubkey(csr.get_pubkey())
-    cert.sign(cakey, 'md5')
+    cert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)    
+    cert.add_extensions((xt,))
+    cert.sign(cakey, 'sha1')
     if slave_cert_file:
         destfo = open(slave_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))