- add BasicConstraints CA:TRUE for a ca cert, false for the others
authorSeth Vidal <skvidal@fedoraproject.org>
Thu, 22 Apr 2010 21:07:59 +0000 (17:07 -0400)
committerSeth Vidal <skvidal@fedoraproject.org>
Thu, 22 Apr 2010 21:07:59 +0000 (17:07 -0400)
- make signature digest sha1 instead of md5
- make certs ver 3 not ver 1
- closes rh bug: https://bugzilla.redhat.com/show_bug.cgi?id=583047

certmaster/certs.py

index 554822e..81409f3 100644 (file)
@@ -96,7 +96,11 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
     cacert.set_issuer(careq.get_subject())
     cacert.set_subject(careq.get_subject())
     cacert.set_pubkey(careq.get_pubkey())
-    cacert.sign(cakey, 'md5')
+    cacert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    cacert.add_extensions((xt,))
+    cacert.sign(cakey, 'sha1')
     if ca_cert_file:
         destfo = open(ca_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
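Review bot: The CA certificate built here gets a critical `basicConstraints CA:TRUE` but no `keyUsage` extension, and RFC 5280 (section 4.2.1.3) requires conforming CA certificates to carry keyUsage with keyCertSign; some verifiers also reject a v3 CA cert that lacks it. I would add it next to the basicConstraints line, e.g. `ku = crypto.X509Extension('keyUsage', True, 'keyCertSign, cRLSign')` and then `cacert.add_extensions((xt, ku))`. The move from md5 to sha1 was the right direction in 2010, but sha1 signatures are now rejected by most TLS stacks, so `cacert.sign(cakey, 'sha256')` is what a fresh deployment needs; the same applies to the slave-certificate path. The FIXME about subjectKeyIdentifier/authorityKeyIdentifier is worth acting on, since AKI/SKI is what lets clients chain a slave cert to this CA without relying on subject-name matching. create_ca starts and continues outside this hunk.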
@@ -134,7 +138,11 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert.set_issuer(cacert.get_subject())
     cert.set_subject(csr.get_subject())
     cert.set_pubkey(csr.get_pubkey())
-    cert.sign(cakey, 'md5')
+    cert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints', False ,'CA:False')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)    
+    cacert.add_extensions((xt,))
+    cert.sign(cakey, 'sha1')
     if slave_cert_file:
         destfo = open(slave_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
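Review bot: The new extension is attached to the wrong object: `cacert.add_extensions((xt,))` adds `basicConstraints CA:False` to the in-memory CA certificate, so the slave certificate being signed here never receives the extension the commit title promises, and every signing call appends another (non-critical, contradicting) basicConstraints to `cacert`. The fix is `cert.add_extensions((xt,))`. The value string should also be `'CA:FALSE'` rather than `'CA:False'`: OpenSSL's boolean parser for this extension accepts only a fixed set of spellings (TRUE/true/FALSE/false and yes/no variants), so the mixed-case form is likely to raise an "invalid boolean string" error from the X509Extension constructor, though this should be confirmed against the pyOpenSSL build in use. As in create_ca, `sha1` should become `sha256` for new deployments. create_slave_certificate starts and continues outside this hunk.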