author | Kim Alvefur <zash@zash.se> |
Fri, 01 Mar 2024 19:22:49 +0100 | |
changeset 13455 | 4a9a69659727 |
parent 8595 | bd4f8a2b72c7 |
permissions | -rw-r--r-- |
5293
fe9215155453
prosodyctl, prosody.cfg.lua.dist, certs/Makefile: Use .crt as suffix for certificates everywhere (thanks jasperixla)
Kim Alvefur <zash@zash.se>
parents:
3714
diff
changeset
|
1 |
.DEFAULT: localhost.crt |
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
keysize=2048 |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
# How to: |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
# First, `make yourhost.cnf` which creates a openssl config file. |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
# Then edit this file and fill in the details you want it to have, |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
# and add or change hosts and components it should cover. |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
# Then `make yourhost.key` to create your private key, you can |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
# include keysize=number to change the size of the key. |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
# Then you can either `make yourhost.csr` to generate a certificate |
5293
fe9215155453
prosodyctl, prosody.cfg.lua.dist, certs/Makefile: Use .crt as suffix for certificates everywhere (thanks jasperixla)
Kim Alvefur <zash@zash.se>
parents:
3714
diff
changeset
|
11 |
# signing request that you can submit to a CA, or `make yourhost.crt` |
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
# to generate a self signed certificate. |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
|
3703
5bca5f90286f
certs/Makefile: Add .PRECIOUS to stop make deleting the key as an intermediate file (thanks deryni/Zash)
Matthew Wild <mwild1@gmail.com>
parents:
3701
diff
changeset
|
14 |
.PRECIOUS: %.cnf %.key |
5bca5f90286f
certs/Makefile: Add .PRECIOUS to stop make deleting the key as an intermediate file (thanks deryni/Zash)
Matthew Wild <mwild1@gmail.com>
parents:
3701
diff
changeset
|
15 |
|
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
# To request a cert |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 |
%.csr: %.cnf %.key |
7031
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
18 |
openssl req -new -key $(lastword $^) \ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
19 |
-sha256 -utf8 -config $(firstword $^) -out $@ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
20 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
21 |
%.csr: %.cnf |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
22 |
umask 0077 && touch $*.key |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
23 |
openssl req -new -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
24 |
-sha256 -utf8 -config $^ -out $@ |
7718
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7717
diff
changeset
|
25 |
@chmod 400 $*.key |
7031
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
26 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
27 |
%.csr: %.key |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
28 |
openssl req -new -key $^ -utf8 -subj /CN=$* -out $@ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
29 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
30 |
%.csr: |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
31 |
umask 0077 && touch $*.key |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
32 |
openssl req -new -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
33 |
-utf8 -subj /CN=$* -out $@ |
7718
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7717
diff
changeset
|
34 |
@chmod 400 $*.key |
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
# Self signed |
5293
fe9215155453
prosodyctl, prosody.cfg.lua.dist, certs/Makefile: Use .crt as suffix for certificates everywhere (thanks jasperixla)
Kim Alvefur <zash@zash.se>
parents:
3714
diff
changeset
|
37 |
%.crt: %.cnf %.key |
7031
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
38 |
openssl req -new -x509 -key $(lastword $^) -days 365 -sha256 -utf8 \ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
39 |
-config $(firstword $^) -out $@ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
40 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
41 |
%.crt: %.cnf |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
42 |
umask 0077 && touch $*.key |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
43 |
openssl req -new -x509 -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
44 |
-days 365 -sha256 -utf8 -config $(firstword $^) -out $@ |
7718
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7717
diff
changeset
|
45 |
@chmod 400 $*.key |
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
|
7031
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
47 |
%.crt: %.key |
7038
085a286e2873
certs/Makefile: Fix generating cert from only a key (no config then)
Kim Alvefur <zash@zash.se>
parents:
7034
diff
changeset
|
48 |
openssl req -new -x509 -key $^ -days 365 -sha256 -utf8 -subj /CN=$* -out $@ |
7031
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
49 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
50 |
%.crt: |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
51 |
umask 0077 && touch $*.key |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
52 |
openssl req -new -x509 -newkey rsa:$(keysize) -nodes -keyout $*.key \ |
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
53 |
-days 365 -sha256 -out $@ -utf8 -subj /CN=$* |
7718
08989f8464b9
certs/Makefile: Remove more -c flags
Kim Alvefur <zash@zash.se>
parents:
7717
diff
changeset
|
54 |
@chmod 400 $*.key |
7031
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
55 |
|
7d0ce5e6a6d3
certs/Makefile: Add targets for any combination of already existing config, key file
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
56 |
# Generate a config from the example |
3701
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
%.cnf: |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
sed 's,example\.com,$*,g' openssl.cnf > $@ |
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
|
4f22615c8361
certs: Add a default OpenSSL configuration file, and a Makefile.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
%.key: |
7033
b5bc9f77f096
certs/Makefile: Run key generation with a stricter umask (fixes a race condition)
Kim Alvefur <zash@zash.se>
parents:
5293
diff
changeset
|
61 |
umask 0077 && openssl genrsa -out $@ $(keysize) |
7716
003ee2be2635
certs/Makefile: Remove -c flag to chmod, which appears to be a GNUism ... again (thanks waqas)
Kim Alvefur <zash@zash.se>
parents:
7033
diff
changeset
|
62 |
@chmod 400 $@ |
7197
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7038
diff
changeset
|
63 |
|
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7038
diff
changeset
|
64 |
# Generate Diffie-Hellman parameters |
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7038
diff
changeset
|
65 |
dh-%.pem: |
1c55403d06c4
certs/Makefile: Add target for generating DH params
Kim Alvefur <zash@zash.se>
parents:
7038
diff
changeset
|
66 |
openssl dhparam -out $@ $* |