
Update the OpenSSL config files for support for loading certs onto the .machine keyring where certain key usage flags must be set. Also update the OpenSSL config files shown in the README. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
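#!/bin/sh
#
# Generate an IMA signing key pair and have the local CA certify it.
#
# Expects the local CA material in the current directory:
#   ima-local-ca.pem   CA certificate
#   ima-local-ca.priv  CA private key
#
# Writes to the current directory:
#   ima.genkey         the OpenSSL request/extension config built below
#   privkey_ima.pem    the new private key (unencrypted, see -nodes)
#   csr_ima.pem        the certificate signing request
#   x509_ima.der       the CA-signed certificate, DER encoded
#   ima-local-ca.srl   CA serial file (created by -CAcreateserial if absent)
#
# The v3_usr section marks the certificate as a non-CA end-entity key
# (CA:FALSE, keyUsage=digitalSignature, extendedKeyUsage=codeSigning).
# Per the commit that introduced them these flags are what the kernel
# requires for certificates signed by a .machine keyring CA; do not
# loosen them without checking the kernel's keyring restrictions.

# Abort on the first failing command (otherwise a failed "openssl req"
# would still be followed by an "openssl x509" on a missing CSR) and on
# any unset variable.
set -eu

GENKEY=ima.genkey
CA_CERT=ima-local-ca.pem
CA_KEY=ima-local-ca.priv
# Validity of the signed certificate.  (The request step does not take a
# lifetime: -days is only honoured by "openssl req" together with -x509.)
DAYS=365

# Fail early, with a clear message, instead of letting openssl complain
# half-way through after the key has already been written.
for f in "$CA_CERT" "$CA_KEY"; do
  if [ ! -r "$f" ]; then
    printf '%s: cannot read %s - generate the local CA first\n' "$0" "$f" >&2
    exit 1
  fi
done

# Unquoted delimiter: $(hostname) / $(whoami) are expanded into the config.
cat << __EOF__ > "$GENKEY"
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_usr

[ req_distinguished_name ]
O = $(hostname)
CN = $(whoami) signing key
emailAddress = $(whoami)@$(hostname)

[ v3_usr ]
basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__

# Key + CSR.  -nodes leaves the private key unencrypted on disk so that
# signing can run unattended; restrict the file to its owner right after
# it is written since openssl creates it with the default umask.
openssl req -new -nodes -utf8 -sha256 -batch -config "$GENKEY" \
  -out csr_ima.pem -keyout privkey_ima.pem
chmod 600 privkey_ima.pem

# Sign the CSR with the local CA, applying the v3_usr extensions from the
# same config (extensions in a CSR are not copied to the certificate by
# "x509 -req" unless given via -extfile/-extensions).
openssl x509 -req -in csr_ima.pem -days "$DAYS" -extfile "$GENKEY" -extensions v3_usr \
  -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -outform DER -out x509_ima.der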