ca
11 years ago  etc/config.tcl: Fix the validity duration for certificates.
Mark Wooding [Thu, 6 Dec 2012 03:20:22 +0000 (03:20 +0000)]
etc/config.tcl: Fix the validity duration for certificates.

I misremembered that the durations are measured in hours, not days.
But actually 28 hours isn't enough, because hosts refresh their cache
of the certificate store at different times of night: we must have the
new certificates ready for the early risers, and the old ones must
still be valid until the time that the late risers are done.

11 years ago  Merge branch 'master' of git://git.distorted.org.uk/~mdw/ca
Mark Wooding [Sat, 1 Dec 2012 22:00:24 +0000 (22:00 +0000)]
Merge branch 'master' of git://git.distorted.org.uk/~mdw/ca

* 'master' of git://git.distorted.org.uk/~mdw/ca:
  bin/add: Run the update hook after adding a certificate request.

11 years ago  bin/add: Run the update hook after adding a certificate request.
Mark Wooding [Sat, 1 Dec 2012 22:00:07 +0000 (22:00 +0000)]
bin/add: Run the update hook after adding a certificate request.

11 years ago  Merge branch 'master' of git://git.distorted.org.uk/~mdw/ca
Mark Wooding [Sat, 1 Dec 2012 20:01:27 +0000 (20:01 +0000)]
Merge branch 'master' of git://git.distorted.org.uk/~mdw/ca

* 'master' of git://git.distorted.org.uk/~mdw/ca:
  lib/func.tcl: Hack output of `openssl dgst -hex'.
  etc/openssl.conf: Allow `keyEncipherment' for TLS clients.

11 years ago  Configuration for production.
Mark Wooding [Sat, 1 Dec 2012 20:01:05 +0000 (20:01 +0000)]
Configuration for production.

11 years ago  lib/func.tcl: Hack output of `openssl dgst -hex'.
Mark Wooding [Sat, 1 Dec 2012 19:51:12 +0000 (19:51 +0000)]
lib/func.tcl: Hack output of `openssl dgst -hex'.

Remove the gratuitous incompatibility from the front.

11 years ago  etc/openssl.conf: Allow `keyEncipherment' for TLS clients.
Mark Wooding [Sat, 1 Dec 2012 19:50:08 +0000 (19:50 +0000)]
etc/openssl.conf: Allow `keyEncipherment' for TLS clients.

For some reason libvirt doesn't accept client certificates without this,
even though TLS client authentication doesn't involve enciphering keys.

11 years ago  bin/setup: Fix permissions on `ca.key' and `ca.cert'.
Mark Wooding [Sat, 1 Dec 2012 14:26:21 +0000 (14:26 +0000)]
bin/setup: Fix permissions on `ca.key' and `ca.cert'.

The previous thing was a mix of both, and didn't work properly.

11 years ago  .gitignore: Remove old things which aren't meant to exist any more.
Mark Wooding [Sat, 1 Dec 2012 13:54:50 +0000 (13:54 +0000)]
.gitignore: Remove old things which aren't meant to exist any more.

Provides a useful clue to which things can be deleted.

11 years ago  Add an `update-hook' configuration tweak.
Mark Wooding [Sat, 1 Dec 2012 13:52:31 +0000 (13:52 +0000)]
Add an `update-hook' configuration tweak.

This is for publishing the archive to a web server or similar.

11 years ago  bin: Produce output PEM files with text descriptions of their contents.
Mark Wooding [Sat, 1 Dec 2012 13:40:23 +0000 (13:40 +0000)]
bin: Produce output PEM files with text descriptions of their contents.

This makes them easier to read.  There's a slight risk of someone being
confused by a malicious file whose text representation doesn't contain
an accurate description of the actual contents, but I think that's a
fairly minor consideration.  The files are also larger than they were
previously, but we'll have to put up with that.

11 years ago  test/init: Some more updates to check expiry and archiving.
Mark Wooding [Sat, 1 Dec 2012 13:39:53 +0000 (13:39 +0000)]
test/init: Some more updates to check expiry and archiving.

11 years ago  Almost a complete rewrite.
Mark Wooding [Sat, 1 Dec 2012 13:03:41 +0000 (13:03 +0000)]
Almost a complete rewrite.

The scripts are now written in Tcl, using Sqlite3 to store information
about the certificates.  There's a comprehensive library for hacking the
database, and fiddling with certificates.  There are even tests, which
seem to work properly.

12 years ago  bin/make-ca-key, lib/func.sh: Make user and group names configurable.
Mark Wooding [Sun, 31 Jul 2011 17:28:36 +0000 (18:28 +0100)]
bin/make-ca-key, lib/func.sh: Make user and group names configurable.

This makes testing in a sandpit much easier.

The defaults are good, so I've left the configuration file out of the
repository.

12 years ago  bin/make-ca-key, etc/issuer: Split the issuer name out.
Mark Wooding [Sun, 31 Jul 2011 17:27:03 +0000 (18:27 +0100)]
bin/make-ca-key, etc/issuer: Split the issuer name out.

Makes the configuration-file nature of the issuer name more apparent.

12 years ago  bin/clean: Simple new program to reset the directory to a clean state.
Mark Wooding [Sun, 31 Jul 2011 17:25:46 +0000 (18:25 +0100)]
bin/clean: Simple new program to reset the directory to a clean state.

12 years ago  Minimal X.509 certificate authority.
Mark Wooding [Sun, 10 Jul 2011 22:11:40 +0000 (23:11 +0100)]
Minimal X.509 certificate authority.