diff --git a/bin/unit-test/setup_certificates.sh b/bin/unit-test/setup_certificates.sh
index 30a5087..c66de21 100755
--- a/bin/unit-test/setup_certificates.sh
+++ b/bin/unit-test/setup_certificates.sh
@@ -78,7 +78,8 @@ extendedKeyUsage = OCSPSigning
 [v3_ca]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:TRUE
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
 
 [req]
 distinguished_name = req_distinguished_name
@@ -91,7 +92,7 @@ sed -i "s|REPLACE_WITH_CERTPATH|${certpath}|" "${certpath}/ca.conf"
 
 # Generate the CA
 "${OPENSSL}" genrsa -out "${certpath}/ca.key" 2048 > /dev/null 2>&1
-"${OPENSSL}" req -x509 -new -nodes -key "${certpath}/ca.key" -sha256 -days 1 -out "${certpath}/ca.crt" -subj "/CN=managedssh.amazonaws.com" > /dev/null 2>&1
+"${OPENSSL}" req -x509 -new -nodes -config "${certpath}/ca.conf" -key "${certpath}/ca.key" -sha256 -days 1 -out "${certpath}/ca.crt" -extensions v3_ca -subj "/CN=managedssh.amazonaws.com" > /dev/null 2>&1
 "${OPENSSL}" x509 -in "${certpath}/ca.crt" -outform PEM -out "${certpath}/ca.pem"
 subject=$("${OPENSSL}" x509 -noout -subject -in "${certpath}/ca.pem" | sed -n -e 's/^.*CN=//p')
 # Add "# subject" to start
diff --git a/bin/unit_test_suite.sh b/bin/unit_test_suite.sh
index ab6df32..3342b7a 100755
--- a/bin/unit_test_suite.sh
+++ b/bin/unit_test_suite.sh
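Review bot: The new `basicConstraints` and `keyUsage` lines mark both extensions `critical` without a comment saying why a throwaway test root asserts that, and the choice is load-bearing for the tests: a validator that honours criticality must refuse this root for any key use outside cRLSign/digitalSignature/keyCertSign, so if any OCSP response in the suite is signed with the CA key itself (the `generate_ocsp.sh` call in the other file is handed `${tmpdir}/ca`, which makes that plausible), `digitalSignature` has to stay in that list. A one-line comment above `basicConstraints` would capture the intent for the next person editing the fixture, e.g. `# critical: mirrors what a production root asserts so strict validators behave the same in tests; keep digitalSignature if the CA key signs OCSP responses directly`. The `[v3_ca]` section appears complete within this hunk.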
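Review bot: The rewritten `req -x509` line still discards both stdout and stderr, so any failure that the added `-config`/`-extensions v3_ca` can now introduce — an unparsable ca.conf, a `REPLACE_WITH_CERTPATH` the preceding `sed -i` did not substitute, a section name that does not resolve — leaves no diagnostic, and unless the script runs under `set -e` (not visible in this hunk) execution continues without a ca.crt and fails later at the `x509 -in` conversion with an unrelated message. Keep stderr and check the status explicitly: `... -subj "/CN=managedssh.amazonaws.com" >/dev/null || { printf 'CA certificate generation failed\n' >&2; exit 1; }`. The `genrsa` line above has the same shape but is context, not part of this change.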
@@ -31,8 +31,8 @@ trap 'rm -rf "${tmpdir}"' EXIT
 
 # Combine unittest & intermediate into the trust chain for the actual AuthorizedKeysCommand
 cat "${tmpdir}/unittest.pem" "${tmpdir}/intermediate.pem" "${tmpdir}/ca.pem" > "${tmpdir}/chain.pem"
-intermediate_fingerprint="$(openssl x509 -noout -fingerprint -sha1 -inform pem -in "${tmpdir}/intermediate.pem" | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
-unittest_fingerprint="$(openssl x509 -noout -fingerprint -sha1 -inform pem -in "${tmpdir}"/unittest.pem | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
+intermediate_fingerprint="$(openssl x509 -noout -fingerprint -SHA1 -inform pem -in "${tmpdir}/intermediate.pem" | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
+unittest_fingerprint="$(openssl x509 -noout -fingerprint -SHA1 -inform pem -in "${tmpdir}"/unittest.pem | sed -n 's/SHA1 Fingerprint=\(.*\)/\1/p' | tr -d ':')"
 
 # Generate OCSP for those certificates
 "${TOPDIR}/bin/unit-test/generate_ocsp.sh" "${OPENSSL}" "${tmpdir}/intermediate.crt" "${tmpdir}/ca" "${tmpdir}/${intermediate_fingerprint}"
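Review bot: The two rewritten fingerprint lines run bare `openssl` from PATH, while the `generate_ocsp.sh` call right below them (and the setup script) go through `"${OPENSSL}"`; when those resolve to different builds the fingerprint is computed by an OpenSSL other than the one that issued the certificates, which is exactly the situation in which option spelling such as `-SHA1` versus `-sha1` diverges. Both lines should start `intermediate_fingerprint="$("${OPENSSL}" x509 -noout -fingerprint -SHA1 ...` and `unittest_fingerprint="$("${OPENSSL}" x509 -noout -fingerprint -SHA1 ...`. The `sed` label match `SHA1 Fingerprint=` is also case-sensitive, so `sed -n 's/^[^=]*Fingerprint=//p'` would tolerate whichever case the installed build prints and is equivalent to the current capture-and-replace. Since the pipeline is repeated verbatim, a small helper taking the PEM path would keep the two invocations from drifting apart again.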