diff --git a/certidude/cli.py b/certidude/cli.py index 30a7a51..65f4ded 100755 --- a/certidude/cli.py +++ b/certidude/cli.py @@ -571,6 +571,8 @@ def certidude_setup_strongswan_server(server, config, secrets, subnet, route, em click.echo(" apt-get install strongswan strongswan-starter strongswan-ikev2") click.secho(" service strongswan restart", bold=True) click.echo() + click.echo("If you're running Ubuntu make sure you're not affected by #1505222") + click.echo("https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1505222") @click.command("client", help="Set up strongSwan client") @@ -773,7 +775,7 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw @click.option("--locality", "-l", default=None, help="City or locality, none by default") @click.option("--authority-lifetime", default=20*365, help="Authority certificate lifetime in days, 7300 days (20 years) by default") @click.option("--certificate-lifetime", default=5*365, help="Certificate lifetime in days, 1825 days (5 years) by default") -@click.option("--revocation-list-lifetime", default=1, help="Revocation list lifetime in days, 1 day by default") +@click.option("--revocation-list-lifetime", default=20*60, help="Revocation list lifetime in days, 1200 seconds (20 minutes) by default") @click.option("--organization", "-o", default=None, help="Company or organization name") @click.option("--organizational-unit", "-ou", default=None) @click.option("--pkcs11", default=False, is_flag=True, help="Use PKCS#11 token instead of files") @@ -782,9 +784,10 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw @click.option("--ocsp-responder-url", default=None, help="OCSP responder URL") @click.option("--push-server", default="http://push.%s" % constants.DOMAIN, help="Push server, http://push.%s by default" % constants.DOMAIN) @click.option("--email-address", default="certidude@" + FQDN, help="E-mail address of the CA") -@click.option("--directory", default=os.path.join("/var/lib/certidude", FQDN), help="Directory for authority files, /var/lib/certidude/ by default") +@click.option("--directory", default=os.path.join("/var/lib/certidude", FQDN), help="Directory for authority files, /var/lib/certidude/%s/ by default" % FQDN) +@click.option("--server-flags", is_flag=True, help="Add TLS Server and IKE Intermediate extended key usage flags") @click.option("--outbox", default="smtp://smtp.%s" % constants.DOMAIN, help="SMTP server, smtp://smtp.%s by default" % constants.DOMAIN) -def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, revoked_url, certificate_url, ocsp_responder_url, push_server, email_address, outbox): +def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, revoked_url, certificate_url, ocsp_responder_url, push_server, email_address, outbox, server_flags): # Make sure common_name is valid if not re.match(r"^[\.\-_a-zA-Z0-9]+$", common_name): @@ -848,10 +851,6 @@ def certidude_setup_authority(parent, country, state, locality, organization, or b"keyUsage", True, b"digitalSignature, keyCertSign, cRLSign"), - crypto.X509Extension( - b"extendedKeyUsage", - False, - b"serverAuth,1.3.6.1.5.5.8.2.2"), crypto.X509Extension( b"subjectKeyIdentifier", False, @@ -863,6 +862,14 @@ def certidude_setup_authority(parent, country, state, locality, organization, or (u"DNS: %s, email: %s" % (common_name, email_address)).encode("ascii")) ]) + if server_flags: + ca.add_extensions([ + crypto.X509Extension( + b"extendedKeyUsage", + False, + b"serverAuth,1.3.6.1.5.5.8.2.2") + ]) + ca.add_extensions([ crypto.X509Extension( b"authorityKeyIdentifier", @@ -890,7 +897,7 @@ def certidude_setup_authority(parent, country, state, locality, organization, or # openssl x509 -in ca_crt.pem -outform DER | sha256sum # openssl x509 -fingerprint -in ca_crt.pem - ca.sign(key, "sha256") + ca.sign(key, "sha512") _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude") os.setgid(gid) diff --git a/certidude/templates/certidude.conf b/certidude/templates/certidude.conf index 937188c..595871f 100644 --- a/certidude/templates/certidude.conf +++ b/certidude/templates/certidude.conf @@ -60,8 +60,8 @@ schema = strongswan database = sqlite://{{ directory }}/db.sqlite [signature] -certificate lifetime = 1825 -revocation list lifetime = 1200 +certificate lifetime = {{ certificate_lifetime }} +revocation list lifetime = {{ revocation_list_lifetime }} certificate url = {{ certificate_url }} revoked url = {{ revoked_url }} @@ -77,3 +77,4 @@ signed dir = {{ directory }}/signed/ revoked dir = {{ directory }}/revoked/ expired dir = {{ directory }}/expired/ outbox = {{ outbox }} +