Embed OCSP responder URL in certificate
This commit is contained in:
parent
47d2d37684
commit
d44b6035c2
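--- a/PATH-NOT-SHOWN-config-module
+++ b/PATH-NOT-SHOWN-config-module
@@ -67,7 +67,8 @@ REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allo
 CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime")
 SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime")
 AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
-CERTIFICATE_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
 CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")
 
 REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")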
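Review bot: `AUTHORITY_OCSP_URL = cp.get("signature", "responder url")` will fail at import time on deployments whose config file predates this commit and has no `responder url` key, since the lookup has no fallback; assuming `cp` is a `configparser.ConfigParser`, that is a `NoOptionError` raised before the service is up. The signer only tests the value for truthiness (`if config.AUTHORITY_OCSP_URL:`), so an empty default is safe: `AUTHORITY_OCSP_URL = cp.get("signature", "responder url", fallback="")`. The rename of `CERTIFICATE_CRL_URL` to `AUTHORITY_CRL_URL` keeps the existing `revoked url` key and needs no such change.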
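--- a/PATH-NOT-SHOWN-signer-module
+++ b/PATH-NOT-SHOWN-signer-module
@@ -99,6 +99,18 @@ class SignHandler(asynchat.async_chat):
 extended_key_usage_flags.append( # OpenVPN client
 ExtendedKeyUsageOID.CLIENT_AUTH)
 
+aia = [
+x509.AccessDescription(
+AuthorityInformationAccessOID.CA_ISSUERS,
+x509.UniformResourceIdentifier(config.AUTHORITY_CERTIFICATE_URL))
+]
+
+if config.AUTHORITY_OCSP_URL:
+aia.append(
+x509.AccessDescription(
+AuthorityInformationAccessOID.OCSP,
+x509.UniformResourceIdentifier(config.AUTHORITY_OCSP_URL)))
+
 builder = x509.CertificateBuilder(
 ).subject_name(
 x509.Name([common_name])
@@ -142,24 +154,7 @@ class SignHandler(asynchat.async_chat):
 request.public_key()),
 critical=False
 ).add_extension(
-x509.AuthorityInformationAccess([
-x509.AccessDescription(
-AuthorityInformationAccessOID.CA_ISSUERS,
-x509.UniformResourceIdentifier(
-config.AUTHORITY_CERTIFICATE_URL)
-)
-]),
-critical=False
-).add_extension(
-x509.CRLDistributionPoints([
-x509.DistributionPoint(
-full_name=[
-x509.UniformResourceIdentifier(
-config.CERTIFICATE_CRL_URL)],
-relative_name=None,
-crl_issuer=None,
-reasons=None)
-]),
+x509.AuthorityInformationAccess(aia),
 critical=False
 ).add_extension(
 x509.AuthorityKeyIdentifier.from_issuer_public_key(
@@ -167,6 +162,20 @@ class SignHandler(asynchat.async_chat):
 critical=False
 )
 
+if config.AUTHORITY_CRL_URL:
+builder = builder.add_extension(
+x509.CRLDistributionPoints([
+x509.DistributionPoint(
+full_name=[
+x509.UniformResourceIdentifier(
+config.AUTHORITY_CRL_URL)],
+relative_name=None,
+crl_issuer=None,
+reasons=None)
+]),
+critical=False
+)
+
 # OpenVPN uses CN while StrongSwan uses SAN
 if server_flags:
 builder = builder.add_extension(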
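Review bot: The CA_ISSUERS entry at the top of the new `aia` list (first hunk of this file) still embeds `config.AUTHORITY_CERTIFICATE_URL` unconditionally, whereas the OCSP entry and the CRL distribution point added by the same commit are each guarded by `if config.…_URL:`; with an empty `authority certificate url` every signed certificate would carry an empty URI in its AIA extension. Guarding it the same way keeps the three sources consistent: `aia = []`, then `if config.AUTHORITY_CERTIFICATE_URL: aia.append(x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(config.AUTHORITY_CERTIFICATE_URL)))`. If `aia` can then be empty, the `.add_extension(x509.AuthorityInformationAccess(aia), critical=False)` call in the second hunk would presumably have to be skipped too, which means lifting it out of the builder chain the way the CRL block was in the third hunk. A comment above the list, `# AIA: CA issuer URL, plus the OCSP responder URL when one is configured`, would document the intent. The enclosing method starts before the first hunk and ends after the last.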
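--- a/PATH-NOT-SHOWN-config-template
+++ b/PATH-NOT-SHOWN-config-template
@@ -58,11 +58,14 @@ autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 
 # Simple Certificate Enrollment Protocol enabled subnets
 scep subnets =
+;scep subnets = 0.0.0.0/0
 
 # Online Certificate Status Protocol enabled subnets
 ocsp subnets =
+;ocsp subnets = 0.0.0.0/0
 
 # Certificate Revocation lists can be accessed from anywhere by default
+;crl subnets =
 crl subnets = 0.0.0.0/0
 
 [logging]
@@ -92,10 +95,16 @@ revocation list lifetime = 24
 # URL where CA certificate can be fetched from
 authority certificate url = {{ certificate_url }}
 
-# Strongswan can be configured to automatically fetch CRL
-# in that case CRL URL has to be embedded in the certificate
+# Strongswan can automatically fetch CRL if
+# CRL distribution point extension is included in the certificate
+;revoked url =
 revoked url = {{ revoked_url }}
 
+# StrongSwan can automatically query OCSP responder if
+# AIA extension includes OCSP responder URL
+responder url =
+;responder url = {{ responder_url }}
+
 # If certificate renewal is allowed clients can request a certificate
 # for the same public key with extended lifetime
 renewal allowed = false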
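Review bot: The comment above the new `responder url` key (second hunk) says when StrongSwan uses the value but not that the value is baked into certificates: once a certificate is signed with the responder URL in its AIA extension, that URL stays in it for the certificate's whole lifetime, so later edits to `responder url` only affect newly signed certificates and the responder has to remain reachable at the old URL until those certificates expire. I would add `# The URL is embedded in every certificate signed while it is set; changing it later does not update already issued certificates`, and the same sentence fits the `revoked url` comment. As a point of style, in the first hunk the commented-out `;crl subnets =` is placed before its active line while `;scep subnets = 0.0.0.0/0` and `;ocsp subnets = 0.0.0.0/0` follow theirs; putting the alternative consistently after the active setting reads more uniformly.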