Univention Bugzilla – Bug 49755
Add nameConstraints and CRLDistribution points
Last modified: 2019-09-12 08:58:45 CEST
User feedback. User needs nameConstraints and CRLDistribution points with UCS Root CA.
--- make-certificates.sh.backup 2019-03-14 16:24:40.448253015 +0100
+++ make-certificates.sh 2019-03-14 16:28:53.281701333 +0100
@@ -49,6 +49,11 @@
 : "${DEFAULT_BITS:=2048}"
 export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS
+CRL_DISTRIBUTION_POINTS="$(/usr/sbin/univention-config-registry get ssl/crl/distribution_points)"
+if [ -z "$CRL_DISTRIBUTION_POINTS" ]; then
+ CRL_DISTRIBUTION_POINTS="URI:http://ssl.interne.domain/ucsCA.crl"
+fi
+
 if test -e "$SSLBASE/password"; then
 PASSWD="$(cat "$SSLBASE/password")"
 else
@@ -182,7 +187,7 @@
 [ req_attributes ]
 challengePassword = A challenge password
-unstructuredName = Univention GmbH
+unstructuredName = Discovergy GmbH
 [ ${CA}_ext ]
@@ -194,6 +199,15 @@
 # issuerAltName = issuer:copy
 # nsCertType = sslCA, emailCA, objCA
 # nsComment = signed by Univention Corporate Server Root CA
+nameConstraints = @name_constraints
+crlDistributionPoints = @crl_info
+
+[crl_info]
+URI.0 = $CRL_DISTRIBUTION_POINTS
+
+[name_constraints]
+permitted;DNS.0=<interne.domain>
+permitted;DNS.1=<externe.domain>
 [ v3_req ]
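Review bot: The fallback assigned in the first hunk carries a `URI:` prefix, while the third hunk writes the variable as `URI.0 = $CRL_DISTRIBUTION_POINTS`; assuming the configuration text is shell-expanded (as `${CA}_ext` suggests), the generated section would read `URI.0 = URI:http://…` and the distribution point in issued certificates would presumably not be a fetchable URL. Either store the bare URL, `CRL_DISTRIBUTION_POINTS="http://ssl.interne.domain/ucsCA.crl"`, or keep the prefix and use the simple form `crlDistributionPoints = $CRL_DISTRIBUTION_POINTS`. The fallback host is also a site-specific literal, so when the registry variable is unset it would be safer to omit the extension than to point relying parties at a CRL location nobody serves. Because the registry value is interpolated into the OpenSSL configuration unchecked, rejecting values that contain newlines before use would be prudent.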
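Review bot: `unstructuredName = Discovergy GmbH` in the second hunk swaps one hard-coded organisation for another, which makes the patch usable at a single site only. If the attribute has to change at all, read it from a configuration value, as the first hunk does for the CRL location, and leave the shipped default untouched.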
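Review bot: `nameConstraints = @name_constraints` in the third hunk is added without the `critical` flag, although RFC 5280 requires conforming CAs to mark this extension critical; left non-critical, a verifier that does not implement name constraints will silently ignore the restriction. Use `nameConstraints = critical, @name_constraints`. The `permitted;DNS.0=<interne.domain>` and `permitted;DNS.1=<externe.domain>` entries are literal placeholders that would land in the generated configuration as written, so they need to come from configuration as well. Only DNS names are constrained here; other name forms such as IP addresses or e-mail addresses in subjectAltName stay unrestricted unless they get their own entries. The `[ ${CA}_ext ]` section starts in the previous hunk and its remaining lines are outside this one.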
CRL-DP is Bug #34285