authorNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-10 17:23:21 +0000
committerNAKAMURA Hiroshi <nahi@keynauts.com>2003-07-10 17:23:21 +0000
commitf47dc3c5ead3661355e5fbe9b67011168476a60c (patch)
tree684a516d4cade2dcc7532a5050fc3488da021ce8
parenta4dab7032e66d6699b53c554c9242dee4173a8ba (diff)
* examples/ca/init_sub_ca.rb: Add a command line option for CN.
* examples/ca/gen_crl.rb: CRL issuer was wrong! Oops.
* examples/ca/gen_cert.rb: Changed keyUsage bits of each cert type.
-rw-r--r--ChangeLog5
-rwxr-xr-xexamples/ca/gen_cert.rb17
-rwxr-xr-xexamples/ca/gen_crl.rb2
-rwxr-xr-xexamples/ca/init_sub_ca.rb4
4 files changed, 14 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog
index 0881dfe..39efbbf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu, 11 Jul 2003 02:23:04 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org>
+ * examples/ca/init_sub_ca.rb: Add a command line option for CN.
+ * examples/ca/gen_crl.rb: CRL issuer was wrong! Oops.
+ * examples/ca/gen_cert.rb: Changed keyUsage bits of each cert type.
+
Thu, 10 Jul 2003 12:32:56 +0200 -- Michal Rokos <m.rokos@sh.cvut.cz>
* ossl.c: Prototype for sk2ary
* ocsp.c: Typo in ossl_ocspbres_add_status (sk_X509_pop_free -> sk_X509_EXTENSION_pop_free)
diff --git a/examples/ca/gen_cert.rb b/examples/ca/gen_cert.rb
index e496f90..3d32c41 100755
--- a/examples/ca/gen_cert.rb
+++ b/examples/ca/gen_cert.rb
@@ -13,7 +13,7 @@ def usage
exit
end
-getopts nil, 'type:client', 'out:', 'force', 'noakid'
+getopts nil, 'type:client', 'out:', 'force'
cert_type = $OPT_type
out_file = $OPT_out || 'cert.pem'
@@ -79,13 +79,11 @@ when "terminalsubca"
key_usage << "cRLSign" << "keyCertSign"
when "server"
basic_constraint = "CA:FALSE"
- key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
- key_usage << "dataEncipherment"
+ key_usage << "digitalSignature" << "keyEncipherment"
ext_key_usage << "serverAuth"
when "ocsp"
basic_constraint = "CA:FALSE"
- key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
- key_usage << "dataEncipherment"
+ key_usage << "nonRepudiation" << "digitalSignature"
ext_key_usage << "serverAuth" << "OCSPSigning"
when "client"
basic_constraint = "CA:FALSE"
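Review bot: The `ocsp` profile is still broader than an OCSP responder needs: the unchanged line `ext_key_usage << "serverAuth" << "OCSPSigning"` keeps TLS server authentication on the responder certificate, and the new keyUsage line adds `nonRepudiation` where signing responses should only need `digitalSignature`. If the responder key is not also meant to terminate TLS, I would use `ext_key_usage << "OCSPSigning"` and `key_usage << "digitalSignature"`, so that a compromised responder key cannot double as a server identity. The enclosing `case` statement starts and ends outside this hunk, so this is based on the visible branches only.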
@@ -104,13 +102,8 @@ ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate")
ex << ef.create_extension("subjectKeyIdentifier", "hash")
#ex << ef.create_extension("nsCertType", "client,email")
ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty?
-if $OPT_noakid
- # For cross certification, with OpenSSL, akid seems to block to find a
- # cross-cert path. RFC2510 defines this field as a 'MUST' field so use this
- # option carefully.
-else
- ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-end
+#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")
ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty?
ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION
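Review bot: After this hunk no issued certificate carries an authorityKeyIdentifier: both replacement lines are commented out, so what used to be the `noakid` opt-out (also dropped from `getopts` in the first hunk of this file) is now unconditional, and the ChangeLog entry does not mention it. The removed comment itself called the field a MUST, and RFC 5280 section 4.2.1.1 requires the keyIdentifier form in certificates from conforming CAs; without it, path building falls back to name matching, which becomes ambiguous once a CA is re-keyed or several issuers share a subject name. The cross-certification problem the old comment described most likely comes from `issuer:always`, which pins the issuer name and serial of one specific CA certificate, so I would enable only `ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")` and add a comment saying why `issuer:always` is left out. Separately, `keyUsage` is created without the critical flag; `ef.create_extension("keyUsage", key_usage.join(","), true)` would match the RFC's recommendation.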
diff --git a/examples/ca/gen_crl.rb b/examples/ca/gen_crl.rb
index 04b1e1a..1e41ded 100755
--- a/examples/ca/gen_crl.rb
+++ b/examples/ca/gen_crl.rb
@@ -35,7 +35,7 @@ crl = if FileTest.exist?(CAConfig::CRL_FILE)
X509::CRL.new
end
-crl.issuer = ca.issuer
+crl.issuer = ca.subject
crl.last_update = Time.now
crl.next_update = Time.now + CAConfig::CRL_DAYS * 24 * 60 * 60
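Review bot: The corrected line deserves a comment, because the old `ca.issuer` only gave the right name when the CA certificate was self-signed (issuer equal to subject) and for a sub CA silently produced a CRL naming the parent, which relying parties would presumably fail to match against the sub CA's certificates. Something like `# CRL issuer must be the signing CA's own subject, not the name of whoever issued the CA cert` above `crl.issuer = ca.subject` would keep this from regressing. CRLs already published by a sub CA with the old script presumably carry the parent's name and should be regenerated. The `crl = if ...` expression begins outside the hunk.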
diff --git a/examples/ca/init_sub_ca.rb b/examples/ca/init_sub_ca.rb
index 6cb27d3..db6137a 100755
--- a/examples/ca/init_sub_ca.rb
+++ b/examples/ca/init_sub_ca.rb
@@ -8,6 +8,8 @@ include OpenSSL
$stdout.sync = true
+cn = ARGV.shift || 'SubCA'
+
getopts nil, "csrout:"
csrout = $OPT_csrout || "csr.pem"
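Review bot: `cn = ARGV.shift || 'SubCA'` runs before `getopts`, so whatever comes first on the command line becomes the CN, including an option: invoking the script with only the csrout option would put the option text into the subject and leave its value behind as a stray argument. Moving the line below `getopts nil, "csrout:"` avoids that, assuming getopts strips the options it parses from ARGV. The value is also used unchecked in the later hunk (`['CN', cn]`), so an empty string is accepted as a CN; a guard such as `abort "CN must not be empty" if cn.strip.empty?` would help. The default also changes silently from 'Sub CA' to 'SubCA', which the usage text and ChangeLog should mention.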
@@ -36,7 +38,7 @@ File.open(keypair_file, "w", 0400) do |f|
f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB)
end
-name = CAConfig::NAME.dup << ['CN','Sub CA']
+name = CAConfig::NAME.dup << ['CN', cn]
puts "Generating CSR for #{name.inspect}"