authorC.J. Collier <cjcollier@linuxfoundation.org>2016-05-11 05:28:30 +0000
committerC.J. Collier <cjcollier@linuxfoundation.org>2016-05-11 05:28:30 +0000
commit286e4186e7185a49bd1be6bc0f7afe77dfcfcdad (patch)
treeaaf0017d1a0599ae2720ef9e2d2d70a6ad3624ed /scripts
parentd1beba186b096550075bbc5d1c8b5d745ac90641 (diff)
downloadvyatta-op-vpn-286e4186e7185a49bd1be6bc0f7afe77dfcfcdad.tar.gz
vyatta-op-vpn-286e4186e7185a49bd1be6bc0f7afe77dfcfcdad.zip
vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low
* Non-maintainer upload. * address lintian issues - script-not-executable: removed #!/usr/bin/perl from .pm files - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field - debian-rules-missing-recommended-target: added build-arch build-indep - out-of-date-standards-version: updated standards version to 3.9.4 - package-contains-linda-override: removed linda override - file-in-unusual-dir: not triggering, removed from override - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh vyatta-gen-x509-keypair * address dpkg-gencontrol issue: - unknown substitution variable ${shlibs:Depends} - removed * address dpkg-source issue: - debian/source/format set to "3.0 (native)" Signed-off-by: C.J. Collier <cjcollier@linuxfoundation.org>
Diffstat (limited to 'scripts')
-rw-r--r--scripts/key-pair.template46
-rwxr-xr-xscripts/vyatta-gen-x509-keypair.sh.in (renamed from scripts/vyatta-gen-x509-keypair.sh)2
2 files changed, 44 insertions, 4 deletions
diff --git a/scripts/key-pair.template b/scripts/key-pair.template
index 5b5b2a6..bbf5eb9 100644
--- a/scripts/key-pair.template
+++ b/scripts/key-pair.template
@@ -1,10 +1,15 @@
[ req ]
- default_bits = 1024
+ default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
+ string_mask = utf8only
attributes = req_attributes
+ dirstring_type = nobmp
+# SHA-1 is deprecated, so use SHA-2 instead.
+ default_md = sha256
+# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
- dirstring_type = nobmp
+
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
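Review bot: The comment added above `x509_extensions = v3_ca`, `# Extension to add when the -x509 option is used.`, describes a path this package's own script does not take: vyatta-gen-x509-keypair (second file of this commit) runs `openssl req -new` without `-x509`, so `v3_ca` is never applied to the CSR it writes, and there is no `req_extensions` key to put anything into the request. If extensions are wanted in the CSR, add `req_extensions = <section>` next to it; if the section exists only for self-signing elsewhere, say so in the comment. `dirstring_type = nobmp`, now sitting directly under `string_mask = utf8only`, looks like a leftover from older sample configs — I could not find it in the current `openssl req` documentation, and `utf8only` already excludes BMPStrings — so I would confirm it is read at all before keeping it. The move to `default_bits = 2048` is the right floor for RSA; a one-line `# 2048-bit RSA is the minimum acceptable size; do not lower` would keep it from regressing.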
@@ -24,4 +29,39 @@
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
- basicConstraints = CA:true
+ basicConstraints = critical, CA:true
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true, pathlen:0
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = client, email
+ nsComment = "OpenSSL Generated Client Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+ authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+ basicConstraints = CA:FALSE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, digitalSignature
+ extendedKeyUsage = critical, OCSPSigning \ No newline at end of file
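Review bot: With `basicConstraints = critical, CA:true` and `keyUsage = critical, digitalSignature, cRLSign, keyCertSign` now in `[ v3_ca ]` — still the section `x509_extensions` in `[ req ]` points at — any self-signed certificate produced from this template with `-x509` is a fully capable CA, so a peer that pins such an "endpoint" certificate is in fact trusting a key that can issue certificates for any name; if self-signed endpoint certs are an intended use, point `x509_extensions` at `server_cert` or document that `-extensions server_cert` must be passed. The new `v3_intermediate_ca`, `usr_cert`, `server_cert`, `crl_ext` and `ocsp` sections are referenced by nothing in this template or in the script, so they are only reachable through an explicit `-extensions`/`-extfile` on `openssl x509`/`openssl ca`; a short header comment saying so would stop them reading as dead config. `authorityKeyIdentifier` is spelled four different ways across the sections (`keyid:always,issuer:always`, `keyid:always,issuer`, `keyid,issuer`, `keyid,issuer:always`); pick one form for CA sections and one for end-entity sections, e.g. `keyid:always,issuer` and `keyid,issuer`, so verifiers see consistent AKIs. `nsCertType`/`nsComment` are legacy Netscape extensions that current validators ignore and can be dropped or labelled as such, and if these certificates are meant for the IPsec peers this package manages, it is worth confirming whether the IKE daemon in use expects an additional EKU beyond `serverAuth`/`clientAuth` (I cannot tell from this diff). The file also now ends without a trailing newline.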
diff --git a/scripts/vyatta-gen-x509-keypair.sh b/scripts/vyatta-gen-x509-keypair.sh.in
index 5a66d0a..194ac4f 100755
--- a/scripts/vyatta-gen-x509-keypair.sh
+++ b/scripts/vyatta-gen-x509-keypair.sh.in
@@ -1,7 +1,7 @@
#!/bin/bash
CN=$1
genkeypair (){
- openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config /opt/vyatta/etc/key-pair.template
+ openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template
}
if [ -f /config/auth/$CN.csr ]; then
read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?"
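Review bot: The new openssl line still splices the unvalidated, unquoted `$CN` (from `CN=$1`) into `/config/auth/$CN.key` and `/config/auth/$CN.csr`, so a name containing `/` or `..` writes the private key outside /config/auth, and any whitespace or glob character is word-split before openssl sees it; the commit only swaps the config path, it does not address this. A second point on the same line: `-nodes` writes the key unencrypted, and on OpenSSL builds where `-keyout` honours the process umask a default 022 leaves `$CN.key` world-readable, so the call should run under `umask 077` (or be followed by a `chmod 600`). I would reject anything but a plain file-name stem before calling `genkeypair`, quote both paths, and scope the umask to the openssl call, as below. `genkeypair` is complete within the hunk; the `if [ -f ... ]` overwrite prompt that follows continues outside it.
```shell
CN=$1
# The name is spliced into paths under /config/auth: refuse anything that is
# not a plain file-name stem so '/' or '..' cannot redirect the key file.
if [[ -z "$CN" || ! "$CN" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "Invalid certificate name '$CN'" >&2
    exit 1
fi
genkeypair (){
    # -nodes writes the private key unencrypted; keep it owner-readable only.
    (umask 077; openssl req -new -nodes -keyout "/config/auth/$CN.key" -out "/config/auth/$CN.csr" -config @sysconfdir@/key-pair.template)
}
# … unchanged: overwrite prompt …
```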