
Create self-signed ApplicationInstanceCertificate (#1865)

* Create self-signed ApplicationInstanceCertificate

* Comments removed and changes to CMakeList
ckmk14 6 years ago
parent
commit
d438c438cb
3 changed files with 14 additions and 42 deletions
  1. 3 3
      examples/CMakeLists.txt
  2. 10 38
      tools/certs/create_self-signed.py
  3. 1 1
      tools/certs/localhost.cnf

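--- a/examples/CMakeLists.txt
+++ b/examples/CMakeLists.txt
@@ -110,12 +110,12 @@ endif()
 
 if(UA_BUILD_SELFSIGNED_CERTIFICATE)
   find_package(OpenSSL REQUIRED)
-  add_custom_command(OUTPUT server_cert.der ca.crt
+  add_custom_command(OUTPUT server_cert.der
                      COMMAND ${PYTHON_EXECUTABLE} ${PROJECT_SOURCE_DIR}/tools/certs/create_self-signed.py ${CMAKE_CURRENT_BINARY_DIR}
                      DEPENDS ${PROJECT_SOURCE_DIR}/tools/certs/create_self-signed.py
                              ${PROJECT_SOURCE_DIR}/tools/certs/localhost.cnf)
-  add_custom_target(selfsigned ALL DEPENDS server_cert.der ca.crt)
-  add_executable(server_certificate server_certificate.c ${STATIC_OBJECTS} server_cert.der ca.crt)
+  add_custom_target(selfsigned ALL DEPENDS server_cert.der)
+  add_executable(server_certificate server_certificate.c ${STATIC_OBJECTS} server_cert.der)
   target_link_libraries(server_certificate open62541 ${open62541_LIBRARIES})
 endif()
 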
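Review bot: The OUTPUT list of the `add_custom_command` names only server_cert.der, but the script it runs also writes server_key.der (the DER-encoded private key) into the same directory, so that artifact is invisible to the build: it is never cleaned and nothing can declare a dependency on it. I would list both products, `add_custom_command(OUTPUT server_cert.der server_key.der` and `add_custom_target(selfsigned ALL DEPENDS server_cert.der server_key.der)`, and add `VERBATIM` before the closing parenthesis so the path arguments are escaped portably. The `target_link_libraries` call below still uses the keyword-less signature; `PRIVATE` would be the modern form, though that line is pre-existing.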

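--- a/tools/certs/create_self-signed.py
+++ b/tools/certs/create_self-signed.py
@@ -25,49 +25,21 @@ os.environ['HOSTNAME'] = socket.gethostname()
 openssl_conf = os.path.join(certsdir, "localhost.cnf")
 
 os.chdir(os.path.abspath(sys.argv[1]))
-os.system("""openssl genrsa -out ca.key {}""".format(keysize))
-os.system("""openssl req \
-    -x509 \
-    -new \
-    -nodes \
-    -key ca.key \
-    -days 3650 \
-    -subj "/C=DE/O=open62541/CN=open62541.org" \
-    -out ca.crt""")
+
 os.system("""openssl req \
-    -new \
-    -newkey rsa:{} \
-    -nodes \
-    -subj "/C=DE/O=open62541/CN=open62541Server@localhost" \
-    -keyout localhost.key \
-    -out localhost.csr""".format(keysize))
-os.system("""openssl x509 -req \
-    -days 3650 \
-    -in localhost.csr \
-    -CA ca.crt \
-    -CAkey ca.key \
-    -CAcreateserial \
-    -out localhost.crt \
-    -extfile {} \
-    -extensions v3_ca""".format(openssl_conf))
+     -config {} \
+     -new \
+     -nodes \
+     -x509 -sha256  \
+     -newkey rsa:{} \
+     -keyout localhost.key -days 365 \
+     -subj "/C=DE/O=open62541/CN=open62541Server@localhost"\
+     -out localhost.crt""".format(openssl_conf, keysize))
+
 os.system("openssl x509 -in localhost.crt -outform der -out server_cert.der")
 os.system("openssl rsa -inform PEM -in localhost.key -outform DER -out server_key.der")
-# Convert certificate authority(CA) file 'ca.crt' into DER encoded form
-# to provide as trust list input
-os.system("openssl x509 -in ca.crt -outform der -out ca_cert.der")
 
 os.remove("localhost.key")
 os.remove("localhost.crt")
-os.remove("localhost.csr")
-os.remove("ca.srl")
-# os.remove("ca.key")
-# os.remove("ca.crt")
-
-# if os.path.isfile(os.path.join(sys.argv[1], "server_cert.der")):
-# 	os.remove(os.path.join(sys.argv[1], "server_cert.der"))
-# shutil.move("server_cert.der", sys.argv[1])
-# if os.path.isfile(os.path.join(sys.argv[1], "ca.crt")):
-# 	os.remove(os.path.join(sys.argv[1], "ca.crt"))
-# shutil.move("ca.crt", sys.argv[1])
 
 print("Certificates generated in " + sys.argv[1])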

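--- a/tools/certs/localhost.cnf
+++ b/tools/certs/localhost.cnf
@@ -254,7 +254,7 @@ basicConstraints = CA:false
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
 extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
 
 # Some might want this also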
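Review bot: Adding `keyCertSign` to a certificate whose `basicConstraints = CA:false` (visible in the hunk header context) conflicts with RFC 5280 §4.2.1.3, which requires the cA bit to be asserted whenever keyCertSign is, so strict validators may reject the resulting certificate. Presumably the bit is needed so that a self-signed end-entity certificate can verify its own signature in the target stack, but nothing in the file records that reason. I would add a comment directly above the line, `# keyCertSign is deliberately set despite CA:false: the self-signed server certificate must be able to verify its own signature; strictly RFC 5280 compliant validators may object`, so the next maintainer does not remove it as a mistake.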