
create private key for server with the certificate

make a 1024 bit certificate by default (128bit)

revert to 2048bit keys

Change certificate generation script

The key length can now be supplied as a command line argument and the file names should better reflect the files purposes.
Julius Pfrommer 7 年之前
父节点
当前提交
c457c43c2d
共有 1 个文件被更改,包括 38 次插入33 次删除
  1. 38 33
      tools/certs/create_self-signed.py

+ 38 - 33
tools/certs/create_self-signed.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python
-
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this 
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
@@ -14,51 +13,57 @@ if len(sys.argv) < 2:
 
 if not os.path.exists(sys.argv[1]):
     sys.exit('ERROR: Directory %s was not found!' % sys.argv[1])
-    
-os.chdir(os.path.dirname(os.path.abspath(__file__)))
 
+keysize = 2048
+
+if len(sys.argv) == 3:
+    keysize = int(sys.argv[2])
+
+certsdir = os.path.dirname(os.path.abspath(__file__))
 os.environ['HOSTNAME'] = socket.gethostname()
-os.environ['OPENSSL_CONF'] = os.path.join(os.getcwd(), "localhost.cnf")
+os.environ['OPENSSL_CONF'] = os.path.join(certsdir, "localhost.cnf")
 
-os.system("""openssl genrsa -out ca.key 2048""")
+os.chdir(os.path.abspath(sys.argv[1]))
+os.system("""openssl genrsa -out ca.key {}""".format(keysize))
 os.system("""openssl req \
-	-x509 \
-	-new \
-	-nodes \
-	-key ca.key \
-	-days 3650 \
-	-subj "/C=DE/O=open62541/CN=open62541.org" \
-	-out ca.crt""")
+    -x509 \
+    -new \
+    -nodes \
+    -key ca.key \
+    -days 3650 \
+    -subj "/C=DE/O=open62541/CN=open62541.org" \
+    -out ca.crt""")
 os.system("""openssl req \
     -new \
-    -newkey rsa:2048 \
+    -newkey rsa:{} \
     -nodes \
     -subj "/C=DE/O=open62541/CN=open62541Server@localhost" \
-    -config localhost.cnf \
     -keyout localhost.key \
-    -out localhost.csr""")
+    -out localhost.csr""".format(keysize))
 os.system("""openssl x509 -req \
-	-days 3650 \
-	-in localhost.csr \
-	-CA ca.crt \
-	-CAkey ca.key \
-	-CAcreateserial \
-	-out localhost.crt \
-	-extensions v3_ca \
-	-extfile localhost.cnf""")
-os.system("""openssl x509 -in localhost.crt -outform der -out server_cert.der""")
-#we will need these files later
-os.remove("localhost.key") #we will need it later
+    -days 3650 \
+    -in localhost.csr \
+    -CA ca.crt \
+    -CAkey ca.key \
+    -CAcreateserial \
+    -out localhost.crt \
+    -extfile $OPENSSL_CONF \
+    -extensions v3_ca""")
+os.system("openssl x509 -in localhost.crt -outform der -out server_cert.der")
+os.system("openssl rsa -inform PEM -in localhost.key -outform DER -out server_key.der")
+
+os.remove("localhost.key")
 os.remove("localhost.crt")
 os.remove("localhost.csr")
-os.remove("ca.key")
 os.remove("ca.srl")
+# os.remove("ca.key")
+# os.remove("ca.crt")
 
-if os.path.isfile(os.path.join(sys.argv[1], "server_cert.der")):
-	os.remove(os.path.join(sys.argv[1], "server_cert.der"))
-shutil.move("server_cert.der", sys.argv[1])
-if os.path.isfile(os.path.join(sys.argv[1], "ca.crt")):
-	os.remove(os.path.join(sys.argv[1], "ca.crt"))
-shutil.move("ca.crt", sys.argv[1])
+# if os.path.isfile(os.path.join(sys.argv[1], "server_cert.der")):
+# 	os.remove(os.path.join(sys.argv[1], "server_cert.der"))
+# shutil.move("server_cert.der", sys.argv[1])
+# if os.path.isfile(os.path.join(sys.argv[1], "ca.crt")):
+# 	os.remove(os.path.join(sys.argv[1], "ca.crt"))
+# shutil.move("ca.crt", sys.argv[1])
 
 print("Certificates generated in " + sys.argv[1])
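Review bot: `keysize = int(sys.argv[2])` accepts any value, so a caller can silently generate a 512- or 1024-bit RSA key, and a non-numeric argument dies with a bare ValueError traceback; add a floor next to the parse such as `if keysize < 2048: sys.exit('ERROR: RSA key size must be at least 2048 bits, got %d' % keysize)`. The `os.system` calls never check their return status, so a failing openssl step still ends with "Certificates generated in ..."; at minimum test each return value (or switch to `subprocess.run([...], check=True)` with an argument list, which also removes the reliance on the shell expanding `$OPENSSL_CONF`). `server_key.der` is now a plaintext private key written with whatever mode the umask gives, and `ca.key` persists in the output directory because its `os.remove` is only commented out, so consider `os.chmod("server_key.der", 0o600)` and either deleting the commented-out lines or adding a comment stating why the CA key is intentionally kept. Signing the server certificate with `-extensions v3_ca` also inherits whatever that section of localhost.cnf sets; if it carries `basicConstraints = CA:TRUE` the leaf certificate itself becomes a CA, which is worth confirming against the config file.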