From 1a112caf7a01696ffeef3d7e1bc56b6f8566458b Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Tue, 10 Nov 2015 09:57:57 +0200
Subject: [PATCH] - Only allow the CA to be a CA. - Forgot to explicitly set
 the RSA key size to be 2048 (defaulted to 512).

---
 ssl-ca | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ssl-ca b/ssl-ca
index b3cd24a..61bcf1e 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -34,6 +34,12 @@ RANDFILE = /dev/urandom
 #OU = Organizational unit
 #emailAddress = email address
 CN = *.*.\${ENV::domain}
+
+[ v3_ca ]
+basicConstraints = CA:true
+
+[ v3_req ]
+basicConstraints = CA:false
 "
 
 usage () {
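Review bot: The new `[ v3_ca ]` section sets `basicConstraints = CA:true` without the `critical` flag and without a `keyUsage` line, so a verifier that does not process the extension may ignore it instead of rejecting the certificate. RFC 5280 expects CA certificates to mark basicConstraints critical; I would write `basicConstraints = critical, CA:true` and add `keyUsage = critical, keyCertSign, cRLSign`. Since sign_key only issues leaf certificates as far as these hunks show, `pathlen:0` could be appended as well. In `[ v3_req ]`, `basicConstraints = critical, CA:false` makes the leaf restriction equally explicit.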
@@ -54,6 +60,7 @@ init () {
         -new \
         -newkey rsa:2048 \
         -keyout CA.key \
+        -extensions v3_ca \
         -out CA.crt
 }
 
@@ -87,7 +94,7 @@ sign_key () {
         -out "certs/$1" \
         -CA CA.crt \
         -set_serial $seed \
-        -extensions v3_ca \
+        -extensions v3_req \
         -CAkey CA.key
     rm "$csr"
 }
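Review bot: `-extensions v3_req` only takes effect in `openssl x509 -req` when an `-extfile` is also passed. None appears in the visible lines, but the command starts above the hunk, so this needs checking against the full sign_key body. Without it the section name is not read and the issued certificate carries no basicConstraints at all, so the CA:false restriction this commit intends would be missing. If it is absent, add `-extfile <config file containing the v3_req section>` next to this option, and confirm the result with `openssl x509 -noout -text -in "certs/$1"`.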
@@ -108,7 +115,7 @@ gen_key () {
         echo "Key already exists."
         exit 1
     fi
-    openssl genrsa -out "keys/$1"
+    openssl genrsa -out "keys/$1" 2048
 }
 
 if [ $# -lt 1 ]
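Review bot: The private key written to `keys/$1` is unencrypted and takes its file mode from the caller's umask, so depending on the OpenSSL version it may end up readable by other local users. Running the command as `(umask 077 && openssl genrsa -out "keys/$1" 2048)` keeps it owner-only regardless. The size now appears twice, as `2048` here and as `rsa:2048` in init; one shared variable would stop the two from drifting apart. gen_key's body starts above the hunk.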
-- 
GitLab