mirror of
https://github.com/tips-of-mine/gestion-certificats2.git
synced 2025-06-28 06:58:43 +02:00
Fix: Ensure successful creation of leaf certificates.
This commit addresses several issues related to the creation of leaf certificates signed by functional scope intermediate CAs:

1. **Providing environment variables to `create_cert.sh`:**
   * `CertificateController.php` was modified to extract the `ROOT_DOMAIN` from the Root CA certificate.
   * The `SAN` (Subject Alternative Name) environment variable is now built dynamically (e.g., `DNS:cert_name.scope_name.root_domain`).
   * The `OCSP_URL` (from the application configuration) and `SAN` environment variables are passed to the execution environment of the `create_cert.sh` script. This resolves "variable has no value" errors in OpenSSL when using the intermediate CA configuration file that references `$ENV::OCSP_URL` and `$ENV::SAN`.
2. **Explicit use of `v3_leaf` extensions:**
   * The `scripts/create_cert.sh` script was modified to explicitly use `-reqexts v3_leaf` (for the CSR) and `-extensions v3_leaf` (for CA signing). This ensures that the `[v3_leaf]` section of the OpenSSL configuration file (containing SAN and OCSP directives) is correctly applied to leaf certificates.
3. **Correction of success detection in `CertificateController.php`:**
   * The string searched for by `strpos` to detect a success message from `create_cert.sh` has been made more precise, ensuring that the PHP controller correctly interprets the script's result.

These changes ensure that leaf certificates are created with the correct extensions and that their creation is properly recognized by the application.
@ -42,10 +42,10 @@ chmod 400 "$KEY_FILE" # Permissions strictes
# Le Common Name (CN) est important pour les certificats SSL/TLS
openssl req -new -sha256 -key "$KEY_FILE" -out "$CSR_FILE" \
-subj "/C=FR/ST=Hauts-de-France/L=Roubaix/O=GestionCertif/OU=${FUNCTIONAL_PERIMETER_NAME}/CN=${SUBDOMAIN_OR_CN_NAME}.cert-gestion.local" \
-reqexts usr_cert -config "$INTERMEDIATE_CNF" # Utilise le CNF de l'intermédiaire et ses extensions usr_cert
-reqexts v3_leaf -config "$INTERMEDIATE_CNF" # Utilise le CNF de l'intermédiaire et ses extensions v3_leaf
# Signer la CSR avec le CA intermédiaire
openssl ca -batch -config "$INTERMEDIATE_CNF" -extensions usr_cert -days 365 -notext -md sha256 \
openssl ca -batch -config "$INTERMEDIATE_CNF" -extensions v3_leaf -days 365 -notext -md sha256 \
-in "$CSR_FILE" \
-out "$CERT_FILE"
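Review bot: switching both `openssl req` and `openssl ca` to `v3_leaf` makes this script depend on `SAN` and `OCSP_URL` being exported by the caller (the commit message says `CertificateController.php` now does that), but nothing in `create_cert.sh` itself checks for them, so a manual run from a shell still hits the "variable has no value" error from `$ENV::SAN` / `$ENV::OCSP_URL` part-way through, after the key file has already been generated and chmod'ed. Suggest failing fast near the top of the script, e.g. `: "${SAN:?SAN must be set, e.g. DNS:host.scope.domain}"` and `: "${OCSP_URL:?OCSP_URL must be set}"`, so an incomplete environment leaves no half-created key material behind. Two smaller points: the `-subj` line still hard-codes `.cert-gestion.local` in the CN while the SAN is now built from `ROOT_DOMAIN`, and since clients validate the SAN rather than the CN the mismatch is harmless for validation but confusing for operators, so consider deriving the CN from the same variable; and `openssl ca -extensions v3_leaf` takes the extensions from the config file, not from the CSR, so the `-reqexts v3_leaf` change only affects the issued certificate if `copy_extensions` is enabled in the intermediate CNF, which is worth a comment either way.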