From 039dad81d729103dc871a772d6ed3657800a5b4f Mon Sep 17 00:00:00 2001
From: Dax Kelson
Date: Jul 17 2015 19:07:28 +0000
Subject: [PATCH 1/2] Display the cert fingerprint on generation

Some SAML2 SPs want the fingerprint of the IdP cert hardcoded in their configuration for validation. Display the finger print on the screen when running ipsilon-server-install.

Signed-off-by: Dax Kelson
---

diff --git a/ipsilon/tools/certs.py b/ipsilon/tools/certs.py
index b131ba9..1c0a27f 100644
--- a/ipsilon/tools/certs.py
+++ b/ipsilon/tools/certs.py
@@ -26,6 +26,12 @@ class Certificate(object):
                    '-keyout', self.key, '-out', self.cert]
         proc = Popen(command)
         proc.wait()
+        # show the sysadmin the cert fingerprint, needed by some SPs
+        print 'ipsilon SAML2 Public Key'
+        command = ['openssl', 'x509', '-in', self.cert, '-noout',
+                   '-fingerprint']
+        proc = Popen(command)
+        proc.wait()

     def import_cert(self, certfile, keyfile):
         self.cert = certfile

From a7c42f5d2208d21f48aa580108ae4ae89044008e Mon Sep 17 00:00:00 2001
From: Dax Kelson
Date: Jul 17 2015 19:08:19 +0000
Subject: [PATCH 2/2] Bump the self-signed cert expiration to 10 years from 5

Most enterprise linux flavors have a 10+ year lifecycle. Increase the self-signed certificate expiration to 10 years to last as least as long lifecyle of the server. Eliminating a nasty surprise 5 years after ipsilon is installed.

Signed-off-by: Dax Kelson
---

diff --git a/ipsilon/tools/certs.py b/ipsilon/tools/certs.py
index 1c0a27f..83cafce 100644
--- a/ipsilon/tools/certs.py
+++ b/ipsilon/tools/certs.py
@@ -21,7 +21,7 @@ class Certificate(object):
         self.cert = os.path.join(self.path, '%s.pem' % prefix)
         self.subject = '/CN=%s' % subject
         command = ['openssl',
-                   'req', '-x509', '-batch', '-days', '1825',
+                   'req', '-x509', '-batch', '-days', '3650',
                    '-newkey', 'rsa:2048', '-nodes', '-subj', self.subject,
                    '-keyout', self.key, '-out', self.cert]
         proc = Popen(command)
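Review bot: The added `openssl x509 -fingerprint` call names no digest, so the value printed is whatever that OpenSSL build defaults to (SHA-1 on releases of this period), and the label `ipsilon SAML2 Public Key` describes a certificate fingerprint rather than a public key. Because SPs will hardcode exactly this string for signature validation, select the digest explicitly and name it in the output, e.g. `print 'ipsilon SAML2 certificate SHA-256 fingerprint'` followed by `command = ['openssl', 'x509', '-in', self.cert, '-noout', '-sha256', '-fingerprint']`, adding the SHA-1 form only if a target SP still demands it. The result of the new `proc.wait()` is also discarded, so a failing openssl invocation leaves the installer finishing without any fingerprint on screen; the same unchecked pattern exists on the `req` call just above, so a shared returncode check probably belongs in a follow-up rather than this hunk. The enclosing method starts before this hunk.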
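Review bot: The new `'3650'` on the `+` line is still a bare literal inside the argv list, and the reason given in the commit message (matching a roughly 10-year enterprise OS lifecycle) appears nowhere in the code; a module-level `CERT_LIFETIME_DAYS = 3650  # self-signed IdP cert; sized to a ~10-year EL release lifecycle` referenced as `'-days', str(CERT_LIFETIME_DAYS)` keeps the value in one place and lets an installer choose a shorter validity. Doubling the lifetime also doubles the period during which a compromised signing key remains trusted by every SP that pinned this certificate, and nothing here warns before expiry, so the surprise the message describes is postponed rather than removed; a sentence in the class docstring saying the cert is self-signed, must be rotated by hand before the date reported by `openssl x509 -enddate`, and that SP metadata must be updated at the same time would make that explicit. The enclosing method starts before this hunk.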