Diffstat (limited to 'cpp')
-rwxr-xr-xcpp/certs/makecerts (renamed from cpp/config/makecerts)18
-rw-r--r--cpp/certs/openssl/client.cnf (renamed from cpp/config/client.cnf)2
-rw-r--r--cpp/certs/openssl/generic.cnf (renamed from cpp/config/generic.cnf)2
-rw-r--r--cpp/certs/openssl/ice_ca.cnf53
-rw-r--r--cpp/certs/openssl/server.cnf (renamed from cpp/config/server.cnf)2
5 files changed, 65 insertions, 12 deletions
diff --git a/cpp/config/makecerts b/cpp/certs/makecerts
index 95fb3f6b85e..f46313dd34d 100755
--- a/cpp/config/makecerts
+++ b/cpp/certs/makecerts
@@ -18,13 +18,13 @@
#
PASSPHRASE=-nodes
-CA_HOME=$ICE_HOME/certs/ca
+CA_HOME=$ICE_HOME/certs/openssl/ca
if ! [ -f $CA_HOME/cakey.pem ]; then
#
# Set up a sample CA for key generation.
#
- cd $ICE_HOME/certs
+ cd $ICE_HOME/certs/openssl
mkdir ca
cd ca
echo '01' > serial
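Review bot: The new `cd $ICE_HOME/certs/openssl` is unquoted and its result is not checked, so if ICE_HOME is unset or the directory is missing, the following `mkdir ca` and `echo '01' > serial` run in whatever directory the script was started from. I would write `cd "$ICE_HOME/certs/openssl" || exit 1` and quote `$CA_HOME` in the `-f` test the same way. The directory that will hold the CA key is also created with the caller's umask; a `umask 077` before `mkdir ca` would keep it private. The enclosing `if` block continues past the end of this hunk.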
@@ -34,7 +34,7 @@ if ! [ -f $CA_HOME/cakey.pem ]; then
# Generate our CA certificate and key if they do not already exist.
#
echo "You will be prompted for a passphrase - this is the passphrase that protects the CA signing authority key."
- openssl req -config $ICE_HOME/config/ice_ca.cnf -x509 -days 1825 -newkey rsa -out $CA_HOME/cacert.pem \
+ openssl req -config $ICE_HOME/certs/openssl/ice_ca.cnf -x509 -days 1825 -newkey rsa -out $CA_HOME/cacert.pem \
-outform PEM $PASSPHRASE
cp $CA_HOME/cacert.pem $ICE_HOME/certs
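Review bot: `$PASSPHRASE` is set to `-nodes` at the top of the script, so this `openssl req` writes the CA key unencrypted and never asks for the passphrase that the preceding `echo` announces. For the CA key I would drop `$PASSPHRASE` from this command so the key is encrypted at rest, or, if an unencrypted sample key is intended, change the message to say so. The same variable is passed to the server, client and generic `openssl req` calls in the later hunks, and those keys are then copied into `$ICE_HOME/certs` unencrypted. This command sits inside an `if` block that starts and ends outside the hunk.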
@@ -44,11 +44,11 @@ if ! [ -f $CA_HOME/cakey.pem ]; then
SERIAL=`cat $CA_HOME/serial`
KEY_NAME=`echo $SERIAL`_key.pem
CERT_NAME=`echo $SERIAL`_cert.pem
- openssl req -config $ICE_HOME/config/server.cnf -newkey rsa $PASSPHRASE -keyout $CA_HOME/$KEY_NAME \
+ openssl req -config $ICE_HOME/certs/openssl/server.cnf -newkey rsa $PASSPHRASE -keyout $CA_HOME/$KEY_NAME \
-keyform PEM -out $CA_HOME/req.pem
echo "You will be prompted for a passphrase - this is so we can sign the new Server Certificate."
echo "Enter the passphrase for the CA signing authority."
- openssl ca -config $ICE_HOME/config/server.cnf -batch -in $CA_HOME/req.pem
+ openssl ca -config $ICE_HOME/certs/openssl/server.cnf -batch -in $CA_HOME/req.pem
mv $CA_HOME/$SERIAL.pem $CA_HOME/$CERT_NAME
cp $CA_HOME/$KEY_NAME $ICE_HOME/certs/s_rsa1024_priv.pem
cp $CA_HOME/$CERT_NAME $ICE_HOME/certs/s_rsa1024_pub.pem
@@ -60,11 +60,11 @@ if ! [ -f $CA_HOME/cakey.pem ]; then
SERIAL=`cat $CA_HOME/serial`
KEY_NAME=`echo $SERIAL`_key.pem
CERT_NAME=`echo $SERIAL`_cert.pem
- openssl req -config $ICE_HOME/config/client.cnf -newkey rsa $PASSPHRASE -keyout $CA_HOME/$KEY_NAME \
+ openssl req -config $ICE_HOME/certs/openssl/client.cnf -newkey rsa $PASSPHRASE -keyout $CA_HOME/$KEY_NAME \
-keyform PEM -out $CA_HOME/req.pem
echo "You will be prompted for a passphrase - this is so we can sign the new Client Certificate."
echo "Enter the passphrase for the CA signing authority."
- openssl ca -config $ICE_HOME/config/client.cnf -batch -in $CA_HOME/req.pem
+ openssl ca -config $ICE_HOME/certs/openssl/client.cnf -batch -in $CA_HOME/req.pem
mv $CA_HOME/$SERIAL.pem $CA_HOME/$CERT_NAME
cp $CA_HOME/$KEY_NAME $ICE_HOME/certs/c_rsa1024_priv.pem
cp $CA_HOME/$CERT_NAME $ICE_HOME/certs/c_rsa1024_pub.pem
@@ -86,11 +86,11 @@ else
SERIAL=`cat $CA_HOME/serial`
KEY_NAME=`echo $SERIAL`_key.pem
CERT_NAME=`echo $SERIAL`_cert.pem
- openssl req -config $ICE_HOME/config/generic.cnf -newkey rsa $PASSPHRASE -keyout $CA_HOME/$KEY_NAME \
+ openssl req -config $ICE_HOME/certs/openssl/generic.cnf -newkey rsa $PASSPHRASE -keyout $CA_HOME/$KEY_NAME \
-keyform PEM -out $CA_HOME/req.pem
echo "You will be prompted for a passphrase - this is so we can sign the new certificate."
echo "Enter the passphrase for the CA signing authority."
- openssl ca -config $ICE_HOME/config/generic.cnf -in $CA_HOME/req.pem
+ openssl ca -config $ICE_HOME/certs/openssl/generic.cnf -in $CA_HOME/req.pem
mv $CA_HOME/$SERIAL.pem $CA_HOME/$CERT_NAME
cp $CA_HOME/$KEY_NAME $ICE_HOME/certs/newkey.pem
cp $CA_HOME/$CERT_NAME $ICE_HOME/certs/newcert.pem
diff --git a/cpp/config/client.cnf b/cpp/certs/openssl/client.cnf
index e24d606e03f..6f2c9446df3 100644
--- a/cpp/config/client.cnf
+++ b/cpp/certs/openssl/client.cnf
@@ -20,7 +20,7 @@ default_ca = ice
[ ice ]
-dir = $ENV::ICE_HOME/certs/ca # Where everything is kept.
+dir = $ENV::ICE_HOME/certs/openssl/ca # Where everything is kept.
private_key = $dir/cakey.pem # The CA Private Key.
certificate = $dir/cacert.pem # The CA Certificate.
database = $dir/index.txt # Database index file.
diff --git a/cpp/config/generic.cnf b/cpp/certs/openssl/generic.cnf
index 64457012508..39fef122976 100644
--- a/cpp/config/generic.cnf
+++ b/cpp/certs/openssl/generic.cnf
@@ -20,7 +20,7 @@ default_ca = ice
[ ice ]
-dir = $ENV::ICE_HOME/certs/ca # Where everything is kept.
+dir = $ENV::ICE_HOME/certs/openssl/ca # Where everything is kept.
private_key = $dir/cakey.pem # The CA Private Key.
certificate = $dir/cacert.pem # The CA Certificate.
database = $dir/index.txt # Database index file.
diff --git a/cpp/certs/openssl/ice_ca.cnf b/cpp/certs/openssl/ice_ca.cnf
new file mode 100644
index 00000000000..e514301f3c0
--- /dev/null
+++ b/cpp/certs/openssl/ice_ca.cnf
@@ -0,0 +1,53 @@
+# **********************************************************************
+#
+# Copyright (c) 2003-2005 ZeroC, Inc. All rights reserved.
+#
+# This copy of Ice is licensed to you under the terms described in the
+# ICE_LICENSE file included in this distribution.
+#
+# **********************************************************************
+
+#
+# ZeroC base OpenSSL configuration file.
+#
+
+###############################################################################
+### Self Signed Root Certificate
+###############################################################################
+
+[ ca ]
+default_ca = ice
+
+
+[ ice ]
+default_days = 365 # How long certs are valid.
+default_md = md5 # The Message Digest type.
+preserve = no # Keep passed DN ordering?
+
+
+[ req ]
+default_bits = 2048
+default_keyfile = $ENV::ICE_HOME/certs/openssl/ca/cakey.pem
+default_md = md5
+prompt = no
+distinguished_name = root_ca_distinguished_name
+x509_extensions = root_ca_extensions
+
+
+[ root_ca_distinguished_name ]
+countryName = US
+stateOrProvinceName = Some State
+localityName = Somewhere
+organizationName = Your Company
+organizationalUnitName = Development
+commonName = Your Certificate Authority
+emailAddress = you@some.net
+
+
+[ root_ca_extensions ]
+basicConstraints = CA:true
+
+# PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
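Review bot: Both `default_md = md5` settings (in `[ ice ]` and `[ req ]`) make the self-signed root, and any certificate issued through the `[ ice ]` profile, use MD5, which is no longer collision-resistant and is refused by most current TLS libraries; `default_md = sha256` is the usual replacement. In `[ root_ca_extensions ]` the CA flag is not marked critical and no key usage is set; I would use `basicConstraints = critical, CA:true` and add `keyUsage = critical, keyCertSign, cRLSign`. The placeholder subject (`Your Company`, `you@some.net`) deserves a comment saying this is a sample profile that must be edited before real use.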
diff --git a/cpp/config/server.cnf b/cpp/certs/openssl/server.cnf
index c9b2364db06..221002d06b0 100644
--- a/cpp/config/server.cnf
+++ b/cpp/certs/openssl/server.cnf
@@ -20,7 +20,7 @@ default_ca = ice
[ ice ]
-dir = $ENV::ICE_HOME/certs/ca # Where everything is kept.
+dir = $ENV::ICE_HOME/certs/openssl/ca # Where everything is kept.
private_key = $dir/cakey.pem # The CA Private Key.
certificate = $dir/cacert.pem # The CA Certificate.
database = $dir/index.txt # Database index file.