Merge ~jsquyres-cisco/ubuntu/+source/shim:pr/better-make-cert-field-values into ubuntu/+source/shim:ubuntu/devel

Proposed by Jeff Squyres
Status: Needs review
Proposed branch: ~jsquyres-cisco/ubuntu/+source/shim:pr/better-make-cert-field-values
Merge into: ubuntu/+source/shim:ubuntu/devel
Diff against target: 71 lines (+10/-13)
1 file modified
make-certs (+10/-13)
Reviewer: Ubuntu Server Dev import team
Status: Pending

Description of the change

My group recently had a somewhat-alarming day when we noticed a basically-unlabeled MOK on our machines. After several hours, we finally tracked the cert down to

This merge proposal simply updates the certificate meta data in an attempt to help future admins who notice this MOK be able to track it down and see that it is, indeed, a legitimate / necessary certificate.

Jeff Squyres (jsquyres-cisco) wrote :

Could someone from the review team have a look at this PR? Thanks!

Unmerged commits

b74e498... by Jeff Squyres <email address hidden>

make-certs: improve locality, org, and comments

Use something slightly less generic than "SomeCity" / "SomeOrg" for
meta data given to new certs. The intent is to help a curious
sysadmin who stumbles across a MOK on their system that was created by
an ephemeral certificate have a better/easier chance of tracking down
exactly what that MOK is / is for (see

Signed-off-by: Jeff Squyres <email address hidden>

Preview Diff

1diff --git a/make-certs b/make-certs
2index 3e9293b..990884b 100755
3--- a/make-certs
4+++ b/make-certs
5@@ -219,9 +219,8 @@ subjectKeyIdentifier=hash
7 [req_ca_name]
8 C=US
13+O=Ubuntu shim package build system
14 EOF
15 #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
16 cat >> openssl.cnf <<- EOF
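Review bot: The new `O=Ubuntu shim package build system` value in [req_ca_name] is a hard-coded literal, and the same string is repeated in [req_ocsp_name], [req_issued_name] and in every nsComment line further down. The heredocs here are unquoted (`<<- EOF`) and the `default_md = $DIGEST` context suggests they already expand shell variables, so consider setting the string once near the top of make-certs, for example in a variable such as CERT_ORG (a hypothetical name), and writing `O=$CERT_ORG` so the label cannot drift between sections.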
17@@ -233,7 +232,7 @@ authorityKeyIdentifier=keyid:always
18 #authorityKeyIdentifier=keyid:always,issuer:always
19 keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
20 basicConstraints=critical,CA:TRUE
21-nsComment="Testing CA Certificate"
22+nsComment="CA Certificate from Ubuntu shim package build system"
23 EOF
24 if test -n "$aia" ; then
25 echo "authorityInfoAccess = ${aia}" >> openssl.cnf
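Review bot: Replacing "Testing CA Certificate" with "CA Certificate from Ubuntu shim package build system" drops the only word in this nsComment that marked the CA as a non-production one, while the context lines keep `basicConstraints=critical,CA:TRUE` and keyCertSign in keyUsage. The commit message describes these certificates as ephemeral; saying so in the comment, e.g. "Ephemeral CA Certificate from Ubuntu shim package build system", would tell an admin both where the cert came from and that it is not a long-lived signing CA.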
26@@ -254,9 +253,8 @@ default_md = $DIGEST
28 [req_ocsp_name]
29 C=US
34+O=Ubuntu shim package build system
35 EOF
36 #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
37 cat >> openssl.cnf <<- EOF
38@@ -270,7 +268,7 @@ keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgr
39 extendedKeyUsage=
40 #basicConstraints=CA:FALSE
41 basicConstraints=CA:TRUE
42-nsComment="Testing OCSP Certificate"
43+nsComment="OCSP Certificate from Ubuntu shim package build system"
45 EOF
46 if test -n "$aia" ; then
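Review bot: The new `nsComment="OCSP Certificate from Ubuntu shim package build system"` line labels this as an OCSP certificate, but the context directly above it sets `basicConstraints=CA:TRUE` with the `CA:FALSE` line commented out. This change does not touch that setting, yet an admin relying on the new comment would get a narrower picture than the extensions give. Either mention the CA capability in the comment text or state in the commit message that the constraint is intentionally left as is.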
47@@ -289,9 +287,8 @@ default_md = $DIGEST
49 [req_issued_name]
50 C=US
55+O=Ubuntu shim package build system
56 EOF
57 #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
58 #mail = $GIVENUSER
59@@ -322,10 +319,10 @@ if test -n "$eku" ; then
60 fi
61 if test "x$CA" = xTRUE ; then
62 echo "basicConstraints=critical,CA:TRUE" >> openssl.cnf
63- echo 'nsComment="Testing CA Certificate for '"$commonname"'"' >> openssl.cnf
64+ echo 'nsComment="CA Certificate from Ubuntu shim package build system for '"$commonname"'"' >> openssl.cnf
65 else
66 echo "basicConstraints=CA:FALSE" >> openssl.cnf
67- echo 'nsComment="Testing Certificate for '"$commonname"'"' >> openssl.cnf
68+ echo 'nsComment="Certificate from Ubuntu shim package build system for '"$commonname"'"' >> openssl.cnf
69 fi
70 for value in $principals; do
71 user=`echo "$value" | cut -f1 -d@`
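Review bot: Both rewritten echo lines still splice $commonname unescaped into a double-quoted openssl.cnf value (`... build system for '"$commonname"'"'`), so a common name containing a double quote or a newline would produce a malformed or altered config line. Since these lines are being edited anyway, consider validating $commonname before this block or documenting the characters it may contain. The two branches also differ only by the leading "CA ", so the shared text could be built once and reused.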

