Diffstat (limited to 'certs')
-rw-r--r-- | certs/Makefile | 42 | ||||
-rw-r--r-- | certs/localhost.cnf | 4 |
2 files changed, 40 insertions, 6 deletions
diff --git a/certs/Makefile b/certs/Makefile
index 587fadc6..fd4a2932 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -15,16 +15,52 @@ keysize=2048

 # To request a cert
 %.csr: %.cnf %.key
- openssl req -new -key $(lastword $^) -out $@ -utf8 -config $(firstword $^)
+ openssl req -new -key $(lastword $^) \
+ -sha256 -utf8 -config $(firstword $^) -out $@
+
+%.csr: %.cnf
+ umask 0077 && touch $*.key
+ openssl req -new -newkey rsa:$(keysize) -nodes -keyout $*.key \
+ -sha256 -utf8 -config $^ -out $@
+ @chmod 400 $*.key
+
+%.csr: %.key
+ openssl req -new -key $^ -utf8 -subj /CN=$* -out $@
+
+%.csr:
+ umask 0077 && touch $*.key
+ openssl req -new -newkey rsa:$(keysize) -nodes -keyout $*.key \
+ -utf8 -subj /CN=$* -out $@
+ @chmod 400 $*.key

 # Self signed
 %.crt: %.cnf %.key
- openssl req -new -x509 -nodes -key $(lastword $^) -days 365 \
- -sha1 -out $@ -utf8 -config $(firstword $^)
+ openssl req -new -x509 -key $(lastword $^) -days 365 -sha256 -utf8 \
+ -config $(firstword $^) -out $@
+
+%.crt: %.cnf
+ umask 0077 && touch $*.key
+ openssl req -new -x509 -newkey rsa:$(keysize) -nodes -keyout $*.key \
+ -days 365 -sha256 -utf8 -config $(firstword $^) -out $@
+ @chmod 400 $*.key

+%.crt: %.key
+ openssl req -new -x509 -key $^ -days 365 -sha256 -utf8 -subj /CN=$* -out $@
+
+%.crt:
+ umask 0077 && touch $*.key
+ openssl req -new -x509 -newkey rsa:$(keysize) -nodes -keyout $*.key \
+ -days 365 -sha256 -out $@ -utf8 -subj /CN=$*
+ @chmod 400 $*.key
+
+# Generate a config from the example
 %.cnf:
 sed 's,example\.com,$*,g' openssl.cnf > $@

 %.key:
 umask 0077 && openssl genrsa -out $@ $(keysize)
 @chmod 400 $@
+
+# Generate Diffie-Hellman parameters
+dh-%.pem:
+ openssl dhparam -out $@ $*
diff --git a/certs/localhost.cnf b/certs/localhost.cnf
index 41548534..a7dc6cfe 100644
--- a/certs/localhost.cnf
+++ b/certs/localhost.cnf
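Review bot: The new `%.csr: %.cnf`, `%.csr:`, `%.crt: %.cnf` and `%.crt:` rules write `$*.key` as a side effect that make does not track, so the private key is an output no rule declares. Under `make -j`, requesting `foo.csr` and `foo.crt` together can run two of these recipes at once, each generating a different key into the same file, which would leave a certificate or request that no longer matches the key on disk (or let a `%.crt: %.key` recipe read a half-written key). If the inline generation is kept, a `.NOTPARALLEL:` line plus a comment such as `# NOTE: also creates $*.key (mode 0400) when no key exists` above each of the four rules would make that explicit. Separately, `dh-%.pem` passes the stem straight to `openssl dhparam` with no lower bound, so a first recipe line like `@test "$*" -ge 2048` would stop undersized parameters being produced by a typo in the target name.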
@@ -1,7 +1,5 @@
 [v3_extensions]
-extendedKeyUsage = serverAuth,clientAuth
-keyUsage = digitalSignature,keyEncipherment
-basicConstraints = CA:FALSE
+basicConstraints = CA:TRUE
 subjectAltName = @subject_alternative_name

 [subject_alternative_name] |
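Review bot: `basicConstraints = CA:TRUE` is now set with no `pathlen` and with the `keyUsage` and `extendedKeyUsage` lines removed, so a certificate built from this config is an unconstrained CA rather than a server certificate. If the localhost certificate is imported into a trust store for testing, the holder of its key could issue certificates for other names that the store would accept. The reason for the switch is not visible in the hunk; if the CA flag is needed for the certificate to work as a trust anchor, consider `basicConstraints = critical,CA:TRUE,pathlen:0` together with `nameConstraints = critical,permitted;DNS:localhost`, and a comment above the line saying why CA:TRUE is required.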