shell: Embed openssl configuration file.

Also, remove irrelevant key usage extension, as during certificate renewal
the extensions of the existing certificate are used, not the ones of the
certificate signing request.

shell/caucase.sh

@@ -342,10 +342,23 @@ renewCertificate () {
   # If created, key file permissions will be set so group and other have no
   # access.
   # shellcheck disable=SC2039
-  local url="$1" oldkey="$2" bits="$3" newcrt="$4" newkey="$5"
+  local url="$1" oldkey="$2" bits="$3" newcrt="$4" newkey="$5" emptyreqcnf
   # shellcheck disable=SC2039
   local newkeydata newcrtdata
 
+  emptyreqcnf="$(mktemp --suffix=emptyreq.cnf)"
+  cat > "$emptyreqcnf" << EOF
+[ req ]
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+CN = Common Name
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+EOF
   newkeydata="$(
     openssl genpkey \
       -algorithm rsa \
@@ -361,7 +374,7 @@ renewCertificate () {
           -new \
           -key - \
           -subj "/CN=dummy" \
-          -config emptyreq.cnf \
+          -config "$emptyreqcnf" \
         | str2json
       )" \
     | wrap "$oldkey" "sha256" \
@@ -376,6 +389,7 @@ renewCertificate () {
     ]; then
       if checkCertificateMatchesKey "$newcrtdata" "$newkeydata"; then
         writeCertKey "$newcrt" "$newcrtdata" "$newkey" "$newkeydata"
+        rm "$emptyreqcnf"
         return 0
       fi
       printf "Certificate does not match private key\\n" >&2
@@ -383,6 +397,7 @@ renewCertificate () {
       printf "%s" "$newcrtdata" >&2
     fi
   fi
+  rm "$emptyreqcnf"
   return 1
 }
 

shell/emptyreq.cnf

-[ req ]
-distinguished_name	= req_distinguished_name
-string_mask		= utf8only
-req_extensions		= v3_req
-
-[ req_distinguished_name ]
-commonName		= Common Name
-commonName_max		= 64
-
-[ v3_req ]
-basicConstraints	= CA:FALSE
-keyUsage		= digitalSignature, keyEncipherment