secrets: simplify cert generation

- Remove openssl.cnf which includes many unused settings.
- Generate the key and cert files with a single call to openssl.
  - Option `-nodes` ("no DES") disables encryption of the key file.
  - Option `-addext` is used to specify `subjectAltName` settings
    that were previously defined by openssl.cnf.

The key type is unchanged.
Certificate changes:
- Certificate duration is now 10 years
- Organization (subj 'O') is now 'loop' instead of 'loopd' for
  lightning-loop to simplify the code.
  For reference, the org. name in auto-generated loop certs is
  "loop autogenerated cert".
- The certificate now includes all default x509v3 extensions.
  These were previously restricted to just `subjectAltName` by openssl.cnf.
  We now use the openssl defaults for simplicity.

pkgs/generate-secrets/generate-secrets.sh

@@ -30,16 +30,15 @@ makePasswordSecret jm-wallet-password
 [[ -e spark-wallet-login   ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
 [[ -e backup-encryption-env ]] || echo "PASSPHRASE=$(cat backup-encryption-password)" > backup-encryption-env
 
-if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
-    openssl ecparam -genkey -name prime256v1 -out lnd-key
-    openssl req -config $opensslConf -new -sha256 -key lnd-key -out lnd.csr -subj '/CN=localhost/O=lnd'
-    openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd-key -in lnd.csr -out lnd-cert
-    rm lnd.csr
-fi
+makeCert() {
+  if [[ ! -e $name-key || ! -e $name-cert ]]; then
+    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
+      -sha256 -days 3650 -nodes -keyout "$name-key" -out "$name-cert" \
+      -subj "/CN=localhost/O=$name" \
+      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1,IP:169.254.1.14,IP:169.254.1.22"
+    # TODO: Remove hardcoded lnd, loopd netns ips
+  fi
+}
 
-if [[ ! -e loop-key || ! -e loop-cert ]]; then
-    openssl ecparam -genkey -name prime256v1 -out loop-key
-    openssl req -config $opensslConf -new -sha256 -key loop-key -out loop.csr -subj '/CN=localhost/O=loopd'
-    openssl req -config $opensslConf -x509 -sha256 -days 1825 -key loop-key -in loop.csr -out loop-cert
-    rm loop.csr
-fi
+makeCert lnd
+makeCert loop

pkgs/generate-secrets/openssl.cnf

@@ -1,36 +0,0 @@
-[ req ]
-#default_bits		= 2048
-#default_md		= sha256
-#default_keyfile 	= privkey.pem
-distinguished_name	= req_distinguished_name
-attributes		= req_attributes
-x509_extensions         = v3_ca
-
-[ req_distinguished_name ]
-countryName			= Country Name (2 letter code)
-countryName_min			= 2
-countryName_max			= 2
-stateOrProvinceName		= State or Province Name (full name)
-localityName			= Locality Name (eg, city)
-0.organizationName		= Organization Name (eg, company)
-organizationalUnitName		= Organizational Unit Name (eg, section)
-commonName			= Common Name (eg, fully qualified host name)
-commonName_max			= 64
-emailAddress			= Email Address
-emailAddress_max		= 64
-
-[ req_attributes ]
-challengePassword		= A challenge password
-challengePassword_min		= 4
-challengePassword_max		= 20
-
-[ v3_ca ]
-subjectAltName			= @alt_names
-
-[ alt_names ]
-IP.1 = 127.0.0.1
-DNS.1 = localhost
-# TODO: Remove hardcoded lnd IP
-IP.2 = 169.254.1.14
-# TODO: Remove hardcoded loopd IP
-IP.3 = 169.254.1.22