X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=carnet-generate-ssl;h=d3976eed40d7366d914b7a29f0235828d96c37a6;hb=154a522fadea7fc9797958d58ab9027a21aa54c1;hp=661d73189c3c3847672487cb895e9b137a2760b1;hpb=eb37ec66b33ffb28c3a28fae57326403db609a25;p=apache2-cn.git diff --git a/carnet-generate-ssl b/carnet-generate-ssl index 661d731..d3976ee 100755 --- a/carnet-generate-ssl +++ b/carnet-generate-ssl 
@@ -1,42 +1,62 @@ #!/bin/sh + set -e -TMPFILE=`tempfile -d /var/tmp -p apache2-cn` -TMPFILE2=`tempfile -d /var/tmp -p apache2-cn` +if [ -z "$4" ]; then + echo "Usage: $0 " + echo + echo " confdir is ignored" + echo " fqdn is the fully qualified name of the web server" + echo " email address that will appear in the certificate" + echo " org is the organization name" + exit 2 +fi -trap "rm -f $TMPFILE $TMPFILE2" 1 2 15; +# Get/set all parameters. +# CONFDIR="$1" FQDN="$2" WEBMASTER="$3" DOMAIN="$4" -sslcrt=/etc/ssl/certs -sslkey=/etc/ssl/private +SSLDIR=/etc/ssl +SSLCRTDIR=${SSLDIR}/certs +SSLKEYDIR=${SSLDIR}/private A2CNDIR=$(dirname $0) +KEYS= + + +# Create temporary files. +# +TMPFILE=`tempfile -d /var/tmp -p apache2-cn` +TMPFILE2=`tempfile -d /var/tmp -p apache2-cn` -if [ -z "$4" ]; then - echo "Usage: $0 " - echo - echo " confdir is ignored" - echo " fqdn is the fully qualified name of the web server" - echo " email address that will appear in the certificate" - echo " org is the organization name" - exit 2 -fi -# XXX validate the arguments +# Set trap for deleting all temp files. +# +trap "rm -f $TMPFILE $TMPFILE2" 1 2 15; + export RANDFILE=/dev/urandom -cd /etc/ssl +cd ${SSLDIR} + -if [ ! -f ${sslkey}/ca.key ]; then -# CA -openssl genrsa -out $sslkey/ca.key 1024 -cat < $TMPFILE +# Generate CA +# +if [ ! -f ${SSLKEYDIR}/apache2-ca.key ]; then + + (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key 2048) + KEYS="${KEYS} + - ${SSLKEYDIR}/apache2-ca.key" +fi + +if [ ! -f ${SSLKEYDIR}/apache2-ca.csr ] || [ -n "$KEYS" ]; then + + cat < $TMPFILE [ req ] -default_bits = 1024 -default_keyfile = ca.pem +default_bits = 2048 +default_keyfile = apache2-ca.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no 
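Review bot: The cleanup trap at `trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;` is installed only after both `tempfile` calls and covers only signals 1/2/15, so under the newly added `set -e` any command that fails before the final `rm -f` exits without removing the temp files (the second one is later used as the CA serial file). Installing `trap 'rm -f "$TMPFILE" "$TMPFILE2"' 0 1 2 15` directly after the first `tempfile` call closes both gaps; the explicit rm at the end can stay. The `# XXX validate the arguments` reminder is dropped without any validation being added: only `$4` is tested for emptiness, while FQDN, DOMAIN and WEBMASTER are later interpolated unescaped into the `sed "s/HOST/$FQDN/g; …"` script and the openssl config in the second hunk, so a value containing `/` or sed metacharacters silently corrupts the generated config. A `case "$FQDN" in *[!A-Za-z0-9.-]*) echo "invalid fqdn" >&2; exit 2;; esac` style check on each argument would reject such values up front.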
@@ -50,8 +70,13 @@ emailAddress = $WEBMASTER [ req_attributes ] EOF -openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr -cat >$TMPFILE <$TMPFILE < "$TMPFILE2" sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \ < $A2CNDIR/templates/openssl.cnf > "$TMPFILE" -openssl req -config "$TMPFILE" -new -nodes \ - -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr -openssl x509 -extfile "$TMPFILE" -days 3650 \ - -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \ - -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem -# verify -openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem | read mod1 -openssl rsa -noout -modulus -in ${sslkey}/apache2.key | read mod2 + +openssl req -sha256 -config "$TMPFILE" -new -nodes \ + -key ${SSLKEYDIR}/apache2.key -out ${SSLKEYDIR}/apache2.csr +openssl x509 -sha256 -extfile "$TMPFILE" -days 3650 \ + -CAserial "$TMPFILE2" -CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key \ + -in ${SSLKEYDIR}/apache2.csr -req -out ${SSLCRTDIR}/apache2.pem + +mod1=`openssl x509 -sha256 -noout -modulus -in ${SSLCRTDIR}/apache2.pem` +mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key` + if [ "$mod1" != "$mod2" ]; then - echo "Moduli for server keys don't match." - exit 1 + echo "Moduli for server keys don't match." + exit 1 fi KEYS="${KEYS} - - ${sslcrt}/apache2.pem" + - ${SSLCRTDIR}/apache2.pem" KEYS="${KEYS} - - ${sslkey}/apache2.key" + - ${SSLKEYDIR}/apache2.key" + +cd ${SSLCRTDIR} +ln -sf apache2.pem $(openssl x509 -sha256 -hash -noout -in apache2.pem) -cd ${sslcrt} -ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem) - + +# Fix file access permissions. +# +chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key + + +# Cleanup +# rm -f $TMPFILE $TMPFILE2 + echo "Successfully generated server key pairs:" echo "$KEYS" echo
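Review bot: `chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key` runs only at the very end and is the only protection shown for apache2.key; unless its generation (not visible in this hunk) is wrapped in the same `(umask 077; …)` subshell used for the CA key in the first hunk, the server key is written with the default umask and is readable by other users until this line, and is never tightened at all if an earlier command fails under `set -e`. Wrapping that genrsa call the same way makes the chmod a belt-and-braces step rather than the sole guard. Separately, `-sha256` on `openssl x509 -noout -modulus` and on `openssl x509 -hash -noout` selects a digest that neither output uses, so both flags are noise and can be dropped; and if the link created by `ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)` is meant for OpenSSL's hashed-directory lookup, the link name needs a `.0` suffix, i.e. `$(…).0`. The `@@ -50,8 +70,13 @@` header does not match the amount of text shown, so some lines of this hunk (including the server key generation and the heredoc bodies) appear to have been lost in rendering.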