X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=apache2-cn.git;a=blobdiff_plain;f=carnet-generate-ssl;h=093a22bd6b3eeab9f8af083140b2eab0298d3bf5;hp=661d73189c3c3847672487cb895e9b137a2760b1;hb=c55399d12b8affa2cc755f4904415bede2f35f4c;hpb=d03328f5a691130af6d00a90401854ec1dbca134
diff --git a/carnet-generate-ssl b/carnet-generate-ssl
index 661d731..093a22b 100755
--- a/carnet-generate-ssl
+++ b/carnet-generate-ssl
@@ -1,11 +1,20 @@
 #!/bin/sh
+
 set -e
-TMPFILE=`tempfile -d /var/tmp -p apache2-cn`
-TMPFILE2=`tempfile -d /var/tmp -p apache2-cn`
+if [ -z "$4" ]; then
+ echo "Usage: $0 "
+ echo
+ echo " confdir is ignored"
+ echo " fqdn is the fully qualified name of the web server"
+ echo " email address that will appear in the certificate"
+ echo " org is the organization name"
+ exit 2
+fi
-trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
+# Get/set all parameters.
+#
 CONFDIR="$1"
 FQDN="$2"
 WEBMASTER="$3"
@@ -14,26 +23,36 @@ DOMAIN="$4"
 sslcrt=/etc/ssl/certs
 sslkey=/etc/ssl/private
 A2CNDIR=$(dirname $0)
+KEYS=
-if [ -z "$4" ]; then
- echo "Usage: $0 "
- echo
- echo " confdir is ignored"
- echo " fqdn is the fully qualified name of the web server"
- echo " email address that will appear in the certificate"
- echo " org is the organization name"
- exit 2
-fi
-# XXX validate the arguments
+# Create temporary files.
+#
+TMPFILE=`tempfile -d /var/tmp -p apache2-cn`
+TMPFILE2=`tempfile -d /var/tmp -p apache2-cn`
+
+
+# Set trap for deleting all temp files.
+#
+trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
+
 export RANDFILE=/dev/urandom
 cd /etc/ssl
+
+# Generate CA
+#
 if [ ! -f ${sslkey}/ca.key ]; then
-# CA
-openssl genrsa -out $sslkey/ca.key 1024
-cat < $TMPFILE
+
+ openssl genrsa -out ${sslkey}/ca.key 1024
+ KEYS="${KEYS}
+ - ${sslkey}/ca.key"
+fi
+
+if [ ! -f ${sslkey}/ca.csr ] || [ -n "$KEYS" ]; then
+
+ cat < $TMPFILE
 [ req ]
 default_bits = 1024
 default_keyfile = ca.pem 
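Review bot: The usage text on the new side is written to stdout although the script then exits with status 2; diagnostics belong on stderr so a caller capturing output does not mistake them for results, e.g. `echo "Usage: $0 ..." >&2` on each of those lines. The argument placeholders after `$0` also appear to be missing from the first line (possibly lost to rendering of angle brackets); if they really are absent in the file, the message names none of the four parameters it goes on to describe.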
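Review bot: The re-registered `trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;` still fires only on signals, so when `set -e` aborts the script on a failing openssl step the two `/var/tmp` files — which hold the generated CA configuration and, further down, the serial file — are left behind, because the `rm -f` in the last hunk runs only on the success path; registering the cleanup on EXIT as well closes that gap: `trap 'rm -f "$TMPFILE" "$TMPFILE2"' 0 1 2 15`. The `# XXX validate the arguments` reminder is dropped without any validation being added, yet `$FQDN`, `$WEBMASTER` and `$DOMAIN` are still interpolated unquoted into the openssl configuration written here and, later in the file, into a `sed` replacement, so a value containing `/`, `[` or a newline can break or reshape the config; a minimal guard after the parameters are read would be `case "$FQDN" in ''|*[!A-Za-z0-9.-]*) echo "invalid fqdn: $FQDN" >&2; exit 2 ;; esac`. The 1024-bit size carried over in `openssl genrsa -out ${sslkey}/ca.key 1024` and `default_bits = 1024` is below current minimums for a CA key that, per the later hunk, signs ten-year certificates; 2048 or larger is advisable for newly generated CAs.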
@@ -50,8 +69,13 @@ emailAddress = $WEBMASTER
 [ req_attributes ]
 EOF
-openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr
-cat >$TMPFILE <$TMPFILE < "$TMPFILE2"
 sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
 < $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
+
 openssl req -config "$TMPFILE" -new -nodes \
- -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
+ -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
 openssl x509 -extfile "$TMPFILE" -days 3650 \
- -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \
- -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
-# verify
-openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem | read mod1
-openssl rsa -noout -modulus -in ${sslkey}/apache2.key | read mod2
+ -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \
+ -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
+
+mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem`
+mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2.key`
+
 if [ "$mod1" != "$mod2" ]; then
- echo "Moduli for server keys don't match."
- exit 1
+ echo "Moduli for server keys don't match."
+ exit 1
 fi
 KEYS="${KEYS}
@@ -104,9 +132,13 @@ KEYS="${KEYS}
 cd ${sslcrt}
 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
-
+
+
+# Cleanup
+#
 rm -f $TMPFILE $TMPFILE2
+
 echo "Successfully generated server key pairs:"
 echo "$KEYS"
 echo
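Review bot: `-CAserial "$TMPFILE2"` in the server-signing step points the issuer's serial counter at a temp file that the final hunk deletes, so the counter never persists across runs; whatever this script seeds it with (that line is garbled in this rendering) is reused the next time apache2.pem is regenerated under the same ca.key, and two different certificates with the same issuer and serial violate RFC 5280 and are rejected by some clients once the earlier one has been cached. Replacing `-CAserial "$TMPFILE2"` with `-CAcreateserial` keeps the counter in a `ca.srl` file next to the CA certificate and lets OpenSSL increment it on each issuance. The moduli check itself is now sound — the assignments no longer run `read` in a pipeline subshell — but it only proves key and certificate match; `-days 3650` on a server certificate backed by the 1024-bit keys configured earlier in the file is a long exposure window, and a shorter lifetime with periodic regeneration would be safer. The hunk header for this section is missing from the rendering, so its exact start is not visible here.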