X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=apache2-cn.git;a=blobdiff_plain;f=carnet-generate-ssl;h=7f618ba3d4be9e7924a9dd8bc3cfc3a522b979bf;hp=093a22bd6b3eeab9f8af083140b2eab0298d3bf5;hb=b0aaaaefbf10a1e20c50cb243fd4b21b283930e0;hpb=c55399d12b8affa2cc755f4904415bede2f35f4c diff --git a/carnet-generate-ssl b/carnet-generate-ssl index 093a22b..7f618ba 100755 --- a/carnet-generate-ssl +++ b/carnet-generate-ssl @@ -43,19 +43,19 @@ cd /etc/ssl # Generate CA # -if [ ! -f ${sslkey}/ca.key ]; then +if [ ! -f ${sslkey}/apache2-ca.key ]; then - openssl genrsa -out ${sslkey}/ca.key 1024 + (umask 077; openssl genrsa -out ${sslkey}/apache2-ca.key 1024) KEYS="${KEYS} - - ${sslkey}/ca.key" + - ${sslkey}/apache2-ca.key" fi -if [ ! -f ${sslkey}/ca.csr ] || [ -n "$KEYS" ]; then +if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then cat < $TMPFILE [ req ] default_bits = 1024 -default_keyfile = ca.pem +default_keyfile = apache2-ca.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no @@ -70,10 +70,10 @@ emailAddress = $WEBMASTER EOF - openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr + openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr fi -if [ ! -f ${sslcrt}/ca.pem ] || [ -n "$KEYS" ]; then +if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then cat >$TMPFILE < "$TMPFILE2" sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \ @@ -114,7 +114,7 @@ sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \ openssl req -config "$TMPFILE" -new -nodes \ -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr openssl x509 -extfile "$TMPFILE" -days 3650 \ - -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \ + -CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \ -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem` 
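Review bot: The CA key on the new `genrsa` line is still generated at 1024 bits, and `default_bits = 1024` in the request config matches it; that modulus size is too small for a signing key, especially one whose certificates are issued with `-days 3650` further down. Since the line is being changed anyway, I would make it `(umask 077; openssl genrsa -out "${sslkey}/apache2-ca.key" 2048)` and set `default_bits = 2048`, quoting the path at the same time. The rename also means a host that already has `${sslkey}/ca.key` fails the new `-f` test and gets a fresh CA, while the old key, created before the `umask 077` was added, stays on disk with whatever mode it had. Unless a migration step elsewhere in the package handles this, the old file should be tightened or removed in the same change.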
@@ -134,6 +134,11 @@ cd ${sslcrt} ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem) +# Fix file access permissions. +# +chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key + + # Cleanup # rm -f $TMPFILE $TMPFILE2
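Review bot: The `chmod 600` at the end only tightens the mode after the fact, so `${sslkey}/apache2.key` may be readable by other local users from the moment it is written until this line runs, and it stays that way if the script stops earlier. The CA key is now created under `umask 077` in the first hunk, but the command that writes `apache2.key` is not in this diff. If that key is generated without a restrictive umask, run the command in the same kind of `(umask 077; ...)` subshell and keep the chmod only to repair files left by older versions. The paths should also be quoted, `chmod 600 "${sslkey}/apache2-ca.key" "${sslkey}/apache2.key"`, so a key directory with unusual characters cannot split the arguments.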