X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=apache2-cn.git;a=blobdiff_plain;f=carnet-generate-ssl;h=d3976eed40d7366d914b7a29f0235828d96c37a6;hp=34af61f6b212ee5fb17d367e804c5a630fce2a3d;hb=HEAD;hpb=d0545bc48a700b22c3def9c648d97c6b80398cfe
diff --git a/carnet-generate-ssl b/carnet-generate-ssl
index 34af61f..d3976ee 100755
--- a/carnet-generate-ssl
+++ b/carnet-generate-ssl
@@ -20,8 +20,9 @@ FQDN="$2"
 WEBMASTER="$3"
 DOMAIN="$4"
-sslcrt=/etc/ssl/certs
-sslkey=/etc/ssl/private
+SSLDIR=/etc/ssl
+SSLCRTDIR=${SSLDIR}/certs
+SSLKEYDIR=${SSLDIR}/private
 A2CNDIR=$(dirname $0)
 KEYS=
@@ -38,23 +39,23 @@ trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
 export RANDFILE=/dev/urandom
-cd /etc/ssl
+cd ${SSLDIR}
 # Generate CA
 #
-if [ ! -f ${sslkey}/apache2-ca.key ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.key ]; then
- openssl genrsa -out ${sslkey}/apache2-ca.key 1024
+ (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key 2048)
 KEYS="${KEYS}
- - ${sslkey}/apache2-ca.key"
+ - ${SSLKEYDIR}/apache2-ca.key"
 fi
-if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
 cat < $TMPFILE
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = apache2-ca.pem
 distinguished_name = req_distinguished_name
 attributes = req_attributes
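Review bot: The new `cd ${SSLDIR}` in the second hunk is neither quoted nor checked, so if the directory is missing or inaccessible the script silently carries on in whatever directory it was started from and the later relative operations (the `ln -sf` in the last hunk, the heredoc's `default_keyfile = apache2-ca.pem`) act there instead; `cd "${SSLDIR}" || exit 1` closes that gap. The `(umask 077; openssl genrsa … 2048)` subshell is the right way to create the CA key without a world-readable window; note that `default_bits = 2048` in the heredoc is only a fallback, since the `openssl req` calls pass `-key` explicitly and never generate from the config. Whether the original file separates these statements with blank lines cannot be told from this collapsed hunk, and the `cat < $TMPFILE` line appears to have lost its heredoc redirection in rendering.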
@@ -70,10 +71,10 @@ emailAddress = $WEBMASTER EOF - openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr + openssl req -sha256 -config $TMPFILE -new -key ${SSLKEYDIR}/apache2-ca.key -out ${SSLKEYDIR}/apache2-ca.csr fi -if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then +if [ ! -f ${SSLCRTDIR}/apache2-ca.pem ] || [ -n "$KEYS" ]; then cat >$TMPFILE < "$TMPFILE2" sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \ < $A2CNDIR/templates/openssl.cnf > "$TMPFILE" -openssl req -config "$TMPFILE" -new -nodes \ - -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr -openssl x509 -extfile "$TMPFILE" -days 3650 \ - -CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \ - -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem +openssl req -sha256 -config "$TMPFILE" -new -nodes \ + -key ${SSLKEYDIR}/apache2.key -out ${SSLKEYDIR}/apache2.csr +openssl x509 -sha256 -extfile "$TMPFILE" -days 3650 \ + -CAserial "$TMPFILE2" -CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key \ + -in ${SSLKEYDIR}/apache2.csr -req -out ${SSLCRTDIR}/apache2.pem -mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem` -mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2.key` +mod1=`openssl x509 -sha256 -noout -modulus -in ${SSLCRTDIR}/apache2.pem` +mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key` if [ "$mod1" != "$mod2" ]; then echo "Moduli for server keys don't match." 
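Review bot: `-sha256` on the `mod1=` line has no effect, because `openssl x509 -noout -modulus` neither signs nor prints a fingerprint, and the same applies to the `openssl x509 -sha256 -hash -noout` on the `ln -sf` line of the final hunk; only the `openssl req -sha256` and `openssl x509 -sha256 … -req` invocations actually change the signature digest, which is the point of the commit. Dropping the flag where it is inert keeps the intent readable: `` mod1=`openssl x509 -noout -modulus -in ${SSLCRTDIR}/apache2.pem` ``. The backtick substitutions are a pre-existing style; `$( … )` would read more clearly but that is outside this change. This hunk appears to have lost its heredoc body and the header of a following hunk in rendering, so the lines between `cat >$TMPFILE` and the `sed` call are not reviewable here.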
@@ -126,18 +127,17 @@ if [ "$mod1" != "$mod2" ]; then
 fi
 KEYS="${KEYS}
- - ${sslcrt}/apache2.pem"
+ - ${SSLCRTDIR}/apache2.pem"
 KEYS="${KEYS}
- - ${sslkey}/apache2.key"
+ - ${SSLKEYDIR}/apache2.key"
-cd ${sslcrt}
-ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
+cd ${SSLCRTDIR}
+ln -sf apache2.pem $(openssl x509 -sha256 -hash -noout -in apache2.pem)
-# Fix file access permissions and group ownership.
+# Fix file access permissions.
 #
-chgrp www-data ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
-chmod 640 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
+chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key
 # Cleanup