# Excerpt (original line numbers kept in the left column) of a CARNet
# apache2-cn helper that creates a local CA and an Apache server certificate
# under /etc/ssl. Lines are elided in this listing: several if/fi bodies,
# the here-doc openings (presumably `cat > $TMPFILE <<EOF`) and the echo
# statements that lines 50/91/129/131 continue are not visible, so the
# control flow is described from the surviving lines only.
#
# Usage banner: four positional arguments; the first (confdir) is accepted
# but ignored, per the message itself.
6 echo "Usage: $0 <confdir> <fqdn> <email> <org>"
8 echo " confdir is ignored"
9 echo " fqdn is the fully qualified name of the web server"
10 echo " email address that will appear in the certificate"
11 echo " org is the organization name"
16 # Get/set all parameters.
# Private-key directory. $sslcrt (the .pem directory used below), $FQDN,
# $DOMAIN, $WEBMASTER, $KEYS and $A2CNDIR are assigned on elided lines.
24 sslkey=/etc/ssl/private
29 # Create temporary files.
# NOTE(review): `tempfile` is the Debian-specific helper; `mktemp` is the
# portable equivalent. Backticks could be $(...) for readability; the
# behaviour is identical here.
31 TMPFILE=`tempfile -d /var/tmp -p apache2-cn`
32 TMPFILE2=`tempfile -d /var/tmp -p apache2-cn`
35 # Set trap for deleting all temp files.
# The temp paths are expanded when the trap is installed (double quotes),
# so a later reassignment would not be covered. Only HUP/INT/TERM (1 2 15)
# are trapped, not EXIT or ERR: an openssl failure that aborts the script
# on an elided line would leave the temp files behind; the normal path
# removes them explicitly at line 145. The names are unquoted inside the
# trap, which is harmless for tempfile's /var/tmp/apache2-cn* names, but
# "$TMPFILE" "$TMPFILE2" would be the safe form.
37 trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
# Seed source for openssl's PRNG.
40 export RANDFILE=/dev/urandom
# --- CA key and certificate ------------------------------------------
# The CA key is generated only if absent; unlike the CSR/cert below it is
# never regenerated even when $KEYS is set. The echo string that line 50
# continues starts on an elided line.
# NOTE(review): 1024-bit RSA (here and for the server key at line 108) is
# below the 2048-bit minimum that current guidance recommends, and some
# modern TLS stacks refuse such keys; raising it only changes the keysize
# argument.
46 if [ ! -f ${sslkey}/apache2-ca.key ]; then
48 openssl genrsa -out ${sslkey}/apache2-ca.key 1024
50 - ${sslkey}/apache2-ca.key"
# CA CSR: created when missing, or forced when $KEYS is non-empty (the
# origin of KEYS is not visible here). Lines 58-67 are the body of a
# here-doc that writes a minimal `openssl req` config to $TMPFILE;
# $WEBMASTER is expanded verbatim into that config, so a value containing
# config syntax (a newline followed by a `[section]` header, for instance)
# would be interpreted by openssl rather than treated as data — presumably
# acceptable because the value comes from the administrator's command line.
53 if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
58 default_keyfile = apache2-ca.pem
59 distinguished_name = req_distinguished_name
60 attributes = req_attributes
63 [ req_distinguished_name ]
67 emailAddress = $WEBMASTER
# Request for the CA certificate using the config written above.
73 openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr
# Self-signed CA certificate. Lines 81-83 are the body of a here-doc (x509
# extensions) written to $TMPFILE: pathlen:0 means this CA may sign
# end-entity certificates only, never a subordinate CA. 3651 days is one
# day longer than the 3650-day server certificate below, presumably so the
# server certificate can never outlive its issuer.
76 if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
81 subjectAltName = email:copy
82 basicConstraints = CA:true,pathlen:0
83 nsComment = "CARNet apache2-cn package generated custom CA certificate"
87 openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/apache2-ca.key \
88 -in ${sslkey}/apache2-ca.csr -req -out ${sslcrt}/apache2-ca.pem
91 - ${sslcrt}/apache2-ca.pem"
# Sanity check: certificate and private key must share an RSA modulus,
# otherwise they do not belong together. This is the only error check in
# the excerpt; openssl exit statuses are not tested and no `set -e` is
# visible.
94 mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2-ca.pem`
95 mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2-ca.key`
97 if [ "$mod1" != "$mod2" ]; then
98 echo "Moduli for CA keys don't match."
# Subject-hash symlink so openssl/Apache can find the CA by hash. The
# relative paths assume the working directory is $sslcrt at this point;
# the cd is presumably on an elided line — confirm.
103 ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem)
106 # Generate server certificate
# Unconditional: the server key and certificate are regenerated on every
# run (no -f guard like the CA section has). 1024-bit: see the note above.
108 openssl genrsa -out ${sslkey}/apache2.key 1024
# Serial-number file for -CAserial (starts at 01). The req/x509 config is
# built by substituting the placeholders HOST/DOMAIN/WEBMASTER in the
# package template. The values are spliced into the sed program itself, so
# a value containing '/', '&' or a newline would break or alter the sed
# script instead of being substituted literally. $A2CNDIR is unquoted.
110 echo 01 > "$TMPFILE2"
111 sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
112 < $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
# -nodes: the server key is written unencrypted (Apache reads it without a
# passphrase). The certificate is issued by the CA above for 3650 days,
# with the same rendered template serving as -extfile.
114 openssl req -config "$TMPFILE" -new -nodes \
115 -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
116 openssl x509 -extfile "$TMPFILE" -days 3650 \
117 -CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \
118 -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
# Same modulus consistency check for the server pair.
120 mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem`
121 mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2.key`
123 if [ "$mod1" != "$mod2" ]; then
124 echo "Moduli for server keys don't match."
129 - ${sslcrt}/apache2.pem"
131 - ${sslkey}/apache2.key"
# Subject-hash symlink for the server certificate (same cwd assumption).
134 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
137 # Fix file access permissions and group ownership.
# NOTE(review): this makes the CA signing key (apache2-ca.key) group-readable
# by www-data, the group Apache's workers run as on Debian. Within this
# excerpt the CA key is used only by the signing step at line 117 (run by
# this script, not by the web server); only apache2.key needs to be readable
# by Apache. Keeping apache2-ca.key root-only (mode 600, root group) would
# mean a compromise of the web server process does not also expose the
# key that can issue further certificates under this CA.
139 chgrp www-data ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
140 chmod 640 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
# Normal-path cleanup (the trap above covers signals only).
145 rm -f $TMPFILE $TMPFILE2
148 echo "Successfully generated server key pairs:"