# Usage text, presumably printed by the script's usage/help routine (the
# surrounding function and its exit are not part of this excerpt).
# Four positional arguments are expected:
#   confdir - accepted for command-line compatibility only; per the text below
#             it is ignored
#   fqdn    - host name the server certificate is issued for
#   email   - address placed in the certificates' emailAddress field
#   org     - organisation name placed in the certificate subject
6 echo "Usage: $0 <confdir> <fqdn> <email> <org>"
8 echo " confdir is ignored"
9 echo " fqdn is the fully qualified name of the web server"
10 echo " email address that will appear in the certificate"
11 echo " org is the organization name"
16 # Get/set all parameters.
# Certificate and private-key directories derived from SSLDIR (assigned
# earlier, outside this excerpt). These paths are expanded unquoted all
# through the script, which is only safe while SSLDIR contains no whitespace
# or glob characters.
24 SSLCRTDIR=${SSLDIR}/certs
25 SSLKEYDIR=${SSLDIR}/private
30 # Create temporary files.
# TMPFILE receives the generated OpenSSL config/extension text and TMPFILE2
# the CA serial file. tempfile(1) is Debian-specific and deprecated in favour
# of mktemp(1); either one yields an unpredictable name rather than a fixed,
# symlink-attackable path under /var/tmp.
32 TMPFILE=`tempfile -d /var/tmp -p apache2-cn`
33 TMPFILE2=`tempfile -d /var/tmp -p apache2-cn`
36 # Set trap for deleting all temp files.
# The trap fires only on HUP/INT/TERM; the success path removes the files
# explicitly at the end of the script. NOTE(review): an openssl step that
# fails and terminates the script (e.g. under set -e, if enabled earlier)
# takes neither path and leaves the config and serial files in /var/tmp --
# `trap 'rm -f "$TMPFILE" "$TMPFILE2"' EXIT HUP INT TERM` would cover every
# exit. The names are expanded at definition time (double quotes), which is
# acceptable here because the tempfile names contain no whitespace.
38 trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
# Point OpenSSL's seed file at the kernel CSPRNG so key generation never
# depends on a stale or shared ~/.rnd. NOTE(review): older OpenSSL apps also
# try to rewrite RANDFILE on exit; that write fails harmlessly on a device
# node. Recent releases seed from the OS themselves, so this line is largely
# historical -- confirm against the installed OpenSSL version.
41 export RANDFILE=/dev/urandom
# --- CA key, CSR and self-signed CA certificate ---------------------------
# The CA key is generated only when absent, so later runs keep the same CA
# and previously issued server certificates stay valid. umask is changed
# inside a subshell so the key is created 0600 without altering the script's
# umask for everything that follows.
47 if [ ! -f ${SSLKEYDIR}/apache2-ca.key ]; then
49 (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key 2048)
# Tail of a multi-line status message listing the files written (the start of
# that message is not in this excerpt).
51 - ${SSLKEYDIR}/apache2-ca.key"
# The CSR is (re)built when missing or when KEYS is non-empty; KEYS appears to
# be a "force regeneration" switch, but where it is set is not visible here.
54 if [ ! -f ${SSLKEYDIR}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
# Fragments of the [ req ] configuration written to TMPFILE for the CA request
# (the surrounding heredoc is not shown). default_keyfile appears inert: the
# req call below supplies the key explicitly with -key, so none is generated.
59 default_keyfile = apache2-ca.pem
60 distinguished_name = req_distinguished_name
61 attributes = req_attributes
64 [ req_distinguished_name ]
# WEBMASTER derives from the <email> argument and lands in the CA subject.
68 emailAddress = $WEBMASTER
74 openssl req -sha256 -config $TMPFILE -new -key ${SSLKEYDIR}/apache2-ca.key -out ${SSLKEYDIR}/apache2-ca.csr
# The CA certificate is (re)issued when missing or when KEYS is non-empty.
77 if [ ! -f ${SSLCRTDIR}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
# X.509v3 extensions for the CA certificate (passed to x509 via -extfile
# below). pathlen:0 limits this CA to issuing end-entity certificates.
# NOTE(review): RFC 5280 requires basicConstraints to be critical on a CA
# certificate, and a CA should carry keyUsage keyCertSign/cRLSign so the CA
# key cannot be presented as a server certificate; strict validators warn on
# or reject the current form. Suggested section:
#   basicConstraints = critical,CA:true,pathlen:0
#   keyUsage = critical,keyCertSign,cRLSign
#   subjectKeyIdentifier = hash
82 subjectAltName = email:copy
83 basicConstraints = CA:true,pathlen:0
84 nsComment = "CARNet apache2-cn package generated custom CA certificate"
# Self-sign the CSR (-signkey) with SHA-256, valid ~10 years. No -set_serial is
# given, so the CA certificate receives OpenSSL's default serial for -signkey
# (zero on older releases, which is not a valid positive serial per RFC 5280)
# -- TODO confirm with the installed OpenSSL and add -set_serial if needed.
88 openssl x509 -sha256 -extfile $TMPFILE -days 3651 -signkey ${SSLKEYDIR}/apache2-ca.key \
89 -in ${SSLKEYDIR}/apache2-ca.csr -req -out ${SSLCRTDIR}/apache2-ca.pem
# Tail of the status message listing the generated CA certificate.
92 - ${SSLCRTDIR}/apache2-ca.pem"
# Sanity check: the certificate's RSA modulus must equal the key's, otherwise
# an old key has been paired with a fresh certificate (or vice versa). The
# -sha256 flag has no effect on -modulus output.
95 mod1=`openssl x509 -sha256 -noout -modulus -in ${SSLCRTDIR}/apache2-ca.pem`
96 mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2-ca.key`
98 if [ "$mod1" != "$mod2" ]; then
# NOTE(review): this is an error condition; it belongs on stderr (>&2) and must
# be followed by a non-zero exit -- whether the script exits here is not
# visible in this excerpt.
99 echo "Moduli for CA keys don't match."
# Link the CA certificate under its subject hash so -CApath style lookups find
# it. The relative paths imply an earlier cd into the certs directory (not
# shown). NOTE(review): -hash is the legacy alias of -subject_hash, whose
# algorithm changed in OpenSSL 1.0.0, and c_rehash names such links <hash>.0;
# the link created here has no .0 suffix -- verify that whatever reads this
# directory accepts it. -sha256 does not influence the subject hash.
104 ln -sf apache2-ca.pem $(openssl x509 -sha256 -hash -noout -in apache2-ca.pem)
107 # Generate server certificate
# Fresh 2048-bit RSA server key, created 0600 via the subshell umask. Unlike
# the CA key there is no "if missing" guard in view, so the server key and
# certificate appear to be regenerated on every run (the line between this
# comment and genrsa is not in this excerpt -- confirm).
109 (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2.key 2048)
# CA serial file for the signing step below.
# NOTE(review): the serial is reset to 01 on every run, so every server
# certificate this CA ever issues carries serial 1. Serials must be unique per
# issuer, and clients that cache issuer+serial (Firefox's
# SEC_ERROR_REUSED_ISSUER_AND_SERIAL) reject a renewed certificate. A random
# serial, `openssl rand -hex 8 > "$TMPFILE2"`, or a persistent serial file
# used with -CAcreateserial, avoids the collision.
111 echo 01 > "$TMPFILE2"
# Instantiate the openssl.cnf template with host, domain and e-mail.
# NOTE(review): the values are spliced straight into the sed program, so a
# '/', '&', '\' or newline in FQDN/DOMAIN/WEBMASTER (all derived from argv)
# breaks or silently alters the substitution. Escape them first, or use a
# delimiter that cannot occur in the values.
112 sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
113 < $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
# Build the server CSR with SHA-256. -nodes only matters when req generates a
# key; the key is supplied with -key, so the flag appears inert here.
115 openssl req -sha256 -config "$TMPFILE" -new -nodes \
116 -key ${SSLKEYDIR}/apache2.key -out ${SSLKEYDIR}/apache2.csr
# Sign the CSR with the CA for ~10 years, taking extensions from the same
# templated config. Which extension section x509 applies is not visible; it
# must provide subjectAltName = DNS:<fqdn>, since modern clients ignore the CN
# for host matching, and ideally extendedKeyUsage = serverAuth --
# TODO confirm against templates/openssl.cnf.
117 openssl x509 -sha256 -extfile "$TMPFILE" -days 3650 \
118 -CAserial "$TMPFILE2" -CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key \
119 -in ${SSLKEYDIR}/apache2.csr -req -out ${SSLCRTDIR}/apache2.pem
# Cross-check that certificate and key share the same RSA modulus.
121 mod1=`openssl x509 -sha256 -noout -modulus -in ${SSLCRTDIR}/apache2.pem`
122 mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key`
124 if [ "$mod1" != "$mod2" ]; then
# NOTE(review): error condition; should go to stderr and be followed by a
# non-zero exit (not visible whether it does).
125 echo "Moduli for server keys don't match."
# Tails of the status message listing the generated server certificate and key.
130 - ${SSLCRTDIR}/apache2.pem"
132 - ${SSLKEYDIR}/apache2.key"
# Subject-hash symlink for the server certificate. Relative paths assume the
# cwd is the certs directory (the cd is not shown). NOTE(review): -hash is the
# legacy -subject_hash alias (algorithm changed in OpenSSL 1.0.0) and the link
# lacks the .0 suffix c_rehash would add -- verify the consumer accepts it.
135 ln -sf apache2.pem $(openssl x509 -sha256 -hash -noout -in apache2.pem)
138 # Fix file access permissions.
# Belt-and-braces: both keys were created under umask 077 above, but this
# also tightens a pre-existing CA key from an earlier run that may have been
# left with looser permissions (presumably the reason for the explicit chmod).
140 chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key
# Success-path cleanup; the signal trap set earlier does not cover a normal
# exit. The CA serial file is discarded here too, so nothing persists the
# last-used serial between runs.
145 rm -f $TMPFILE $TMPFILE2
148 echo "Successfully generated server key pairs:"