# NOTE(review): numbered excerpt of a CA + server certificate generation
# script (the leading number on each line is the original line number;
# the lines in between are not shown). The `if` opened below, the
# here-documents that feed the openssl config, and the final report are
# only partly visible, so the comments describe just what is on the page.
#
# Two scratch files (debianutils tempfile, created 0600 unless -m is given):
# the first receives the generated openssl config, the second is used as
# the CA serial file further down. Backticks: `$(...)` is the modern form.
4 TMPFILE=`tempfile -d /var/tmp -p apache2-cn`
5 TMPFILE2=`tempfile -d /var/tmp -p apache2-cn`
# Cleanup only on HUP/INT/TERM (1 2 15); there is no EXIT trap, so any
# other abnormal exit (e.g. an openssl failure under `set -e`, if that is
# enabled elsewhere) leaves the generated config and serial file behind.
# The names are expanded when the trap is defined, which is intended here.
7 trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
# Private-key directory. `sslcrt` (used below for the .pem outputs) and
# $A2CNDIR are assigned outside the visible lines.
15 sslkey=/etc/ssl/private
# Usage text; presumably printed on a bad argument count (the surrounding
# condition is not shown). Argument order: confdir fqdn email org.
19 echo "Usage: $0 <confdir> <fqdn> <email> <org>"
21 echo " confdir is ignored"
22 echo " fqdn is the fully qualified name of the web server"
23 echo " email address that will appear in the certificate"
24 echo " org is the organization name"
# The arguments end up unescaped inside a sed expression (line 85 below,
# `/`, `&`, `\` and newlines in FQDN/DOMAIN/WEBMASTER change the
# substitution) and inside the openssl config here-document, so this
# validation is the place to reject anything outside the expected
# hostname / e-mail character set.
28 # XXX validate the arguments
# RANDFILE is the seed file openssl loads and rewrites; pointing it at
# /dev/urandom presumably avoids the "unable to write 'random state'"
# complaint when $HOME/.rnd is unavailable — TODO confirm that is the intent.
30 export RANDFILE=/dev/urandom
# Create a local CA only when no CA key exists yet. The matching `fi` is
# outside the visible lines. `${sslkey}/ca.key` is unquoted (harmless for
# this fixed path, but inconsistent with the quoting used on lines 85-90).
33 if [ ! -f ${sslkey}/ca.key ]; then
# 1024-bit RSA is below current minimum recommendations (2048+; most
# current TLS clients refuse CA and leaf keys shorter than 2048 bits).
# No umask/chmod is visible around the key outputs; the resulting file
# mode depends on the openssl version and the caller's umask — confirm
# the key ends up readable only by the intended user.
# The config lines that follow (default_keyfile, distinguished_name,
# attributes, [ req_distinguished_name ], emailAddress = $WEBMASTER) are
# the body of a here-document written to $TMPFILE for the `req` step;
# the `cat` that opens it is not on the page. $WEBMASTER is substituted
# verbatim into that config.
35 openssl genrsa -out $sslkey/ca.key 1024
39 default_keyfile = ca.pem
40 distinguished_name = req_distinguished_name
41 attributes = req_attributes
44 [ req_distinguished_name ]
48 emailAddress = $WEBMASTER
# CSR for the CA itself, using the just-generated key and the config in
# $TMPFILE. The subsequent lines (subjectAltName, basicConstraints,
# nsComment) are a second config fragment, presumably rewritten into the
# same $TMPFILE, used as -extfile for the self-signing step: CA:true with
# pathlen:0, i.e. this CA may sign end-entity certs but no sub-CAs.
53 openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr
57 subjectAltName = email:copy
58 basicConstraints = CA:true,pathlen:0
59 nsComment = "CARNet apache2-cn package generated custom CA certificate"
# Self-sign the CA CSR for 3651 days (~10 years) with the extensions above.
62 openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/ca.key \
63 -in ${sslkey}/ca.csr -req -out ${sslcrt}/ca.pem
# Consistency check: compare the certificate's modulus with the key's.
# The `| read mod1` / `| read mod2` continuations (original lines 65/67)
# are not shown; see the server-key variant on lines 93/94 below for why
# this comparison may never fire.
64 openssl x509 -noout -modulus -in ${sslcrt}/ca.pem | \
66 openssl rsa -noout -modulus -in ${sslkey}/ca.key | \
# Message goes to stdout rather than stderr; whether the script exits
# on mismatch is decided on lines not shown (70-72).
68 if [ "$mod1" != "$mod2" ]; then
69 echo "Moduli for CA keys don't match."
# Hash-named symlink so openssl's directory lookup (c_rehash style) can
# find the CA cert. Relative paths mean the cwd must be ${sslcrt} here;
# the `cd` is not visible. NOTE(review): `-hash` output changed between
# openssl 0.9.x (MD5-based) and 1.0.0+ (SHA-1-based), so the link name
# depends on the installed version.
73 ln -sf ca.pem $(openssl x509 -hash -noout -in ca.pem)
# Server key; same 1024-bit and file-mode remarks as for the CA key.
83 openssl genrsa -out ${sslkey}/apache2.key 1024
# Fill the packaged openssl.cnf template by plain text substitution. The
# three values come from the command line (see the XXX above) and are
# spliced into the sed script unescaped; a `/` or `&` in them alters the
# expression rather than the output. $A2CNDIR is set outside this excerpt.
85 sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
86 < $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
# Server CSR. `-nodes` only affects a key written by -keyout; with an
# explicit -key it has no effect here (the key file is unencrypted anyway).
87 openssl req -config "$TMPFILE" -new -nodes \
88 -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
# Sign the server CSR with the local CA for 3650 days, reusing the
# substituted template as -extfile. $TMPFILE2 is the CA serial file;
# tempfile created it empty, so confirm a serial is written into it on
# one of the lines not shown (or that -CAcreateserial is passed), as
# openssl otherwise fails to load the serial. NOTE(review): a 10-year
# leaf certificate exceeds what current browser policies accept.
89 openssl x509 -extfile "$TMPFILE" -days 3650 \
90 -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \
91 -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
# Modulus check for the server pair. In bash and dash the last stage of a
# pipeline runs in a subshell, so `read mod1` / `read mod2` assign in a
# child and $mod1/$mod2 remain unset in the parent; the comparison below
# then compares two empty strings and always passes. (ksh/zsh run the last
# stage in the current shell; the shebang is not visible.) A
# `mod1=$(openssl ... -modulus ...)` form avoids this on every shell.
93 openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem | read mod1
94 openssl rsa -noout -modulus -in ${sslkey}/apache2.key | read mod2
95 if [ "$mod1" != "$mod2" ]; then
96 echo "Moduli for server keys don't match."
101 - ${sslcrt}/apache2.pem"
103 - ${sslkey}/apache2.key"
# Hash-named symlink for the server cert; same cwd assumption as line 73.
106 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
# Scratch files are removed only on this success path (see the trap note
# at the top for the other exit paths).
108 rm -f $TMPFILE $TMPFILE2
110 echo "Successfully generated server key pairs:"