# Generate CA
#
-if [ ! -f ${sslkey}/ca.key ]; then
+if [ ! -f ${sslkey}/apache2-ca.key ]; then
- openssl genrsa -out ${sslkey}/ca.key 1024
+ openssl genrsa -out ${sslkey}/apache2-ca.key 1024
KEYS="${KEYS}
- - ${sslkey}/ca.key"
+ - ${sslkey}/apache2-ca.key"
fi
-if [ ! -f ${sslkey}/ca.csr ] || [ -n "$KEYS" ]; then
+if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
cat <<EOF > $TMPFILE
[ req ]
default_bits = 1024
-default_keyfile = ca.pem
+default_keyfile = apache2-ca.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
EOF
- openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr
+ openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr
fi
-if [ ! -f ${sslcrt}/ca.pem ] || [ -n "$KEYS" ]; then
+if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
cat >$TMPFILE <<EOT
extensions = x509v3
nsCertType = sslCA
EOT
- openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/ca.key \
- -in ${sslkey}/ca.csr -req -out ${sslcrt}/ca.pem
+ openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/apache2-ca.key \
+ -in ${sslkey}/apache2-ca.csr -req -out ${sslcrt}/apache2-ca.pem
KEYS="${KEYS}
- - ${sslcrt}/ca.pem"
+ - ${sslcrt}/apache2-ca.pem"
fi
-mod1=`openssl x509 -noout -modulus -in ${sslcrt}/ca.pem`
-mod2=`openssl rsa -noout -modulus -in ${sslkey}/ca.key`
+mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2-ca.pem`
+mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2-ca.key`
if [ "$mod1" != "$mod2" ]; then
echo "Moduli for CA keys don't match."
fi
cd ${sslcrt}
-ln -sf ca.pem $(openssl x509 -hash -noout -in ca.pem)
+ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem)
# Generate server certificate
openssl req -config "$TMPFILE" -new -nodes \
-key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
openssl x509 -extfile "$TMPFILE" -days 3650 \
- -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \
+ -CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \
-in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem`
ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
+# Fix file access permissions and group ownership.
+#
+chgrp www-data ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
+chmod 640 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
+
+
# Cleanup
#
rm -f $TMPFILE $TMPFILE2
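Review bot: The new chgrp/chmod lines make apache2-ca.key group-readable by www-data, but nothing in this script hands the CA key to the web server at runtime; it is used only at generation time by the `-CAkey ${sslkey}/apache2-ca.key` call, so the web server group only needs apache2.key. With a compromised www-data process the CA key could be read and used to issue further certificates under this CA, which defeats the point of splitting the CA from the server key. Suggest restricting the CA material to root and limiting the group grant to the server key: `chgrp www-data ${sslkey}/apache2.key ${sslkey}/apache2.csr`, `chmod 640 ${sslkey}/apache2.key ${sslkey}/apache2.csr`, `chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr`. Note also that the permissions are fixed only after `openssl genrsa` has already written the key with the process umask; setting `umask 077` before generation would close that window (assuming the caller's umask is not already restrictive). The chmod/chgrp results are unchecked and `${sslkey}` is unquoted throughout, consistent with the rest of the script.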