#!/bin/bash # Peter Poeml # # Script to generate ssl keys for mod_ssl, without requiring user input # most of it is copied from mkcert.sh of the mod_ssl distribution # # XXX This is just a hack, it won't be able to do anything you want! # function usage { cat <<-EOF `basename $0` will generate a test certificate "the quick way", i.e. without interaction. You can change some defaults however. It will overwrite /root/.mkcert.cfg These options are recognized: Default: -N comment "$comment" -c country (two letters, e.g. DE) $C -s state $ST -l city $L -o organisation "$O" -u organisational unit "$U" -n fully qualified domain name $CN (hostname -f) -e email address of webmaster webmaster@$CN -a subject alternative name $altName -y days server cert is valid for $srvdays -Y days CA cert is valid for $CAdays -d run in debug mode -h show usage EOF } test -t && { BRIGHT=''; RED=''; NORMAL=''; } function myecho { echo $BRIGHT$@$NORMAL; } function error { echo $RED$@$NORMAL; } function myexit { error something ugly seems to have happened in line $1...; exit $2; } hostname=/usr/bin/hostname FQHOSTNAME="" if [ -x $hostname ]; then FQHOSTNAME=`$hostname -f 2>/dev/null` # bsc#1035829 fqlength=`echo -n $FQHOSTNAME|wc -c` if [ $fqlength -gt 64 ]; then FQHOSTNAME=`$hostname 2>/dev/null` fi fi # bsc#1057406 if [ -z $FQHOSTNAME ]; then FQHOSTNAME='localhost' fi # defaults comment="mod_ssl server certificate" C=XY ST=unknown L=unknown U="web server" O="SUSE Linux Web Server" CN=$FQHOSTNAME email=webmaster@$FQHOSTNAME altName=DNS:$CN CAdays=$((365 * 6)) srvdays=$((365 * 2)) while getopts C:N:c:s:l:o:u:n:e:a:y:Y:dh OPT; do case $OPT in N) comment=$OPTARG;; c) C=$OPTARG;; s) ST=$OPTARG;; l) L=$OPTARG;; u) U=$OPTARG;; o) O=$OPTARG;; n) CN=$OPTARG;; e) email=$OPTARG;; a) altName=$OPTARG;; y) srvdays=$OPTARG;; Y) CAdays=$OPTARG;; d) set -x;; h) usage; exit 2;; *) echo unrecognized option: $OPT; usage; exit 2;; esac done GO_LEFT="\033[80D" GO_MIDDLE="$GO_LEFT\033[15C" for i in comment C ST L U O CN email altName srvdays CAdays; do eval "echo -e $i\"$GO_MIDDLE\" \$$i;" done openssl=/usr/bin/openssl sslcrtdir=/etc/apache2/ssl.crt sslcsrdir=/etc/apache2/ssl.csr sslkeydir=/etc/apache2/ssl.key sslprmdir=/etc/apache2/ssl.prm name="$CN-" # # CA # echo;myecho creating CA key ... (umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) cat >/root/.mkcert.cfg </root/.mkcert.cfg </root/.mkcert.cfg </root/.mkcert.serial myecho "creating server certificate ..." (umask 0377 ; $openssl x509 \ -extfile /root/.mkcert.cfg \ -days $srvdays \ -CAserial /root/.mkcert.serial \ -CA $sslcrtdir/${name}ca.crt \ -CAkey $sslkeydir/${name}ca.key \ -in $sslcsrdir/${name}server.csr -req \ -out $sslcrtdir/${name}server.crt || myexit $LINENO $?) rm -f /root/.mkcert.cfg echo;myecho "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?` modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?` if [ ".$modcrt" != ".$modkey" ]; then error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2 myexit $LINENO $? fi echo;myecho Verify: matching certificate signature $openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $? if [ $? -ne 0 ]; then error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2 myexit $LINENO $? fi echo;myecho generating dhparams and appending it to the server certificate file... openssl dhparam 2048 >> $sslcrtdir/${name}server.crt exit 0