226 lines
6.1 KiB
Bash
226 lines
6.1 KiB
Bash
#!/bin/bash
|
||
# Peter Poeml <apache@suse.de>
|
||
#
|
||
# Script to generate ssl keys for mod_ssl, without requiring user input
|
||
# most of it is copied from mkcert.sh of the mod_ssl distribution
|
||
#
|
||
# XXX This is just a hack, it won't be able to do anything you want!
|
||
#
|
||
|
||
function usage
|
||
{
|
||
cat <<-EOF
|
||
`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
|
||
You can change some defaults however.
|
||
It will overwrite /root/.mkcert.cfg
|
||
|
||
These options are recognized: Default:
|
||
|
||
-N comment "$comment"
|
||
-c country (two letters, e.g. DE) $C
|
||
-s state $ST
|
||
-l city $L
|
||
-o organisation "$O"
|
||
-u organisational unit "$U"
|
||
-n fully qualified domain name $CN (hostname -f)
|
||
-e email address of webmaster webmaster@$CN
|
||
-a subject alternative name $altName
|
||
-y days server cert is valid for $srvdays
|
||
-Y days CA cert is valid for $CAdays
|
||
-d run in debug mode
|
||
-h show usage
|
||
EOF
|
||
}
|
||
|
||
|
||
test -t && { BRIGHT='[01m'; RED='[31m'; NORMAL='[00m'; }
|
||
function myecho { echo $BRIGHT$@$NORMAL; }
|
||
function error { echo $RED$@$NORMAL; }
|
||
function myexit { error something ugly seems to have happened in line $1...; exit $2; }
|
||
|
||
hostname=/usr/bin/hostname
|
||
FQHOSTNAME=""
|
||
if [ -x $hostname ]; then
|
||
FQHOSTNAME=`$hostname -f 2>/dev/null`
|
||
# bsc#1035829
|
||
fqlength=`echo -n $FQHOSTNAME|wc -c`
|
||
if [ $fqlength -gt 64 ]; then
|
||
FQHOSTNAME=`$hostname 2>/dev/null`
|
||
fi
|
||
fi
|
||
# bsc#1057406
|
||
if [ -z $FQHOSTNAME ]; then
|
||
FQHOSTNAME='localhost'
|
||
fi
|
||
|
||
# defaults
|
||
comment="mod_ssl server certificate"
|
||
C=XY
|
||
ST=unknown
|
||
L=unknown
|
||
U="web server"
|
||
O="SUSE Linux Web Server"
|
||
CN=$FQHOSTNAME
|
||
email=webmaster@$FQHOSTNAME
|
||
altName=DNS:$CN
|
||
CAdays=$((365 * 6))
|
||
srvdays=$((365 * 2))
|
||
|
||
while getopts C:N:c:s:l:o:u:n:e:a:y:Y:dh OPT; do
|
||
case $OPT in
|
||
N) comment=$OPTARG;;
|
||
c) C=$OPTARG;;
|
||
s) ST=$OPTARG;;
|
||
l) L=$OPTARG;;
|
||
u) U=$OPTARG;;
|
||
o) O=$OPTARG;;
|
||
n) CN=$OPTARG;;
|
||
e) email=$OPTARG;;
|
||
a) altName=$OPTARG;;
|
||
y) srvdays=$OPTARG;;
|
||
Y) CAdays=$OPTARG;;
|
||
d) set -x;;
|
||
h) usage; exit 2;;
|
||
*) echo unrecognized option: $OPT; usage; exit 2;;
|
||
esac
|
||
done
|
||
|
||
GO_LEFT="\033[80D"
|
||
GO_MIDDLE="$GO_LEFT\033[15C"
|
||
for i in comment C ST L U O CN email altName srvdays CAdays; do
|
||
eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
|
||
done
|
||
|
||
|
||
openssl=/usr/bin/openssl
|
||
sslcrtdir=/etc/apache2/ssl.crt
|
||
sslcsrdir=/etc/apache2/ssl.csr
|
||
sslkeydir=/etc/apache2/ssl.key
|
||
sslprmdir=/etc/apache2/ssl.prm
|
||
|
||
name="$CN-"
|
||
|
||
#
|
||
# CA
|
||
#
|
||
echo;myecho creating CA key ...
|
||
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
|
||
|
||
cat >/root/.mkcert.cfg <<EOT
|
||
[ req ]
|
||
default_bits = 2048
|
||
default_keyfile = keyfile.pem
|
||
distinguished_name = req_distinguished_name
|
||
attributes = req_attributes
|
||
prompt = no
|
||
output_password = mypass
|
||
x509_extensions = req_v3_ca
|
||
|
||
[ req_distinguished_name ]
|
||
C = $C
|
||
ST = $ST
|
||
L = $L
|
||
O = $O
|
||
OU = CA
|
||
CN = $CN
|
||
emailAddress = $email
|
||
|
||
[ req_attributes ]
|
||
challengePassword = $RANDOM$RANDOMA challenge password
|
||
|
||
[req_v3_ca]
|
||
# bsc#1180530
|
||
basicConstraints = critical,CA:true
|
||
EOT
|
||
|
||
echo;myecho creating CA request/certificate ...
|
||
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
|
||
|
||
cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
|
||
|
||
#
|
||
# Server CERT
|
||
#
|
||
echo;myecho creating server key ...
|
||
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)
|
||
|
||
cat >/root/.mkcert.cfg <<EOT
|
||
[ req ]
|
||
default_bits = 2048
|
||
default_keyfile = keyfile.pem
|
||
distinguished_name = req_distinguished_name
|
||
attributes = req_attributes
|
||
prompt = no
|
||
output_password = mypass
|
||
req_extensions = x509v3
|
||
|
||
[ req_distinguished_name ]
|
||
C = $C
|
||
ST = $ST
|
||
L = $L
|
||
O = $O
|
||
OU = $U
|
||
CN = $CN
|
||
emailAddress = $email
|
||
|
||
[ x509v3 ]
|
||
subjectAltName = $altName
|
||
nsComment = $comment
|
||
nsCertType = server
|
||
|
||
[ req_attributes ]
|
||
challengePassword = $RANDOM$RANDOMA challenge password
|
||
EOT
|
||
|
||
echo;myecho creating server request ...
|
||
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
|
||
|
||
|
||
cat >/root/.mkcert.cfg <<EOT
|
||
extensions = x509v3
|
||
[ x509v3 ]
|
||
subjectAltName = $altName
|
||
nsComment = $comment
|
||
nsCertType = server
|
||
EOT
|
||
|
||
|
||
test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial
|
||
myecho "creating server certificate ..."
|
||
(umask 0377 ; $openssl x509 \
|
||
-extfile /root/.mkcert.cfg \
|
||
-days $srvdays \
|
||
-CAserial /root/.mkcert.serial \
|
||
-CA $sslcrtdir/${name}ca.crt \
|
||
-CAkey $sslkeydir/${name}ca.key \
|
||
-in $sslcsrdir/${name}server.csr -req \
|
||
-out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
|
||
|
||
rm -f /root/.mkcert.cfg
|
||
|
||
|
||
|
||
|
||
echo;myecho "Verify: matching certificate & key modulus"
|
||
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
|
||
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
|
||
|
||
if [ ".$modcrt" != ".$modkey" ]; then
|
||
error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
|
||
myexit $LINENO $?
|
||
fi
|
||
|
||
echo;myecho Verify: matching certificate signature
|
||
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
|
||
if [ $? -ne 0 ]; then
|
||
error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
|
||
myexit $LINENO $?
|
||
fi
|
||
|
||
echo;myecho generating dhparams and appending it to the server certificate file...
|
||
openssl dhparam 2048 >> $sslcrtdir/${name}server.crt
|
||
|
||
|
||
exit 0
|
||
|