2006-12-20 18:01:15 +01:00
|
|
|
|
#!/bin/bash
|
2007-03-20 01:13:36 +01:00
|
|
|
|
# Peter Poeml <apache@suse.de>
|
2006-12-20 18:01:15 +01:00
|
|
|
|
#
|
|
|
|
|
|
# Script to generate ssl keys for mod_ssl, without requiring user input
|
|
|
|
|
|
# most of it is copied from mkcert.sh of the mod_ssl distribution
|
|
|
|
|
|
#
|
|
|
|
|
|
# XXX This is just a hack, it won't be able to do anything you want!
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
function usage
|
|
|
|
|
|
{
|
|
|
|
|
|
cat <<-EOF
|
|
|
|
|
|
`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
|
|
|
|
|
|
You can change some defaults however.
|
|
|
|
|
|
It will overwrite /root/.mkcert.cfg
|
|
|
|
|
|
|
|
|
|
|
|
These options are recognized: Default:
|
|
|
|
|
|
|
|
|
|
|
|
-N comment "$comment"
|
|
|
|
|
|
-c country (two letters, e.g. DE) $C
|
|
|
|
|
|
-s state $ST
|
|
|
|
|
|
-l city $L
|
|
|
|
|
|
-o organisation "$O"
|
|
|
|
|
|
-u organisational unit "$U"
|
2015-10-26 09:39:01 +01:00
|
|
|
|
-n fully qualified domain name $CN (hostname -f)
|
2006-12-20 18:01:15 +01:00
|
|
|
|
-e email address of webmaster webmaster@$CN
|
2020-08-31 14:56:14 +02:00
|
|
|
|
-a subject alternative name $altName
|
2006-12-20 18:01:15 +01:00
|
|
|
|
-y days server cert is valid for $srvdays
|
|
|
|
|
|
-Y days CA cert is valid for $CAdays
|
|
|
|
|
|
-d run in debug mode
|
|
|
|
|
|
-h show usage
|
|
|
|
|
|
EOF
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
test -t && { BRIGHT='�[01m'; RED='�[31m'; NORMAL='�[00m'; }
|
|
|
|
|
|
function myecho { echo $BRIGHT$@$NORMAL; }
|
|
|
|
|
|
function error { echo $RED$@$NORMAL; }
|
|
|
|
|
|
function myexit { error something ugly seems to have happened in line $1...; exit $2; }
|
|
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
hostname=/usr/bin/hostname
|
|
|
|
|
|
FQHOSTNAME=""
|
|
|
|
|
|
if [ -x $hostname ]; then
|
|
|
|
|
|
FQHOSTNAME=`$hostname -f 2>/dev/null`
|
|
|
|
|
|
# bsc#1035829
|
|
|
|
|
|
fqlength=`echo -n $FQHOSTNAME|wc -c`
|
|
|
|
|
|
if [ $fqlength -gt 64 ]; then
|
|
|
|
|
|
FQHOSTNAME=`$hostname 2>/dev/null`
|
|
|
|
|
|
fi
|
|
|
|
|
|
fi
|
|
|
|
|
|
# bsc#1057406
|
|
|
|
|
|
if [ -z $FQHOSTNAME ]; then
|
|
|
|
|
|
FQHOSTNAME='localhost'
|
2017-06-02 09:45:40 +02:00
|
|
|
|
fi
|
|
|
|
|
|
|
2006-12-20 18:01:15 +01:00
|
|
|
|
# defaults
|
|
|
|
|
|
comment="mod_ssl server certificate"
|
|
|
|
|
|
C=XY
|
|
|
|
|
|
ST=unknown
|
|
|
|
|
|
L=unknown
|
|
|
|
|
|
U="web server"
|
2013-10-15 17:43:17 +02:00
|
|
|
|
O="SUSE Linux Web Server"
|
2006-12-20 18:01:15 +01:00
|
|
|
|
CN=$FQHOSTNAME
|
|
|
|
|
|
email=webmaster@$FQHOSTNAME
|
2020-08-31 14:56:14 +02:00
|
|
|
|
altName=DNS:$CN
|
2006-12-20 18:01:15 +01:00
|
|
|
|
CAdays=$((365 * 6))
|
|
|
|
|
|
srvdays=$((365 * 2))
|
|
|
|
|
|
|
2020-08-31 14:56:14 +02:00
|
|
|
|
while getopts C:N:c:s:l:o:u:n:e:a:y:Y:dh OPT; do
|
2006-12-20 18:01:15 +01:00
|
|
|
|
case $OPT in
|
|
|
|
|
|
N) comment=$OPTARG;;
|
|
|
|
|
|
c) C=$OPTARG;;
|
|
|
|
|
|
s) ST=$OPTARG;;
|
|
|
|
|
|
l) L=$OPTARG;;
|
|
|
|
|
|
u) U=$OPTARG;;
|
|
|
|
|
|
o) O=$OPTARG;;
|
|
|
|
|
|
n) CN=$OPTARG;;
|
|
|
|
|
|
e) email=$OPTARG;;
|
2020-08-31 14:56:14 +02:00
|
|
|
|
a) altName=$OPTARG;;
|
2006-12-20 18:01:15 +01:00
|
|
|
|
y) srvdays=$OPTARG;;
|
|
|
|
|
|
Y) CAdays=$OPTARG;;
|
|
|
|
|
|
d) set -x;;
|
|
|
|
|
|
h) usage; exit 2;;
|
|
|
|
|
|
*) echo unrecognized option: $OPT; usage; exit 2;;
|
|
|
|
|
|
esac
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
GO_LEFT="\033[80D"
|
|
|
|
|
|
GO_MIDDLE="$GO_LEFT\033[15C"
|
2020-08-31 14:56:14 +02:00
|
|
|
|
for i in comment C ST L U O CN email altName srvdays CAdays; do
|
2006-12-20 18:01:15 +01:00
|
|
|
|
eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
openssl=/usr/bin/openssl
|
|
|
|
|
|
sslcrtdir=/etc/apache2/ssl.crt
|
|
|
|
|
|
sslcsrdir=/etc/apache2/ssl.csr
|
|
|
|
|
|
sslkeydir=/etc/apache2/ssl.key
|
|
|
|
|
|
sslprmdir=/etc/apache2/ssl.prm
|
|
|
|
|
|
|
|
|
|
|
|
name="$CN-"
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
# CA
|
|
|
|
|
|
#
|
|
|
|
|
|
echo;myecho creating CA key ...
|
2017-10-17 14:46:25 +02:00
|
|
|
|
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
cat >/root/.mkcert.cfg <<EOT
|
2006-12-20 18:01:15 +01:00
|
|
|
|
[ req ]
|
2013-08-02 20:44:55 +02:00
|
|
|
|
default_bits = 2048
|
2006-12-20 18:01:15 +01:00
|
|
|
|
default_keyfile = keyfile.pem
|
|
|
|
|
|
distinguished_name = req_distinguished_name
|
|
|
|
|
|
attributes = req_attributes
|
|
|
|
|
|
prompt = no
|
|
|
|
|
|
output_password = mypass
|
2021-01-12 12:26:51 +01:00
|
|
|
|
x509_extensions = req_v3_ca
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
|
|
|
|
|
[ req_distinguished_name ]
|
|
|
|
|
|
C = $C
|
|
|
|
|
|
ST = $ST
|
|
|
|
|
|
L = $L
|
|
|
|
|
|
O = $O
|
|
|
|
|
|
OU = CA
|
|
|
|
|
|
CN = $CN
|
|
|
|
|
|
emailAddress = $email
|
|
|
|
|
|
|
|
|
|
|
|
[ req_attributes ]
|
2021-01-12 12:26:51 +01:00
|
|
|
|
challengePassword = $RANDOM$RANDOMA challenge password
|
|
|
|
|
|
|
|
|
|
|
|
[req_v3_ca]
|
|
|
|
|
|
# bsc#1180530
|
|
|
|
|
|
basicConstraints = critical,CA:true
|
2006-12-20 18:01:15 +01:00
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
|
|
echo;myecho creating CA request/certificate ...
|
2017-10-17 14:46:25 +02:00
|
|
|
|
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
# Server CERT
|
|
|
|
|
|
#
|
|
|
|
|
|
echo;myecho creating server key ...
|
2017-10-17 14:46:25 +02:00
|
|
|
|
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
cat >/root/.mkcert.cfg <<EOT
|
2006-12-20 18:01:15 +01:00
|
|
|
|
[ req ]
|
2013-08-02 20:44:55 +02:00
|
|
|
|
default_bits = 2048
|
2006-12-20 18:01:15 +01:00
|
|
|
|
default_keyfile = keyfile.pem
|
|
|
|
|
|
distinguished_name = req_distinguished_name
|
|
|
|
|
|
attributes = req_attributes
|
|
|
|
|
|
prompt = no
|
|
|
|
|
|
output_password = mypass
|
2017-10-17 14:46:25 +02:00
|
|
|
|
req_extensions = x509v3
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
|
|
|
|
|
[ req_distinguished_name ]
|
|
|
|
|
|
C = $C
|
|
|
|
|
|
ST = $ST
|
|
|
|
|
|
L = $L
|
|
|
|
|
|
O = $O
|
|
|
|
|
|
OU = $U
|
|
|
|
|
|
CN = $CN
|
|
|
|
|
|
emailAddress = $email
|
|
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
[ x509v3 ]
|
2020-08-31 14:56:14 +02:00
|
|
|
|
subjectAltName = $altName
|
2017-10-17 14:46:25 +02:00
|
|
|
|
nsComment = $comment
|
|
|
|
|
|
nsCertType = server
|
|
|
|
|
|
|
2006-12-20 18:01:15 +01:00
|
|
|
|
[ req_attributes ]
|
|
|
|
|
|
challengePassword = $RANDOM$RANDOMA challenge password
|
|
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
|
|
echo;myecho creating server request ...
|
2017-10-17 14:46:25 +02:00
|
|
|
|
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
|
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
cat >/root/.mkcert.cfg <<EOT
|
2006-12-20 18:01:15 +01:00
|
|
|
|
extensions = x509v3
|
|
|
|
|
|
[ x509v3 ]
|
2020-09-22 12:44:35 +02:00
|
|
|
|
subjectAltName = $altName
|
2006-12-20 18:01:15 +01:00
|
|
|
|
nsComment = $comment
|
|
|
|
|
|
nsCertType = server
|
|
|
|
|
|
EOT
|
|
|
|
|
|
|
|
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial
|
2006-12-20 18:01:15 +01:00
|
|
|
|
myecho "creating server certificate ..."
|
2012-07-27 13:17:03 +02:00
|
|
|
|
(umask 0377 ; $openssl x509 \
|
2017-10-17 14:46:25 +02:00
|
|
|
|
-extfile /root/.mkcert.cfg \
|
2006-12-20 18:01:15 +01:00
|
|
|
|
-days $srvdays \
|
2017-10-17 14:46:25 +02:00
|
|
|
|
-CAserial /root/.mkcert.serial \
|
2006-12-20 18:01:15 +01:00
|
|
|
|
-CA $sslcrtdir/${name}ca.crt \
|
|
|
|
|
|
-CAkey $sslkeydir/${name}ca.key \
|
|
|
|
|
|
-in $sslcsrdir/${name}server.csr -req \
|
2012-07-27 13:17:03 +02:00
|
|
|
|
-out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
2017-10-17 14:46:25 +02:00
|
|
|
|
rm -f /root/.mkcert.cfg
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo;myecho "Verify: matching certificate & key modulus"
|
|
|
|
|
|
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
|
|
|
|
|
|
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
|
|
|
|
|
|
|
|
|
|
|
|
if [ ".$modcrt" != ".$modkey" ]; then
|
2014-11-27 14:45:11 +01:00
|
|
|
|
error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
|
2006-12-20 18:01:15 +01:00
|
|
|
|
myexit $LINENO $?
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
echo;myecho Verify: matching certificate signature
|
|
|
|
|
|
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
|
|
|
|
|
|
if [ $? -ne 0 ]; then
|
2014-11-27 14:45:11 +01:00
|
|
|
|
error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
|
2006-12-20 18:01:15 +01:00
|
|
|
|
myexit $LINENO $?
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
2015-08-12 09:21:37 +02:00
|
|
|
|
echo;myecho generating dhparams and appending it to the server certificate file...
|
|
|
|
|
|
openssl dhparam 2048 >> $sslcrtdir/${name}server.crt
|
|
|
|
|
|
|
2006-12-20 18:01:15 +01:00
|
|
|
|
|
|
|
|
|
|
exit 0
|
|
|
|
|
|
|
