apache2/gensslcert

202 lines
5.6 KiB
Plaintext
Raw Normal View History

#!/bin/bash
# Peter Poeml <apache@suse.de>
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#
function usage
{
cat <<-EOF
`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
You can change some defaults however.
It will overwrite /root/.mkcert.cfg
These options are recognized: Default:
-C Common name "$name"
-N comment "$comment"
-c country (two letters, e.g. DE) $C
-s state $ST
-l city $L
-o organisation "$O"
-u organisational unit "$U"
-n fully qualified domain name $CN (\$FQHOSTNAME)
-e email address of webmaster webmaster@$CN
-y days server cert is valid for $srvdays
-Y days CA cert is valid for $CAdays
-d run in debug mode
-h show usage
EOF
}
test -t && { BRIGHT=''; RED=''; NORMAL=''; }
function myecho { echo $BRIGHT$@$NORMAL; }
function error { echo $RED$@$NORMAL; }
function myexit { error something ugly seems to have happened in line $1...; exit $2; }
r=$ROOT
. $r/etc/sysconfig/network/config
FQHOSTNAME=`cat /etc/HOSTNAME`
# defaults
comment="mod_ssl server certificate"
name=
C=XY
ST=unknown
L=unknown
U="web server"
O="SUSE Linux Web Server"
CN=$FQHOSTNAME
email=webmaster@$FQHOSTNAME
CAdays=$((365 * 6))
srvdays=$((365 * 2))
while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
case $OPT in
C) name=$OPTARG-;;
N) comment=$OPTARG;;
c) C=$OPTARG;;
s) ST=$OPTARG;;
l) L=$OPTARG;;
u) U=$OPTARG;;
o) O=$OPTARG;;
n) CN=$OPTARG;;
e) email=$OPTARG;;
y) srvdays=$OPTARG;;
Y) CAdays=$OPTARG;;
d) set -x;;
h) usage; exit 2;;
*) echo unrecognized option: $OPT; usage; exit 2;;
esac
done
GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
for i in comment name C ST L U O CN email srvdays CAdays; do
eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
done
openssl=$r/usr/bin/openssl
sslcrtdir=$r/etc/apache2/ssl.crt
sslcsrdir=$r/etc/apache2/ssl.csr
sslkeydir=$r/etc/apache2/ssl.key
sslprmdir=$r/etc/apache2/ssl.prm
#
# CA
#
echo;myecho creating CA key ...
(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
cat >$r/root/.mkcert.cfg <<EOT
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = CA
CN = $CN
emailAddress = $email
[ req_attributes ]
challengePassword = $RANDOM$RANDOMA challenge password
EOT
echo;myecho creating CA request/certificate ...
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
cp -pv $sslcrtdir/${name}ca.crt $r/srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
#
# Server CERT
#
echo;myecho creating server key ...
(umask 0377 ; $openssl genrsa -rand $r/etc/rc.config:$r/var/log/messages -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)
cat >$r/root/.mkcert.cfg <<EOT
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = $U
CN = $CN
emailAddress = $email
[ req_attributes ]
challengePassword = $RANDOM$RANDOMA challenge password
EOT
echo;myecho creating server request ...
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
cat >$r/root/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
nsComment = $comment
nsCertType = server
EOT
test -f $r/root/.mkcert.serial || echo 01 >$r/root/.mkcert.serial
myecho "creating server certificate ..."
(umask 0377 ; $openssl x509 \
-extfile $r/root/.mkcert.cfg \
-days $srvdays \
-CAserial $r/root/.mkcert.serial \
-CA $sslcrtdir/${name}ca.crt \
-CAkey $sslkeydir/${name}ca.key \
-in $sslcsrdir/${name}server.csr -req \
-out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
rm -f $r/root/.mkcert.cfg
echo;myecho "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
if [ ".$modcrt" != ".$modkey" ]; then
error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
echo;myecho Verify: matching certificate signature
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
if [ $? -ne 0 ]; then
error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
echo;myecho generating dhparams and appending it to the server certificate file...
openssl dhparam 2048 >> $sslcrtdir/${name}server.crt
exit 0