#!/bin/bash
# Peter Poeml
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#
# What the surviving code does: creates an RSA CA key under
# $ROOT/etc/apache2/ssl.key, signs a server CSR with that CA into
# $ROOT/etc/apache2/ssl.crt, checks that certificate and key moduli match,
# verifies the chain, and appends DH parameters to the server certificate
# file.  Every path is prefixed with $ROOT (empty by default), so without
# ROOT set the script writes into the live system.
#
# NOTE(review): this copy is an extraction artifact.  The here-document
# bodies (the temporary .mkcert.cfg contents) and the CA-certificate,
# server-key and CSR generation steps between them did not survive; the
# residue is marked below and must be taken from the original script.
# The terminal escape sequences in BRIGHT/RED/NORMAL also appear stripped.

#######################################
# Print the usage text to stdout.
# Globals:   name comment C ST L U O CN srvdays CAdays (read; the values
#            shown are whatever has been parsed so far)
# Arguments: none
# Outputs:   usage text on stdout
#######################################
function usage {
  cat <<-EOF
`basename $0` will generate a test certificate "the quick way", i.e. without
interaction. You can change some defaults however.
It will overwrite /root/.mkcert.cfg

These options are recognized:                   Default:
-C Common name                                  "$name"
-N comment                                      "$comment"
-c country (two letters, e.g. DE)               $C
-s state                                        $ST
-l city                                         $L
-o organisation                                 "$O"
-u organisational unit                          "$U"
-n fully qualified domain name                  $CN (\$FQHOSTNAME)
-e email address of webmaster                   webmaster@$CN
-y days server cert is valid for                $srvdays
-Y days CA cert is valid for                    $CAdays
-d run in debug mode
-h show usage
EOF
}

# Colour codes for myecho/error.  `test -t` without a descriptor is the
# one-argument form of test (true for any non-empty string), so this is
# probably not the tty check it looks like -- TODO confirm against the
# original.  The escape sequences are empty in this copy anyway.
test -t && { BRIGHT=''; RED=''; NORMAL=''; }

#######################################
# Print a highlighted message to stdout.
# Globals:   BRIGHT NORMAL (read)
# Arguments: message words (unquoted $@: re-split and glob-expanded)
#######################################
function myecho { echo $BRIGHT$@$NORMAL; }

#######################################
# Print an error message -- to stdout, not stderr, unless the caller
# redirects it (see the modulus check below).
# Globals:   RED NORMAL (read)
# Arguments: message words
#######################################
function error { echo $RED$@$NORMAL; }

#######################################
# Report the failing line and exit.
# Arguments: $1 - line number ($LINENO at the call site)
#            $2 - exit status to propagate (callers pass $?)
# Returns:   does not return; exits with $2.  Two pitfalls visible at the
#            call sites below: when invoked inside ( ... ) or `...` the
#            exit only ends that subshell and the main script continues;
#            and when $? was just set by `error` (an echo) it is 0, so the
#            script exits successfully on a detected failure.
#######################################
function myexit { error something ugly seems to have happened in line $1...; exit $2; }

# Staging root (empty = live system).  Sourcing executes the config file's
# shell code; it is read from under $r, while HOSTNAME is read from the
# host's /etc, not $r/etc -- inconsistent when ROOT is set.
r=$ROOT
. $r/etc/sysconfig/network/config
FQHOSTNAME=`cat /etc/HOSTNAME`

# defaults
comment="mod_ssl server certificate"
name=
C=XY
ST=unknown
L=unknown
U="web server"
O="SUSE Linux Web Server"
CN=$FQHOSTNAME
email=webmaster@$FQHOSTNAME
CAdays=$((365 * 6))   # CA certificate lifetime in days
srvdays=$((365 * 2))  # server certificate lifetime in days

while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
  case $OPT in
    # Despite the usage text, -C is not the X.509 common name (that is -n);
    # it becomes a file-name prefix: ${name}ca.key, ${name}server.crt, ...
    C) name=$OPTARG-;;
    N) comment=$OPTARG;;
    c) C=$OPTARG;;
    s) ST=$OPTARG;;
    l) L=$OPTARG;;
    u) U=$OPTARG;;
    o) O=$OPTARG;;
    n) CN=$OPTARG;;
    e) email=$OPTARG;;
    y) srvdays=$OPTARG;;
    Y) CAdays=$OPTARG;;
    d) set -x;;
    h) usage; exit 2;;
    *) echo unrecognized option: $OPT; usage; exit 2;;
  esac
done

# Echo the effective settings, value aligned in a column via ANSI cursor
# movement (CSI 80D = back 80 columns, CSI 15C = forward 15).  The eval
# only serves as variable indirection: $i and $GO_MIDDLE are substituted
# before eval, and \$$i becomes $<name>, whose value is expanded exactly
# once and is not re-parsed as code (it is unquoted, though, so it is
# word-split, glob-expanded and run through echo -e).  ${!i} would do the
# same without eval.
GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
for i in comment name C ST L U O CN email srvdays CAdays; do
  eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
done

openssl=$r/usr/bin/openssl
sslcrtdir=$r/etc/apache2/ssl.crt
sslcsrdir=$r/etc/apache2/ssl.csr
sslkeydir=$r/etc/apache2/ssl.key
sslprmdir=$r/etc/apache2/ssl.prm   # not referenced in what survives of this copy

#
# CA
#
echo;myecho creating CA key ...
# umask 0377 inside the subshell makes the key file 0400 without touching
# the script's umask.  -rand only adds the two log files as extra seed
# material; on OpenSSL releases with an OS-seeded CSPRNG it is not what
# makes the key unpredictable.  myexit runs inside the ( ... ), so a
# failed genrsa ends only the subshell and the script carries on.
(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)

# NOTE(review): extraction residue.  In the original this was three
# `cat >$r/root/.mkcert.cfg <<EOF ... EOF` here-documents with the CA
# certificate, server key and CSR generation commands in between; only the
# redirection targets survived.  As written it truncates .mkcert.cfg and
# does nothing useful.  Recover the missing steps from the original before
# relying on this file.
cat >$r/root/.mkcert.cfg <$r/root/.mkcert.cfg <$r/root/.mkcert.cfg <$r/root/.mkcert.serial

myecho "creating server certificate ..."
# Sign the server CSR with the CA; -extfile supplies the extensions from
# the (lost) .mkcert.cfg here-document.  Same subshell caveat as above:
# a failure here does not stop the script.
(umask 0377 ; $openssl x509 \
  -extfile $r/root/.mkcert.cfg \
  -days $srvdays \
  -CAserial $r/root/.mkcert.serial \
  -CA $sslcrtdir/${name}ca.crt \
  -CAkey $sslkeydir/${name}ca.key \
  -in $sslcsrdir/${name}server.csr -req \
  -out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
rm -f $r/root/.mkcert.cfg

echo;myecho "Verify: matching certificate & key modulus"
# Both myexit calls sit inside backticks: on failure they exit only the
# command-substitution subshell, and since `error` prints to stdout the
# "something ugly" message is captured into modcrt/modkey instead of
# aborting.
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
# The leading '.' keeps the comparison well-formed when a modulus is empty.
if [ ".$modcrt" != ".$modkey" ]; then
  error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
  # $? here is the status of `error` (0): a mismatch exits with status 0.
  myexit $LINENO $?
fi

echo;myecho Verify: matching certificate signature
# On a failed verify, myexit exits the script here with verify's status.
# Older openssl versions reported verification failures only on stdout
# and exited 0 -- TODO confirm the exit status is meaningful for the
# installed version.
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
# Unreachable on failure: if execution gets here the line above succeeded,
# so $? is 0 and this branch never runs.
if [ $? -ne 0 ]; then
  error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
  myexit $LINENO $?
fi

echo;myecho generating dhparams and appending it to the server certificate file...
# Uses `openssl` from PATH rather than $openssl, and is not error-checked;
# a failure leaves the certificate file without DH parameters but the
# script still exits 0.
openssl dhparam 2048 >> $sslcrtdir/${name}server.crt

exit 0