pool/apache2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5bf56b4f63
apache2/gensslcert
Petr Gajdos a7a85e96b3 - gensslcert: 
* set also SAN [bsc#1045159]
  * drop -C argument, it was not mapped to CN actually
  * consider also case when hostname does return empty string or 
    does not exist [bsc#1057406]
  * do not consider environment ROOT variable

OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=529
2017-10-17 12:46:25 +00:00

218 lines
5.9 KiB
Bash
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
# Peter Poeml <apache@suse.de>
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#
function usage
{
cat <<-EOF
`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
You can change some defaults however.
It will overwrite /root/.mkcert.cfg
These options are recognized: Default:
-N comment "$comment"
-c country (two letters, e.g. DE) $C
-s state $ST
-l city $L
-o organisation "$O"
-u organisational unit "$U"
-n fully qualified domain name $CN (hostname -f)
-e email address of webmaster webmaster@$CN
-y days server cert is valid for $srvdays
-Y days CA cert is valid for $CAdays
-d run in debug mode
-h show usage
EOF
}
test -t && { BRIGHT=''; RED=''; NORMAL=''; }
function myecho { echo $BRIGHT$@$NORMAL; }
function error { echo $RED$@$NORMAL; }
function myexit { error something ugly seems to have happened in line $1...; exit $2; }
hostname=/usr/bin/hostname
FQHOSTNAME=""
if [ -x $hostname ]; then
FQHOSTNAME=`$hostname -f 2>/dev/null`
# bsc#1035829
fqlength=`echo -n $FQHOSTNAME|wc -c`
if [ $fqlength -gt 64 ]; then
FQHOSTNAME=`$hostname 2>/dev/null`
fi
fi
# bsc#1057406
if [ -z $FQHOSTNAME ]; then
FQHOSTNAME='localhost'
fi
# defaults
comment="mod_ssl server certificate"
C=XY
ST=unknown
L=unknown
U="web server"
O="SUSE Linux Web Server"
CN=$FQHOSTNAME
email=webmaster@$FQHOSTNAME
CAdays=$((365 * 6))
srvdays=$((365 * 2))
while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
case $OPT in
N) comment=$OPTARG;;
c) C=$OPTARG;;
s) ST=$OPTARG;;
l) L=$OPTARG;;
u) U=$OPTARG;;
o) O=$OPTARG;;
n) CN=$OPTARG;;
e) email=$OPTARG;;
y) srvdays=$OPTARG;;
Y) CAdays=$OPTARG;;
d) set -x;;
h) usage; exit 2;;
*) echo unrecognized option: $OPT; usage; exit 2;;
esac
done
GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
for i in comment C ST L U O CN email srvdays CAdays; do
eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
done
openssl=/usr/bin/openssl
sslcrtdir=/etc/apache2/ssl.crt
sslcsrdir=/etc/apache2/ssl.csr
sslkeydir=/etc/apache2/ssl.key
sslprmdir=/etc/apache2/ssl.prm
name="$CN-"
#
# CA
#
echo;myecho creating CA key ...
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
cat >/root/.mkcert.cfg <<EOT
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = CA
CN = $CN
emailAddress = $email
[ req_attributes ]
challengePassword = $RANDOM$RANDOMA challenge password
EOT
echo;myecho creating CA request/certificate ...
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
#
# Server CERT
#
echo;myecho creating server key ...
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)
cat >/root/.mkcert.cfg <<EOT
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
req_extensions = x509v3
[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = $U
CN = $CN
emailAddress = $email
[ x509v3 ]
subjectAltName = DNS:$CN
nsComment = $comment
nsCertType = server
[ req_attributes ]
challengePassword = $RANDOM$RANDOMA challenge password
EOT
echo;myecho creating server request ...
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
cat >/root/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = DNS:$CN
nsComment = $comment
nsCertType = server
EOT
test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial
myecho "creating server certificate ..."
(umask 0377 ; $openssl x509 \
-extfile /root/.mkcert.cfg \
-days $srvdays \
-CAserial /root/.mkcert.serial \
-CA $sslcrtdir/${name}ca.crt \
-CAkey $sslkeydir/${name}ca.key \
-in $sslcsrdir/${name}server.csr -req \
-out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
rm -f /root/.mkcert.cfg
echo;myecho "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
if [ ".$modcrt" != ".$modkey" ]; then
error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
echo;myecho Verify: matching certificate signature
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
if [ $? -ne 0 ]; then
error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
echo;myecho generating dhparams and appending it to the server certificate file...
openssl dhparam 2048 >> $sslcrtdir/${name}server.crt
exit 0
Reference in New Issue View Git Blame Copy Permalink