apache2/gensslcert
Roman Drahtmueller 9386014e7c Accepting request 128919 from home:saschpe:branches:Apache
- gensslcert: Use 0400 permissions for generated SSL certificate files
  instead of 0644

OBS-URL: https://build.opensuse.org/request/show/128919
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=368
2012-07-27 11:17:03 +00:00

199 lines
5.5 KiB
Bash
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
# Peter Poeml <apache@suse.de>
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#
function usage
{
cat <<-EOF
`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
You can change some defaults however.
It will overwrite /root/.mkcert.cfg
These options are recognized: Default:
-C Common name "$name"
-N comment "$comment"
-c country (two letters, e.g. DE) $C
-s state $ST
-l city $L
-o organisation "$O"
-u organisational unit "$U"
-n fully qualified domain name $CN (\$FQHOSTNAME)
-e email address of webmaster webmaster@$CN
-y days server cert is valid for $srvdays
-Y days CA cert is valid for $CAdays
-d run in debug mode
-h show usage
EOF
}
test -t && { BRIGHT=''; RED=''; NORMAL=''; }
function myecho { echo $BRIGHT$@$NORMAL; }
function error { echo $RED$@$NORMAL; }
function myexit { error something ugly seems to have happened in line $1...; exit $2; }
r=$ROOT
. $r/etc/sysconfig/network/config
FQHOSTNAME=`cat /etc/HOSTNAME`
# defaults
comment="mod_ssl server certificate"
name=
C=XY
ST=unknown
L=unknown
U="web server"
O="SuSE Linux Web Server"
CN=$FQHOSTNAME
email=webmaster@$FQHOSTNAME
CAdays=$((365 * 6))
srvdays=$((365 * 2))
while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
case $OPT in
C) name=$OPTARG-;;
N) comment=$OPTARG;;
c) C=$OPTARG;;
s) ST=$OPTARG;;
l) L=$OPTARG;;
u) U=$OPTARG;;
o) O=$OPTARG;;
n) CN=$OPTARG;;
e) email=$OPTARG;;
y) srvdays=$OPTARG;;
Y) CAdays=$OPTARG;;
d) set -x;;
h) usage; exit 2;;
*) echo unrecognized option: $OPT; usage; exit 2;;
esac
done
GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
for i in comment name C ST L U O CN email srvdays CAdays; do
eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
done
openssl=$r/usr/bin/openssl
sslcrtdir=$r/etc/apache2/ssl.crt
sslcsrdir=$r/etc/apache2/ssl.csr
sslkeydir=$r/etc/apache2/ssl.key
sslprmdir=$r/etc/apache2/ssl.prm
#
# CA
#
echo;myecho creating CA key ...
(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
cat >$r/root/.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = CA
CN = $CN
emailAddress = $email
[ req_attributes ]
challengePassword = $RANDOM$RANDOMA challenge password
EOT
echo;myecho creating CA request/certificate ...
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
cp -pv $sslcrtdir/${name}ca.crt $r/srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
#
# Server CERT
#
echo;myecho creating server key ...
(umask 0377 ; $openssl genrsa -rand $r/etc/rc.config:$r/var/log/messages -out $sslkeydir/${name}server.key 1024 || myexit $LINENO $?)
cat >$r/root/.mkcert.cfg <<EOT
[ req ]
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = $U
CN = $CN
emailAddress = $email
[ req_attributes ]
challengePassword = $RANDOM$RANDOMA challenge password
EOT
echo;myecho creating server request ...
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
cat >$r/root/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
nsComment = $comment
nsCertType = server
EOT
test -f $r/root/.mkcert.serial || echo 01 >$r/root/.mkcert.serial
myecho "creating server certificate ..."
(umask 0377 ; $openssl x509 \
-extfile $r/root/.mkcert.cfg \
-days $srvdays \
-CAserial $r/root/.mkcert.serial \
-CA $sslcrtdir/${name}ca.crt \
-CAkey $sslkeydir/${name}ca.key \
-in $sslcsrdir/${name}server.csr -req \
-out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
rm -f $r/root/.mkcert.cfg
echo;myecho "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
if [ ".$modcrt" != ".$modkey" ]; then
error "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
echo;myecho Verify: matching certificate signature
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
if [ $? -ne 0 ]; then
error "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
exit 0