apache2/gensslcert

#!/bin/bash
# Peter Poeml <apache@suse.de>
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#

function usage
{
	cat <<-EOF
	`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
	You can change some defaults however.
	It will overwrite /root/.mkcert.cfg

	These options are recognized:		Default:

	-N	comment				"$comment"
	-c	country (two letters, e.g. DE)	$C
	-s	state				$ST
	-l 	city				$L
	-o 	organisation			"$O"
	-u 	organisational unit		"$U"
	-n	fully qualified domain name	$CN (hostname -f)
	-e 	email address of webmaster	webmaster@$CN
	-y      days server cert is valid for   $srvdays
	-Y      days CA cert is valid for       $CAdays
	-d	run in debug mode			
	-h      show usage
	EOF
}


test -t && { BRIGHT=''; RED=''; NORMAL=''; }
function myecho { echo $BRIGHT$@$NORMAL; }
function error { echo $RED$@$NORMAL; }
function myexit { error something ugly seems to have happened in line $1...; exit $2; }

hostname=/usr/bin/hostname
FQHOSTNAME=""
if [ -x $hostname ]; then
    FQHOSTNAME=`$hostname -f 2>/dev/null`
    # bsc#1035829
    fqlength=`echo -n $FQHOSTNAME|wc -c`
    if [ $fqlength -gt 64 ]; then
        FQHOSTNAME=`$hostname 2>/dev/null`
    fi
fi
# bsc#1057406
if [ -z $FQHOSTNAME ]; then
    FQHOSTNAME='localhost'
fi

# defaults
  comment="mod_ssl server certificate"
        C=XY
       ST=unknown
        L=unknown
        U="web server"
	O="SUSE Linux Web Server"
       CN=$FQHOSTNAME
    email=webmaster@$FQHOSTNAME
   CAdays=$((365 * 6))
  srvdays=$((365 * 2))

while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
    case $OPT in
        N) comment=$OPTARG;;
        c) C=$OPTARG;;
        s) ST=$OPTARG;;
        l) L=$OPTARG;;
        u) U=$OPTARG;;
        o) O=$OPTARG;;
        n) CN=$OPTARG;;
        e) email=$OPTARG;;
	y) srvdays=$OPTARG;;
	Y) CAdays=$OPTARG;;
        d) set -x;;
	h) usage; exit 2;;
        *) echo unrecognized option: $OPT; usage; exit 2;;
    esac
done

GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
for i in comment C ST L U O CN email srvdays CAdays; do 
	eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
done


openssl=/usr/bin/openssl
sslcrtdir=/etc/apache2/ssl.crt
sslcsrdir=/etc/apache2/ssl.csr
sslkeydir=/etc/apache2/ssl.key
sslprmdir=/etc/apache2/ssl.prm

name="$CN-"

#
# CA
#
echo;myecho creating CA key ...
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)

cat >/root/.mkcert.cfg <<EOT
[ req ]
default_bits           = 2048
default_keyfile        = keyfile.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no
output_password        = mypass

[ req_distinguished_name ]
C                      = $C
ST                     = $ST
L                      = $L
O                      = $O
OU                     = CA
CN                     = $CN
emailAddress           = $email

[ req_attributes ]
challengePassword              = $RANDOM$RANDOMA challenge password
EOT

echo;myecho creating CA request/certificate ...
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)

cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt

#
# Server CERT
#
echo;myecho creating server key ...
(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)

cat >/root/.mkcert.cfg <<EOT
[ req ]
default_bits           = 2048
default_keyfile        = keyfile.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no
output_password        = mypass
req_extensions         = x509v3

[ req_distinguished_name ]
C                      = $C
ST                     = $ST
L                      = $L
O                      = $O
OU                     = $U
CN                     = $CN
emailAddress           = $email

[ x509v3 ]
subjectAltName         = DNS:$CN
nsComment              = $comment
nsCertType             = server

[ req_attributes ]
challengePassword              = $RANDOM$RANDOMA challenge password
EOT

echo;myecho creating server request ...
(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)


cat >/root/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = DNS:$CN
nsComment        = $comment
nsCertType       = server
EOT


test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial
myecho "creating server certificate ..."
(umask 0377 ; $openssl x509 					\
	-extfile /root/.mkcert.cfg 			\
	-days $srvdays 				\
	-CAserial /root/.mkcert.serial 		\
	-CA $sslcrtdir/${name}ca.crt       	\
	-CAkey $sslkeydir/${name}ca.key   	\
	-in $sslcsrdir/${name}server.csr -req 	\
        -out $sslcrtdir/${name}server.crt || myexit $LINENO $?)

rm -f /root/.mkcert.cfg




echo;myecho "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`

if [ ".$modcrt" != ".$modkey" ]; then
    error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
    myexit $LINENO $?
fi

echo;myecho Verify: matching certificate signature
    $openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
if [ $? -ne 0 ]; then
    error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
    myexit $LINENO $?
fi

echo;myecho generating dhparams and appending it to the server certificate file...
openssl dhparam 2048  >> $sslcrtdir/${name}server.crt


exit 0