#!/bin/bash
# Peter Poeml <apache@suse.de>
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#
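# Print the option summary to stdout, showing the current value of each
# default. The defaults are assigned before getopts runs, so "-h" reports
# what the script would actually use.
function usage
{
  cat <<EOF
${0##*/} will generate a test certificate "the quick way", i.e. without interaction.
You can change some defaults however.
It will overwrite /root/.mkcert.cfg

These options are recognized:           Default:

  -N  comment                           "$comment"
  -c  country (two letters, e.g. DE)    $C
  -s  state                             $ST
  -l  city                              $L
  -o  organisation                      "$O"
  -u  organisational unit               "$U"
  -n  fully qualified domain name       $CN (hostname -f)
  -e  email address of webmaster        webmaster@$CN
  -a  subject alternative name          $altName
  -y  days server cert is valid for     $srvdays
  -Y  days CA cert is valid for         $CAdays
  -d  run in debug mode (set -x)
  -h  show usage
EOF
}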
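# Use colours only when stdout is a terminal. "test -t" without a descriptor
# is the one-argument string test ("is -t non-empty") and therefore always
# true; name fd 1 explicitly. $'\033' spells the escape byte out instead of
# embedding a raw ESC in the source.
if [ -t 1 ]; then
  BRIGHT=$'\033[01m'; RED=$'\033[31m'; NORMAL=$'\033[00m'
else
  BRIGHT=''; RED=''; NORMAL=''
fi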
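# Print a highlighted progress message on stdout.
# Arguments: the message words, joined with single spaces. printf with "$*"
# keeps the text out of echo's option parsing and stops the shell from
# globbing or re-splitting it (the unquoted $@ did both).
function myecho { printf '%s%s%s\n' "$BRIGHT" "$*" "$NORMAL"; }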
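# Print a red error message. Diagnostics go to stderr so they are not mixed
# into stdout (callers that already redirect with 1>&2 keep working).
# Arguments: the message words, joined with single spaces.
function error { printf '%s%s%s\n' "$RED" "$*" "$NORMAL" >&2; }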
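# Abort the script after announcing where it went wrong.
# Arguments: $1 line number ($LINENO at the call site)
#            $2 exit status to propagate
# A missing, non-numeric or zero status becomes 1: callers pass "$?", and when
# that happens to be the status of a preceding message it is 0, which would
# report success right after printing an error.
function myexit {
  local rc=${2:-1}
  error "something ugly seems to have happened in line $1..."
  case $rc in
    ''|*[!0-9]*|0) rc=1;;
  esac
  exit "$rc"
}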
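hostname=/usr/bin/hostname

# Default common name: the FQDN when available, the short host name when the
# FQDN would not fit the 64-character X.509 commonName limit (bsc#1035829),
# and "localhost" when no name can be determined at all (bsc#1057406).
FQHOSTNAME=""
if [ -x "$hostname" ]; then
  FQHOSTNAME=$("$hostname" -f 2>/dev/null)
  # bsc#1035829
  if [ "${#FQHOSTNAME}" -gt 64 ]; then
    FQHOSTNAME=$("$hostname" 2>/dev/null)
  fi
fi
# bsc#1057406
if [ -z "$FQHOSTNAME" ]; then
  FQHOSTNAME='localhost'
fi

# defaults; each can be overridden on the command line
comment="mod_ssl server certificate"
C=XY
ST=unknown
L=unknown
U="web server"
O="SUSE Linux Web Server"
CN=$FQHOSTNAME
email=webmaster@$FQHOSTNAME
altName=DNS:$CN
CAdays=$((365 * 6))
srvdays=$((365 * 2))
# email and altName are derived from CN unless given explicitly; remember
# whether they were, so that "-n name" alone moves them to the new name too
# (before, -n changed only the CN and the SAN kept the old host name).
email_given=""
altName_given=""

while getopts C:N:c:s:l:o:u:n:e:a:y:Y:dh OPT; do
  case $OPT in
    N) comment=$OPTARG;;
    c) C=$OPTARG;;
    s) ST=$OPTARG;;
    l) L=$OPTARG;;
    u) U=$OPTARG;;
    o) O=$OPTARG;;
    n) CN=$OPTARG;;
    e) email=$OPTARG; email_given=1;;
    a) altName=$OPTARG; altName_given=1;;
    y) srvdays=$OPTARG;;
    Y) CAdays=$OPTARG;;
    d) set -x;;
    h) usage; exit 2;;
    *) echo "unrecognized option: $OPT" >&2; usage >&2; exit 2;;
  esac
done
[ -n "$email_given" ] || email=webmaster@$CN
[ -n "$altName_given" ] || altName=DNS:$CN

# CN becomes part of the file names under /etc/apache2 (see $name below), so
# refuse values that would leave those directories or break on whitespace.
case $CN in
  ''|*/*|*[[:space:]]*)
    error "gensslcert:Error: invalid common name '$CN'" 1>&2
    exit 2;;
esac
for v in srvdays CAdays; do
  case ${!v} in
    ''|*[!0-9]*) days_ok="";;
    *) days_ok=1;;
  esac
  if [ -z "$days_ok" ] || [ "${!v}" -le 0 ]; then
    error "gensslcert:Error: -y/-Y expect a positive number of days, got '${!v}'" 1>&2
    exit 2
  fi
done

GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
# Show the effective settings as a two-column table. ${!i} expands the
# variable named by $i directly instead of pushing user-supplied values
# through eval.
for i in comment C ST L U O CN email altName srvdays CAdays; do
  printf '%s%b %s\n' "$i" "$GO_MIDDLE" "${!i}"
done

# Everything below writes to /etc/apache2 and /root, i.e. this runs as root.
openssl=/usr/bin/openssl
sslcrtdir=/etc/apache2/ssl.crt
sslcsrdir=/etc/apache2/ssl.csr
sslkeydir=/etc/apache2/ssl.key
htdocs=/srv/www/htdocs
cfg=/root/.mkcert.cfg
serial=/root/.mkcert.serial

[ -x "$openssl" ] || { error "gensslcert:Error: $openssl not found" 1>&2; exit 1; }
for d in "$sslkeydir" "$sslcsrdir" "$sslcrtdir"; do
  [ -d "$d" ] || { error "gensslcert:Error: directory $d does not exist" 1>&2; exit 1; }
done

name="$CN-"

# The scratch OpenSSL config is documented to be overwritten, not kept; make
# sure it does not linger after a failure either.
trap 'rm -f "$cfg"' EXIT

# X.509v3 extensions for the server certificate. The same section goes into
# the CSR and, as the copy that actually matters, into the extfile used when
# signing. basicConstraints, the key identifier and extendedKeyUsage are what
# current TLS clients expect on a leaf certificate; nsComment/nsCertType are
# kept so the output stays compatible with what this script produced before.
server_ext="[ x509v3 ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
extendedKeyUsage = serverAuth
subjectAltName = $altName
nsComment = $comment
nsCertType = server"

#
# CA
#
echo; myecho "creating CA key ..."
# umask 0377 makes the key 0400 from the moment it exists. The || sits
# outside the parentheses on purpose: an exit inside the subshell would only
# end the subshell and the script would carry on without a key.
(umask 0377; "$openssl" genrsa -rand /dev/urandom -out "$sslkeydir/${name}ca.key" 2048) || myexit $LINENO $?

# No default_keyfile/output_password: the key is handed in with -key, so req
# never writes (let alone encrypts) one.
cat >"$cfg" <<EOT
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
x509_extensions = req_v3_ca

[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = CA
CN = $CN
emailAddress = $email

[ req_attributes ]
challengePassword = ${RANDOM}${RANDOM} challenge password

[req_v3_ca]
# bsc#1180530
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOT

echo; myecho "creating CA request/certificate ..."
(umask 0377; "$openssl" req -config "$cfg" -new -x509 -sha256 -days "$CAdays" \
  -key "$sslkeydir/${name}ca.key" -out "$sslcrtdir/${name}ca.crt") || myexit $LINENO $?

# Publish the (public) CA certificate in the DocumentRoot so clients can fetch
# and import it. The copy has to be readable by the web server: the original
# is 0400 because of the umask above, so its mode is deliberately not
# preserved. Best effort, as before.
pubca="$htdocs/$(printf '%s' "$name" | tr 'a-z' 'A-Z')CA.crt"
if [ -d "$htdocs" ]; then
  if cp -v "$sslcrtdir/${name}ca.crt" "$pubca"; then
    chmod 0644 "$pubca"
  else
    error "gensslcert:Warning: could not publish CA certificate to $pubca" 1>&2
  fi
else
  error "gensslcert:Warning: $htdocs does not exist, CA certificate not published" 1>&2
fi

#
# Server CERT
#
echo; myecho "creating server key ..."
(umask 0377; "$openssl" genrsa -rand /dev/urandom -out "$sslkeydir/${name}server.key" 2048) || myexit $LINENO $?

cat >"$cfg" <<EOT
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
req_extensions = x509v3

[ req_distinguished_name ]
C = $C
ST = $ST
L = $L
O = $O
OU = $U
CN = $CN
emailAddress = $email

$server_ext

[ req_attributes ]
challengePassword = ${RANDOM}${RANDOM} challenge password
EOT

echo; myecho "creating server request ..."
(umask 0377; "$openssl" req -config "$cfg" -new -sha256 \
  -key "$sslkeydir/${name}server.key" -out "$sslcsrdir/${name}server.csr") || myexit $LINENO $?

# Extensions for the signing step: "openssl x509 -extfile" looks for an
# "extensions" variable in the default section naming the section to use.
cat >"$cfg" <<EOT
extensions = x509v3
$server_ext
EOT

test -f "$serial" || echo 01 >"$serial"
myecho "creating server certificate ..."
(umask 0377; "$openssl" x509 -req -sha256 \
  -extfile "$cfg" \
  -days "$srvdays" \
  -CAserial "$serial" \
  -CA "$sslcrtdir/${name}ca.crt" \
  -CAkey "$sslkeydir/${name}ca.key" \
  -in "$sslcsrdir/${name}server.csr" \
  -out "$sslcrtdir/${name}server.crt") || myexit $LINENO $?

echo; myecho "Verify: matching certificate & key modulus"
modcrt=$("$openssl" x509 -noout -modulus -in "$sslcrtdir/${name}server.crt") || myexit $LINENO $?
modkey=$("$openssl" rsa -noout -modulus -in "$sslkeydir/${name}server.key") || myexit $LINENO $?
modcrt=${modcrt#*Modulus=}
modkey=${modkey#*Modulus=}
if [ -z "$modcrt" ] || [ "$modcrt" != "$modkey" ]; then
  error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
  # not "$?" here: that would be the status of the message above, i.e. 0
  myexit $LINENO 1
fi

echo; myecho "Verify: matching certificate signature"
if ! "$openssl" verify -CAfile "$sslcrtdir/${name}ca.crt" "$sslcrtdir/${name}server.crt"; then
  error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
  myexit $LINENO 1
fi

echo; myecho "generating dhparams and appending it to the server certificate file..."
# mod_ssl picks DH parameters up from the certificate file, hence the append.
# Generating a 2048-bit group can take a while.
"$openssl" dhparam 2048 >>"$sslcrtdir/${name}server.crt" || myexit $LINENO $?

exit 0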