Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
apache2.12481
gensslcert
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gensslcert of Package apache2.12481
#!/bin/bash # Peter Poeml <apache@suse.de> # # Script to generate ssl keys for mod_ssl, without requiring user input # most of it is copied from mkcert.sh of the mod_ssl distribution # # XXX This is just a hack, it won't be able to do anything you want! # function usage { cat <<-EOF `basename $0` will generate a test certificate "the quick way", i.e. without interaction. You can change some defaults however. It will overwrite /root/.mkcert.cfg These options are recognized: Default: -N comment "$comment" -c country (two letters, e.g. DE) $C -s state $ST -l city $L -o organisation "$O" -u organisational unit "$U" -n fully qualified domain name $CN (hostname -f) -e email address of webmaster webmaster@$CN -y days server cert is valid for $srvdays -Y days CA cert is valid for $CAdays -d run in debug mode -h show usage EOF } test -t && { BRIGHT='[01m'; RED='[31m'; NORMAL='[00m'; } function myecho { echo $BRIGHT$@$NORMAL; } function error { echo $RED$@$NORMAL; } function myexit { error something ugly seems to have happened in line $1...; exit $2; } hostname=/usr/bin/hostname FQHOSTNAME="" if [ -x $hostname ]; then FQHOSTNAME=`$hostname -f 2>/dev/null` # bsc#1035829 fqlength=`echo -n $FQHOSTNAME|wc -c` if [ $fqlength -gt 64 ]; then FQHOSTNAME=`$hostname 2>/dev/null` fi fi # bsc#1057406 if [ -z $FQHOSTNAME ]; then FQHOSTNAME='localhost' fi # defaults comment="mod_ssl server certificate" C=XY ST=unknown L=unknown U="web server" O="SUSE Linux Web Server" CN=$FQHOSTNAME email=webmaster@$FQHOSTNAME CAdays=$((365 * 6)) srvdays=$((365 * 2)) while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do case $OPT in N) comment=$OPTARG;; c) C=$OPTARG;; s) ST=$OPTARG;; l) L=$OPTARG;; u) U=$OPTARG;; o) O=$OPTARG;; n) CN=$OPTARG;; e) email=$OPTARG;; y) srvdays=$OPTARG;; Y) CAdays=$OPTARG;; d) set -x;; h) usage; exit 2;; *) echo unrecognized option: $OPT; usage; exit 2;; esac done GO_LEFT="\033[80D" GO_MIDDLE="$GO_LEFT\033[15C" for i in comment C ST L U O CN email srvdays CAdays; do eval "echo -e $i\"$GO_MIDDLE\" \$$i;" done openssl=/usr/bin/openssl sslcrtdir=/etc/apache2/ssl.crt sslcsrdir=/etc/apache2/ssl.csr sslkeydir=/etc/apache2/ssl.key sslprmdir=/etc/apache2/ssl.prm name="$CN-" # # CA # echo;myecho creating CA key ... (umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) cat >/root/.mkcert.cfg <<EOT [ req ] default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = mypass [ req_distinguished_name ] C = $C ST = $ST L = $L O = $O OU = CA CN = $CN emailAddress = $email [ req_attributes ] challengePassword = $RANDOM$RANDOMA challenge password EOT echo;myecho creating CA request/certificate ... (umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?) cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt # # Server CERT # echo;myecho creating server key ... (umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?) cat >/root/.mkcert.cfg <<EOT [ req ] default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = mypass req_extensions = x509v3 [ req_distinguished_name ] C = $C ST = $ST L = $L O = $O OU = $U CN = $CN emailAddress = $email [ x509v3 ] subjectAltName = DNS:$CN nsComment = $comment nsCertType = server [ req_attributes ] challengePassword = $RANDOM$RANDOMA challenge password EOT echo;myecho creating server request ... (umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?) cat >/root/.mkcert.cfg <<EOT extensions = x509v3 [ x509v3 ] subjectAltName = DNS:$CN nsComment = $comment nsCertType = server EOT test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial myecho "creating server certificate ..." (umask 0377 ; $openssl x509 \ -extfile /root/.mkcert.cfg \ -days $srvdays \ -CAserial /root/.mkcert.serial \ -CA $sslcrtdir/${name}ca.crt \ -CAkey $sslkeydir/${name}ca.key \ -in $sslcsrdir/${name}server.csr -req \ -out $sslcrtdir/${name}server.crt || myexit $LINENO $?) rm -f /root/.mkcert.cfg echo;myecho "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?` modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?` if [ ".$modcrt" != ".$modkey" ]; then error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2 myexit $LINENO $? fi echo;myecho Verify: matching certificate signature $openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $? if [ $? -ne 0 ]; then error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2 myexit $LINENO $? fi echo;myecho generating dhparams and appending it to the server certificate file... openssl dhparam 2048 >> $sslcrtdir/${name}server.crt exit 0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor