Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
apache2.34444
gensslcert
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gensslcert of Package apache2.34444
#!/bin/bash # Peter Poeml <apache@suse.de> # # Script to generate ssl keys for mod_ssl, without requiring user input # most of it is copied from mkcert.sh of the mod_ssl distribution # # XXX This is just a hack, it won't be able to do anything you want! # function usage { cat <<-EOF `basename $0` will generate a test certificate "the quick way", i.e. without interaction. You can change some defaults however. It will overwrite /root/.mkcert.cfg These options are recognized: Default: -N comment "$comment" -c country (two letters, e.g. DE) $C -s state $ST -l city $L -o organisation "$O" -u organisational unit "$U" -n fully qualified domain name $CN (hostname -f) -e email address of webmaster webmaster@$CN -a subject alternative name $altName -y days server cert is valid for $srvdays -Y days CA cert is valid for $CAdays -d run in debug mode -h show usage EOF } test -t && { BRIGHT='[01m'; RED='[31m'; NORMAL='[00m'; } function myecho { echo $BRIGHT$@$NORMAL; } function error { echo $RED$@$NORMAL; } function myexit { error something ugly seems to have happened in line $1...; exit $2; } hostname=/usr/bin/hostname FQHOSTNAME="" if [ -x $hostname ]; then FQHOSTNAME=`$hostname -f 2>/dev/null` # bsc#1035829 fqlength=`echo -n $FQHOSTNAME|wc -c` if [ $fqlength -gt 64 ]; then FQHOSTNAME=`$hostname 2>/dev/null` fi fi # bsc#1057406 if [ -z $FQHOSTNAME ]; then FQHOSTNAME='localhost' fi # defaults comment="mod_ssl server certificate" C=XY ST=unknown L=unknown U="web server" O="SUSE Linux Web Server" CN=$FQHOSTNAME email=webmaster@$FQHOSTNAME altName=DNS:$CN CAdays=$((365 * 6)) srvdays=$((365 * 2)) while getopts C:N:c:s:l:o:u:n:e:a:y:Y:dh OPT; do case $OPT in N) comment=$OPTARG;; c) C=$OPTARG;; s) ST=$OPTARG;; l) L=$OPTARG;; u) U=$OPTARG;; o) O=$OPTARG;; n) CN=$OPTARG;; e) email=$OPTARG;; a) altName=$OPTARG;; y) srvdays=$OPTARG;; Y) CAdays=$OPTARG;; d) set -x;; h) usage; exit 2;; *) echo unrecognized option: $OPT; usage; exit 2;; esac done GO_LEFT="\033[80D" GO_MIDDLE="$GO_LEFT\033[15C" for i in comment C ST L U O CN email altName srvdays CAdays; do eval "echo -e $i\"$GO_MIDDLE\" \$$i;" done openssl=/usr/bin/openssl sslcrtdir=/etc/apache2/ssl.crt sslcsrdir=/etc/apache2/ssl.csr sslkeydir=/etc/apache2/ssl.key sslprmdir=/etc/apache2/ssl.prm name="$CN-" # # CA # echo;myecho creating CA key ... (umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) cat >/root/.mkcert.cfg <<EOT [ req ] default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = mypass x509_extensions = req_v3_ca [ req_distinguished_name ] C = $C ST = $ST L = $L O = $O OU = CA CN = $CN emailAddress = $email [ req_attributes ] challengePassword = $RANDOM$RANDOMA challenge password [req_v3_ca] # bsc#1180530 basicConstraints = critical,CA:true EOT echo;myecho creating CA request/certificate ... (umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?) cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt # # Server CERT # echo;myecho creating server key ... (umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?) cat >/root/.mkcert.cfg <<EOT [ req ] default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = mypass req_extensions = x509v3 [ req_distinguished_name ] C = $C ST = $ST L = $L O = $O OU = $U CN = $CN emailAddress = $email [ x509v3 ] subjectAltName = $altName nsComment = $comment nsCertType = server [ req_attributes ] challengePassword = $RANDOM$RANDOMA challenge password EOT echo;myecho creating server request ... (umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?) cat >/root/.mkcert.cfg <<EOT extensions = x509v3 [ x509v3 ] subjectAltName = $altName nsComment = $comment nsCertType = server EOT test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial myecho "creating server certificate ..." (umask 0377 ; $openssl x509 \ -extfile /root/.mkcert.cfg \ -days $srvdays \ -CAserial /root/.mkcert.serial \ -CA $sslcrtdir/${name}ca.crt \ -CAkey $sslkeydir/${name}ca.key \ -in $sslcsrdir/${name}server.csr -req \ -out $sslcrtdir/${name}server.crt || myexit $LINENO $?) rm -f /root/.mkcert.cfg echo;myecho "Verify: matching certificate & key modulus" modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?` modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?` if [ ".$modcrt" != ".$modkey" ]; then error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2 myexit $LINENO $? fi echo;myecho Verify: matching certificate signature $openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $? if [ $? -ne 0 ]; then error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2 myexit $LINENO $? fi echo;myecho generating dhparams and appending it to the server certificate file... openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe4096 >> $sslcrtdir/${name}server.crt exit 0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
