authorJonas Smedegaard <dr@jones.dk>2005-10-17 21:16:19 +0000
committerJonas Smedegaard <dr@jones.dk>2005-10-17 21:16:19 +0000
commit0164b44c5d65aab7a2f5b36ed7665a51dad5cee0 (patch)
treef07e5872c37107366f2df587fd69b885cbbac47d /localmksslcerts
parentd7380ce9f947061fa214d8879ceda3d28c4b50f6 (diff)
Always use full paths. Quote all paths. openssl routines as functions.
Diffstat (limited to 'localmksslcerts')
-rwxr-xr-xlocalmksslcerts161
1 files changed, 93 insertions, 68 deletions
diff --git a/localmksslcerts b/localmksslcerts
index b9b30ca..3cf2f2b 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,7 +3,7 @@
# /usr/local/sbin/localmksslcerts
# Copyright 2001-2004 Jonas Smedegaard <dr@jones.dk>
#
-# $Id: localmksslcerts,v 1.17 2005-07-01 11:33:18 jonas Exp $
+# $Id: localmksslcerts,v 1.18 2005-10-17 21:16:19 jonas Exp $
#
# Generate certificates for mail (and other) servers
# Based on uw-imapd-ssl post-install script
@@ -17,6 +17,12 @@ set -e
prg=$(basename $0)
copyright="(C) 2001-2004 Jonas Smedegaard <dr@jones.dk>"
+# Set some defaults
+PATH="$PATH:/usr/bin/ssl"
+DAYS2EXPIRE="365"
+SSLCERTDIR="/etc/ssl/certs"
+SSLPRIVDIR="/etc/ssl/private"
+
usage() {
echo "$prg, $copyright
@@ -58,10 +64,65 @@ If issuer is not given, \"postmaster@<localdomain>\" is used."
exit 1
}
-# Set some defaults
-CWD=`pwd`
-PATH=$PATH:/usr/bin/ssl
-DAYS2EXPIRE=365
+mkcerthash() {
+ filebase="$1"
+ filename="$filebase.pem"
+ certhash="$(openssl x509 -noout -hash -in "$SSLCERTDIR/$filename")"
+ hashfile="$certhash.0"
+ ln -sf "$filename" "$SSLCERTDIR/$hashfile"
+}
+
+mkselfcert() {
+ filebase="$1"
+ cn="$2"
+ state="$3"
+ loc="$4"
+ org="$5"
+ ou="$6"
+ fqdn="$7"
+ issuer="$8"
+ filename="$filebase.pem"
+ openssl req -new -x509 -nodes \
+ -days "$DAYS2EXPIRE" \
+ -keyout "$SSLCERTDIR/$filename" \
+ -out "$SSLCERTDIR/$filename" > /dev/null 2>&1 <<+
+$cn
+$state
+$loc
+$org
+$ou
+$fqdn
+$issuer
++
+ mkcerthash "$filebase"
+ chown root:root "$SSLCERTDIR/$filename"
+ chmod 0640 "$SSLCERTDIR/$filename"
+}
+
+mkcertreq() {
+ filebase="$1"
+ cn="$2"
+ state="$3"
+ loc="$4"
+ org="$5"
+ ou="$6"
+ fqdn="$7"
+ issuer="$8"
+ filename="$filebase.pem"
+ openssl req -new \
+ -key "$SSLPRIVDIR/$filename" \
+ -out "$SSLCERTDIR/$filename" > /dev/null 2>&1 <<+
+$cn
+$state
+$loc
+$org
+$ou
+$fqdn
+$issuer
++
+ chown root:root "$SSLCERTDIR/$filename"
+ chmod 0640 "$SSLCERTDIR/$filename"
+}
fqdn=''
cn=''
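Review bot: The three new functions assign to plain shell variables (`filebase`, `filename`, and in `mkselfcert`/`mkcertreq` also `cn`, `state`, `loc`, `org`, `ou`, `fqdn`, `issuer`), and the same names are the script's own globals (`fqdn=''`, `cn=''` follow right after the hunk and the main body later reads `$fqdn`, `$cn`, …), so every call rewrites the caller's state; today the visible call sites pass the same values back in, but any future call with a different argument list silently changes `$fqdn` for the rest of the run. If the interpreter supports it (the shebang is outside this hunk; dash and bash both accept it), a single line at the top of each function, `local filebase filename cn state loc org ou fqdn issuer`, removes the coupling. Separately, the here-doc in `mkcertreq` ends after `$issuer`, whereas the removed CSR code also fed two `.` lines for the extra `req` attributes (challenge password, optional company name); whether openssl treats EOF at those prompts as "leave empty" depends on the version, so this is worth a comment such as `# extra req attributes are left unanswered; openssl treats EOF as empty` once confirmed. Note too that `mkselfcert` writes the private key into `$SSLCERTDIR` (combined key+cert file, mode 0640) and `mkcerthash` then symlinks that file into the hash lookup name, so the certs directory must not be assumed to hold only public material.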
@@ -134,24 +195,24 @@ for val in cn state loc; do
done
if [ -n "$cert" ]; then
- if [ ! -s /etc/ssl/certs/$fqdn.pem ] || [ ! -s /etc/ssl/private/$fqdn.pem ]; then
+ if [ ! -s "$SSLCERTDIR/$fqdn.pem" ] || [ ! -s "$SSLPRIVDIR/$fqdn.pem" ]; then
echo "WARNING: Host certificate for \"$fqdn\" missing..."
if [ -z "$cacert" ]; then
echo "ERROR: The \"--cacert\" option is required when making a host certificate!"
exit 1
fi
# Cleaning up - if allowed
- for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do
- if [ -e $file ]; then
+ for file in "$SSLPRIVDIR/$fqdn.pem" "$SSLCERTDIR/$fqdn.csr" "$SSLCERTDIR/$fqdn.pem"; do
+ if [ -e "$file" ]; then
if [ -n "$force" ]; then
- rm -f $file
+ rm -f "$file"
else
- echo "ERROR: File $file already exists!"
+ echo "ERROR: File \"$file\" already exists!"
exit 1
fi
fi
done
- if [ ! -s /etc/ssl/certs/$cacert.pem ] || [ ! -s /etc/ssl/private/$cacert.pem ]; then
+ if [ ! -s "$SSLCERTDIR/$cacert.pem" ] || [ ! -s "$SSLPRIVDIR/$cacert.pem" ]; then
echo "WARNING: CAcert (certifying authority certificate) missing..."
if [ -z "$makeca" ]; then
echo "ERROR: The \"--makeca\" option is required when making a CAcert!"
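Review bot: `$fqdn` and `$cacert` are spliced into paths under `$SSLPRIVDIR` and `$SSLCERTDIR` that reach `rm -f "$file"` in the cleanup loop, and the validation loop at the top of the hunk covers only `cn`, `state` and `loc`; `cacert` comes from the `--cacert` option and `fqdn` presumably from the command line as well, so unless they are checked elsewhere (not visible here) a value containing `/` or starting with `.` would address a file outside the two directories. A guard before the cleanup loop, `case "$fqdn" in */*|.*) echo "ERROR: invalid host name \"$fqdn\""; exit 1;; esac`, with the same check for `$cacert`, keeps the delete and the later `openssl -out` paths inside the intended directories. The enclosing `if [ -n "$cert" ]` block continues past the end of the hunk.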
@@ -159,60 +220,43 @@ if [ -n "$cert" ]; then
fi
# Generate private key for CA certificate
echo "Generating CAcert \"$cacert\"..."
- cd /etc/ssl/private
#FIXME: Make strength configurable
- openssl genrsa -des3 -out $cacert.pem 1024
- chown root:root $cacert.pem
- chmod 0400 $cacert.pem
+ openssl genrsa -des3 -out "$SSLPRIVDIR/$cacert.pem" 1024
+ chown root:root "$SSLPRIVDIR/$cacert.pem"
+ chmod 0400 "$SSLPRIVDIR/$cacert.pem"
# Generate and pre-fill certification request
- cd /etc/ssl/certs
#FIXME: Make validity configurable
openssl req -new \
- -key /etc/ssl/private/$cacert.pem \
+ -key "$SSLPRIVDIR/$cacert.pem" \
-x509 -days 1095 \
- -out $cacert.pem
+ -out "$SSLCERTDIR/$cacert.pem"
# Add hash to certified public certificate and cleanup
- ln -sf $cacert.pem `openssl x509 -noout -hash -in $cacert.pem`.0
+ mkcerthash $cacert
fi
echo "Generating host certificate for \"$fqdn\"..."
# Generate private key for host certificate
- cd /etc/ssl/private
- openssl genrsa -out $fqdn.pem
- chown root:root $fqdn.pem
- chmod 0600 $fqdn.pem
+ openssl genrsa -out "$SSLPRIVDIR/$fqdn.pem"
+ chown root:root "$SSLPRIVDIR/$fqdn.pem"
+ chmod 0600 "$SSLPRIVDIR/$fqdn.pem"
# Generate and pre-fill certification request
- cd /etc/ssl/certs
- openssl req -new \
- -key /etc/ssl/private/$fqdn.pem \
- -out $fqdn.csr > /dev/null 2>&1 <<+
-$cn
-$state
-$loc
-$org
-$ou
-$fqdn
-$issuer
-.
-.
-+
+ mkcertreq "$fqdn" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
# Generate public certificate from certification request
openssl x509 -req \
-days $DAYS2EXPIRE \
- -CA /etc/ssl/certs/$cacert.pem \
- -CAkey /etc/ssl/private/$cacert.pem \
- -CAcreateserial -out $fqdn.pem -in $fqdn.csr
+ -CA "$SSLCERTDIR/$cacert.pem" \
+ -CAkey "$SSLPRIVDIR/$cacert.pem" \
+ -CAcreateserial -out "$SSLCERTDIR/$fqdn.pem" -in "$SSLCERTDIR/$fqdn.csr"
# Add hash to certified public certificate and cleanup
- ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0
- rm $fqdn.csr
+ mkcerthash $fqdn
+ rm "$SSLCERTDIR/$fqdn.csr"
fi
fi
-cd /etc/ssl/certs
for daemon in $daemons $@; do
- if [ -f $daemon.pem ]; then
+ if [ -f "$SSLCERTDIR/$daemon.pem" ]; then
if [ -n "$force" ]; then
- rm -f `openssl x509 -noout -hash < $daemon.pem`.0
- rm -f $daemon.pem
+ rm -f "$SSLCERTDIR/$(openssl x509 -noout -hash < "$SSLCERTDIR/$daemon.pem").0"
+ rm -f "$SSLCERTDIR/$daemon.pem"
else
echo "Ignoring certificate (/etc/ssl/certs/$daemon.pem already exists...)"
continue
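Review bot: `mkcerthash $cacert` and `mkcerthash $fqdn` pass their argument unquoted, which is inconsistent with the "Quote all paths" intent of this commit and with the quoted call `mkcertreq "$fqdn" …` a few lines later; `mkcerthash "$cacert"` and `mkcerthash "$fqdn"` match the rest of the hunk. The CA branch still runs `openssl req -new … -x509 -days 1095` interactively with a hard-coded validity while the host certificate now uses `$DAYS2EXPIRE`; the existing `#FIXME` covers this, but a second default such as `CADAYS2EXPIRE` next to the other defaults would make the two consistent. The context line `echo "Ignoring certificate (/etc/ssl/certs/$daemon.pem already exists...)"` still prints the literal directory, so once `SSLCERTDIR` is changed the message will name the wrong path; `"$SSLCERTDIR/$daemon.pem"` keeps it accurate. The `for daemon` loop continues past the end of the hunk.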
@@ -220,30 +264,11 @@ for daemon in $daemons $@; do
fi
if [ -n "$cert" ]; then
echo "Attaching $daemon to certified certificate for $fqdn."
- ln -sf $fqdn.pem $daemon.pem
- (
- cd /etc/ssl/private
- ln -sf $fqdn.pem $daemon.pem
- )
+ ln -sf "$fqdn.pem" "$SSLCERTDIR/$daemon.pem"
+ ln -sf "$fqdn.pem" "$SSLPRIVDIR/$daemon.pem"
else
echo -n "Generating self-certifying $daemon certificate..."
- openssl req -new -x509 -nodes \
- -days $DAYS2EXPIRE \
- -keyout $daemon.pem \
- -out $daemon.pem > /dev/null 2>&1 <<+
-$cn
-$state
-$loc
-$org
-$ou
-$fqdn
-$issuer
-+
- ln -sf $daemon.pem `openssl x509 -noout -hash -in $daemon.pem`.0
- chown root:root $daemon.pem
- chmod 0640 $daemon.pem
+ mkselfcert "$daemon" "$cn" "$state" "$loc" "$org" "$ou" "$fqdn" "$issuer"
echo "Done!"
fi
done
-
-cd $CWD