authorJonas Smedegaard <dr@jones.dk>2004-05-04 20:30:31 +0000
committerJonas Smedegaard <dr@jones.dk>2004-05-04 20:30:31 +0000
commit4d4939240615cfcae1421e82d2385de2d9be79cd (patch)
tree99ace353c8d76a7bcf1a616575980f09ec19a879 /localmksslcerts
parent45064849e2292461bba795cbaee66068552b77d6 (diff)
Fix generating certified host certificates. Fail on error.
Diffstat (limited to 'localmksslcerts')
-rwxr-xr-xlocalmksslcerts33
1 files changed, 21 insertions, 12 deletions
diff --git a/localmksslcerts b/localmksslcerts
index db6da7a..489b463 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,13 +3,15 @@
# /usr/local/sbin/localmksslcerts
# Copyright 2001-2004 Jonas Smedegaard <dr@jones.dk>
#
-# $Id: localmksslcerts,v 1.9 2004-05-04 19:43:36 jonas Exp $
+# $Id: localmksslcerts,v 1.10 2004-05-04 20:30:31 jonas Exp $
#
# Generate certificates for mail (and other) servers
# Based on uw-imapd-ssl post-install script
#
# TODO: Use getopts
+set -e
+
prg=$(basename $0)
copyright="(C) 2001-2004 Jonas Smedegaard <dr@jones.dk>"
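Review bot: `set -e` on line 31 makes every later failure fatal, but nothing removes what was created before the failing step — the private key that `openssl genrsa` writes to /etc/ssl/private in a later hunk stays behind, and a rerun then stops at the "already exists" check unless --force is given. A cleanup trap would keep an abort from leaving half-generated key material: `trap 'rm -f -- "$partial"' EXIT`, with `partial` set to each file as it is created and cleared once the run succeeds. The shebang on line 1 is outside the hunk, so which shell interprets `set -e` cannot be confirmed from here.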
@@ -31,7 +33,7 @@ Options:
--issuer Email address of the person responsible for the certificate
--cert Use certified host certificate
--cacert CAcert used for creating missing host certificate
- -f, --force Force overwriting existing certificate
+ -f, --force Force overwriting existing certificate(s)
-h, --help This help text
If issuer is not given, \"postmaster@<localdomain>\" is used."
@@ -125,21 +127,24 @@ if [ -n "$cert" ]; then
echo "Generating host certificate for \"$fqdn\"..."
for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do
if [ -e $file ]; then
- echo "ERROR: File $file already exists!"
- exit 1
+ if [ -n "$force" ]; then
+ rm -f $file
+ else
+ echo "ERROR: File $file already exists!"
+ exit 1
+ fi
fi
done
- # Generate host certificate (private key)
+ # Generate ptivate key for host certificate
cd /etc/ssl/private
openssl genrsa -out $fqdn.pem
- ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0
chown root:root $fqdn.pem
chmod 0600 $fqdn.pem
- # Generate and fill-out certification request for host certificate
+ # Generate and pre-filled certification request
cd /etc/ssl/certs
openssl req -new \
- -key /etc/ssl/private/$daemon.pem \
- -out $daemon.csr > /dev/null 2>&1 <<+
+ -key /etc/ssl/private/$fqdn.pem \
+ -out $fqdn.csr > /dev/null 2>&1 <<+
$cn
$state
$loc
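Review bot: The private key written by `openssl genrsa -out $fqdn.pem` on line 60 is created under the caller's umask and only tightened by `chmod 0600` two lines later, so with a typical 022 umask it is briefly readable by other users; restricting the umask first closes that window, e.g. `umask 077` before the genrsa line or `(umask 077; openssl genrsa -out "$fqdn.pem")`. The new `rm -f $file` on line 50 and the `$fqdn` expansions are unquoted, so a value containing whitespace or glob characters is split before rm/openssl see it — `rm -f -- "$file"` is the safe form. The `> /dev/null 2>&1` on the `openssl req` call now combines with `set -e` into an abort that prints no diagnostic; keeping stderr visible would show why. The comment on line 58 reads "ptivate" for "private". The heredoc feeding `openssl req` continues past the end of the hunk.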
@@ -147,14 +152,18 @@ $org
$ou
$fqdn
$issuer
+.
+.
+
- # Authorize certification request (= public part of certificate)
+ # Generate public ccertificate from certification request
openssl x509 -req \
-days $DAYS2EXPIRE \
-CA /etc/ssl/certs/$cacert.pem \
-CAkey /etc/ssl/private/$cacert.pem \
- -CAcreateserial -out $daemon.pem -in new.csr
- rm new.csr
+ -CAcreateserial -out $fqsn.pem -in $fqdn.csr
+ # Add hash to certified public certificate and cleanup
+ ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0
+ rm $fqdn.csr
fi
fi
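Review bot: `-out $fqsn.pem` on line 90 looks like a typo for `$fqdn.pem`: `fqsn` is not assigned in any visible hunk, so the x509 step would write the certificate to a file named `.pem` in /etc/ssl/certs, and the following `ln -sf` and `rm` lines refer to `$fqdn.pem`, which that step never produced. The fix is `-CAcreateserial -out $fqdn.pem -in $fqdn.csr`. The hash symlink on line 92 is built from a backtick substitution whose failure `set -e` does not propagate, so a failed `openssl x509 -noout -hash` would silently yield a link named `.0`; splitting it out (`hash=$(openssl x509 -noout -hash -in $fqdn.pem)` then `ln -sf $fqdn.pem $hash.0`) makes the abort happen at the right place. The two `.` lines added to the heredoc presumably answer the remaining `openssl req` prompts; a comment naming which prompts they answer would help the next reader. The `openssl req` line that opens the heredoc is in the previous hunk.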