authorJonas Smedegaard <dr@jones.dk>2004-05-04 20:55:21 +0000
committerJonas Smedegaard <dr@jones.dk>2004-05-04 20:55:21 +0000
commit6a0c5aa76416ec002bd6f1d30ebd9f2ec3e7da04 (patch)
tree3dc804da0fca947b9141876bf1a4df0b2f944244 /localmksslcerts
parent4d4939240615cfcae1421e82d2385de2d9be79cd (diff)
Implement generating CA certificate. Yet another fix for generating certified host certificates.
Diffstat (limited to 'localmksslcerts')
-rwxr-xr-xlocalmksslcerts32
1 files changed, 26 insertions, 6 deletions
diff --git a/localmksslcerts b/localmksslcerts
index 489b463..40de3d4 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,7 +3,7 @@
# /usr/local/sbin/localmksslcerts
# Copyright 2001-2004 Jonas Smedegaard <dr@jones.dk>
#
-# $Id: localmksslcerts,v 1.10 2004-05-04 20:30:31 jonas Exp $
+# $Id: localmksslcerts,v 1.11 2004-05-04 20:55:21 jonas Exp $
#
# Generate certificates for mail (and other) servers
# Based on uw-imapd-ssl post-install script
@@ -33,6 +33,7 @@ Options:
--issuer Email address of the person responsible for the certificate
--cert Use certified host certificate
--cacert CAcert used for creating missing host certificate
+ --makeca Create CA certificate if missing
-f, --force Force overwriting existing certificate(s)
-h, --help This help text
@@ -56,6 +57,7 @@ daemons=''
issuer=''
cert=''
cacert=''
+makeca=''
force=''
args=''
while [ $# -gt 0 ]; do
@@ -71,6 +73,7 @@ while [ $# -gt 0 ]; do
--issuer) issuer="$2"; doubleshift=1;;
--cert) cert=1;;
--cacert) cacert="$2"; doubleshift=1;;
+ --makeca) makeca=1;;
--force|-f) force=1;;
-*) usage;;
*) args="$args$1 ";;
@@ -120,9 +123,26 @@ if [ -n "$cert" ]; then
exit 1
fi
if [ ! -r /etc/ssl/certs/$cacert.pem -o ! -r /etc/ssl/private/$cacert.pem ]; then
-#FIXME: Generate CAcert if --mkcacert is provided
- echo "ERROR: CAcert (certifying authority certificate) missing!"
- exit 1
+ if [ -n "$makeca" ]; then
+ # Generate private key for CA certificate
+ cd /etc/ssl/private
+#FIXME: Make strength configurable
+ openssl genrsa -des3 -out $cacert.pem 1024
+ chown root:root $cacert.pem
+ chmod 0400 $cacert.pem
+ # Generate and pre-filled certification request
+ cd /etc/ssl/certs
+#FIXME: Make validity configurable
+ openssl req -new \
+ -key /etc/ssl/private/$cacert.pem \
+ -x509 -days 1095 \
+ -out $cacert.pem
+ # Add hash to certified public certificate and cleanup
+ ln -sf $cacert.pem `openssl x509 -noout -hash -in $cacert.pem`.0
+ else
+ echo "ERROR: CAcert (certifying authority certificate) missing!"
+ exit 1
+ fi
fi
echo "Generating host certificate for \"$fqdn\"..."
for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do
@@ -135,7 +155,7 @@ if [ -n "$cert" ]; then
fi
fi
done
- # Generate ptivate key for host certificate
+ # Generate private key for host certificate
cd /etc/ssl/private
openssl genrsa -out $fqdn.pem
chown root:root $fqdn.pem
@@ -160,7 +180,7 @@ $issuer
-days $DAYS2EXPIRE \
-CA /etc/ssl/certs/$cacert.pem \
-CAkey /etc/ssl/private/$cacert.pem \
- -CAcreateserial -out $fqsn.pem -in $fqdn.csr
+ -CAcreateserial -out $fqdn.pem -in $fqdn.csr
# Add hash to certified public certificate and cleanup
ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0
rm $fqdn.csr
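Review bot: The corrected `-out $fqdn.pem` now writes the host certificate to the right file, but the signing command's exit status is still not checked, so a failed `openssl x509 -req` (wrong CA passphrase, unreadable CA key) is followed by `ln -sf` with an empty hash name and by `rm $fqdn.csr`, which discards the request. Appending `|| exit 1` to the `-CAcreateserial -out $fqdn.pem -in $fqdn.csr` line stops the script before the symlink and keeps the CSR for a retry. The openssl command this line belongs to begins before the hunk.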