From 4d4939240615cfcae1421e82d2385de2d9be79cd Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Tue, 4 May 2004 20:30:31 +0000 Subject: Fix generating certified host certificates. Fail on error. --- localmksslcerts | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) (limited to 'localmksslcerts') diff --git a/localmksslcerts b/localmksslcerts index db6da7a..489b463 100755 --- a/localmksslcerts +++ b/localmksslcerts @@ -3,13 +3,15 @@ # /usr/local/sbin/localmksslcerts # Copyright 2001-2004 Jonas Smedegaard # -# $Id: localmksslcerts,v 1.9 2004-05-04 19:43:36 jonas Exp $ +# $Id: localmksslcerts,v 1.10 2004-05-04 20:30:31 jonas Exp $ # # Generate certificates for mail (and other) servers # Based on uw-imapd-ssl post-install script # # TODO: Use getopts +set -e + prg=$(basename $0) copyright="(C) 2001-2004 Jonas Smedegaard " @@ -31,7 +33,7 @@ Options: --issuer Email address of the person responsible for the certificate --cert Use certified host certificate --cacert CAcert used for creating missing host certificate - -f, --force Force overwriting existing certificate + -f, --force Force overwriting existing certificate(s) -h, --help This help text If issuer is not given, \"postmaster@\" is used." 
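Review bot: `set -e` is added on its own; it does not fire on a failure inside a backtick or `$(...)` substitution, nor on an unset variable, and the later hunks in this commit rely on both (the `ln -sf ... \`openssl x509 -hash ...\`.0` line and a variable name that is never assigned). `set -eu` would turn the unassigned-variable case into an immediate, visible failure instead of an empty expansion. Also consider whether the `> /dev/null 2>&1` on the `openssl req` call later in the file should stay now that a failure there aborts the script: with stderr discarded the script exits non-zero with no diagnostic at all.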
@@ -125,21 +127,24 @@ if [ -n "$cert" ]; then echo "Generating host certificate for \"$fqdn\"..." for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do if [ -e $file ]; then - echo "ERROR: File $file already exists!" - exit 1 + if [ -n "$force" ]; then + rm -f $file + else + echo "ERROR: File $file already exists!" + exit 1 + fi fi done - # Generate host certificate (private key) + # Generate ptivate key for host certificate cd /etc/ssl/private openssl genrsa -out $fqdn.pem - ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0 chown root:root $fqdn.pem chmod 0600 $fqdn.pem - # Generate and fill-out certification request for host certificate + # Generate and pre-filled certification request cd /etc/ssl/certs openssl req -new \ - -key /etc/ssl/private/$daemon.pem \ - -out $daemon.csr > /dev/null 2>&1 <<+ + -key /etc/ssl/private/$fqdn.pem \ + -out $fqdn.csr > /dev/null 2>&1 <<+ $cn $state $loc @@ -147,14 +152,18 @@ $org $ou $fqdn $issuer +. +. + - # Authorize certification request (= public part of certificate) + # Generate public ccertificate from certification request openssl x509 -req \ -days $DAYS2EXPIRE \ -CA /etc/ssl/certs/$cacert.pem \ -CAkey /etc/ssl/private/$cacert.pem \ - -CAcreateserial -out $daemon.pem -in new.csr - rm new.csr + -CAcreateserial -out $fqsn.pem -in $fqdn.csr + # Add hash to certified public certificate and cleanup + ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0 + rm $fqdn.csr fi fi -- cgit v1.2.3
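Review bot: The new `--force` branch runs `rm -f $file` on the existing private key, CSR and certificate before any replacement has been generated, so if `openssl genrsa` or a later step fails (and with `set -e` the script now aborts at the first failure) the host is left with no key material at all; defer the removal until the new files exist, or write to a temporary name and rename over the old file. The deletion is also unquoted and `$fqdn` comes straight from the command line and is interpolated into paths under /etc/ssl without validation, so a value containing `/`, `..` or whitespace can make the force branch remove files outside those directories; use `rm -f -- "$file"` and reject an fqdn that is not a plain hostname before it is used to build paths. The new comment has a typo: `# Generate ptivate key for host certificate` should read `# Generate private key for host certificate`. The enclosing `if [ -n "$cert" ]` block continues past this hunk.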
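Review bot: `-CAcreateserial -out $fqsn.pem -in $fqdn.csr` references `$fqsn`, which is never assigned anywhere on this page (the variable used everywhere else is `$fqdn`), so the signed certificate is written to `/etc/ssl/certs/.pem` and the following `ln -sf` and `rm` act on a `$fqdn.pem` that does not exist; it should read `-CAcreateserial -out $fqdn.pem -in $fqdn.csr`. Separately, `set -e` does not trip on a failure inside the backtick substitution, so when `openssl x509 -noout -hash` fails the `ln -sf` still runs with an empty hash and creates a dangling symlink named `.0` in /etc/ssl/certs; capture the hash first, `hash=$(openssl x509 -noout -hash -in "$fqdn.pem")` then `ln -sf "$fqdn.pem" "$hash.0"`, so the failure aborts the script. The two `.` lines appended to the here-document feed the trailing optional prompts of `openssl req`; a short comment such as `# "." leaves the optional challenge password / company name empty` above the here-document would make that intent clear. The enclosing `if [ -n "$cert" ]` block begins outside this hunk.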