From 939e7bba0ca3feae799098d0076c2a0245d83b07 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Sat, 4 Jan 2003 02:24:43 +0000
Subject: Add options for remaining certificate parameters. Add TODO with hints on true signed certificates using openssl. Correct parsing error and help: FQDN cannot be optionally prepended (no way to distinguish between FQDN and multiple services).

---
 localmksslcerts | 62 +++++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 49 insertions(+), 13 deletions(-)

(limited to 'localmksslcerts')

diff --git a/localmksslcerts b/localmksslcerts
index 5cd7066..bf9b8b9 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,11 +3,23 @@
 # /usr/local/sbin/localmksslcerts
 # Copyright 2001-2002 Jonas Smedegaard
 #
-# $Id: localmksslcerts,v 1.7 2002-10-17 17:23:36 jonas Exp $
+# $Id: localmksslcerts,v 1.8 2003-01-04 02:24:43 jonas Exp $
 #
 # Generate certificates for mail (and other) servers
 # Based on uw-imapd-ssl post-install script
 #
+# TODO: Check if /etc/ssl/{certs,private}/cacert.pem exists and instead
+# create /etc/ssl/{certs,private}/.pem and symlink to hash of
+# certificate and each of /etc/ssl/{certs,private}/.pem using
+# commands similar to these:
+#
+# openssl genrsa -out new.key
+# openssl req -new -key new.key -out new.csr
+# openssl x509 -req -days 365 -in new.csr -CA /etc/ssl/certs/cacert.pem -CAkey /etc/ssl/private/cacert.pem -CAcreateserial -out new.crt
+# ln -s new.crt `openssl x509 -hash -noout -in new.crt`.0
+# rm new.csr
+#
+# TODO: Use getopts
 prg=$(basename $0)
 copyright="(C) 2001-2002 Jonas Smedegaard "
@@ -15,11 +27,16 @@ copyright="(C) 2001-2002 Jonas Smedegaard "
 usage() {
 	echo "$prg, $copyright
-Usage: $prg [--fqdn ] [--issuer ] --daemon [...] [--force]
-  or: $prg [] [...] [-f]
+Usage: $prg [--fqdn ] [...] --daemon [...] [--force]
+  or: $prg [...] [-f]
 Options:
   --fqdn Fully Qualified Domain Name for this host.
+  --cn Country Name (2 letter code)
+  --state State or Province Name (full name)
+  --loc Locality Name (eg, city)
+  --org Organisation/company
+  --ou Organisational unit/department
   --daemon Daemon(s) in need for a certificate
   (separate certificate is generated for each daemon)
   --issuer Email address of the person responsible for the certificate
@@ -33,12 +50,15 @@ exit 1
 # Set some defaults
 CWD=`pwd`
 PATH=$PATH:/usr/bin/ssl
-COUNTRY='.'
-STATE='.'
-LOCALITY='.'
 DAYS2EXPIRE=365
 fqdn=''
+cn=''
+state=''
+loc=''
+org=''
+ou=''
+daemon=''
 daemons=''
 issuer=''
 force=''
@@ -47,6 +67,11 @@ while [ $# -gt 0 ]; do
 	doubleshift=''
 	case $1 in
 		--fqdn) fqdn="$2"; doubleshift=1;;
+		--cn) cn="$2"; doubleshift=1;;
+		--state) state="$2"; doubleshift=1;;
+		--loc) loc="$2"; doubleshift=1;;
+		--org) org="$2"; doubleshift=1;;
+		--ou) ou="$2"; doubleshift=1;;
 		--daemon) daemons="$daemons$2 "; doubleshift=1;;
 		--issuer) issuer="$2"; doubleshift=1;;
 		--force|-f) force=1;;
@@ -72,14 +97,25 @@ fi
 if [ -z "$fqdn" ]; then
 	if [ $# -gt 0 ]; then
-		fqdn=$1
-		shift
+		fqdn=`hostname -f`
 	else
 		echo "Too few parameters!"
 		usage
 	fi
 fi
+for val in org ou; do
+	if eval [ -z "\$$val" ]; then
+		eval $val=$fqdn
+	fi
+done
+
+for val in cn state loc; do
+	if eval [ -z "\$$val" ]; then
+		eval $val="."
+	fi
+done
+
 cd /etc/ssl/certs
 for daemon in $daemons $@; do
 	if [ -f $daemon.pem ]; then
@@ -93,11 +129,11 @@ for daemon in $daemons $@; do
 	fi
 	echo -n "Generating $daemon certificate..."
 	openssl req -new -x509 -nodes -out $daemon.pem -keyout $daemon.pem -days $DAYS2EXPIRE > /dev/null 2>&1 <<+
-$COUNTRY
-$STATE
-$LOCALITY
-$fqdn
-$fqdn
+$cn
+$state
+$loc
+$org
+$ou
 $fqdn
 $issuer
 +
-- 
cgit v1.2.3
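Review bot: The option name `--cn` in the new usage text (and the `cn` variable introduced for it in the defaults and case-arm hunks below) labels the Country Name, but in X.509 subject terms CN is the Common Name, which this script fills with `$fqdn`, so anyone reading `$cn` next to `$fqdn` in the openssl here-document will guess the wrong field. Naming it after openssl's own field, e.g. `--country` with variable `country`, would remove the ambiguity; if `--cn` has to stay for compatibility, the usage line should at least read `  --cn   Country Name (2 letter code; openssl field C, not the Common Name)` and the variable declaration carry the same remark. The usage() function continues past the end of this hunk.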
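Review bot: `daemon=''` is added to the defaults, but as far as the diff shows `daemon` is only ever the loop variable of `for daemon in $daemons $@; do` further down, so the initialisation is dead and reads as if a single-daemon option existed alongside `daemons`. Either drop the line or state the intent next to it, e.g. `daemon=''	# loop variable only; cleared so nothing inherited from the environment is used`. The defaults run at top level, so no enclosing block is cut by this hunk.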
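Review bot: `eval $val=$fqdn` hands the FQDN to eval unquoted, so a value containing whitespace or shell metacharacters (taken from `--fqdn` or from `hostname -f`) is word-split and re-parsed as shell code instead of being assigned; `eval $val="."` has the same shape and is only safe because the value is a literal dot. Both loops can be replaced by plain parameter expansion, which needs no eval and reads as five assignments with the same result. Separately, the new `fqdn=`hostname -f`` fallback is unchecked: if `hostname -f` fails, fqdn stays empty and the Common Name line fed to openssl later is blank, which `fqdn=$(hostname -f) || { echo "Cannot determine FQDN" >&2; exit 1; }` would surface. The `if [ -z "$fqdn" ]` block is complete within the hunk, but the `for daemon` loop that follows continues past it.
```shell
# … unchanged: if [ -z "$fqdn" ] ... fi block …

# Defaults for the subject fields: organisation and unit fall back to the
# host name, the location fields to "." (which openssl's req prompts treat
# as "leave this field blank"); ${var:-default} covers unset and empty alike.
org=${org:-$fqdn}
ou=${ou:-$fqdn}
cn=${cn:-.}
state=${state:-.}
loc=${loc:-.}

# … unchanged: cd /etc/ssl/certs and the for daemon loop …
```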
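Review bot: The here-document now answers the `openssl req` prompts in the order Country, State, Locality, Organisation, OU, Common Name and e-mail, but nothing at the call site says so, and each line must match the prompt set and order defined by the openssl.cnf in use; a comment above the `openssl req` line such as `# One answer per req prompt, in openssl.cnf order: C, ST, L, O, OU, CN, emailAddress; "." leaves a field blank` would make a later reordering or a config change far less likely to silently place the FQDN in the wrong field. A value containing a newline would likewise shift every following answer, which is one more reason to consider `-subj "/C=$cn/ST=$state/L=$loc/O=$org/OU=$ou/CN=$fqdn/emailAddress=$issuer"` instead of scripted prompts, though the `.` placeholders and empty fields would then have to be omitted from the string rather than passed literally. The `openssl req` invocation itself is context here, and the loop it sits in starts before the hunk.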