generate ECDSA key on existing installations

Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be run on existing installations without breaking already
generated (RSA) keys.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller
2017-10-11 19:45:33 +02:00
committed by Michael Tremer
parent f227ae4fd2
commit 5760f93a74


@@ -7,17 +7,36 @@
case "$1" in
new)
if [ ! -f /etc/httpd/server.key ]; then
echo "Generating https server key."
echo "Generating HTTPS RSA server key."
/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
fi
echo "Generating CSR"
/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
echo "Signing certificate"
/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
/etc/httpd/server.crt
;;
if [ ! -f /etc/httpd/server-ecdsa.key ]; then
echo "Generating HTTPS ECDSA server key."
/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
fi
echo "Generating CSRs"
if [ ! -f /etc/httpd/server.csr ]; then
/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
fi
if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
fi
echo "Signing certificates"
if [ ! -f /etc/httpd/server.crt ]; then
/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
/etc/httpd/server.crt
fi
if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
/etc/httpd/server-ecdsa.crt
fi
;;
read)
if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
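Review bot: The ECDSA private key written by the `openssl ec -out` stage of the `ecparam -genkey` pipeline gets whatever mode the current umask yields, and the hunk neither sets a mode nor checks that either stage succeeded; if the first stage fails, the second may still leave an empty /etc/httpd/server-ecdsa.key behind, which the `! -f` guard would then treat as a valid key on every later run (unless the openssl build IPFire ships already creates private-key files with 0600 and refuses to write anything on empty input — worth confirming). The pipe is avoidable: `/usr/bin/openssl ecparam -genkey -name secp384r1 -noout -out /etc/httpd/server-ecdsa.key || exit 1` writes only the key (`-noout` drops the EC PARAMETERS block the second stage was stripping), and a following `chmod 600 /etc/httpd/server-ecdsa.key` pins the mode regardless of umask. That line is also the only place in the hunk that invokes a bare `openssl` instead of `/usr/bin/openssl`, so it depends on PATH where the rest of the script does not. The enclosing `case` statement continues past the end of the hunk.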