From: Peter Müller <peter.mueller@link38.eu>
Date: Wed, 11 Oct 2017 17:45:33 +0000 (+0200)
Subject: generate ECDSA key on existing installations
X-Git-Tag: v2.19-core115~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5760f93a74dc8569f206b742b3aa3035d9d582fd;p=ipfire-2.x.git

generate ECDSA key on existing installations

Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be ran on existing installations without breaking already
generated (RSA) keys.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index e20f789ed4..cae39fb74e 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
@@ -7,17 +7,36 @@
 case "$1" in
   new)
 	if [ ! -f /etc/httpd/server.key ]; then
-		echo "Generating https server key."
+		echo "Generating HTTPS RSA server key."
 		/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
 	fi
-	echo "Generating CSR"
-	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
-		req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
-	echo "Signing certificate"
-	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
-		/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
-		/etc/httpd/server.crt
- 	;;
+	if [ ! -f /etc/httpd/server-ecdsa.key ]; then
+		echo "Generating HTTPS ECDSA server key."
+		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+	fi
+
+	echo "Generating CSRs"
+	if [ ! -f /etc/httpd/server.csr ]; then
+		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+			req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
+	fi
+	if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
+		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+			req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+	fi
+
+	echo "Signing certificates"
+	if [ ! -f /etc/httpd/server.crt ]; then
+		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+			/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
+			/etc/httpd/server.crt
+	fi
+	if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
+		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+			/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+			/etc/httpd/server-ecdsa.crt
+	fi
+	;;
   read)
 	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
 		ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`