[ipfire-2.x.git] / src / scripts / httpscert

#!/bin/sh
#
# new : generate new certificate
# read: read issuer in certificate and verify if it is the same as hostname

# See how we were called.
case "$1" in
  new)
	if [ ! -f /etc/httpd/server.key ]; then
		echo "Generating HTTPS RSA server key."
		/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
	fi
	if [ ! -f /etc/httpd/server-ecdsa.key ]; then
		echo "Generating HTTPS ECDSA server key."
		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
	fi

	echo "Generating CSRs"
	if [ ! -f /etc/httpd/server.csr ]; then
		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
			req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
	fi
	if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
			req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
	fi

	echo "Signing certificates"
	if [ ! -f /etc/httpd/server.crt ]; then
		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
			/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
			/etc/httpd/server.crt
	fi
	if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
			/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
			/etc/httpd/server-ecdsa.crt
	fi
	;;
  read)
	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
		ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
		HOSTNAME=`/bin/hostname -f`
		if [ "$ISSUER" != "$HOSTNAME" ]; then
			echo "Certificate issuer '$ISSUER' is not the same as the hostname '$HOSTNAME'"
			echo "Probably host or domain name has been changed in setup"
			echo "You could remake server certificate with '/usr/local/bin/httpscert new'"
			exit 1
		else
			echo "https certificate issuer match $HOSTNAME"
		fi
	else
		echo "Certificate not found"
		exit 1
	fi
	;;
  *)
	/bin/echo "Usage: $0 {read|new}"
	exit 1
	;;
esac
Commit	Line	Data
cd1a2927 MT	1	#!/bin/sh
cd1a2927 MT	2	#
cd1a2927 MT	3	# new : generate new certificate
	4	# read: read issuer in certificate and verify if it is the same as hostname
	5
	6	# See how we were called.
	7	case "$1" in
	8	new)
cd1a2927	9	if [ ! -f /etc/httpd/server.key ]; then
5760f93a	10	echo "Generating HTTPS RSA server key."
325aa1e1	11	/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
cd1a2927	12	fi
5760f93a PM	13	if [ ! -f /etc/httpd/server-ecdsa.key ]; then
	14	echo "Generating HTTPS ECDSA server key."
	15	/usr/bin/openssl ecparam -genkey -name secp384r1 \| openssl ec -out /etc/httpd/server-ecdsa.key
	16	fi
	17
	18	echo "Generating CSRs"
	19	if [ ! -f /etc/httpd/server.csr ]; then
	20	/bin/cat /etc/certparams \| sed "s/HOSTNAME/`hostname -f`/" \| /usr/bin/openssl \
	21	req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
	22	fi
	23	if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
	24	/bin/cat /etc/certparams \| sed "s/HOSTNAME/`hostname -f`/" \| /usr/bin/openssl \
	25	req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
	26	fi
	27
	28	echo "Signing certificates"
	29	if [ ! -f /etc/httpd/server.crt ]; then
	30	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
	31	/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
	32	/etc/httpd/server.crt
	33	fi
	34	if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
	35	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
	36	/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
	37	/etc/httpd/server-ecdsa.crt
	38	fi
	39	;;
cd1a2927 MT	40	read)
	41	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
	42	ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout \| grep Issuer \| /usr/bin/cut -f2 -d '='`
	43	HOSTNAME=`/bin/hostname -f`
	44	if [ "$ISSUER" != "$HOSTNAME" ]; then
65998e0a	45	echo "Certificate issuer '$ISSUER' is not the same as the hostname '$HOSTNAME'"
cd1a2927 MT	46	echo "Probably host or domain name has been changed in setup"
	47	echo "You could remake server certificate with '/usr/local/bin/httpscert new'"
	48	exit 1
	49	else
	50	echo "https certificate issuer match $HOSTNAME"
	51	fi
	52	else
	53	echo "Certificate not found"
	54	exit 1
	55	fi
	56	;;
	57	*)
	58	/bin/echo "Usage: $0 {read\|new}"
	59	exit 1
	60	;;
	61	esac