src/scripts/httpscert

   1 #!/bin/sh
   2 #
   3 # new : generate new certificate
   4 # read: read issuer in certificate and verify if it is the same as hostname
   5
   6 # See how we were called.
   7 case "$1" in
   8   new)
   9         if [ ! -f /etc/httpd/server.key ]; then
  10                 echo "Generating https server key."
  11                 /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
  12         fi
  13         echo "Generating CSR"
  14         /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
  15                 req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
  16         echo "Signing certificate"
  17         /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
  18                 /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
  19                 /etc/httpd/server.crt
  20         ;;
  21   read)
  22         if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
  23                 ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
  24                 HOSTNAME=`/bin/hostname -f`
  25                 if [ "$ISSUER" != "$HOSTNAME" ]; then
  26                         echo "Certificate issuer '$ISSUER' is not the same as the hostname '$HOSTNAME'"
  27                         echo "Probably host or domain name has been changed in setup"
  28                         echo "You could remake server certificate with '/usr/local/bin/httpscert new'"
  29                         exit 1
  30                 else
  31                         echo "https certificate issuer match $HOSTNAME"
  32                 fi
  33         else
  34                 echo "Certificate not found"
  35                 exit 1
  36         fi
  37         ;;
  38   *)
  39         /bin/echo "Usage: $0 {read|new}"
  40         exit 1
  41         ;;
  42 esac