generate ECDSA key on existing installations
authorPeter Müller <peter.mueller@link38.eu>
Wed, 11 Oct 2017 17:45:33 +0000 (19:45 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 11 Oct 2017 19:05:34 +0000 (20:05 +0100)
Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be run on existing installations without breaking already
generated (RSA) keys.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/scripts/httpscert

index e20f789..cae39fb 100644 (file)
@@ -7,17 +7,36 @@
 case "$1" in
   new)
        if [ ! -f /etc/httpd/server.key ]; then
-               echo "Generating https server key."
+               echo "Generating HTTPS RSA server key."
                /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
        fi
-       echo "Generating CSR"
-       /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
-               req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
-       echo "Signing certificate"
-       /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
-               /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
-               /etc/httpd/server.crt
-       ;;
+       if [ ! -f /etc/httpd/server-ecdsa.key ]; then
+               echo "Generating HTTPS ECDSA server key."
+               /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+       fi
+
+       echo "Generating CSRs"
+       if [ ! -f /etc/httpd/server.csr ]; then
+               /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+                       req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
+       fi
+       if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
+               /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+                       req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+       fi
+
+       echo "Signing certificates"
+       if [ ! -f /etc/httpd/server.crt ]; then
+               /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+                       /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
+                       /etc/httpd/server.crt
+       fi
+       if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
+               /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+                       /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+                       /etc/httpd/server-ecdsa.crt
+       fi
+       ;;
   read)
        if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
                ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
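Review bot: The ECDSA private key written by the new `ecparam ... | openssl ec -out /etc/httpd/server-ecdsa.key` line is created with whatever mode the shell's umask gives it, and whether `openssl ec -out` tightens that to 0600 on its own depends on the OpenSSL version, so the key file can end up world-readable while the rest of the script relies on the path existing rather than on its permissions. The failure of the first pipeline stage is also not observed (no `set -e` or `pipefail` is visible in the hunk, and the exit status of a pipeline is that of its last stage), so a failed `ecparam` would be followed by the CSR and signing steps running against a missing or partial key, and the `-f` guard would then never regenerate it. A defensive form is `(umask 077; /usr/bin/openssl ecparam -genkey -name secp384r1 | /usr/bin/openssl ec -out /etc/httpd/server-ecdsa.key) || exit 1` followed by `chmod 600 /etc/httpd/server-ecdsa.key`, which also removes the only unqualified `openssl` call in an arm that otherwise uses `/usr/bin/openssl`. The `read)` arm that begins at the end of the hunk still tests only the RSA key, certificate and CSR, so the new ECDSA files are presumably not reported by it; that arm continues outside the hunk, so this is a point to confirm against the rest of the file.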