]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - src/scripts/httpscert
Set version to 2.9rc1.
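#!/bin/sh
#
# Manage the self-signed certificate used by the local web server.
#
# new : generate new certificate
# read: read issuer in certificate and verify if it is the same as hostname
#
# Exit status: 1 for an unknown sub-command, for missing certificate files
# and for an issuer/hostname mismatch. The "new" branch does not check the
# exit status of the openssl calls.

# See how we were called.
case "$1" in
  new)
    # set temporary random file
    export RANDFILE=/root/.rnd
    # An existing key is reused; only the CSR and certificate are rebuilt.
    if [ ! -f /etc/httpd/server.key ]; then
      echo "Generating https server key."
      # 2048 bits instead of the former 1024: 1024-bit RSA is below the
      # minimum accepted by current guidance and by many TLS clients.
      # NOTE(review): CONFIG_ROOT looks like a build-time placeholder for
      # the settings directory -- confirm it is substituted on install.
      # NOTE(review): the key file's mode follows the caller's umask;
      # confirm the key does not end up world-readable.
      /usr/bin/openssl genrsa -rand \
        /boot/vmlinuz:CONFIG_ROOT/ethernet/settings -out \
        /etc/httpd/server.key 2048
    fi
    echo "Generating CSR"
    # /etc/certparams holds the answers to openssl's prompts, with the
    # literal token HOSTNAME standing in for the FQDN.
    # NOTE(review): the FQDN is pasted into the sed replacement text; this
    # assumes it contains no '/' or '&' -- confirm for unusual hostnames.
    sed "s/HOSTNAME/$(hostname -f)/" /etc/certparams | /usr/bin/openssl \
      req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
    echo "Signing certificate"
    # NOTE(review): 999999 days makes the certificate effectively
    # non-expiring; a bounded lifetime with renewal would be safer.
    /usr/bin/openssl x509 -req -days 999999 -in \
      /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
      /etc/httpd/server.crt
    # unset and remove random file
    # ("export -n" is a bash extension; "unset" is the POSIX spelling and
    # works with any /bin/sh.)
    unset RANDFILE
    rm -f /root/.rnd
    ;;
  read)
    # Separate tests instead of the obsolescent, ambiguous "-a" operator.
    if [ -f /etc/httpd/server.key ] && [ -f /etc/httpd/server.crt ] &&
      [ -f /etc/httpd/server.csr ]; then
      # Take what follows the first '=' on the Issuer line.
      # NOTE(review): this assumes the issuer DN has a single component
      # (the CN) -- confirm against /etc/certparams.
      # Newer OpenSSL releases print "CN = host" with spaces around '=',
      # so leading blanks are stripped before the comparison.
      ISSUER=$(/usr/bin/openssl x509 -in /etc/httpd/server.crt -text -noout |
        grep Issuer | /usr/bin/cut -f2 -d '=' | sed 's/^ *//')
      HOSTNAME=$(/bin/hostname -f)
      if [ "$ISSUER" != "$HOSTNAME" ]; then
        echo "Certificate issuer '$ISSUER' is not the same as the hostname '$HOSTNAME'"
        echo "Probably host or domain name has been changed in setup"
        echo "You could remake server certificate with '/usr/local/bin/httpscert new'"
        exit 1
      else
        echo "https certificate issuer match $HOSTNAME"
      fi
    else
      echo "Certificate not found"
      exit 1
    fi
    ;;
  *)
    /bin/echo "Usage: $0 {read|new}"
    exit 1
    ;;
esac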