
Diff for /pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec between version 1.6 and 1.7

version 1.6, 2008/12/17 01:14:51 version 1.7, 2014/09/10 16:15:40
Line 4 
Line 4 
 #  Creates a default ssl.cnf file. #  Creates a default ssl.cnf file.
 #  Generates a self-signed certificate for use by the cimserver. #  Generates a self-signed certificate for use by the cimserver.
 # #
 cnfChanged=0;  
 if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then  function create_ssl_cnf #(config_file, CN)
     mkdir -p ${PEGASUS_INSTALL_LOG%/*}  {
     mkdir -p $PEGASUS_CONFIG_DIR      SSL_CFG=$1
     echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf      CA=$2 # Add a second argument to differentiate issuer from subject
   
       # Create OpenSSL configuration files for generating certificates
       echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG
     echo "distinguished_name     = req_distinguished_name"  >> \     echo "distinguished_name     = req_distinguished_name"  >> \
             $PEGASUS_CONFIG_DIR/ssl.cnf              $PEGASUS_CONFIG_DIR/$SSL_CFG
     echo "prompt                 = no"  >> $PEGASUS_CONFIG_DIR/ssl.cnf      echo "prompt                 = no"  >> $PEGASUS_CONFIG_DIR/$SSL_CFG
     echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf  
     echo "C                      = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf      # Include support for x509v3 so we can differentiate CA certificates
     echo "ST                     = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf      # from service certificates
     echo "L                      = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf      echo "req_extensions         = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "x509_extensions        = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
   
       echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "C                      = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "ST                     = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "L                      = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
     echo "O                      = The Open Group" >> \     echo "O                      = The Open Group" >> \
             $PEGASUS_CONFIG_DIR/ssl.cnf              $PEGASUS_CONFIG_DIR/$SSL_CFG
     echo "OU                     = The OpenPegasus Project" >> \     echo "OU                     = The OpenPegasus Project" >> \
             $PEGASUS_CONFIG_DIR/ssl.cnf              $PEGASUS_CONFIG_DIR/$SSL_CFG
     DN=`hostname`;     DN=`hostname`;
     if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then     if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
             DN='localhost.localdomain';             DN='localhost.localdomain';
Line 30 
Line 39 
         FQDN="$DN";         FQDN="$DN";
     fi;     fi;
     # cannot use 'hostname --fqdn' because this can hang indefinitely     # cannot use 'hostname --fqdn' because this can hang indefinitely
     echo "CN                     = $FQDN"  >> $PEGASUS_CONFIG_DIR/ssl.cnf      # Hack the $CA onto the end of the CN so we differentiate the issuer
     chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf      # of the signature from the subject
     chown root $PEGASUS_CONFIG_DIR/ssl.cnf      echo "CN                     = $FQDN$CA"  >> $PEGASUS_CONFIG_DIR/$SSL_CFG
     chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf  
       # Add x509v3 extensions
       echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "basicConstraints       = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
       echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
   }
   
   cnfChanged=0;
   if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
      [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
      [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
      [ ! -e $PEGASUS_CONFIG_DIR/file.pem ]  ||
      [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
   
       mkdir -p ${PEGASUS_INSTALL_LOG%/*}
       mkdir -p $PEGASUS_CONFIG_DIR
   
       create_ssl_cnf ssl-ca.cnf CA
       create_ssl_cnf ssl-service.cnf
   
       chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
       chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
       chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
     cnfChanged=1;     cnfChanged=1;
 fi fi
 if [ $cnfChanged -eq 1 ] || \ if [ $cnfChanged -eq 1 ] || \
          [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \          [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
          [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then          [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
     /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \  
          -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf   \      # Restrict access of the key to root
          -keyout $PEGASUS_PEM_DIR/key.pem \      OLDUMASK=`umask`
          -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG      umask 0077
     chmod 700 $PEGASUS_PEM_DIR/*.pem  
     cp -fp $PEGASUS_PEM_DIR/cert.pem \      # Create private key for the CA certificate
         $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE      TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
     cp -fp $PEGASUS_PEM_DIR/key.pem \  
         $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE      /usr/bin/openssl genrsa -out $TMPKEY 2048
   
       # Restore the umask for the other files
       umask $OLDUMASK
   
       # Create CA certificate:
       /usr/bin/openssl req -new -x509 -days 3650 \
                            -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
                            -key $TMPKEY \
                            -out $PEGASUS_PEM_DIR/ca.crt \
   
       # Create private key for the service certificate
       /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
   
       # Create a signing request for the service certificate
       /usr/bin/openssl req -new \
                            -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
                            -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
                            -out $PEGASUS_PEM_DIR/server.csr
   
       # Sign the request with the CA certificate
       /usr/bin/openssl x509 -req -days 3650 \
                             -in $PEGASUS_PEM_DIR/server.csr \
                             -CA $PEGASUS_PEM_DIR/ca.crt \
                             -CAkey $TMPKEY \
                             -CAcreateserial \
                             -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
                             -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
   
       # Set file permissions appropriately
     chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE     chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
     chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE     chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
     rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem  
       # Remove the certificate signing request
       # It is not needed after the signature is complete
       rm -f $PEGASUS_PEM_DIR/server.csr
   
       # Remove the private key for the CA certificate
       # This will ensure that it cannot be used to sign any other
       # (possibly suspicious) certificates
       # This does mean that generating a new certificate for this
       # service will need a new CA cert, but most real deployments
       # will use real infrastructure.
       # This does not impart perfect security; there is a fairly
       # long race here between the key generation and its deletion.
       # The random filename should significantly mitigate this.
       rm -f $TMPKEY
   
 fi; fi;
 if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
     cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \      cp -fp $PEGASUS_PEM_DIR/ca.crt \
         $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE         $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE
     chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;     chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
 fi; fi;
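Review bot: The signing step passes `-extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf` with no `-extensions` option, and as documented for `openssl x509 -req` that makes it take extensions from the file's unnamed default section (or an `extensions=` key there); every key the new `create_ssl_cnf` writes lives under `[ req ]`, `[ req_distinguished_name ]`, `[ v3_req ]` or `[ v3_ca ]`, so the `basicConstraints = CA:FALSE` prepared for service certificates never reaches the server certificate and the CA-versus-service distinction the commit sets out to add exists only in the CN suffix. I would sign with `-extfile $PEGASUS_CONFIG_DIR/ssl-service.cnf -extensions v3_req` and check the result with `openssl x509 -in "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE" -noout -text` looking for `CA:FALSE` under Basic Constraints. Separately, `umask $OLDUMASK` is restored before `genrsa` writes the service key, so on OpenSSL builds where `genrsa` does not itself create the output with mode 0600 that key is readable by other local users from its creation until the `chmod 400` several commands later, the same race the comment acknowledges for the CA key; moving the `umask $OLDUMASK` line below the two `chmod` lines closes that window. None of the openssl invocations are checked for failure, so a failed `genrsa` or `req` silently leaves the script continuing and `$TMPKEY` possibly on disk; a `trap 'rm -f "$TMPKEY"' EXIT` right after the `mktemp` would at least guarantee the CA key is removed on every exit path.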

