
File: [Pegasus] / pegasus / rpm / tog-specfiles / tog-pegasus-genSSLCerts.spec (download)
Revision: 1.7, Wed Sep 10 15:15:40 2014 UTC (9 years, 8 months ago) by dl.meetei
Branch: MAIN
CVS Tags: RELEASE_2_14_1, RELEASE_2_14_0-RC2, RELEASE_2_14_0-RC1, RELEASE_2_14_0, RELEASE_2_14-root, RELEASE_2_14-branch, HEAD
Changes since 1.6: +107 -29 lines
BUG#: 9831
TITLE: [SSL]Generate mini-CA and signed certificate instead of self-signed certificates

DESCRIPTION:

#
#  Set up OpenSSL certificates for the tog-pegasus cimserver
#
#  Creates default ssl-ca.cnf and ssl-service.cnf files.
#  Generates a local CA certificate and a service certificate signed by it
#  for use by the cimserver.
#

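#######################################
# Write an OpenSSL request configuration file under $PEGASUS_CONFIG_DIR.
# Globals:   PEGASUS_CONFIG_DIR (read)
#            SSL_CFG, CA, DN, FQDN (written; left global as in the original
#            so later scriptlet code can still read them)
# Arguments: $1 - config file name, relative to $PEGASUS_CONFIG_DIR
#            $2 - optional suffix appended to the CN so the CA's subject
#                 differs from the subject of the certificate it signs
# Outputs:   (re)creates $PEGASUS_CONFIG_DIR/$1
# Returns:   status of the final write
#######################################
create_ssl_cnf() #(config_file, CN)
{
    SSL_CFG=$1
    CA=${2:-}
    local cfg="$PEGASUS_CONFIG_DIR/$SSL_CFG"

    # Subject CN: the forward-resolved name of this host, if one resolves.
    # 'hostname --fqdn' is deliberately avoided because it can hang
    # indefinitely; 'host -W1' bounds the lookup to one second and the
    # echo fallback keeps the pipeline producing a line when host is
    # unavailable or fails.
    DN=$(hostname)
    if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
        DN='localhost.localdomain'
    fi
    FQDN=$({ host -W1 "$DN" 2>/dev/null || echo "$DN has address "; } \
            | grep 'has address' | head -1 | sed 's/\ .*$//')
    if [ -z "$FQDN" ]; then
        FQDN=$DN
    fi

    # Whole file written through one redirection; printf reuses the
    # format for every argument, one config line each.
    {
        printf '%s\n' \
            '[ req ]' \
            'distinguished_name     = req_distinguished_name' \
            'prompt                 = no'
        # x509v3 sections: 'req -x509' applies v3_ca (CA:TRUE) when the CA
        # certificate is self-signed; v3_req (CA:FALSE) is the section to
        # name when signing the service certificate, so the two can be
        # told apart.
        printf '%s\n' \
            'req_extensions         = v3_req' \
            'x509_extensions        = v3_ca'
        printf '%s\n' \
            '[ req_distinguished_name ]' \
            'C                      = UK' \
            'ST                     = Berkshire' \
            'L                      = Reading' \
            'O                      = The Open Group' \
            'OU                     = The OpenPegasus Project'
        # $CA is glued onto the CN so issuer and subject never match
        printf '%s\n' "CN                     = $FQDN$CA"
        printf '%s\n' \
            '[ v3_req ]' \
            'basicConstraints       = CA:FALSE' \
            '[ v3_ca ]' \
            'subjectKeyIdentifier=hash' \
            'authorityKeyIdentifier=keyid:always,issuer' \
            'basicConstraints = CA:TRUE'
    } > "$cfg"
}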

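# Generate the two OpenSSL configuration files when any expected file is
# missing. cnfChanged tells the next step to regenerate keys and certificates.
# NOTE(review): server.pem, file.pem and client.pem are not produced by the
# code on this page; if nothing else creates them, this branch is taken on
# every run and the service key/certificate below get regenerated each time
# — confirm against the rest of the spec.
cnfChanged=0
if [ ! -e "$PEGASUS_CONFIG_DIR/ssl-ca.cnf" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/ssl-service.cnf" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/server.pem" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/file.pem" ] ||
   [ ! -e "$PEGASUS_CONFIG_DIR/client.pem" ]; then

    mkdir -p -- "${PEGASUS_INSTALL_LOG%/*}"
    mkdir -p -- "$PEGASUS_CONFIG_DIR"

    # Same DN in both files apart from the CN suffix, so the CA's subject
    # differs from the service certificate's subject.
    create_ssl_cnf ssl-ca.cnf CA
    create_ssl_cnf ssl-service.cnf

    # The config files hold no secrets, but keeping them root-owned and
    # read-only stops the certificate subjects being altered before signing.
    chmod 400 "$PEGASUS_CONFIG_DIR"/ssl-*.cnf
    chown root:root "$PEGASUS_CONFIG_DIR"/ssl-*.cnf
    cnfChanged=1
fi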
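# Create the local mini-CA and the service key pair when the configuration
# changed or either half of the service key pair is missing.
if [ "$cnfChanged" -eq 1 ] ||
   [ ! -e "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE" ] ||
   [ ! -e "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE" ]; then

    # Both private keys are created under umask 0077 so neither is ever
    # world-readable, not even in the window before the chmod below.
    # (Previously the umask was restored before the service key was
    # generated, leaving that key readable until chmod 400 ran.)
    OLDUMASK=$(umask)
    umask 0077

    # Private key for the throwaway CA certificate, under a random name
    TMPKEY=$(mktemp --tmpdir="$PEGASUS_PEM_DIR" XXXXXXXXXXXX)

    /usr/bin/openssl genrsa -out "$TMPKEY" 2048

    # Private key for the service certificate
    /usr/bin/openssl genrsa -out "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE" 2048

    # Restore the umask for the public artefacts (certificates, request)
    umask "$OLDUMASK"

    # Self-signed CA certificate; 'req -x509' applies the v3_ca section
    # (CA:TRUE) named by x509_extensions in ssl-ca.cnf
    /usr/bin/openssl req -new -x509 -days 3650 \
                         -config "$PEGASUS_CONFIG_DIR/ssl-ca.cnf" \
                         -key "$TMPKEY" \
                         -out "$PEGASUS_PEM_DIR/ca.crt"

    # Signing request for the service certificate
    /usr/bin/openssl req -new \
                         -config "$PEGASUS_CONFIG_DIR/ssl-service.cnf" \
                         -key "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE" \
                         -out "$PEGASUS_PEM_DIR/server.csr"

    # Sign the request with the CA. 'x509 -req' does not copy extensions
    # from the CSR, and with -extfile alone it looks for an 'extensions'
    # key in the unnamed section, which these config files do not have —
    # so name v3_req explicitly to stamp basicConstraints=CA:FALSE on the
    # service certificate. -CAcreateserial leaves ca.srl in the PEM dir.
    /usr/bin/openssl x509 -req -days 3650 \
                          -in "$PEGASUS_PEM_DIR/server.csr" \
                          -CA "$PEGASUS_PEM_DIR/ca.crt" \
                          -CAkey "$TMPKEY" \
                          -CAcreateserial \
                          -out "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE" \
                          -extfile "$PEGASUS_CONFIG_DIR/ssl-ca.cnf" \
                          -extensions v3_req

    # Key stays root-only; the certificate is public
    chmod 400 "$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE"
    chmod 444 "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE"

    # The signing request is not needed once the signature is complete
    rm -f -- "$PEGASUS_PEM_DIR/server.csr"

    # Remove the private key for the CA certificate
    # This will ensure that it cannot be used to sign any other
    # (possibly suspicious) certificates
    # This does mean that generating a new certificate for this
    # service will need a new CA cert, but most real deployments
    # will use real infrastructure.
    # This does not impart perfect security; there is a fairly
    # long race here between the key generation and its deletion.
    # The random filename should significantly mitigate this.
    # Guarded so a failed mktemp (empty TMPKEY) does not turn into 'rm -f'
    # with no operand.
    if [ -n "$TMPKEY" ]; then
        rm -f -- "$TMPKEY"
    fi

fi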
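# Seed the truststore with the local CA certificate, first run only; an
# existing truststore (possibly holding operator-added CAs) is left alone.
if [ ! -e "$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE" ]; then
    cp -fp -- "$PEGASUS_PEM_DIR/ca.crt" \
        "$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE"
    chmod 444 "$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE"
fi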
