diff options
| -rw-r--r-- | certs/ldap/ldap.fripost.org.pem | 39 | ||||
| -rw-r--r-- | certs/ldap/mx.pem | 31 | ||||
| -rw-r--r-- | certs/ldap/syncrepl/mx@civett.pem | 12 | ||||
| -rw-r--r-- | certs/ldap/syncrepl/mx@elefant.pem | 12 | ||||
| -rw-r--r-- | roles/common-LDAP/tasks/main.yml | 34 | ||||
| -rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 2 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 10 |
7 files changed, 62 insertions, 78 deletions
diff --git a/certs/ldap/ldap.fripost.org.pem b/certs/ldap/ldap.fripost.org.pem index f9d9e94..02b1237 100644 --- a/certs/ldap/ldap.fripost.org.pem +++ b/certs/ldap/ldap.fripost.org.pem @@ -1,31 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIFXzCCA0egAwIBAgIJALUdgbcP0QegMA0GCSqGSIb3DQEBCwUAME8xEDAOBgNV -BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMQ0wCwYDVQQLEwRMREFQMRkw -FwYDVQQDExBsZGFwLmZyaXBvc3Qub3JnMB4XDTE0MDkxMjE2NDM1NloXDTI0MDkw -OTE2NDM1NlowTzEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NMY2VydHMx -DTALBgNVBAsTBExEQVAxGTAXBgNVBAMTEGxkYXAuZnJpcG9zdC5vcmcwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCqwdXg+Jst/vZ6NUPfT4DwXCwt7Xl4 -L2txiwGbpHqgC5B2ZcSePpoGCyT1CC7GsFCw+4qSDtB+7kDqDcomZsru1+n3onET -YC7cSFzs6ks9PtpRMmnWC7184X0bUm6wkvpdJE8tlaqWzkt8S1RlGS/4g5bLKbmz -ClYz/IrG68yPLWU9MHwlrV79Uf29mwLZGwK1PBV29QOiKDTp1KribRepjiO/bKVd -+NIrHY8k7rdbZoe4z1Hp/SBdr7WyospSLwbJgNAFXPw/Nju9B/xEkQhDL+DkUR1X -6JmIik1iAIxv3t1YgctL3Dyc8+RP0vjekrBWUYgRK9dBqia7Etmn7pGB19dqZe6g -y30OsI9TcpW8Elqwg768QUCYZjwI2LN1SyR/et7hL3FQasjMjJOwqlT/PIQAJsLF -CdqK+zZKBi/fNpdzJIb7TW7g4p8NJaICU0n9PMsoSdp4yi4n3OEYq6c8fKUuDF1i -w8pCZE7SHW4qB1Vz5BgZjGmRk+MRzF48VigiZvL+WYoKEvNK7bhXQJ1DACc60j5h -hrX5mleUANrhgwG72+m7gyZNCo2p15SausLup9ImyImZoQT88xRgz8txsDxe08Oa -fO7z9dTuenY/tNVYHMkiJ/0RskOs7fDnSRpHzcwzWf1u4iEDS6lEbUWDdkyZ3XEP -wLoBBaRhexm4mQIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9y -ZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC -AgEAglkIiXCYMajASIjJuVp8e3Eu+k3FKXvW7SPfga6SxcKUTmVPyzNAIVUWXxDq -3nHArOEgrHW8ZAa9aFvLHKcUFOo9hmFZe+dxCXBK++XSyf2Au8PQ7B+8uznaC8/w -JhSq+VarhItd3KMcW9ueG8YMCAxL7yahC0NQkMmwdecvdNB1gNRNnefvjhGIGFOJ -Af5EPSckv+M6f4tFiX8EiabE4t4YW1yHHQ+6SStZL8vBJgT4OCeXaARirGAUiL7K -xVR55ilO3dOdTEg7/+9ASNqygxtz53flnGltKfzt+QwzFK37WSBvGyp+tvmh6EE7 -XaqhBTYepWoiWJ2oRZsQet3QL4goCQGug0HFhYjW2sIl6TjlczuHXc3ynC6kkTD5 -8fhHNDt2bqXPfWmLqHXFP8RFapj+j/PzSXFH0JgllYGXtJufLXzGfN5Bg+6zpJSo -COuZcoWw0e4BgNlc3gT8lKDqjK7zBoAVoxxvsOOaDB27T0sWwg3SERZXKD3xn7Jw -vOIAWYkaQLonYuexW3KUX7OoG9d8HQAOyEkgoU0R6CfwGmK5VbGUQCFAwjF0VHqz -9rKQrRB5+Oh4wK0dQhtU1m5IuxRrRyV7CX/n79vlBePdUIbDRWgJOvaSD125P+9l -RHOSUOZ3tq6IltCLetUMM+qgDkVUFvRvXy2tev5ZBFUpJQs= +MIIBvTCCAW+gAwIBAgIUHA3QvHLOo4JVBaYkVrDL9xv+sdMwBQYDK2VwME8xEDAO +BgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ0wCwYDVQQLDARMREFQ +MRkwFwYDVQQDDBBsZGFwLmZyaXBvc3Qub3JnMB4XDTI0MDkwODE4MzMyM1oXDTM0 +MDkwNjE4MzMyM1owTzEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2Vy +dHMxDTALBgNVBAsMBExEQVAxGTAXBgNVBAMMEGxkYXAuZnJpcG9zdC5vcmcwKjAF +BgMrZXADIQAvg/MmR2tVDRb0MYcfQ8T9CMm6xNSWLt+2JDpXs7W0x6NdMFswHAYD +VR0RBBUwE4ERYWRtaW5AZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0OBBYEFEJgdyZi8bgHZljJaUT/p8e8ZIWeMAUGAytlcANB +APqO/lJ6WkT2rr8MG7kG+3IvBa7+KWKCmzV8ew9SoSF+enaCkNjOBtvW85W0lHBT +i4DzFM0IxdgxgWIEP/NsrgQ= -----END CERTIFICATE----- diff --git a/certs/ldap/mx.pem b/certs/ldap/mx.pem deleted file mode 100644 index 2e6275e..0000000 --- a/certs/ldap/mx.pem +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFaTCCA1GgAwIBAgIJAMFfcQJWxnoSMA0GCSqGSIb3DQEBCwUAMFQxEDAOBgNV -BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMQ0wCwYDVQQLEwRMREFQMREw -DwYDVQQLEwhTeW5jUmVwbDELMAkGA1UEAxMCbXgwHhcNMTQwOTEyMTY0MzM3WhcN -MjQwOTA5MTY0MzM3WjBUMRAwDgYDVQQKEwdGcmlwb3N0MREwDwYDVQQLEwhTU0xj -ZXJ0czENMAsGA1UECxMETERBUDERMA8GA1UECxMIU3luY1JlcGwxCzAJBgNVBAMT -Am14MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArdTG5Uh17j85iOs2 -8+92wHtIR/95ic3+E0Ao8KsWNXYduKLGGrLLAh7T9JPMK80M3gF32nZcbTD5pBuW -NpuClezmCHtPN5ZtTMN6sRl3I/OGhu4vrOkfjOvRNTSByQo3ZC48rcgZbUPTzrCq -+2eDc3R+TbllGhXB9JyZtM71nIix6c6vuERuj6uPQ64oonNWL5eVPH/Ww8wlTDzp -Q69ATXQ92KoIILWllN7zqoU6ldVUyNswo0/wZsqDjxajh7s0qQwQLt7jMLV5JGNd -kWvzyeMJMrmZj5C7Ch54usZh1gdOyf+ZnpnrhCERNOKpkxL59WOrglQPNiKMBZin -MYVcpeCG3UdFaN59kuExUut8U3AVVflYuDfQIP9iHGdHKsBazqUTfqgLIZyWIMoe -MdERazvRANPNHBMjIYYLlcWyjDch3k5iY1pyl8jskWi72F82XsiKMkr5H+tjFPve -H3VaUCY2XNYNI8Ztvn6lifjvA+uVAI084pHZUDQkZFbT4LnLKY79d5IOwE1uXHtf -6tUu8PHG9HeLZNiGex+kIPhg5gmQmipZwofbXX4xG0Km+3Dz2dWViOQri4n1s5xQ -G1bWJtVmyDKEfDGF2ZiUZ+dAiih3qit1rTFZoiMqtNgEiahh/8R78Qx2xsCcu/76 -GLg/qh8r+lR1wMkWcoUbToIpARcCAwEAAaM+MDwwHAYDVR0RBBUwE4ERYWRtaW5A -ZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZI -hvcNAQELBQADggIBAGmCGK8Q32nc1Ltc3S2XCkbMzn4qfFKu1agEk2fBgU1qrVnx -ioNWcct4trI8hwYwJ7QMQLx8ZdmuBbEyD60k9/qj+SCctrXnSA8p0SSCRUKgwyN0 -L14hvu+7P6G5VfPDNd+T1yqVMbMM2qgNYMHQDmf8e9IFa1DUSYks0v/3YdGwLSxj -5IoIvc1JxBlGmgRGgG4z5a4v0ikuDc+XAEV0wWT2xF/7CuJnwglpedOgE+l7PLgU -RQ4uPFQUnFUbcBBE+GLDxXxkOosD7GmAkvppaS8vwA+beqYX8LZMlCqqzXqk+3bp -FCgQ6IARyYWchp/x4PFy1uGkU8PKsVO4xzQ15WuyaJCy3jqum9TfQUW/ZjRFT+3m -sEgzarTxqP7CIlCHygVaDj2ALiaMjGbpHGA5JbwMFFaIuzVDj/DEJWKnxu5paJw1 -ERLBmZXhCqtveGmbI08RCMIZjlZ1xLAhFKGRQ4abDTfTlD4QU1EWh+NLHlSRTIg4 -Idbs9QDQH9Eb6p2+scEUL6ci2XGWRjet2wKdCPC3VMNwW/+pXG5YvrvHJBdx8V+F -w0jWYOg4RQQuB/tAbucj1fvCnj2yMJPCsnlbeN4RPG/xF/89qlSey3kxUfma5eid -m9kmjWPgXPgUQf+hmefL5HcN7M8zShTdSf81Xa0z3VqJENoQ4v4AqidEjVGY ------END CERTIFICATE----- diff --git a/certs/ldap/syncrepl/mx@civett.pem b/certs/ldap/syncrepl/mx@civett.pem new file mode 100644 index 0000000..430c3e6 --- /dev/null +++ b/certs/ldap/syncrepl/mx@civett.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBxzCCAXmgAwIBAgIUKkHGFnwdZ85QwHkb4cCfE8chdFEwBQYDK2VwMFQxEDAO +BgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ0wCwYDVQQLDARMREFQ +MREwDwYDVQQLDAhTeW5jUmVwbDELMAkGA1UEAwwCbXgwHhcNMjQwOTA4MTgzNjU2 +WhcNMzQwOTA2MTgzNjU2WjBUMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhT +U0xjZXJ0czENMAsGA1UECwwETERBUDERMA8GA1UECwwIU3luY1JlcGwxCzAJBgNV +BAMMAm14MCowBQYDK2VwAyEATR5gkOjpEYhG4e2fRjcowwSWkwLFjWHy1mGEjaru +/jmjXTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC +MAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSe9LYpYEdZNz7vx0Pe/LXFCJST +PDAFBgMrZXADQQC0Isvso/VBCBrQx2uOVRUC8hZiKhKHX3SozqYGgrxlQBjxy8dZ +cx3gsl4TGw/VWt80BSXQ+TqJHocjoyoy5/oE +-----END CERTIFICATE----- diff --git a/certs/ldap/syncrepl/mx@elefant.pem b/certs/ldap/syncrepl/mx@elefant.pem new file mode 100644 index 0000000..bbd5f56 --- /dev/null +++ b/certs/ldap/syncrepl/mx@elefant.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBxzCCAXmgAwIBAgIUcwEP5HP6psC+HGMXHZBwf3Y/++UwBQYDK2VwMFQxEDAO +BgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ0wCwYDVQQLDARMREFQ +MREwDwYDVQQLDAhTeW5jUmVwbDELMAkGA1UEAwwCbXgwHhcNMjQwOTA4MTgzNTIw +WhcNMzQwOTA2MTgzNTIwWjBUMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhT +U0xjZXJ0czENMAsGA1UECwwETERBUDERMA8GA1UECwwIU3luY1JlcGwxCzAJBgNV +BAMMAm14MCowBQYDK2VwAyEAp7jKBb1mYic6E+k7awOmDU2HVV+Ly9BNSqoWPmoG +XhCjXTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC +MAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQUeRpdKnUN37/2HJElOEgOiYNp +IzAFBgMrZXADQQADKZwI8lJT+o2tuJD9tbAyjgJU72IxVRNsV8jkE3SEmI0E6w/3 +gf7T9BSPKe1Z23+Sc7Y5lKwHdxGp0Toao/UL +-----END CERTIFICATE----- diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 37edb0b..e17bc3a 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -13,100 +13,108 @@ - libnet-ldap-perl - libauthen-sasl-perl - name: Configure slapd template: src=etc/default/slapd.j2 dest=/etc/default/slapd owner=root group=root mode=0644 register: r1 notify: - Restart slapd - name: Create directory /etc/ldap/ssl file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755 tags: - genkey -# XXX: It's ugly to list all roles here, and to prunes them with a -# conditional... - name: Generate a private key and a X.509 certificate for slapd - # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't - # support ECDSA; and slapd doesn't seem to support DHE (!?) so - # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with - # SHA-512. command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} - --usage=digitalSignature,keyEncipherment,keyCertSign - -t rsa -b 4096 -h sha256 + --usage=digitalSignature,keyEncipherment + -t ed25519 --owner=root --group=openldap --mode=0640 register: r2 changed_when: r2.rc == 0 failed_when: r2.rc > 1 with_items: - { group: 'LDAP_provider', name: ldap.fripost.org, ou: } - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" + notify: + - Restart slapd + tags: + - genkey + +- name: Fetch the SyncProv's X.509 certificate + # Ensure we don't fetch private data + become: False + fetch_cmd: cmd="openssl x509" + stdin=/etc/ldap/ssl/ldap.fripost.org.pem + dest=certs/ldap/ldap.fripost.org.pem + when: "'LDAP_provider' in group_names" tags: - genkey - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509" stdin=/etc/ldap/ssl/{{ item.name }}.pem - dest=certs/ldap/{{ item.name }}.pem + dest=certs/ldap/syncrepl/{{ item.name }}@{{ inventory_hostname_short }}.pem with_items: - - { group: 'LDAP_provider', name: ldap.fripost.org } - { group: 'MX', name: mx } - { group: 'lists', name: lists } when: "item.group in group_names" tags: - genkey - name: Copy the SyncProv's server certificate copy: src=certs/ldap/ldap.fripost.org.pem dest=/etc/ldap/ssl/ldap.fripost.org.pem owner=root group=root mode=0644 when: "'LDAP_provider' not in group_names" tags: - genkey - name: Copy the SyncRepls's client certificates - assemble: src=certs/ldap remote_src=no - dest=/etc/ldap/ssl/clients.pem + assemble: src=certs/ldap/syncrepl remote_src=no + dest=/etc/ldap/ssl/syncrepl.pem owner=root group=root mode=0644 when: "'LDAP_provider' in group_names" tags: - genkey + register: r3 + notify: + - Restart slapd - name: Start slapd service: name=slapd state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Copy fripost & amavis' schema copy: src=etc/ldap/schema/{{ item }} dest=/etc/ldap/schema/{{ item }} owner=root group=root mode=0644 # It'd certainly be nicer if we didn't have to deploy amavis' schema # everywhere, but we need the 'objectClass' in our replicates, hence # they need to be aware of the 'amavisAccount' class. with_items: - fripost.ldif - amavis.schema tags: - amavis - name: Load amavis' schema openldap: target=/etc/ldap/schema/amavis.schema format=slapd.conf name=amavis diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 2c0db0b..a0ac705 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -17,41 +17,41 @@ dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /run/slapd/slapd.args olcPidFile: /run/slapd/slapd.pid olcLogLevel: none olcToolThreads: 1 {% if ansible_processor_vcpus > 4 %} olcThreads: {{ 2 * ansible_processor_vcpus }} {% else %} olcThreads: 8 {% endif %} {% if 'LDAP_provider' in group_names %} olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key # If we are being offered a client cert, it has to be trusted (in which # case we map the X.509 subject to a DN in our namespace), or we # terminate the connection. Not providing a certificate is fine for # TLS-protected simple binds, though. olcTLSVerifyClient: try -olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem +olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "dn.exact:$1,dc=fripost,dc=org" olcSaslSecProps: minssf=128,noanonymous,noplain,nodict olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1 olcTLSDHParamFile: /etc/ssl/dhparams.pem {% endif %} olcLocalSSF: 128 # /!\ This is not portable! But we only use glibc's crypt(3), which # supports (salted, streched) SHA512 olcPasswordHash: {CRYPT} olcPasswordCryptSaltFormat: $6$%s dn: olcDatabase=monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth olcAccess: to dn.subtree="cn=monitor" by dn.exact="username=munin,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" read by * =0 diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index ad65aef..72102f4 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -102,48 +102,50 @@ while [ $# -gt 0 ]; do -f) force=$(( 1 + $force ));; --pubkey=?*) pubkey="${1#--pubkey=}";; --privkey=?*) privkey="${1#--privkey=}";; --usage=?*) usage="${usage:+$usage,}${1#--usage=}";; --config=?*) config="${1#--config=}";; --mode=?*) mode="${1#--mode=}";; --owner=?*) owner="${1#--owner=}";; --group=?*) group="${1#--group=}";; --help) usage; exit;; *) echo "Unrecognized argument: $1" >&2; exit 2 esac shift; done case "$type" in # XXX: genrsa and dsaparam have been deprecated in favor of genpkey. # genpkey can also create explicit EC parameters, but not named. - rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";; - dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";; + rsa) genkey=genrsa; genkeyargs="-rand /dev/urandom -f4 ${bits:-2048}";; + dsa) genkey=dsaparam; genkeyargs="-rand /dev/urandom -noout -genkey ${bits:-1024}";; # See 'openssl ecparam -list_curves' for the list of supported # curves. StrongSwan doesn't support explicit curve parameters # (however explicit parameters might be required to make exotic # curves work with some clients.) ecdsa) genkey=ecparam - genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; + genkeyargs="-rand /dev/urandom -noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; + x25519|x448|ed25519|ed448) genkey=genpkey + genkeyargs="-algorithm $type";; *) echo "Unrecognized key type: $type" >&2; exit 2 esac if [ "$cmd" = x509 -o "$cmd" = csr ]; then case "$hash" in md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;; *) echo "Invalid digest algorithm: $hash" >&2; exit 2; esac [ "$cn" ] || cn="$(hostname --fqdn)" [ ${#cn} -le 64 ] || { echo "CommonName too long: $cn" >&2; exit 2; } fi if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then config=$(mktemp) || exit 2 trap 'rm -f "$config"' EXIT # see /usr/share/ssl-cert/ssleay.cnf cat >"$config" <<- EOF [ req ] @@ -156,40 +158,40 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then [ req_distinguished_name ] organizationName = Fripost organizationalUnitName = SSLcerts $(echo "$ou") commonName = ${cn:-/} [ v3_req ] subjectAltName = email:admin@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} subjectKeyIdentifier = hash EOF fi if [ -s "$privkey" -a $force -eq 0 ]; then echo "Error: private key exists: $privkey" >&2 exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 - openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 + openssl $genkey $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && exit fi if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then pubkey=$(mktemp) openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 cat "$pubkey" >>"$privkey" || exit 2 rm -f "$pubkey" elif [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 else [ "$cmd" = x509 ] && x509=-x509 || x509= openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 fi elif [ "$cmd" = keypair -a "$pubkey" ]; then openssl pkey -pubout <"$privkey" >"$pubkey" fi |