diff options
| -rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 982c1d9..5bf67f2 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -151,49 +151,55 @@ fi if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then config=$(mktemp) || exit 2 trap 'rm -f "$config"' EXIT # see /usr/share/ssl-cert/ssleay.cnf cat >"$config" <<- EOF [ req ] distinguished_name = req_distinguished_name prompt = no policy = policy_anything req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] organizationName = Fripost organizationalUnitName = SSLcerts $(echo "$ou") commonName = $cn [ v3_req ] - subjectAltName = email:admin@fripost.org${dns:+, $dns} - basicConstraints = critical, CA:FALSE + subjectAltName = email:admin@fripost.org${dns:+, $dns} + basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method - keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} + keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} + subjectKeyIdentifier = hash EOF fi if [ -s "$privkey" -a $force -eq 0 ]; then echo "Error: private key exists: $privkey" >&2 [ "$cmd" = dkim ] && dkiminfo exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then # Ensure "$privkey" is created with umask 0077 mv -f "$(mktemp)" "$privkey" || exit 2 chmod "${chmod:-og-rwx}" "$privkey" || exit 2 [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2 openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && { dkiminfo; exit; } fi -if [ "$cmd" = x509 -o "$cmd" = csr ]; then +if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then + pubkey=$(mktemp) + openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 + cat "$pubkey" >>"$privkey" || exit 2 + rm -f "$pubkey" +elif [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 else [ "$cmd" = x509 ] && x509=-x509 || x509= openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 fi fi |