From db1e67a62f527b87faeb52839c91da4eabc2ad62 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 3 Jun 2015 19:15:48 +0200 Subject: genkeypair.sh: Merge privkey and pubkey for identical filekeys. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also, set ‘subjectKeyIdentifier = hash’ in the CSR. --- roles/common/files/usr/local/bin/genkeypair.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'roles/common') diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 982c1d9..5bf67f2 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -168,10 +168,11 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then commonName = $cn [ v3_req ] - subjectAltName = email:admin@fripost.org${dns:+, $dns} - basicConstraints = critical, CA:FALSE + subjectAltName = email:admin@fripost.org${dns:+, $dns} + basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method - keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} + keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} + subjectKeyIdentifier = hash EOF fi @@ -188,7 +189,12 @@ elif [ ! -s "$privkey" -o $force -ge 2 ]; then [ "$cmd" = dkim ] && { dkiminfo; exit; } fi -if [ "$cmd" = x509 -o "$cmd" = csr ]; then +if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then + pubkey=$(mktemp) + openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 + cat "$pubkey" >>"$privkey" || exit 2 + rm -f "$pubkey" +elif [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 -- cgit v1.2.3