Return-Path: Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 29478 invoked by uid 500); 21 Nov 2001 00:43:22 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 29467 invoked from network); 21 Nov 2001 00:43:22 -0000 Message-ID: From: "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" To: "'dev@httpd.apache.org'" Subject: RE: SSL and certficates script Date: Tue, 20 Nov 2001 19:43:22 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C17225.85685C10" X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01C17225.85685C10 Content-Type: text/plain; charset="iso-8859-1" Oops.. Sorry.. I thought I had posted a text/plain version (a wrong one must have sneaked in).. Here it comes again.. But, please note that this is just my small utility script, and I haven't tested it extensively.. If you wanted to add/remove any features, pl. do let me know.. -Madhu -----Original Message----- From: Aaron Bannert [mailto:aaron@clove.org] Sent: Tuesday, November 20, 2001 4:17 PM To: dev@httpd.apache.org Subject: Re: SSL and certficates script On Tue, Nov 20, 2001 at 07:00:34PM -0500, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote: > Okay, here it comes.. Pl. do let me know if you have any problems. Hi Madhu, Sorry for giving you such a hard time today. :) Your work is appreciated. Would you mind reposting with either MIME-type text/plain or just posting the patch inline? Thanks, aaron ------_=_NextPart_000_01C17225.85685C10 Content-Type: text/plain; name="mkcert.sh.txt" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="mkcert.sh.txt" #!/bin/sh ## ## mkcert.sh -- SSL Certificate Generation Utility ## export certdir=3D/opt/apache2 export PATH=3D$certdir/ssl/bin:$PATH openssl=3D`whence openssl` type=3D algo=3D crt=3D key=3D view=3D function Usage { echo = "+---------------------------------------------------------------------+= "; echo "| Before you install the package you now should prepare the SSL = |"; echo "| certificate system by running the 'mkcert.sh' command. = |"; echo "| For different situations the following variants are provided: = |"; echo "| = |"; echo "| % mkcert.sh --type=3Ddummy (dummy self-signed Snake Oil = cert) |"; echo "| % mkcert.sh --type=3Dtest (test cert signed by Snake Oil = CA) |"; echo "| % mkcert.sh --type=3Dcustom (custom cert signed by own CA) = |"; echo "| % mkcert.sh --type=3Dexisting (existing cert) = |"; echo "| --crt=3D/path/to/your.crt [--key=3D/path/to/your.key] = |"; echo "| = |"; echo "| Use type=3Ddummy when you're a vendor package maintainer, = |"; echo "| the type=3Dtest when you're an admin but want to do tests = only, |"; echo "| the type=3Dcustom when you're an admin willing to run a real = server |"; echo "| and type=3Dexisting when you're an admin who upgrades a server. = |"; echo "| (The default is type=3Dtest) = |"; echo "| = |"; echo "| Additionally add --algo=3DRSA (default) or --algo=3DDSA to = select |"; echo "| the signature algorithm used for the generated certificate. = |"; echo "| = |"; echo "| Use 'mkcert.sh --view' to display the generated data. = |"; echo "| = |"; echo "| Thanks for using Apache = |"; echo = "+---------------------------------------------------------------------+= "; exit 0 } # Terminal Sequences case $TERM in xterm|xterm*|vt220|vt220*) BB=3D`echo dummy | awk '{ printf("%c%c%c%c", 27, 91, 49, 109); }'` BE=3D`echo dummy | awk '{ printf("%c%c%c", 27, 91, 109); }'` ;; vt100|vt100*) BB=3D`echo dummy | awk '{ printf("%c%c%c%c%c%c", 27, 91, 49, 109, = 0, 0); }'` BE=3D`echo dummy | awk '{ printf("%c%c%c%c%c", 27, 91, 109, 0, 0); = }'` ;; default) BB=3D'' BE=3D'' ;; esac # Check if the user has entered the required details : if [ $# -eq 0 ]; then Usage fi for opt do # If previous option needs an argument, assign it. if [ "x$prev" !=3D "x" ]; then eval "$prev=3D\$opt" prev=3D"" continue fi # Split out arguments case "$opt" in -*=3D*) arg=3D`echo "$opt" | sed 's/[-_a-zA-Z0-9]*=3D//'` ;; *) arg=3D ;; esac # Process arguments case "$opt" in -h|-help|--help) Usage exit 1 ;; -v|--view) view=3D1 ;; -t|--type=3D*) type=3D"$arg" ;; -a|--algo=3D*) algo=3D"$arg" ;; -c|--crt=3D*) crt=3D"$arg" ;; -k|--key=3D*) key=3D"$arg" ;; * ) echo "mkcert.sh:Error: invalid option '$opt'" 1>&2 exit 1 ;; esac done echo "${BB}SSL Certificate Generation Utility${BE} (mkcert.sh)" echo "Enter the Certificate(s) Location [$certdir] :\c" read ncertdir < /dev/tty if [ "x$ncertdir" !=3D "x" ]; then certdir=3D$ncertdir fi if [ ! -d $certdir ]; then echo "\nERROR: [$certdir] not found." echo "Please enter a valid location and try again." exit 1 fi crtdir=3D"$certdir/conf/ssl.crt" keydir=3D"$certdir/conf/ssl.key" # Check if the OPENSSL binary is available. if [ "x$openssl" =3D "x" ]; then for p in /usr/local/bin /usr/bin; do if test -f "$p/openssl"; then openssl=3D"$p/openssl" break fi done if [ "x$openssl" =3D "x" ]; then echo "Could not find OPENSSL in the path !!." exit 0 fi fi # View certificates. if [ ".$view" !=3D . ]; then if [ -f "$crtdir/ca.crt" -a -f "$keydir/ca.key" ]; then echo "" echo "${BB}CA X.509 Certificate${BE} [ca.crt]" echo = "______________________________________________________________________"= $openssl x509 -noout -text -in $crtdir/ca.crt echo "" if [ ".`$openssl x509 -noout -text -in $crtdir/ca.crt | grep = 'Signature Algorithm' | grep -i RSA`" !=3D . ]; then echo "${BB}CA RSA Private Key${BE} [ca.key]" echo = "______________________________________________________________________"= $openssl rsa -noout -text -in $keydir/ca.key else echo "${BB}CA DSA Private Key${BE} [ca.key]" echo = "______________________________________________________________________"= $openssl dsa -noout -text -in $keydir/ca.key fi else echo "" echo "NO CA Certificate found in the directory specified !!." fi if [ -f "$crtdir/server.crt" -a -f "$keydir/server.key" ]; then echo "" echo "${BB}Server X.509 Certificate${BE} [server.crt]" echo = "______________________________________________________________________"= $openssl x509 -noout -text -in $crtdir/server.crt echo "" if [ ".`$openssl x509 -noout -text -in $crtdir/server.crt | = grep 'Signature Algorithm' | grep -i RSA`" !=3D . ]; then echo "${BB}Server RSA Private Key${BE} [server.key]" echo = "______________________________________________________________________"= $openssl rsa -noout -text -in $keydir/server.key else echo "${BB}Server DSA Private Key${BE} [server.key]" echo = "______________________________________________________________________"= $openssl dsa -noout -text -in $keydir/server.key fi else echo "" echo "NO Server Certificate found in the directory specified = !!." fi exit 0 fi # Create the directories if required. if [ ! -d $crtdir ]; then echo "Creating Certificates directory [$crtdir]" mkdir -p $crtdir fi if [ ! -d $keydir ]; then echo "Creating keys directory [$crtdir]" mkdir -p $keydir fi # Find random files and initialize the RANDFILE environment variable randfiles=3D'' for file in /var/log/messages /var/adm/messages /var/log/system.log = /var/wtmp \ /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do if [ -r $file ]; then if [ ".$randfiles" =3D . ]; then randfiles=3D"$file" else randfiles=3D"${randfiles}:$file" fi fi done if [ -f $HOME/.rnd ]; then RANDFILE=3D"$HOME/.rnd" else RANDFILE=3D".mkcert.rnd" (ps; date) >$RANDFILE fi export RANDFILE # Extract parameters case "x$type" in x ) type=3Dtest ;; esac case "x$algo" in xRSA|xrsa )=20 algo=3DRSA ;; xDSA|xdsa )=20 algo=3DDSA=20 ;; x )=20 algo=3Dchoose ;; * ) echo "Unknown algorithm \'$algo' (use RSA or DSA!)" 1>&2 exit 1 ;; esac # processing case $type in dummy) echo "" echo "${BB}Generating self-signed Snake Oil certificate = [DUMMY]${BE}" echo = "______________________________________________________________________"= echo "" if [ ".$algo" =3D .choose ]; then algo=3DRSA fi if [ ".$algo" =3D .RSA ]; then if [ ! -f "$crtdir/server-rsa.crt" -a ! -f = "$keydir/server-rsa.key" ]; then echo "" echo "" echo "There are no dummy certificates loaded on your = system." echo "You can create certificates using the --custom = option." exit 1 fi cp $crtdir/server-rsa.crt $crtdir/server.crt (umask 077; cp $keydir/server-rsa.key $keydir/server.key) else if [ ! -f "$crtdir/server-dsa.crt" -a ! -f = "$keydir/server-dsa.key" ]; then echo "" echo "" echo "There are no dummy certificates loaded on your = system." echo "You can create certificates using the --custom = option." exit 1 fi cp $crtdir/server-dsa.crt $crtdir/server.crt (umask 077; cp $keydir/server-dsa.key $keydir/server.key) fi echo "${BB}RESULT: Server Certification Files${BE}" echo "" echo "o ${BB}$keydir/server.key${BE}" echo " The PEM-encoded $algo private key file which you = configure" echo " with the 'SSLCertificateKeyFile' directive = (automatically done" echo " when you install via APACI). ${BB}KEEP THIS FILE = PRIVATE!${BE}" echo "" echo "o ${BB}$crtdir/server.crt${BE}" echo " The PEM-encoded X.509 certificate file which you = configure" echo " with the 'SSLCertificateFile' directive (automatically = done" echo " when you install via APACI)." echo "" echo "WARNING: Do not use this for real-life/production = systems" echo "" ;; test) echo "" echo "${BB}Generating test certificate signed by Snake Oil CA = [TEST]${BE}" echo "WARNING: Do not use this for real-life/production = systems" if [ ".$algo" =3D .choose ]; then echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 0: Decide the signature algorithm used for = certificate${BE}" echo "The generated X.509 CA certificate can contain = either" echo "RSA or DSA based ingredients. Select the one you want = to use." def1=3DR def2=3Dr def=3DRSA prompt=3D"Signature Algorithm ((R)SA or (D)SA) [$def1]:" while [ 1 ]; do echo dummy | awk '{ printf("%s", prompt); }' = "prompt=3D$prompt" read algo if [ ".$algo" =3D ".$def1" -o ".$algo" =3D ".$def2" -o = ".$algo" =3D . ]; then algo=3D$def break elif [ ".$algo" =3D ".R" -o ".$algo" =3D ".r" ]; then algo=3DRSA break elif [ ".$algo" =3D ".D" -o ".$algo" =3D ".d" ]; then algo=3DDSA break else echo "mkcert.sh:Warning: Invalid selection" 1>&2 fi done fi if [ ".$algo" =3D ".DSA" ]; then echo "" echo "${BB}WARNING!${BE} You're generating a DSA based = certificate/key pair." echo " This implies that RSA based ciphers won't be = available later," echo " which for your web server currently still = means that mostly all" echo " popular web browsers cannot connect to it. = At least not until" echo " you also generate an additional RSA based = certificate/key pair" echo " and configure them in parallel." fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 1: Generating $algo private key (1024 bit) = [server.key]${BE}" if [ ".$algo" =3D .RSA ]; then if [ ".$randfiles" !=3D . ]; then $openssl genrsa -rand $randfiles -out = $keydir/server.key 1024 else $openssl genrsa -out $keydir/server.key 1024 fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate RSA private = key" 1>&2 exit 1 fi else echo "Generating DSA private key via SnakeOil CA DSA = parameters" if [ ".$randfiles" !=3D . ]; then (umask 077 $openssl gendsa -rand $randfiles \ -out $keydir/server.key \ $keydir/ca-dsa.prm) else (umask 077 $openssl gendsa -out $keydir/server.key \ $keydir/ca-dsa.prm) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate DSA private = key" 1>&2 exit 1 fi fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 2: Generating X.509 certificate signing request = [server.csr]${BE}" cat >.mkcert.cfg <&2 exit 1 fi rm -f .mkcert.cfg prompt=3D"8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=3D$prompt" read days if [ ".$days" =3D . ]; then days=3D365 fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 3: Generating X.509 certificate signed by Snake = Oil CA [server.crt]${BE}" echo dummy | awk '{ printf("%s", prompt); }' = "prompt=3DCertificate Version (1 or 3) [3]:" read certversion extfile=3D"" if [ ".$certversion" =3D .3 -o ".$certversion" =3D . ]; then extfile=3D"-extfile .mkcert.cfg" cat >.mkcert.cfg <.mkcert.serial fi if [ ".$algo" =3D .RSA ]; then $openssl x509 $extfile \ -days $days \ -CAserial .mkcert.serial \ -CA $crtdir/ca.crt \ -CAkey $keydir/ca.key \ -in $crtdir/server.csr -req \ -out $crtdir/server.crt else $openssl x509 $extfile \ -days $days \ -CAserial .mkcert.serial \ -CA $crtdir/ca-dsa.crt \ -CAkey $keydir/ca-dsa.key \ -in $crtdir/server.csr -req \ -out $crtdir/server.crt fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate X.509 = certificate" 1>&2 exit 1 fi rm -f .mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=3D`$openssl x509 -noout -modulus -in $crtdir/server.crt = | sed -e 's;.*Modulus=3D;;'` if [ ".$algo" =3D .RSA ]; then modkey=3D`$openssl rsa -noout -modulus -in = $keydir/server.key | sed -e 's;.*Modulus=3D;;'` else modkey=3D`$openssl dsa -noout -modulus -in = $keydir/server.key | sed -e 's;.*Key=3D;;'` fi if [ ".$modcrt" !=3D ".$modkey" ]; then echo "mkcert.sh:Error: Failed to verify modulus on = resulting X.509 certificate" 1>&2 exit 1 fi echo "Verify: matching certificate signature" if [ ".$algo" =3D .RSA ]; then $openssl verify -CAfile $crtdir/ca-rsa.crt = $crtdir/server.crt else $openssl verify -CAfile $crtdir/ca-dsa.crt = $crtdir/server.crt fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to verify signature on = resulting X.509 certificate" 1>&2 exit 1 fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 4: Enrypting $algo private key with a pass = phrase for security [server.key]${BE}" echo "The contents of the server.key file (the generated = private key) has to be" echo "kept secret. So we strongly recommend you to encrypt the = server.key file" echo "with a Triple-DES cipher and a Pass Phrase." while [ 1 ]; do echo dummy | awk '{ printf("Encrypt the private key now? = [Y/n]: "); }' read rc if [ ".$rc" =3D .n -o ".$rc" =3D .N ]; then rc=3D"n" break fi if [ ".$rc" =3D .y -o ".$rc" =3D .Y -o ".$rc" =3D . ]; = then rc=3D"y" break fi done if [ ".$rc" =3D .y ]; then if [ ".$algo" =3D .RSA ]; then (umask 077 $openssl rsa -des3 \ -in $keydir/server.key \ -out $keydir/server.key.crypt) else (umask 077 $openssl dsa -des3 \ -in $keydir/server.key \ -out $keydir/server.key.crypt) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to encrypt $algo private = key" 1>&2 exit 1 fi (umask 077; cp $keydir/server.key.crypt $keydir/server.key) rm -f $keydir/server.key.crypt echo "Fine, you're using an encrypted $algo private key." else echo "Warning, you're using an unencrypted $algo private = key." echo "Please notice this fact and do this on your own = risk." fi echo = "______________________________________________________________________"= echo "" echo "${BB}RESULT: Server Certification Files${BE}" echo "" echo "o ${BB}$keydir/server.key${BE}" echo " The PEM-encoded $algo private key file which you = configure" echo " with the 'SSLCertificateKeyFile' directive = (automatically done" echo " when you install via APACI). ${BB}KEEP THIS FILE = PRIVATE!${BE}" echo "" echo "o ${BB}$crtdir/server.crt${BE}" echo " The PEM-encoded X.509 certificate file which you = configure" echo " with the 'SSLCertificateFile' directive (automatically = done" echo " when you install via APACI)." echo "" echo "o ${BB}$crtdir/server.csr${BE}" echo " The PEM-encoded X.509 certificate signing request file = which"=20 echo " you can send to an official Certificate Authority (CA) = in order" echo " to request a real server certificate (signed by this = CA instead" echo " of our demonstration-only Snake Oil CA) which later = can replace" echo " the $crtdir/server.crt file." echo "" echo "WARNING: Do not use this for real-life/production = systems" echo "" ;; custom) echo "" echo "${BB}Generating custom certificate signed by own CA = [CUSTOM]${BE}" if [ ".$algo" =3D .choose ]; then echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 0: Decide the signature algorithm used for = certificates${BE}" echo "The generated X.509 certificates can contain either" echo "RSA or DSA based ingredients. Select the one you want = to use." def1=3DR def2=3Dr def=3DRSA prompt=3D"Signature Algorithm ((R)SA or (D)SA) [$def1]:" while [ 1 ]; do echo dummy | awk '{ printf("%s", prompt); }' = "prompt=3D$prompt" read algo if [ ".$algo" =3D ".$def1" -o ".$algo" =3D ".$def2" -o = ".$algo" =3D . ]; then algo=3D$def break elif [ ".$algo" =3D ".R" -o ".$algo" =3D ".r" ]; then algo=3DRSA break elif [ ".$algo" =3D ".D" -o ".$algo" =3D ".d" ]; then algo=3DDSA break else echo "mkcert.sh:Warning: Invalid selection" 1>&2 fi done fi if [ ".$algo" =3D ".DSA" ]; then echo "" echo "${BB}WARNING!${BE} You're generating DSA based = certificate/key pairs." echo " This implies that RSA based ciphers won't be = available later," echo " which for your web server currently still = means that mostly all" echo " popular web browsers cannot connect to it. = At least not until" echo " you also generate an additional RSA based = certificate/key pair" echo " and configure them in parallel." fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 1: Generating $algo private key for CA (1024 = bit) [ca.key]${BE}" if [ ".$algo" =3D .RSA ]; then if [ ".$randfiles" !=3D . ]; then $openssl genrsa -rand $randfiles -out $keydir/ca.key = 1024 else $openssl genrsa -out $keydir/ca.key 1024 fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate RSA private = key" 1>&2 exit 1 fi else if [ ".$randfiles" !=3D . ]; then $openssl dsaparam -rand $randfiles -out $keydir/ca.prm = 1024 echo "Generating DSA private key:" (umask 077 $openssl gendsa -rand $randfiles -out $keydir/ca.key = $keydir/ca.prm) else $openssl dsaparam -out $keydir/ca.prm 1024 echo "Generating DSA private key:" (umask 077 $openssl gendsa -out $keydir/ca.key $keydir/ca.prm) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate DSA private = key" 1>&2 exit 1 fi fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 2: Generating X.509 certificate signing request = for CA [ca.csr]${BE}" cat >.mkcert.cfg <&2 exit 1 fi rm -f .mkcert.cfg prompt=3D"8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=3D$prompt" read days if [ ".$days" =3D . ]; then days=3D365 fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 3: Generating X.509 certificate for CA signed = by itself [ca.crt]${BE}" echo dummy | awk '{ printf("%s", prompt); }' = "prompt=3DCertificate Version (1 or 3) [3]:" read certversion extfile=3D"" if [ ".$certversion" =3D .3 -o ".$certversion" =3D . ]; then extfile=3D"-extfile .mkcert.cfg" cat >.mkcert.cfg <&2 exit 1 fi rm -f .mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=3D`$openssl x509 -noout -modulus -in $crtdir/ca.crt | = sed -e 's;.*Modulus=3D;;'` if [ ".$algo" =3D .RSA ]; then modkey=3D`$openssl rsa -noout -modulus -in $keydir/ca.key | = sed -e 's;.*Modulus=3D;;'` else modkey=3D`$openssl dsa -noout -modulus -in $keydir/ca.key | = sed -e 's;.*Key=3D;;'` fi if [ ".$modcrt" !=3D ".$modkey" ]; then echo "mkcert.sh:Error: Failed to verify modulus on = resulting X.509 certificate" 1>&2 exit 1 fi echo "Verify: matching certificate signature" $openssl verify $crtdir/ca.crt if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to verify signature on = resulting X.509 certificate" 1>&2 exit 1 fi echo "Saving the CA Certificates" if [ ".$algo" =3D .RSA ]; then cp -f $crtdir/ca.crt $crtdir/ca-rsa.crt cp -f $keydir/ca.key $keydir/ca-rsa.key else cp -f $crtdir/ca.crt $crtdir/ca-dsa.crt cp -f $keydir/ca.key $keydir/ca-dsa.key fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 4: Generating $algo private key for SERVER = (1024 bit) [server.key]${BE}" if [ ".$algo" =3D .RSA ]; then if [ ".$randfiles" !=3D . ]; then $openssl genrsa -rand $randfiles -out = $keydir/server.key 1024 else $openssl genrsa -out $keydir/server.key 1024 fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate RSA private = key" 1>&2 exit 1 fi else if [ ".$randfiles" !=3D . ]; then (umask 077 $openssl gendsa -rand $randfiles \ -out $keydir/server.key = $keydir/ca.prm) else (umask 077 $openssl gendsa -out $keydir/server.key = $keydir/ca.prm) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate DSA private = key" 1>&2 exit 1 fi fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 5: Generating X.509 certificate signing request = for SERVER [server.csr]${BE}" cat >.mkcert.cfg <&2 exit 1 fi rm -f .mkcert.cfg prompt=3D"8. Certificate Validity (days) [365]:" echo dummy | awk '{ printf("%s", prompt); }' "prompt=3D$prompt" read days if [ ".$days" =3D . ]; then days=3D365 fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 6: Generating X.509 certificate signed by own = CA [server.crt]${BE}" echo dummy | awk '{ printf("%s", prompt); }' = "prompt=3DCertificate Version (1 or 3) [3]:" read certversion extfile=3D"" if [ ".$certversion" =3D .3 -o ".$certversion" =3D . ]; then extfile=3D"-extfile .mkcert.cfg" cat >.mkcert.cfg <.mkcert.serial fi $openssl x509 $extfile \ -days $days \ -CAserial .mkcert.serial \ -CA $crtdir/ca.crt \ -CAkey $keydir/ca.key \ -in $crtdir/server.csr -req \ -out $crtdir/server.crt if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate X.509 = certificate" 1>&2 exit 1 fi rm -f .mkcert.cfg echo "Verify: matching certificate & key modulus" modcrt=3D`$openssl x509 -noout -modulus -in $crtdir/server.crt = | sed -e 's;.*Modulus=3D;;'` if [ ".$algo" =3D .RSA ]; then modkey=3D`$openssl rsa -noout -modulus -in = $keydir/server.key | sed -e 's;.*Modulus=3D;;'` else modkey=3D`$openssl dsa -noout -modulus -in = $keydir/server.key | sed -e 's;.*Key=3D;;'` fi if [ ".$modcrt" !=3D ".$modkey" ]; then echo "mkcert.sh:Error: Failed to verify modulus on = resulting X.509 certificate" 1>&2 exit 1 fi echo "Verify: matching certificate signature" $openssl verify -CAfile $crtdir/ca.crt $crtdir/server.crt if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to verify signature on = resulting X.509 certificate" 1>&2 exit 1 fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 7: Enrypting $algo private key of CA with a = pass phrase for security [ca.key]${BE}" echo "The contents of the ca.key file (the generated private = key) has to be" echo "kept secret. So we strongly recommend you to encrypt the = server.key file" echo "with a Triple-DES cipher and a Pass Phrase." while [ 1 ]; do echo dummy | awk '{ printf("Encrypt the private key now? = [Y/n]: "); }' read rc if [ ".$rc" =3D .n -o ".$rc" =3D .N ]; then rc=3D"n" break fi if [ ".$rc" =3D .y -o ".$rc" =3D .Y -o ".$rc" =3D . ]; = then rc=3D"y" break fi done if [ ".$rc" =3D .y ]; then if [ ".$algo" =3D .RSA ]; then (umask 077 $openssl rsa -des3 \ -in $keydir/ca.key -out = $keydir/ca.key.crypt) else (umask 077 $openssl dsa -des3 \ -in $keydir/ca.key -out = $keydir/ca.key.crypt) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to encrypt $algo private = key" 1>&2 exit 1 fi (umask 077; cp $keydir/ca.key.crypt $keydir/ca.key) rm -f $keydir/ca.key.crypt echo "Fine, you're using an encrypted private key." else echo "Warning, you're using an unencrypted private key." echo "Please notice this fact and do this on your own = risk." fi echo = "______________________________________________________________________"= echo "" echo "${BB}STEP 8: Enrypting $algo private key of SERVER with a = pass phrase for security [server.key]${BE}" echo "The contents of the server.key file (the generated = private key) has to be" echo "kept secret. So we strongly recommend you to encrypt the = server.key file" echo "with a Triple-DES cipher and a Pass Phrase." while [ 1 ]; do echo dummy | awk '{ printf("Encrypt the private key now? = [Y/n]: "); }' read rc if [ ".$rc" =3D .n -o ".$rc" =3D .N ]; then rc=3D"n" break fi if [ ".$rc" =3D .y -o ".$rc" =3D .Y -o ".$rc" =3D . ]; = then rc=3D"y" break fi done if [ ".$rc" =3D .y ]; then if [ ".$algo" =3D .RSA ]; then (umask 077 $openssl rsa -des3 \ -in $keydir/server.key \ -out $keydir/server.key.crypt) else (umask 077 $openssl dsa -des3 \ -in $keydir/server.key \ -out $keydir/server.key.crypt) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to encrypt $algo private = key" 1>&2 exit 1 fi (umask 077; cp $keydir/server.key.crypt $keydir/server.key) rm -f $keydir/server.key.crypt echo "Fine, you're using an encrypted $algo private key." else echo "Warning, you're using an unencrypted $algo private = key." echo "Please notice this fact and do this on your own = risk." fi echo = "______________________________________________________________________"= echo "" echo "${BB}RESULT: CA and Server Certification Files${BE}" echo "" echo "o ${BB}$keydir/ca.key${BE}" echo " The PEM-encoded $algo private key file of the CA which = you can" echo " use to sign other servers or clients. ${BB}KEEP THIS = FILE PRIVATE!${BE}" echo "" echo "o ${BB}$crtdir/ca.crt${BE}" echo " The PEM-encoded X.509 certificate file of the CA which = you use to" echo " sign other servers or clients. When you sign clients = with it (for" echo " SSL client authentication) you can configure this file = with the" echo " 'SSLCACertificateFile' directive." echo "" echo "o ${BB}$keydir/server.key${BE}" echo " The PEM-encoded $algo private key file of the server = which you configure" echo " with the 'SSLCertificateKeyFile' directive = (automatically done" echo " when you install via APACI). ${BB}KEEP THIS FILE = PRIVATE!${BE}" echo "" echo "o ${BB}$crtdir/server.crt${BE}" echo " The PEM-encoded X.509 certificate file of the server = which you configure" echo " with the 'SSLCertificateFile' directive (automatically = done" echo " when you install via APACI)." echo "" echo "o ${BB}$crtdir/server.csr${BE}" echo " The PEM-encoded X.509 certificate signing request of = the server file which"=20 echo " you can send to an official Certificate Authority (CA) = in order" echo " to request a real server certificate (signed by this = CA instead" echo " of our own CA) which later can replace the = $crtdir/server.crt" echo " file." echo "" echo "Congratulations that you establish your server with real = certificates." echo "" ;; existing) echo "" echo "${BB}Using existing custom certificate [EXISTING]${BE}" echo = "______________________________________________________________________"= echo "" if [ ".$crt" =3D . ]; then echo "mkcert.sh: No certificate file given" 1>&2 exit 1 fi if [ ! -f "$crt" ]; then echo "mkcert.sh: Cannot find certificate file: $crt" 1>&2 exit 1 fi if [ ".$key" !=3D . ]; then if [ ! -f "$key" ]; then echo "mkcert.sh: Cannot find private key file: $key" = 1>&2 exit 1 fi cp $crt $crtdir/server.crt (umask 077; cp $key $keydir/server.key) else key=3D$crt umask 077 touch $keydir/server.key sed -e '/-----BEGIN CERTIFICATE/,/-----END CERTIFICATE/p' = -e '/.*/d' \ <$crt >$crtdir/server.crt sed -e '/-----BEGIN ... PRIVATE KEY/,/-----END ... PRIVATE = KEY/p' -e '/.*/d' \ <$key >$keydir/server.key fi $openssl x509 -noout -in $crtdir/server.crt if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to check certificate = contents: $crt" 1>&2 exit 1 fi if [ ".`grep 'PRIVATE KEY' $keydir/server.key | grep RSA`" !=3D = . ]; then algo=3DRSA else algo=3DDSA fi echo "${BB}RESULT: Server Certification Files${BE}" echo "" echo "o ${BB}$keydir/server.key${BE}" echo " The PEM-encoded $algo private key file which you = configure" echo " with the 'SSLCertificateKeyFile' directive = (automatically done" echo " when you install via APACI). ${BB}KEEP THIS FILE = PRIVATE!${BE}" echo "" echo "o ${BB}$crtdir/server.crt${BE}" echo " The PEM-encoded X.509 certificate file which you = configure" echo " with the 'SSLCertificateFile' directive (automatically = done" echo " when you install via APACI)." echo "" echo "Congratulations that you establish your server with real = certificates." echo "" ;; esac ##EOF## ------_=_NextPart_000_01C17225.85685C10--