| Field | Value | Date |
|---|---|---|
| author | Stephen Gallagher <sgallagh@redhat.com> | 2017-09-20 14:18:24 -0400 |
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2017-09-20 15:00:20 -0400 |
| commit | 180ad320f452c4c58f6edc75a5749f665bf7459f (patch) | |
| tree | a12c749faa2f84c9ef4f63dc5af8fe09b56c90b6 /httpd-ssl-gencerts | |
| parent | 870b71c4f0c8e363d0e46c365f5d85fa76b62803 (diff) | |
Generate SSL keys on service start
This defers the creation of self-signed SSL certificates to the
first time that httpd starts up. This has several advantages:
* Waiting until the first boot will help avoid some issues with
limited entropy in the install process.
* The certificates can be regenerated automatically whenever they
are removed, which helps with tools such as virt-sysprep
* The certificates are now generated by SSCG, which produces a
limited-trust CA alongside it that can be safely imported by a
client.
For more information on SSCG, see:
https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Diffstat (limited to 'httpd-ssl-gencerts')

| Mode | File | Lines |
|---|---|---|
| -rwxr-xr-x | httpd-ssl-gencerts | 24 |

1 files changed, 24 insertions, 0 deletions
diff --git a/httpd-ssl-gencerts b/httpd-ssl-gencerts new file mode 100755 index 0000000..0771b73 --- /dev/null +++ b/httpd-ssl-gencerts @@ -0,0 +1,24 @@ +#!/usr/bin/bash + +set -e + +FQDN=`hostname` +# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress +if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then + FQDN=localhost.localdomain +fi + +sscg -q \ + --cert-file /etc/pki/tls/certs/localhost.crt \ + --cert-key-file /etc/pki/tls/private/localhost.key \ + --ca-file /etc/pki/tls/certs/localhost-ca.crt \ + --hash-alg sha256 \ + --key-strength 2048 \ + --lifetime 365 \ + --country "--" \ + --state SomeState \ + --locality SomeCity \ + --organization SomeOrganization \ + --organizational-unit SomeOrganizationalUnit \ + --hostname $FQDN \ + --email root@$FQDN |
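Review bot: nothing in this script checks whether /etc/pki/tls/certs/localhost.crt, /etc/pki/tls/private/localhost.key or localhost-ca.crt already exist, so every invocation silently overwrites a previously generated (or operator-installed) key pair and CA; the commit message says regeneration should happen "whenever they are removed", but that guard is not in this file, so either add an explicit `if [ -e /etc/pki/tls/private/localhost.key ]; then exit 0; fi` style check here or document at the top of the script that the caller (presumably the unit file) is responsible for only running it when the files are absent. Two smaller points: `FQDN=\`hostname\`` would read better as `FQDN=$(hostname)`, and `--hostname $FQDN` / `--email root@$FQDN` should be quoted (`"$FQDN"`, `"root@$FQDN"`) so the script stays correct if the value is ever unexpected. The `[ ... -o ... ]` test also relies on the non-POSIX `-o` operator; since the shebang is bash, `[[ -z $FQDN || ${#FQDN} -gt 59 ]]` is clearer. Finally, since this writes a private key, consider setting a restrictive `umask 077` before the sscg call rather than relying on the tool's defaults for the key file's permissions.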