author: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 14:18:24 -0400
committer: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 15:00:20 -0400
commit: 180ad320f452c4c58f6edc75a5749f665bf7459f (patch)
tree: a12c749faa2f84c9ef4f63dc5af8fe09b56c90b6 /httpd-ssl-gencerts
parent: 870b71c4f0c8e363d0e46c365f5d85fa76b62803 (diff)
Generate SSL keys on service start
This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages:

* Waiting until the first boot will help avoid some issues with limited entropy in the install process.
* The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep.
* The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client.

For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Diffstat (limited to 'httpd-ssl-gencerts')
-rwxr-xr-x  httpd-ssl-gencerts  24
1 files changed, 24 insertions, 0 deletions
diff --git a/httpd-ssl-gencerts b/httpd-ssl-gencerts
new file mode 100755
index 0000000..0771b73
--- /dev/null
+++ b/httpd-ssl-gencerts
@@ -0,0 +1,24 @@
+#!/usr/bin/bash
+
+set -e
+
+FQDN=`hostname`
+# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
+if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
+ FQDN=localhost.localdomain
+fi
+
+sscg -q \
+ --cert-file /etc/pki/tls/certs/localhost.crt \
+ --cert-key-file /etc/pki/tls/private/localhost.key \
+ --ca-file /etc/pki/tls/certs/localhost-ca.crt \
+ --hash-alg sha256 \
+ --key-strength 2048 \
+ --lifetime 365 \
+ --country "--" \
+ --state SomeState \
+ --locality SomeCity \
+ --organization SomeOrganization \
+ --organizational-unit SomeOrganizationalUnit \
+ --hostname $FQDN \
+ --email root@$FQDN
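Review bot: the script invokes sscg unconditionally, so unless the caller (presumably the systemd unit, not shown in this diff) only runs it when the files are absent, every httpd start would replace /etc/pki/tls/certs/localhost.crt and the matching key and CA, which defeats the "regenerated whenever they are removed" behaviour described in the commit message and would invalidate any CA a client has already imported; a guard such as `[ -e /etc/pki/tls/certs/localhost.crt ] && exit 0` before the sscg call (or a ConditionPathExists in the unit) would make the script safe to run from any ExecStartPre. Two smaller points in the same hunk: `$FQDN` is unquoted in `--hostname $FQDN` and `--email root@$FQDN`, and `[ ... -o ... ]` is the obsolescent test form; `[ -z "$FQDN" ] || [ "${#FQDN}" -gt 59 ]` with `"$FQDN"` quoted in the sscg arguments is the portable form. The 59-character limit itself is correct for the stated reason, since "root@" plus 59 characters is exactly the 64-character emailAddress maximum.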