From 180ad320f452c4c58f6edc75a5749f665bf7459f Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Wed, 20 Sep 2017 14:18:24 -0400
Subject: Generate SSL keys on service start

This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages:

* Waiting until the first boot will help avoid some issues with limited entropy in the install process.
* The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep
* The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client.

For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/

Signed-off-by: Stephen Gallagher
---
 httpd-ssl-gencerts | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100755 httpd-ssl-gencerts

diff --git a/httpd-ssl-gencerts b/httpd-ssl-gencerts
new file mode 100755
index 0000000..0771b73
--- /dev/null
+++ b/httpd-ssl-gencerts
@@ -0,0 +1,24 @@
+#!/usr/bin/bash
+
+set -e
+
+FQDN=`hostname`
+# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
+if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
+ FQDN=localhost.localdomain
+fi
+
+sscg -q \
+ --cert-file /etc/pki/tls/certs/localhost.crt \
+ --cert-key-file /etc/pki/tls/private/localhost.key \
+ --ca-file /etc/pki/tls/certs/localhost-ca.crt \
+ --hash-alg sha256 \
+ --key-strength 2048 \
+ --lifetime 365 \
+ --country "--" \
+ --state SomeState \
+ --locality SomeCity \
+ --organization SomeOrganization \
+ --organizational-unit SomeOrganizationalUnit \
+ --hostname $FQDN \
+ --email root@$FQDN
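Review bot: The script never checks whether /etc/pki/tls/certs/localhost.crt, /etc/pki/tls/private/localhost.key or /etc/pki/tls/certs/localhost-ca.crt already exist before calling sscg, so unless the calling service unit guards the invocation, every start would replace an administrator-installed certificate and private key with a fresh self-signed pair; the commit message promises regeneration only "whenever they are removed", which this hunk does not enforce on its own. An early `[ -e /etc/pki/tls/private/localhost.key ] && exit 0` (or an equivalent condition in the unit file, which is not part of this patch) would make the behaviour match the description. Two smaller points: `$FQDN` is unquoted in `--hostname $FQDN` and `--email root@$FQDN`, so a hostname containing whitespace or glob characters would split or expand; quote both. And since the script runs under /usr/bin/bash anyway, the obsolescent `-o` in `[ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]` can become `[[ -z $FQDN || ${#FQDN} -gt 59 ]]`, which also removes the need for the `x` prefix. Finally, nothing in the hunk sets or verifies ownership and mode of the key written under /etc/pki/tls/private; a comment stating what permissions sscg leaves on it, or an explicit chmod, would document that the key is not world-readable.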