
Bug#175849: diff



Here is a diff, but it is not very interesting: I have rewritten most
of the script.

The biggest difference is: I don't use
/usr/share/apache-ssl/ssleay.conf

I could not understand exactly what is going on; I only noticed that
 openssl req
generates a valid certificate, whereas
 openssl req -conf /usr/share/apache-ssl/ssleay.conf
generates an invalid certificate.

So I use the default config file of openssl, with minor changes
(done with an awk script) so that the script asks for
the server name instead of asking for the person name
(and I also added some small autoconfiguration, so that
the script tries to guess the server name and state and organization,
the latter from sslwrap).


a.

-- 
Andrea Mennucc
 "E' un mondo difficile. Che vita intensa!" (Tonino Carotone)
--- /usr/sbin/ssl-certificate	Sat Oct 26 14:34:34 2002
+++ tmp/ssl-certificate	Fri Jan 10 12:54:41 2003
@@ -1,7 +1,14 @@
-#!/bin/sh -e
+#!/bin/sh 
 
-if [ "$1" != "--force" -a -f /etc/apache-ssl/apache.pem ]; then
-  echo "/etc/apache-ssl/apache.pem exists!  Use \"$0 --force.\""
+set -e
+
+export RANDFILE=/dev/random
+
+[ "$CERTDIR" ] || CERTDIR=/etc/apache-ssl
+[ "$CERTNAME" ] || CERTNAME=$CERTDIR/apache.pem
+
+if [ "$1" != "--force" -a -f $CERTNAME ]; then
+  echo "$CERTNAME exists!  Use \"$0 --force.\""
   exit 0
 fi
 
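Review bot: the `-f $CERTNAME` test and the echo on the two `+if`/`+  echo` lines use `$CERTNAME` unquoted, so a CERTDIR or CERTNAME taken from the environment that contains whitespace breaks the test; quote them as `-f "$CERTNAME"`. Since CERTDIR and CERTNAME are now read from the caller's environment rather than being fixed paths, it is also worth stating in the usage text (the `echo` lines later in the script) that they are honoured, otherwise an inherited variable silently redirects where the key is written.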
@@ -10,7 +17,7 @@
 fi     
 
 echo
-echo creating selfsingned certificate
+echo creating selfsigned certificate
 echo "replace it with one signed by a certification authority (CA)"
 echo
 echo enter your ServerName at the Common Name prompt
@@ -18,14 +25,42 @@
 echo If you want your certificate to expire after x days call this programm 
 echo with "-days x" 
 
-# use special .cnf, because with normal one no valid selfsigned
-# certificate is created
 
-export RANDFILE=/dev/random
-openssl req $@ -config /usr/share/apache-ssl/ssleay.cnf \
-  -new -x509 -nodes -out /etc/apache-ssl/apache.pem \
-  -keyout /etc/apache-ssl/apache.pem
-chmod 600 /etc/apache-ssl/apache.pem
-ln -sf /etc/apache-ssl/apache.pem \
-  /etc/apache-ssl/`/usr/bin/openssl \
-  x509 -noout -hash < /etc/apache-ssl/apache.pem`.0
+
+T=`tempfile`
+
+#stolen from sslwrap
+country="US"
+state=""
+locality=""
+organization=""
+unit=""
+hostname=`hostname -f`
+email="webmaster@"`hostname -f`
+[ -r /etc/sslwrap/debian_config ] && source /etc/sslwrap/debian_config
+
+
+awk '
+/commonName.*=.*YOUR.*/\
+{$0="commonName = server name (eg. ssl.domain.tld; required!!!)\ncommonName_default='"$hostname"'"}
+/0.organizationName_default/\
+{$0="0.organizationName_default	='"$organization"'"}
+/countryName_default/\
+{$0="countryName_default='"$country"'"}
+/stateOrProvinceName_default/\
+{$0="stateOrProvinceName_default='"$state"'"}
+//{print}'  /usr/lib/ssl/openssl.cnf   > $T
+
+openssl req $@ -config  $T \
+  -new -x509 -nodes -out $CERTNAME~new  -keyout $CERTNAME~new
+
+chmod 600  $CERTNAME~new
+
+openssl verify $CERTNAME~new
+
+ln -sf $CERTNAME   $CERTDIR/`/usr/bin/openssl \
+  x509 -noout -hash < $CERTNAME~new `.0
+
+#move only if everything went OK
+mv -b $CERTNAME~new $CERTNAME
+rm $T
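Review bot: `source /etc/sslwrap/debian_config` is a bashism; the script now starts with `#!/bin/sh`, so under a POSIX sh it fails and, with `set -e`, aborts. Use `. /etc/sslwrap/debian_config`. The values read from that file (and `hostname -f`) are then spliced into the awk program text through shell quote juggling (`'"$hostname"'` etc.), so a value containing a single quote or a newline corrupts the generated config; passing them with `awk -v host="$hostname" ...` keeps them as data. `openssl verify $CERTNAME~new` checks a self-signed certificate against the system CA store and reports "self signed certificate" unless the new file is also given as the trust anchor (`-CAfile $CERTNAME~new`); depending on the OpenSSL version that exits non-zero, and `set -e` then stops before the `mv`. Any such abort leaves both `$T` and `$CERTNAME~new` (which contains the private key) on disk: a `trap 'rm -f "$T" "$CERTNAME~new"' EXIT` covers that, and a `umask 077` before the `openssl req` call closes the window between the key being written and the later `chmod 600`. Finally, the `ln -sf` creates the new hash symlink but never removes the one belonging to the certificate being replaced.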