Bug#929121: ssl-cert: Please produce separate key/pem files for the 'non-snakeoil' case
Package: ssl-cert
Version: 1.0.39
Severity: normal
Dear Maintainer,
using the script to create a custom self-signed cert, for example like so
# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf cert.pem
produces only one file, cert.pem, containing both the public and the
private key (script uses same file arg for --out and --keyout).
This is, at least, not useful out of the box. I would expect the
script to produce private and public key in separate files (like for
the snakeoil case).
The attached patch is a suggestion, assuming the script argument as
stem and creating separate .pem/.key files (ideally however, both
filenames can be given as argument).
Hth!
S
-- System Information:
Debian Release: 10.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-0.bpo.4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ssl-cert depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.72
ii openssl 1.1.1b-2
ssl-cert recommends no packages.
Versions of packages ssl-cert suggests:
pn openssl-blacklist <none>
-- debconf information excluded
commit edb701ff5440a09dc90f07038965f3c154fd8358
Author: Stephan Sürken <absurd@olurdix.de>
Date: Fri May 17 14:02:03 2019 +0200
make-ssl-cert[.8]: Make script work for the non-snakeoil case.
diff --git a/make-ssl-cert b/make-ssl-cert
index 152e9f9..45bcac7 100755
--- a/make-ssl-cert
+++ b/make-ssl-cert
@@ -104,16 +104,17 @@ umask 077
if [ "$1" != "generate-default-snakeoil" ]; then
if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
- -out $output -keyout $output > $TMPOUT 2>&1
+ -out ${output}.pem -keyout ${output}.key > $TMPOUT 2>&1
then
echo Could not create certificate. Openssl output was: >&2
cat $TMPOUT >&2
exit 1
fi
- chmod 600 $output
+ chmod 600 $output.key
+ chmod 644 $output.pem
# hash symlink
- cd $(dirname $output)
- ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output))
+ cd $(dirname $output.pem)
+ ln -sf $(basename $output.pem) $(openssl x509 -hash -noout -in $(basename $output.pem))
else
if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
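Review bot: the new `-out ${output}.pem -keyout ${output}.key` line silently changes what the second argument means. An existing caller that passes a full file name such as cert.pem (as in the report's own example) would now get cert.pem.pem and cert.pem.key, and the path it asked for would never be created. Consider keeping the given path for the certificate and deriving only the key path from it, or accepting the key file as a separate argument. Separately, the added lines mix `${output}.pem` with unquoted `$output.key` and `$output.pem` in the chmod, dirname and basename calls. Writing them as "${output}.key" and "${output}.pem" in double quotes keeps the style consistent and avoids word splitting when the path contains spaces.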
diff --git a/make-ssl-cert.8 b/make-ssl-cert.8
index 7916b25..a384a7e 100644
--- a/make-ssl-cert.8
+++ b/make-ssl-cert.8
@@ -3,7 +3,7 @@
make-ssl-cert - Debconf wrapper for openssl
.SH SYNOPSIS
.B make-ssl-cert
-\fItemplate\fR \fIoutput-certificate\fR [\fB\-\-force\-overwrite\fR]
+\fItemplate\fR \fIoutput-certificate-base\fR [\fB\-\-force\-overwrite\fR]
.br
.B make-ssl-cert generate-default-snakeoil
[\fB\-\-force\-overwrite\fR]
@@ -11,9 +11,9 @@ make-ssl-cert - Debconf wrapper for openssl
.SH "DESCRIPTION"
make-ssl-cert is a simple debconf to openssl wrapper to create self-signed
certificates.
-It requires a source template (Ex: /usr/share/ssl-cert/ssleay.cnf)
-and it will place the new generated certificate in the specified
-output file.
+It requires a source template (Ex: /usr/share/ssl-cert/ssleay.cnf) and
+it will place the new generated certificate in resp. file appendixed .pem
+(public cert) and .key (private key) from the given base name.
.br
Invoked with "generate-default-snakeoil", it will generate
/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key.
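Review bot: the replacement DESCRIPTION text "in resp. file appendixed .pem (public cert) and .key (private key) from the given base name" is hard to parse and should state the two output paths directly, for example "it writes the certificate to <base>.pem and the private key to <base>.key". Since the script change sets the key to mode 600 and the certificate to mode 644 and still creates the hash symlink next to the certificate, it would help to document those in the same paragraph so users know which of the generated files must stay private.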