Re: mod-ssl
On Sun, Mar 04, 2001 at 17:51:52 -0500, MaD dUCK wrote:
> so i established my own certificate authority and have a server
> certification - and now i would like to create a new server
> certificate, signed by the same ca. however, when i do
> mod-ssl-makecert
It appears mod-ssl-makecert wasn't written to deal with this case. Here's a
modified version - use at your own peril, and make sure you have a ca.config
(see the one that's commented out for inspiration).
HTH,
Ray
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
##
# Modified by Ray Dassen <jdassen@cistron-office.nl>
set -e
# argument line handling
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
CSR=$1
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
# derive the certificate file name from the CSR file name
case $CSR in
    *.csr ) CERT=$(echo "$CSR" | sed -e 's/\.csr$/.crt/') ;;
    * ) CERT="$CSR.crt" ;;
esac
# make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi
# use an existing CA configuration instead of generating one on each run
CACONFIG=/home/staff/admin/CA/ca.config
if [ ! -r "$CACONFIG" ]; then
    echo "Can't read $CACONFIG"
    exit 1
fi
## create an own SSLeay config
#cat >ca.config <<EOT
#[ ca ]
#default_ca = CA_own
#[ CA_own ]
#dir = .
#certs = \$dir
#new_certs_dir = \$dir/ca.db.certs
#database = \$dir/ca.db.index
#serial = \$dir/ca.db.serial
#RANDFILE = \$dir/ca.db.rand
#certificate = \$dir/ca.crt
#private_key = \$dir/ca.key
#default_days = 365
#default_crl_days = 30
#default_md = md5
#preserve = no
#policy = policy_anything
#[ policy_anything ]
#countryName = optional
#stateOrProvinceName = optional
#localityName = optional
#organizationName = optional
#organizationalUnitName = optional
#commonName = supplied
#emailAddress = optional
#EOT
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config "$CACONFIG" -out "$CERT" -infiles "$CSR"
# check that the new certificate chains to the CA certificate
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt "$CERT"
# cleanup after SSLeay
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully
exit 0
--
Furthermore, I am of the opinion that the Netherlands ought to be roofed over.