[1/3] add ECDSA key generation to httpscert

Message ID 20170904202139.4255a2fe.peter.mueller@link38.eu
State New
Headers show
Series
  • [1/3] add ECDSA key generation to httpscert
Related show

Commit Message

Peter Müller Sept. 4, 2017, 6:21 p.m.
Add ECDSA server certificate and key generation to httpscert.
The key has a length of 384 bits, which equals > 4096 bits RSA
and should be sufficient.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---

Patch

diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index e20f789ed..b38db9fbb 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
@@ -7,16 +7,23 @@ 
 case "$1" in
   new)
 	if [ ! -f /etc/httpd/server.key ]; then
-		echo "Generating https server key."
+		echo "Generating https RSA server key."
 		/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
+		echo "Generating https ECDSA server key."
+		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key 
 	fi
-	echo "Generating CSR"
+	echo "Generating CSRs"
 	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
 		req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
-	echo "Signing certificate"
+	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+		req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+	echo "Signing certificates"
 	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
 		/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
 		/etc/httpd/server.crt
+	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+		/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+		/etc/httpd/server-ecdsa.crt
  	;;
   read)
 	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then