[1/3] add ECDSA key generation to httpscert
Commit Message
Add ECDSA server certificate and key generation to httpscert.
The key has a length of 384 bits, which equals > 4096 bits RSA
and should be sufficient.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
Comments
Hi,
On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
> Add ECDSA server certificate and key generation to httpscert.
> The key has a length of 384 bits, which equals > 4096 bits RSA
> and should be sufficient.
Why 384 and not longer?
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> index e20f789ed..b38db9fbb 100644
> --- a/src/scripts/httpscert
> +++ b/src/scripts/httpscert
> @@ -7,16 +7,23 @@
> case "$1" in
> new)
> if [ ! -f /etc/httpd/server.key ]; then
> - echo "Generating https server key."
> + echo "Generating https RSA server key."
> /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
> + echo "Generating https ECDSA server key."
> + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
> fi
This command should have its own if block so that it will be generated
if the RSA key already exists.
Not sure if this script will keep the RSA certificate or sign that
again when run with the "new" parameter. Is that good or bad?
> - echo "Generating CSR"
> + echo "Generating CSRs"
> /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
> - echo "Signing certificate"
> + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> + echo "Signing certificates"
> /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
> /etc/httpd/server.crt
> + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> + /etc/httpd/server-ecdsa.crt
> ;;
> read)
> if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
-Michael
Hello Michael,
> Hi,
>
> On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
> > Add ECDSA server certificate and key generation to httpscert.
> > The key has a length of 384 bits, which equals > 4096 bits RSA
> > and should be sufficient.
>
> Why 384 and not longer?
Because some browsers (even modern ones) do not support anything
longer. Further, it still is better than anything we get with 4096-RSA,
so I assume 384 bits ECDSA is enough.
>
> >
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> > diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> > index e20f789ed..b38db9fbb 100644
> > --- a/src/scripts/httpscert
> > +++ b/src/scripts/httpscert
> > @@ -7,16 +7,23 @@
> > case "$1" in
> > new)
> > if [ ! -f /etc/httpd/server.key ]; then
> > - echo "Generating https server key."
> > + echo "Generating https RSA server key."
> > /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
> > + echo "Generating https ECDSA server key."
> > + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
> > fi
>
> This command should have its own if block so that it will be generated
> if the RSA key already exists.
OK, I will change this.
>
> Not sure if this script will keep the RSA certificate or sign that
> again when run with the "new" parameter. Is that good or bad?
I will do some research here, but it seems more elegant to me to pack
key generation and signing commands in one block for each RSA and ECDSA.
That way, if one of them already exists, it won't be touched.
Best regards,
Peter Müller
>
> > - echo "Generating CSR"
> > + echo "Generating CSRs"
> > /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> > req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
> > - echo "Signing certificate"
> > + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> > + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> > + echo "Signing certificates"
> > /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> > /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
> > /etc/httpd/server.crt
> > + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> > + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> > + /etc/httpd/server-ecdsa.crt
> > ;;
> > read)
> > if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
>
> -Michael
@@ -7,16 +7,23 @@
case "$1" in
new)
if [ ! -f /etc/httpd/server.key ]; then
- echo "Generating https server key."
+ echo "Generating https RSA server key."
/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
+ echo "Generating https ECDSA server key."
+ /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
fi
- echo "Generating CSR"
+ echo "Generating CSRs"
/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
- echo "Signing certificate"
+ /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+ req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+ echo "Signing certificates"
/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
/etc/httpd/server.crt
+ /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+ /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+ /etc/httpd/server-ecdsa.crt
;;
read)
if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then