[v2,1/3] add ECDSA key generation to httpscert
Commit Message
Add ECDSA server certificate and key generation to httpscert.
The key has a length of 384 bits, which equals > 4096 bits RSA
and should be sufficient.
Changed since v1: Do not regenerate or oversign existing keys
or CSRs.
This patch depends on:
- v1 2/3 add ECDSA certificate and key files to Apache configuration
- v2 3/3 generate ECDSA certificate and key on existing installations
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
Comments
Hi,
this patch doesn't apply because all tabs seem to have been converted to spaces.
Also, where is patch 2 of this patchset?
-Michael
On Wed, 2017-10-04 at 21:38 +0200, Peter Müller wrote:
> Add ECDSA server certificate and key generation to httpscert.
> The key has a length of 384 bits, which equals > 4096 bits RSA
> and should be sufficient.
>
> Changed since v1: Do not regenerate or oversign existing keys
> or CSRs.
>
> This patch depends on:
> - v1 2/3 add ECDSA certificate and key files to Apache configuration
> - v2 3/3 generate ECDSA certificate and key on existing installations
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> index e20f789ed..52932bc70 100644
> --- a/src/scripts/httpscert
> +++ b/src/scripts/httpscert
> @@ -7,16 +7,35 @@
> case "$1" in
> new)
> if [ ! -f /etc/httpd/server.key ]; then
> - echo "Generating https server key."
> + echo "Generating HTTPS RSA server key."
> /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
> fi
> - echo "Generating CSR"
> - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" |
> /usr/bin/openssl \
> - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
> - echo "Signing certificate"
> - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
> - /etc/httpd/server.crt
> + if [ ! -f /etc/httpd/server-ecdsa.key ]; then
> + echo "Generating HTTPS ECDSA server key."
> + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec
> -out /etc/httpd/server-ecdsa.key
> + fi
> +
> + echo "Generating CSRs"
> + if [ ! -f /etc/httpd/server.csr ]; then
> + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" |
> /usr/bin/openssl \
> + req -new -key /etc/httpd/server.key -out
> /etc/httpd/server.csr
> + fi
> + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
> + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" |
> /usr/bin/openssl \
> + req -new -key /etc/httpd/server-ecdsa.key -out
> /etc/httpd/server-ecdsa.csr
> + fi
> +
> + echo "Signing certificates"
> + if [ ! -f /etc/httpd/server.crt ]; then
> + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> + /etc/httpd/server.csr -signkey /etc/httpd/server.key
> -out \
> + /etc/httpd/server.crt
> + fi
> + if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
> + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> + /etc/httpd/server-ecdsa.csr -signkey
> /etc/httpd/server-ecdsa.key -out \
> + /etc/httpd/server-ecdsa.crt
> + fi
> ;;
> read)
> if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f
> /etc/httpd/server.csr ]; then
@@ -7,16 +7,35 @@
case "$1" in
new)
if [ ! -f /etc/httpd/server.key ]; then
- echo "Generating https server key."
+ echo "Generating HTTPS RSA server key."
/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
fi
- echo "Generating CSR"
- /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
- req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
- echo "Signing certificate"
- /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
- /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
- /etc/httpd/server.crt
+ if [ ! -f /etc/httpd/server-ecdsa.key ]; then
+ echo "Generating HTTPS ECDSA server key."
+ /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+ fi
+
+ echo "Generating CSRs"
+ if [ ! -f /etc/httpd/server.csr ]; then
+ /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
+ fi
+ if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
+ /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+ req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+ fi
+
+ echo "Signing certificates"
+ if [ ! -f /etc/httpd/server.crt ]; then
+ /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
+ /etc/httpd/server.crt
+ fi
+ if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
+ /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+ /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+ /etc/httpd/server-ecdsa.crt
+ fi
;;
read)
if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then