From patchwork Tue Sep 5 04:21:39 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1403 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 03C2661AB5 for ; Mon, 4 Sep 2017 20:21:54 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 29E6D2845; Mon, 4 Sep 2017 20:21:52 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id 7B1E22845 for ; Mon, 4 Sep 2017 20:21:50 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 3B2AB410BC for ; Mon, 4 Sep 2017 20:21:40 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id F2E0F9F315 for ; Mon, 4 Sep 2017 20:21:39 +0200 (CEST) Date: Mon, 4 Sep 2017 20:21:39 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH 1/3] add ECDSA key generation to httpscert Message-ID: <20170904202139.4255a2fe.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient. Signed-off-by: Peter Müller diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..b38db9fbb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,23 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating https RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 + echo "Generating https ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key fi - echo "Generating CSR" + echo "Generating CSRs" /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + echo "Signing certificates" /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ /etc/httpd/server.crt + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then