2012-02-20 17:40:09 +01:00
ssl_mgmt is a helper to manage SSL certificates: creation, renewal and removal.
2012-02-20 17:23:33 +01:00
So far, only renewal is supported.
ssl_mgmt refers to certificates by the service they are associated with
(for example, https).
*** EXAMPLES ***
To renew the certificate associated with HTTPS, the command line is:
ssl_mgmt renew https
To renew the certificates of all services, run:
ssl_mgmt renew all
Note: this assumes that

* all services are listed in /root/homemade_certs;

* directories have special rights (setgid bit and default ACLs, shown
  below) so that newly created certificates and keys automatically get
  proper rights;

* the root CA is already created;

* openssl.cnf.in is copied to the CA hierarchy's root.
The file system hierarchy assumed, rooted at /usr/lib/ssl/CA, is:
lrwxrwxrwx  1 root root       14  6 Jan   2010 certs -> /etc/ssl/certs
drws--S---+ 2 root ssl-cert 4096 23 Jan   2011 csr
-rw-------  1 root ssl-cert 1937 20 Feb  16:38 index.txt
-rw-------  1 root ssl-cert   20 20 Feb  16:38 index.txt.attr
drwSr-Sr--+ 2 root ssl-cert 4096 20 Feb  16:38 newcerts
drwSr-S---+ 2 root ssl-cert 4096 20 Feb  16:38 newkeys
-rw-r--r--  1 root ssl-cert 1546 20 Feb  14:24 openssl.cnf.in
lrwxrwxrwx  1 root root       16  6 Jan   2010 private -> /etc/ssl/private
-rw-------  1 root ssl-cert    3 20 Feb  16:38 serial
The ACLs on csr, newcerts and newkeys, as shown by getfacl (note that
none of these directories carries an execute bit for group or other, so
members of ssl-cert can at most list them but not open the files inside;
only root, which the script runs as, reaches the keys):
# file: usr/lib/ssl/CA/csr
# owner: root
# group: ssl-cert
# flags: ss-
user::rwx
group::---
other::---
default:user::rw-
default:group::r--
default:other::---
# file: usr/lib/ssl/CA/newcerts
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::r--
other::r--
default:user::rw-
default:group::r--
default:other::r--
# file: usr/lib/ssl/CA/newkeys
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::r--
other::---
default:user::rw-
default:group::r--
default:other::---
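As an added example (it is not part of ssl_mgmt), the following POSIX sh function audits a getfacl dump of a private-key directory such as newkeys before trusting it: it rejects any access or default entry that gives "other" a permission, or that lets the owning group write, because the default ACL is what every newly created key inherits. The two dumps embedded in the block are constructed for the example (the first copies the newkeys ACL above, the second is a deliberately weakened variant), and the rules and the function name audit_key_acl are assumptions of this example, not checks the script performs.

```shell
#!/bin/sh
# Added example, not part of ssl_mgmt: audit a getfacl dump of a
# private-key directory (such as newkeys) before trusting it.
#
# Rules (assumptions of this example, not rules enforced by the script):
#   - "other" must have no permission on the access ACL or the default ACL;
#   - the owning group must not be able to write on either;
# the default ACL matters because it is what newly created keys inherit.

# Constructed sample: the newkeys ACL as documented in the README.
NEWKEYS_ACL='# file: usr/lib/ssl/CA/newkeys
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::r--
other::---
default:user::rw-
default:group::r--
default:other::---'

# Constructed sample: a deliberately weakened variant (group write,
# other read on both the access and the default ACL).
WEAK_ACL='# file: usr/lib/ssl/CA/newkeys
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::rw-
other::r--
default:user::rw-
default:group::r--
default:other::r--'

# audit_key_acl: reads getfacl output on stdin, prints one FAIL line per
# offending entry and returns 1 if any was found, 0 otherwise.
audit_key_acl() {
    awk -F: '
        /^#/ { next }                          # getfacl header lines
        {
            sub(/[ \t]+#.*$/, "")              # drop "#effective:..." notes
            kind = $1; perm = $NF              # user::rw-  /  default:other::r--
            if (kind == "default") kind = "default:" $2
            if ((kind == "other" || kind == "default:other") && perm != "---") {
                print "FAIL " $0 ": other has access"; bad = 1
            }
            if ((kind == "group" || kind == "default:group") && perm ~ /w/) {
                print "FAIL " $0 ": group can write"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Usage: audit both constructed samples (on a live system:
#   getfacl /usr/lib/ssl/CA/newkeys | audit_key_acl).
printf '%s\n' "$NEWKEYS_ACL" | audit_key_acl && echo "newkeys ACL: OK"
printf '%s\n' "$WEAK_ACL" | audit_key_acl || echo "weakened ACL: rejected"
```

Run it against the live directory with `getfacl /usr/lib/ssl/CA/newkeys | audit_key_acl` (and likewise for csr, which holds the requests). It is not meant for newcerts, whose other::r-- is intended since certificates are public.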
To use this script, you have to be root, or be able to execute
commands with root privileges through sudo.

You should install it in a directory within the PATH of the root user,
such as /usr/local/sbin.