[ssl_mgmt] Set ownership and rights of keycert
This commit is contained in:
parent
ccfdd24ff3
commit
519303988c
@ -285,6 +285,7 @@ generate_cert ()
certFile=${certPath##*/}
certFile=${certPath##*/}
keyFile=${keyPath##*/}
keyFile=${keyPath##*/}
keycertFile=${service}-keycert.pem
keycertFile=${service}-keycert.pem
keycertPath=${keyPath%/*}/$keycertFile
# Create the CSR and the key
# Create the CSR and the key
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
@ -298,6 +299,7 @@ generate_cert ()
then
then
return 1
return 1
fi
fi
# Sets ownership and access rights of the key
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
chown --reference="$keyPath" $keySubdir/$keyFile
chown --reference="$keyPath" $keySubdir/$keyFile
@ -306,8 +308,11 @@ generate_cert ()
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
# Create the keycert file (file with merged key and certificate)
# Create the keycert file (file with merged key and certificate) and
# sets its ownership and access rights
cat $keySubdir/$keyFile $certSubdir/$certFile > $keySubdir/$keycertFile
cat $keySubdir/$keyFile $certSubdir/$certFile > $keySubdir/$keycertFile
getfacl "$keycertPath" | setfacl --set-file=- $keySubdir/$keycertFile
chown --reference="$keycertPath" $keySubdir/$keycertFile
# Safety check
# Safety check
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
@ -333,11 +338,9 @@ generate_cert ()
return 1
return 1
fi
fi
# Sets ownership and rights of generated files
# Sets ownership and access rights of the certificate
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
chown --reference="$certPath" $certSubdir/$certFile
chown --reference="$certPath" $certSubdir/$certFile
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keycertFile
chown --reference="$keyPath" $keySubdir/$keycertFile
# Notify and install the new certificate
# Notify and install the new certificate
if [ -z "$no_overwrite" ]
if [ -z "$no_overwrite" ]
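Review bot: The new keycert ACL step `getfacl "$keycertPath" | setfacl --set-file=- $keySubdir/$keycertFile` takes its reference from the installed keycert, which, unlike the key the last hunk stops using as reference, may not exist yet on a first generation; getfacl then prints nothing, setfacl has no entries to apply, and only setfacl's status is visible to the caller, so the merged private key keeps whatever mode the `cat ... >` redirection created it with. generate_cert starts before the first hunk and continues after the last one, so I cannot see whether `set -o pipefail` or an existence check covers this elsewhere in the function. I would create the file under a restrictive umask and fail loudly when the reference is missing, `( umask 077; cat "$keySubdir/$keyFile" "$certSubdir/$certFile" > "$keySubdir/$keycertFile" )` followed by `[ -e "$keycertPath" ] || return 1`, or fall back to `getfacl "$keyPath"` as the removed lines did if a missing installed keycert is a legitimate first-run case. The same unchecked getfacl-into-setfacl pipeline is added for the key in the second hunk and should get the same treatment.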
@ -0,0 +1,3 @@
chmod u+rwx ./destdir/private/foo-keycert.pem \
&& keyId= cnfFilePath=./ssl_mgmt.conf ../ssl_mgmt renew foo \
&& getfacl ./destdir/private/foo-keycert.pem | grep "user::rwx"
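Review bot: The final assertion `getfacl ./destdir/private/foo-keycert.pem | grep "user::rwx"` only checks that the owner entry was carried over to the regenerated keycert; for a file that contains the private key the property worth pinning is that the group and other entries were not widened by the rewrite, so I would add a second grep on those entries with whatever the fixture installs (presumably `group::---` and `other::---`, to be confirmed against save_foo_init). Using `grep -q` for both checks keeps the test's exit status as its only output.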
@ -0,0 +1,2 @@
echo
echo "y"
@ -0,0 +1 @@
../restore_foo_fini
@ -0,0 +1 @@
../save_foo_init