[ssl_mgmt] Add some sanity checks
Check openssl can read both certificate and key and that they match each other.
This commit is contained in:
parent
4d5efe91cc
commit
7bc13c2c89
|
@ -278,28 +278,54 @@ generate_cert ()
|
|||
certFile=${certPath##*/}
|
||||
keyFile=${keyPath##*/}
|
||||
keycertFile=${service}-keycert.pem
|
||||
|
||||
# Create the CSR and the key
|
||||
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
|
||||
openssl req -in $csrSubdir/$reqFile -text -verify -noout
|
||||
if ! openssl req -in $csrSubdir/$reqFile -text -verify -noout 2>/dev/null
|
||||
then
|
||||
echo "Generated CSR is corrupted." >&2
|
||||
rm $csrSubdir/$reqFile $keySubdir/$keyFile
|
||||
return 1
|
||||
fi
|
||||
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
|
||||
chown --reference="$keyPath" $keySubdir/$keyFile
|
||||
if [ -z "$no_overwrite" ]
|
||||
then
|
||||
if [ ! -f "$keyDestDir/$keyFile" ]
|
||||
then
|
||||
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
||||
echo "there might be a problem." >&2
|
||||
fi
|
||||
mv $keySubdir/$keyFile $keyDestDir
|
||||
fi
|
||||
|
||||
# Sign the CSR to make a certificate
|
||||
openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
|
||||
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
|
||||
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
|
||||
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
|
||||
chown --reference="$certPath" $certSubdir/$certFile
|
||||
|
||||
# Safety check
|
||||
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
|
||||
! openssl verify -CAfile $CACertPath $certSubdir/$certFile >/dev/null 2>&1
|
||||
then
|
||||
echo "Generated certificate is corrupted." >&2
|
||||
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||
return 1
|
||||
fi
|
||||
if ! openssl rsa -noout -text -in $keySubdir/$keyFile >/dev/null 2>&1
|
||||
then
|
||||
echo "Generated key is corrupted." >&2
|
||||
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||
return 1
|
||||
fi
|
||||
certModulus=$(openssl x509 -noout -modulus -in $certSubdir/$certFile)
|
||||
keyModulus=$(openssl rsa -noout -modulus -in $keySubdir/$keyFile)
|
||||
if [ -z "$certModulus" -o "$certModulus" != "$keyModulus" ]
|
||||
then
|
||||
echo -n "Generated certificate and key do not match." >&2
|
||||
echo " Aborting." >&2
|
||||
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Notify and install the new certificate
|
||||
if [ -z "$no_overwrite" ]
|
||||
then
|
||||
if [ ! -f "$certDestDir/$certFile" ]
|
||||
|
@ -307,6 +333,12 @@ generate_cert ()
|
|||
echo "No file named $certFile in directory $certDestDir:" >&2
|
||||
echo "there might be a problem" >&2
|
||||
fi
|
||||
if [ ! -f "$keyDestDir/$keyFile" ]
|
||||
then
|
||||
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
||||
echo "there might be a problem." >&2
|
||||
fi
|
||||
mv $keySubdir/$keyFile $keyDestDir
|
||||
fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
|
||||
fingerprint=${fingerprint#*=}
|
||||
if [ -n "$notifiedUsers" ]
|
||||
|
|
Loading…
Reference in New Issue