[ssl_mgmt] Add some sanity checks
Check that openssl can read both the certificate and the key, and that they match each other.
parent
4d5efe91cc
commit
7bc13c2c89
|
@ -278,28 +278,54 @@ generate_cert ()
|
||||||
certFile=${certPath##*/}
|
certFile=${certPath##*/}
|
||||||
keyFile=${keyPath##*/}
|
keyFile=${keyPath##*/}
|
||||||
keycertFile=${service}-keycert.pem
|
keycertFile=${service}-keycert.pem
|
||||||
|
|
||||||
|
# Create the CSR and the key
|
||||||
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
|
openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
|
||||||
openssl req -in $csrSubdir/$reqFile -text -verify -noout
|
if ! openssl req -in $csrSubdir/$reqFile -text -verify -noout 2>/dev/null
|
||||||
|
then
|
||||||
|
echo "Generated CSR is corrupted." >&2
|
||||||
|
rm $csrSubdir/$reqFile $keySubdir/$keyFile
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
|
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
|
||||||
then
|
then
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
|
getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
|
||||||
chown --reference="$keyPath" $keySubdir/$keyFile
|
chown --reference="$keyPath" $keySubdir/$keyFile
|
||||||
if [ -z "$no_overwrite" ]
|
|
||||||
then
|
# Sign the CSR to make a certificate
|
||||||
if [ ! -f "$keyDestDir/$keyFile" ]
|
|
||||||
then
|
|
||||||
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
|
||||||
echo "there might be a problem." >&2
|
|
||||||
fi
|
|
||||||
mv $keySubdir/$keyFile $keyDestDir
|
|
||||||
fi
|
|
||||||
openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
|
openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
|
||||||
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
|
-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
|
||||||
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
|
-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
|
||||||
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
|
getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
|
||||||
chown --reference="$certPath" $certSubdir/$certFile
|
chown --reference="$certPath" $certSubdir/$certFile
|
||||||
|
|
||||||
|
# Safety check
|
||||||
|
if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
|
||||||
|
! openssl verify -CAfile $CACertPath $certSubdir/$certFile >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
echo "Generated certificate is corrupted." >&2
|
||||||
|
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if ! openssl rsa -noout -text -in $keySubdir/$keyFile >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
echo "Generated key is corrupted." >&2
|
||||||
|
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
certModulus=$(openssl x509 -noout -modulus -in $certSubdir/$certFile)
|
||||||
|
keyModulus=$(openssl rsa -noout -modulus -in $keySubdir/$keyFile)
|
||||||
|
if [ -z "$certModulus" -o "$certModulus" != "$keyModulus" ]
|
||||||
|
then
|
||||||
|
echo -n "Generated certificate and key do not match." >&2
|
||||||
|
echo " Aborting." >&2
|
||||||
|
rm $certSubdir/$certFile $keySubdir/$keyFile
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Notify and install the new certificate
|
||||||
if [ -z "$no_overwrite" ]
|
if [ -z "$no_overwrite" ]
|
||||||
then
|
then
|
||||||
if [ ! -f "$certDestDir/$certFile" ]
|
if [ ! -f "$certDestDir/$certFile" ]
|
||||||
|
@ -307,6 +333,12 @@ generate_cert ()
|
||||||
echo "No file named $certFile in directory $certDestDir:" >&2
|
echo "No file named $certFile in directory $certDestDir:" >&2
|
||||||
echo "there might be a problem" >&2
|
echo "there might be a problem" >&2
|
||||||
fi
|
fi
|
||||||
|
if [ ! -f "$keyDestDir/$keyFile" ]
|
||||||
|
then
|
||||||
|
echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
|
||||||
|
echo "there might be a problem." >&2
|
||||||
|
fi
|
||||||
|
mv $keySubdir/$keyFile $keyDestDir
|
||||||
fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
|
fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
|
||||||
fingerprint=${fingerprint#*=}
|
fingerprint=${fingerprint#*=}
|
||||||
if [ -n "$notifiedUsers" ]
|
if [ -n "$notifiedUsers" ]
|
||||||
|
|
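Review bot: The cleanup in the failure branches after `openssl ca` (the `rm $certSubdir/$certFile $keySubdir/$keyFile` lines following the certificate, key and modulus checks) only deletes the working copy of the certificate, while `openssl ca` has already recorded the issued certificate in the CA database (index.txt, serial and the copy under new_certs_dir), so a certificate that fails the modulus check is still an issued, unrevoked certificate from the CA's point of view. Consider revoking it in that branch before the `rm`, e.g. `openssl ca -config $opensslCnfFile -cert $CACertPath -keyfile $CAKeyPath -passin file:$rootCAPwdPath -revoke $certSubdir/$certFile`, or at least warn the operator that the CA records need cleanup. The `openssl rsa -noout -text` check and the `-modulus` comparison also assume an RSA key; if the openssl config can produce a non-RSA key both would report it as corrupted or mismatched, whereas comparing `openssl x509 -noout -pubkey -in "$certSubdir/$certFile"` against `openssl pkey -in "$keySubdir/$keyFile" -pubout` works for any key type. The `[ -z "$certModulus" -o ... ]` test and the unquoted paths in `rm` would be safer as `[[ -z "$certModulus" || "$certModulus" != "$keyModulus" ]]` and `rm -- "$certSubdir/$certFile" "$keySubdir/$keyFile"`. generate_cert begins and ends outside this section.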