[ssl_mgmt] Allow to specify a cert file

This commit is contained in:
Thomas Preud'homme 2014-03-09 16:54:06 +08:00
parent d6f92888a8
commit cd637fbbfa
1 changed files with 40 additions and 16 deletions


@ -30,10 +30,10 @@ usage ()
progname=$1
echo "Usage :"
echo
echo "$progname [-c] renew <service>"
echo "$progname [-c] renew { <service> | <certificate file> }"
echo "$progname -h"
echo
echo "First form renew the certificate of the given service"
echo "First form renew the certificate specified as a file or a service name"
echo
echo "Possible option:"
echo
@ -131,15 +131,15 @@ get_field_from_line ()
get_cert_params ()
{
local - subject issuer dates ext fromDate toDate
local - subject issuer dates ext fromDate toDate certPath
certFile="/etc/ssl/certs/${service}-cert.pem"
subject="$(openssl x509 -in "$certFile" -noout -subject)"
dates="$(openssl x509 -in "$certFile" -noout -dates)"
certPath="$1"
subject="$(openssl x509 -in "$certPath" -noout -subject)"
dates="$(openssl x509 -in "$certPath" -noout -dates)"
exclNoExt="-certopt no_header,no_version,no_serial,no_signame"
exclNoExt="$exclNoExt,no_validity,no_subject,no_issuer,no_pubkey"
exclNoExt="$exclNoExt,no_sigdump,no_aux"
altName="$(openssl x509 -in "$certFile" -text $exclNoExt | while read ext
altName="$(openssl x509 -in "$certPath" -text $exclNoExt | while read ext
do
if [ "$ext" = "X509v3 Subject Alternative Name:" ]
then
@ -206,22 +206,31 @@ generate_config ()
generate_cert ()
{
openssl req -new -nodes -out csr/${service}-req.pem -keyout newkeys/${service}-key.pem -config $confFile
openssl req -in csr/${service}-req.pem -text -verify -noout
local - service certPath keyPath reqFile certFile keyFile keycertFile
service="$1"
certPath="$2"
keyPath="$3"
reqFile=${service}-req.pem
certFile=${certPath##*/}
keyFile=${keyPath##*/}
keycertFile=${service}-keycert.pem
openssl req -new -nodes -out csr/$reqFile -keyout newkeys/$keyFile -config $confFile
openssl req -in csr/$reqFile -text -verify -noout
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
then
return 1
fi
mv newkeys/${service}-key.pem private
openssl ca -batch -out newcerts/${service}-cert.pem -config $confFile -passin file:/root/passwords/root_ca -infiles csr/${service}-req.pem
mv newcerts/${service}-cert.pem certs
cat private/${service}-key.pem certs/${service}-cert.pem > private/${service}-keycert.pem
mv newkeys/$keyFile private
openssl ca -batch -out newcerts/$certFile -config $confFile -passin file:/root/passwords/root_ca -infiles csr/$reqFile
mv newcerts/$certFile certs
cat private/$keyFile certs/$certFile > private/$keycertFile
return 0
}
main ()
{
local - ret servicesok
local - ret servicesok certPath keyPath
ret=0
parse_args "$@"
# This test should be useless if rights on this file are corrects
@ -244,13 +253,28 @@ main ()
for service in $services
do
servicesok=""
get_cert_params
certPath="$service"
if [ -f "$certPath" ]
then
service="${service##*/}"
service="${service%.*}"
keyPath="/etc/ssl/private/${service}.key"
else
certPath="/etc/ssl/certs/${service}-cert.pem"
keyPath="/etc/ssl/private/${service}-key.pem"
fi
if [ ! -f "$certPath" ]
then
ret=1
continue
fi
get_cert_params "$certPath"
generate_config
if [ -n "$config_only" ]
then
continue
fi
if ! generate_cert
if ! generate_cert "$service" "$certPath" "$keyPath"
then
ret=1
else
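Review bot: The `if [ ! -f "$certPath" ]` guard in main sets `ret=1` and continues without reporting which path was missing, so a mistyped service name or file argument fails silently and the caller only sees the aggregate exit status; add `echo "$certPath: certificate file not found" >&2` before the `continue`. The two branches above it also derive the key name differently — a service name maps to `/etc/ssl/private/${service}-key.pem`, while a file argument maps the stripped basename to `/etc/ssl/private/${service}.key` — so passing a service's own certificate path (for instance the `${service}-cert.pem` file the other branch builds) appears to yield the service name `<name>-cert` and a different key and keycert filename in generate_cert than passing the bare service name; if that is unintended, the file branch should strip the `-cert` suffix as well, otherwise the usage text should state that file arguments follow a separate naming scheme. Note too that `for service in $services` relies on word-splitting, so a certificate path containing spaces would be split into several arguments; the loop body continues past the end of this hunk.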