[ssl_mgmt] Allow to specify a cert file
This commit is contained in:
parent
d6f92888a8
commit
cd637fbbfa
|
@ -30,10 +30,10 @@ usage ()
|
|||
progname=$1
|
||||
echo "Usage :"
|
||||
echo
|
||||
echo "$progname [-c] renew <service>"
|
||||
echo "$progname [-c] renew { <service> | <certificate file> }"
|
||||
echo "$progname -h"
|
||||
echo
|
||||
echo "First form renew the certificate of the given service"
|
||||
echo "First form renew the certificate specified as a file or a service name"
|
||||
echo
|
||||
echo "Possible option:"
|
||||
echo
|
||||
|
@ -131,15 +131,15 @@ get_field_from_line ()
|
|||
|
||||
get_cert_params ()
|
||||
{
|
||||
local - subject issuer dates ext fromDate toDate
|
||||
local - subject issuer dates ext fromDate toDate certPath
|
||||
|
||||
certFile="/etc/ssl/certs/${service}-cert.pem"
|
||||
subject="$(openssl x509 -in "$certFile" -noout -subject)"
|
||||
dates="$(openssl x509 -in "$certFile" -noout -dates)"
|
||||
certPath="$1"
|
||||
subject="$(openssl x509 -in "$certPath" -noout -subject)"
|
||||
dates="$(openssl x509 -in "$certPath" -noout -dates)"
|
||||
exclNoExt="-certopt no_header,no_version,no_serial,no_signame"
|
||||
exclNoExt="$exclNoExt,no_validity,no_subject,no_issuer,no_pubkey"
|
||||
exclNoExt="$exclNoExt,no_sigdump,no_aux"
|
||||
altName="$(openssl x509 -in "$certFile" -text $exclNoExt | while read ext
|
||||
altName="$(openssl x509 -in "$certPath" -text $exclNoExt | while read ext
|
||||
do
|
||||
if [ "$ext" = "X509v3 Subject Alternative Name:" ]
|
||||
then
|
||||
|
@ -206,22 +206,31 @@ generate_config ()
|
|||
|
||||
generate_cert ()
|
||||
{
|
||||
openssl req -new -nodes -out csr/${service}-req.pem -keyout newkeys/${service}-key.pem -config $confFile
|
||||
openssl req -in csr/${service}-req.pem -text -verify -noout
|
||||
local - service certPath keyPath reqFile certFile keyFile keycertFile
|
||||
service="$1"
|
||||
certPath="$2"
|
||||
keyPath="$3"
|
||||
|
||||
reqFile=${service}-req.pem
|
||||
certFile=${certPath##*/}
|
||||
keyFile=${keyPath##*/}
|
||||
keycertFile=${service}-keycert.pem
|
||||
openssl req -new -nodes -out csr/$reqFile -keyout newkeys/$keyFile -config $confFile
|
||||
openssl req -in csr/$reqFile -text -verify -noout
|
||||
if ! ask_user_default_no "Is the Certificate Signing Request correct?"
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
mv newkeys/${service}-key.pem private
|
||||
openssl ca -batch -out newcerts/${service}-cert.pem -config $confFile -passin file:/root/passwords/root_ca -infiles csr/${service}-req.pem
|
||||
mv newcerts/${service}-cert.pem certs
|
||||
cat private/${service}-key.pem certs/${service}-cert.pem > private/${service}-keycert.pem
|
||||
mv newkeys/$keyFile private
|
||||
openssl ca -batch -out newcerts/$certFile -config $confFile -passin file:/root/passwords/root_ca -infiles csr/$reqFile
|
||||
mv newcerts/$certFile certs
|
||||
cat private/$keyFile certs/$certFile > private/$keycertFile
|
||||
return 0
|
||||
}
|
||||
|
||||
main ()
|
||||
{
|
||||
local - ret servicesok
|
||||
local - ret servicesok certPath keyPath
|
||||
ret=0
|
||||
parse_args "$@"
|
||||
# This test should be useless if rights on this file are corrects
|
||||
|
@ -244,13 +253,28 @@ main ()
|
|||
for service in $services
|
||||
do
|
||||
servicesok=""
|
||||
get_cert_params
|
||||
certPath="$service"
|
||||
if [ -f "$certPath" ]
|
||||
then
|
||||
service="${service##*/}"
|
||||
service="${service%.*}"
|
||||
keyPath="/etc/ssl/private/${service}.key"
|
||||
else
|
||||
certPath="/etc/ssl/certs/${service}-cert.pem"
|
||||
keyPath="/etc/ssl/private/${service}-key.pem"
|
||||
fi
|
||||
if [ ! -f "$certPath" ]
|
||||
then
|
||||
ret=1
|
||||
continue
|
||||
fi
|
||||
get_cert_params "$certPath"
|
||||
generate_config
|
||||
if [ -n "$config_only" ]
|
||||
then
|
||||
continue
|
||||
fi
|
||||
if ! generate_cert
|
||||
if ! generate_cert "$service" "$certPath" "$keyPath"
|
||||
then
|
||||
ret=1
|
||||
else
|
||||
|
|