Author: Diane Trout <diane@ghic.org>
Subject: Delete keys that are too small
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898969
--- a/dnssec-trigger-control-setup.sh.in
+++ b/dnssec-trigger-control-setup.sh.in
@@ -172,6 +172,22 @@
exit 0
fi
+# remove (to regenerate) keys that are too small)
+function debian_get_x509_bits () {
+ openssl x509 -in $1 -text | \
+ grep 'Public-Key:' |
+ awk 'match($0,/[0-9]+/) {print substr($0, RSTART, RLENGTH)}';
+}
+function debian_remove_small_keys () {
+ if test -f $1.pem; then
+ if [ $(debian_get_x509_bits $1.pem) -lt $BITS ]; then
+ rm $1.{key,pem};
+ fi
+ fi
+}
+debian_remove_small_keys $SVR_BASE
+debian_remove_small_keys $CTL_BASE
+
# create certificate keys; do not recreate if they already exist.
if test -f $SVR_BASE.key; then
echo "$SVR_BASE.key exists"
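Review bot: `debian_remove_small_keys` only checks when `$1.pem` exists, so a too-small `$1.key` whose certificate is missing survives and is then reused by the `if test -f $SVR_BASE.key` / `echo "$SVR_BASE.key exists"` branch visible at the end of this hunk; measuring the key file itself (for example with `openssl rsa -noout -text -in "$1.key"`) or deleting an orphaned small key would close that gap. When `openssl x509` cannot parse the file, `debian_get_x509_bits` prints nothing, the `[ ... -lt $BITS ]` test fails with a syntax error and the key is silently kept; capturing the value first, `bits=$(debian_get_x509_bits "$1.pem")` followed by `[ -n "$bits" ] || error "could not read key size of $1.pem"`, makes that failure visible. Regenerating the server pair also orphans an existing `$CTL_BASE.pem`, which the later hunks sign with the old server certificate, so the client certificate should be removed whenever the server key is. `$1`, `$SVR_BASE`, `$CTL_BASE` and `$BITS` are unquoted throughout the new lines.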
@@ -186,8 +202,11 @@
openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
fi
-# create self-signed cert for server
-cat >request.cfg <<EOF
+if test -f $SVR_BASE.pem; then
+ echo "$SVR_BASE.pem exists"
+else
+ # create self-signed cert for server
+ cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
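Review bot: The new guard `if test -f $SVR_BASE.pem; then` skips the whole server branch, including the `_trust.pem` regeneration that the next hunk moves inside it, so a deployment with `$SVR_BASE.pem` present but `$SVR_BASE"_trust.pem"` missing never recreates the trust file that the client signing step later passes as `-CA`. Extending the condition, `if test -f $SVR_BASE.pem && test -f $SVR_BASE"_trust.pem"; then`, keeps the skip only when both outputs exist. The `if` opened here is closed in the following hunk.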
@@ -197,15 +216,19 @@
[req_distinguished_name]
commonName=$SERVERNAME
EOF
-test -f request.cfg || error "could not create request.cfg"
+ test -f request.cfg || error "could not create request.cfg"
-echo "create $SVR_BASE.pem (self signed certificate)"
-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
-# create trusted usage pem
-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+ echo "create $SVR_BASE.pem (self signed certificate)"
+ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+ # create trusted usage pem
+ openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+fi
-# create client request and sign it, piped
-cat >request.cfg <<EOF
+if test -f $CTL_BASE.pem; then
+ echo "$CTL_BASE.pem already exists"
+else
+ # create client request and sign it, piped
+ cat >request.cfg <<EOF
[req]
default_bits=$BITS
default_md=$HASH
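Review bot: The client branch reports `echo "$CTL_BASE.pem already exists"` while the server branch in the previous hunk and the `.key` checks use the shorter `... exists` wording; `echo "$CTL_BASE.pem exists"` keeps the script's messages uniform for anyone grepping its output. The `if test -f $CTL_BASE.pem` opened at the end of this hunk is closed in the next one.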
@@ -215,11 +238,13 @@
[req_distinguished_name]
commonName=$CLIENTNAME
EOF
-test -f request.cfg || error "could not create request.cfg"
+ test -f request.cfg || error "could not create request.cfg"
+
+ echo "create $CTL_BASE.pem (signed client certificate)"
+ openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
+ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
+fi
-echo "create $CTL_BASE.pem (signed client certificate)"
-openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
-test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"