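#!/bin/sh
# Generate an RSA private key and a Certificate Signing Request (CSR) whose
# subjectAltName lists every ServerName and ServerAlias found in the vhost
# files under $HTTPD_VHOSTS_DIR, plus every domain in the Mailman domain list.
# The CSR is printed in the form the CAcert.org web site expects.
#
# PLEASE NOTE:
#
# 1. The variables in the "site configuration" section below WILL need
#    editing for each server you install this on.
#
# 2. The private key is written UNENCRYPTED (encrypt_key = no in the generated
#    OpenSSL config, so the web server can start unattended).  It is protected
#    only by file permissions: umask 077 is forced before anything is created
#    and the key is chmod 600'd afterwards.  Run this as the user that should
#    own the key (root, given the paths below).
#
# 3. Directive values are read as found in the vhost files: every value on a
#    "ServerAlias a b c" line is taken, lines commented out with '#' are
#    skipped, a trailing ":port" on a ServerName is dropped, and wildcard
#    aliases such as *.example.org are kept verbatim (they become wildcard
#    SAN entries).  The vhost files and the Mailman list are treated as
#    administrator-owned input, not as untrusted data.
#
# Chris
# 29th April 2007

# Abort on the first failing command and on use of an unset variable.  Both
# are POSIX sh options (no bashisms in this file, the shebang is /bin/sh).
set -eu

# ===========================
#
# Site configuration: please check all the variables in this part of the
# script.  Most will probably need changing for each server you install
# this on.
#
##HTTPD_VHOSTS_DIR=/etc/httpd/vhosts-ssl.d/
HTTPD_VHOSTS_DIR="/etc/apache-ssl/redcta_hacks/"
MAILMAN_DOMAINS_FILE="/etc/mailman/domains_list.txt"
DATE=$(date "+%Y-%m-%d_%H-%M-%S")
CERTS_DIR="/root/certs/crypt"
CERTS_DIR_NEW="$CERTS_DIR/.$DATE"
HOST=german
COMMONNAME=ssl.redcta.org.ar
KEY_BITS=2048
#
# ===========================

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print every value of one Apache directive from the vhost files, one per line.
# Globals:   HTTPD_VHOSTS_DIR (read)
# Arguments: $1 - directive name, e.g. ServerName (compared case-insensitively,
#                 as Apache does with directive names)
# Outputs:   one hostname per line; all values on a matching line are emitted,
#            and a trailing ":port" is stripped from each value
# Notes:     only lines whose FIRST word is the directive match, so a commented
#            out "#ServerName old.example.org" no longer leaks into the SAN
#            list (the previous plain grep matched it).  An empty or missing
#            vhost directory yields no output rather than an error.
#######################################
vhost_directive_values() {
  _want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v want="$_want" '
    tolower($1) == want {
      for (i = 2; i <= NF; i++) {
        sub(/:[0-9]+$/, "", $i)
        if ($i != "") print $i
      }
    }' "$HTTPD_VHOSTS_DIR"/* 2>/dev/null || true
}

#######################################
# Print the Mailman domain list, one entry per line as stored in the file.
# Globals:   MAILMAN_DOMAINS_FILE (read)
# Outputs:   the file's contents; nothing (plus a warning on stderr) when the
#            file is unreadable.  Best-effort, as before: a missing list is
#            not fatal.
#######################################
mailman_domains() {
  if [ -r "$MAILMAN_DOMAINS_FILE" ]; then
    cat -- "$MAILMAN_DOMAINS_FILE"
  else
    printf 'warning: %s not readable; no Mailman domains added to the SAN list\n' \
      "$MAILMAN_DOMAINS_FILE" >&2
  fi
}

command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

# Be safe about permissions: every file created from here on (the dated
# directory, the config, the key and the CSR) is owner-only.
LASTUMASK=$(umask)
umask 077

# OpenSSL on some older platforms (the original note mentions HP-UX) wants a
# seed file, which it locates via $RANDFILE.  The original set an unexported
# RANDOMFILE, which openssl never read.  Harmless on modern OpenSSL — confirm
# if you still target HP-UX.
RANDFILE="${HOME:-.}/.rnd"
export RANDFILE

# Collect every candidate name, drop blanks, '#' comments and duplicates, and
# join them into the "DNS:a, DNS:b" form OpenSSL expects for subjectAltName.
# One awk pass instead of shell word-splitting, so a wildcard alias such as
# *.example.org is never expanded against the current directory.
SANAMES=$(
  {
    vhost_directive_values ServerName
    vhost_directive_values ServerAlias
    mailman_domains
  } | awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^#/) break
        if (seen[$i]++) continue
        printf "%s%s", (n++ ? ", " : ""), "DNS:" $i
      }
    }'
)

# Create the dated output directory FIRST: the temporary config lives under
# $CERTS_DIR, which may not exist until this mkdir -p has run (the original
# called mktemp before mkdir and so failed on a fresh server).
mkdir -p -- "$CERTS_DIR_NEW" || die "cannot create $CERTS_DIR_NEW"

# Config file for openssl; holds nothing secret and is removed on every exit
# path (the original left it behind in $CERTS_DIR).
CONFIG=$(mktemp -q "$CERTS_DIR/openssl-conf.XXXXXXXX") \
  || die "Could not create temporary config file. exiting"
trap 'rm -f -- "$CONFIG"' EXIT

printf '%s\n' "Private Key and Certificate Signing Request Generator"
printf '%s\n' "This script was designed to suit the request format needed by"
printf '%s\n' "the CAcert Certificate Authority. www.CAcert.org"
printf '\n'

KEYFILE="$CERTS_DIR_NEW/${HOST}-privatekey.pem"
CSRFILE="$CERTS_DIR_NEW/${HOST}-csr.pem"
CERTFILE="$CERTS_DIR_NEW/${HOST}-cert.pem"

# Config file generation.  The here-doc is written INTO $CONFIG (the original
# "cat < $CONFIG" read the empty temp file instead and produced no config).
#   encrypt_key = no    -> key on disk in the clear, see header note 2
#   string_mask         -> nombstr keeps the DN out of BMP/UTF8 string types,
#                          presumably for old CA/browser compatibility
#   default_days        -> kept from the original; req(1) does not document it
#                          under [ req ], so it may simply be ignored
cat >"$CONFIG" <<EOF
# -------------- BEGIN custom openssl.cnf -----
HOME = $CERTS_DIR_NEW
oid_section = new_oids

[ new_oids ]

[ req ]
default_days = 730
default_keyfile = $KEYFILE
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = $COMMONNAME
commonName_max = 64

[ v3_req ]
EOF
if [ -n "$SANAMES" ]; then
  printf 'subjectAltName=%s\n' "$SANAMES" >>"$CONFIG"
fi
printf '# -------------- END custom openssl.cnf -----\n' >>"$CONFIG"

printf 'Running OpenSSL...\n'
# -batch: take commonName_default from the config and never prompt.  Abort on
# failure so the user is not shown a stale or missing CSR as if it were new.
openssl req -batch -config "$CONFIG" -newkey "rsa:$KEY_BITS" -out "$CSRFILE" \
  || die "openssl req failed; see the messages above"
[ -s "$CSRFILE" ] || die "openssl produced no CSR at $CSRFILE"
# Belt and braces on top of the umask: the unencrypted key must be owner-only.
[ -f "$KEYFILE" ] && chmod 600 -- "$KEYFILE"

printf '%s\n' "Copy the following Certificate Request and paste into CAcert website to obtain a Certificate."
printf '%s\n' "When you receive your certificate, you save it to"
printf '%s\n' "$CERTFILE"
printf '\n'
cat -- "$CSRFILE"
printf '\n'
printf 'The Certificate request is also available in %s\n' "$CSRFILE"
printf 'The Private Key is stored in %s\n' "$KEYFILE"
printf 'These will all need moving to %s, like this:\n' "$CERTS_DIR"
printf 'mv %s/* %s/\n' "$CERTS_DIR_NEW" "$CERTS_DIR"
printf '\n'

# Restore the caller's umask (the config file is removed by the EXIT trap).
umask "$LASTUMASK"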