[Linux-bruxelles] Apache-SSL

Eric Hanuise ehanuise at fantasybel.net
Mer 30 Juil 09:22:37 CEST 2003


>
>Soit tu crées le certificat (man openssl).


c'est un peu court, jeune homme ... :-)

voici un script qui le fait :

generatekeys.sh
------------------------
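#!/bin/bash
#
# generatekeys.sh — create a private CA (one RSA, one DSA) under ./rsa and
# ./dsa and issue a CA-signed server certificate for each key type, for use
# with Apache-SSL (copykeys.sh does the install step).
#
# Usage:  [KEY_BITS=N] [CERT_DAYS=N] [RAND_FILE=path] ./generatekeys.sh
#
# Environment:
#   KEY_BITS   RSA modulus / DSA parameter size in bits. Default 2048; the
#              original hard-coded 1024, which is below current minimums.
#   CERT_DAYS  validity of the CA and server certificates. Default 365; the
#              original only set -days on the server certificates, so the
#              self-signed CA certificates got openssl's default lifetime.
#   RAND_FILE  optional file handed to `openssl -rand`. Unset by default so
#              openssl seeds from the OS RNG; the original read
#              /var/log/messages, a world-readable log, not an entropy source.
#
# Each `openssl req -new` prompts interactively for the subject. Do NOT use
# the same CN / O for the CA and the server certificate (e.g. use
# self-cert.yourdomain.net for the CA).
set -euo pipefail

# Every private key is created below; never let one be born world-readable.
umask 077

readonly key_bits=${KEY_BITS:-2048}
readonly cert_days=${CERT_DAYS:-365}
readonly openssl_bin=/usr/bin/openssl
readonly rule='----------------------------------------'

# Extra arguments for the key-generating commands; empty unless RAND_FILE is set.
rand_args=()
if [[ -n "${RAND_FILE:-}" ]]; then
  rand_args=(-rand "$RAND_FILE")
fi

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print each argument on its own line between two rule lines.
banner() {
  printf '%s\n' "$rule" "$@" "$rule"
}

# Upper-case label for a key type ("rsa" -> "RSA", "dsa" -> "DSA").
# Arguments: $1 - rsa|dsa
label_of() {
  if [[ "$1" == dsa ]]; then
    printf 'DSA'
  else
    printf 'RSA'
  fi
}

# Generate a private key (DSA parameters first for DSA) and a CSR for one entity.
# Arguments: $1 - rsa|dsa ; $2 - base name (CA or server)
# Outputs:   ./$1/$2.key and ./$1/$2.csr (plus ./dsa/$2.prm for DSA)
gen_key_and_csr() {
  local kind=$1 name=$2 label
  label=$(label_of "$kind")
  if [[ "$kind" == dsa ]]; then
    banner "creating dsa parameters for $name"
    "$openssl_bin" dsaparam -out "./dsa/$name.prm" \
      ${rand_args[@]+"${rand_args[@]}"} "$key_bits"
  fi
  if [[ "$name" == CA ]]; then
    banner "generating CA $label private key" \
      "do NOT use same CN and ON for CA and target" \
      "use for instance self-cert.yourdomain.net"
  else
    banner "generating $label $name private key"
  fi
  if [[ "$kind" == dsa ]]; then
    "$openssl_bin" gendsa -out "./dsa/$name.key" \
      ${rand_args[@]+"${rand_args[@]}"} "./dsa/$name.prm"
  else
    "$openssl_bin" genrsa -out "./rsa/$name.key" \
      ${rand_args[@]+"${rand_args[@]}"} "$key_bits"
  fi
  banner "generating $label $name certification signing request"
  "$openssl_bin" req -new -key "./$kind/$name.key" -out "./$kind/$name.csr"
}

# Self-sign the CA CSR; -days is set explicitly (the original left it to the default).
# Arguments: $1 - rsa|dsa
self_sign_ca() {
  local kind=$1
  banner "generating self-signed $(label_of "$kind") CA x509 certificate"
  "$openssl_bin" x509 -req -in "./$kind/CA.csr" -signkey "./$kind/CA.key" \
    -days "$cert_days" -out "./$kind/CA.crt"
}

# Sign the server CSR with the CA of the same key type.
# Arguments: $1 - rsa|dsa
sign_server() {
  local kind=$1
  banner "generating CA signed $(label_of "$kind") server certificate"
  "$openssl_bin" x509 -req -in "./$kind/server.csr" -days "$cert_days" \
    -CA "./$kind/CA.crt" -CAkey "./$kind/CA.key" -CAcreateserial \
    -out "./$kind/server.crt"
}

main() {
  local kind
  command -v "$openssl_bin" >/dev/null || die "$openssl_bin not found"
  # Refuse to silently replace an existing CA key: every certificate it has
  # already signed would be orphaned. (The original overwrote it.)
  for kind in rsa dsa; do
    if [[ -e "./$kind/CA.key" ]]; then
      die "./$kind/CA.key already exists; remove it first"
    fi
  done
  banner "creating dsa and rsa dirs"
  mkdir -p ./dsa ./rsa
  for kind in rsa dsa; do
    gen_key_and_csr "$kind" CA
    self_sign_ca "$kind"
  done
  for kind in rsa dsa; do
    gen_key_and_csr "$kind" server
    sign_server "$kind"
  done
  banner "Done"
  ls -al ./rsa/
  printf '%s\n' "$rule"
  ls -al ./dsa/
  banner "now run copykeys.sh and then do issue a make" \
    "in each folder with a makefile in etc-apache-ssl.xxx"
}

main "$@"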


copykeys.sh
-------------------
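#!/bin/bash
#
# copykeys.sh — install the certificates and server keys produced by
# generatekeys.sh into Apache-SSL's /etc/apache/ssl.crt and ssl.key, then
# rebuild the hash links with the Makefile that lives in ssl.crt.
#
# Run from the directory holding ./rsa and ./dsa, as a user allowed to write
# under /etc/apache. The installed server keys end up mode 0400; the CA keys
# are deliberately not copied.
set -euo pipefail

readonly crt_dir=/etc/apache/ssl.crt
readonly key_dir=/etc/apache/ssl.key

if [[ ! -d "$crt_dir" || ! -d "$key_dir" ]]; then
  printf 'missing %s or %s\n' "$crt_dir" "$key_dir" >&2
  exit 1
fi

cp -- ./rsa/server.crt "$crt_dir/rsa-server.crt"
cp -- ./dsa/server.crt "$crt_dir/dsa-server.crt"
cp -- ./rsa/CA.crt "$crt_dir/rsa-CA.crt"
cp -- ./dsa/CA.crt "$crt_dir/dsa-CA.crt"

# The key files are written next; never let them exist world-readable even
# for the instant before chmod runs.
umask 077

# `openssl rsa/dsa -in -out` rewrites the key as plain PEM. The keys from
# generatekeys.sh carry no passphrase, so this is effectively a copy (it would
# strip a passphrase if there were one, which Apache needs to start unattended).
openssl rsa -in ./rsa/server.key -out "$key_dir/rsa-server.key"
openssl dsa -in ./dsa/server.key -out "$key_dir/dsa-server.key"

chmod 400 "$key_dir/rsa-server.key" "$key_dir/dsa-server.key"

# The original tried to execute the directory itself as a command
# (`/etc/apache/ssl.crt make clean`); the Makefile must be run from inside it.
( cd "$crt_dir" && make clean && make )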



et tant qu'on y est, les mêmes pour le mail :

makekeys.sh
---------------------
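#!/bin/bash
#
# makekeys.sh — create a self-signed certificate for the IMAP daemon.
# Key and certificate go into the same file, imapd.pem, as the original did.
# The key is unencrypted (-nodes) so the daemon can start unattended, which
# means imapd.pem must be protected like a private key.
#
# Environment:
#   CERT_DAYS  certificate lifetime in days (default 365; the original passed
#              `-days 365` twice and had its command line broken by the mail wrap).
#   RAND_FILE  file or EGD socket for `openssl -rand`; default /var/run/egd-pool
#              as in the original, only passed when it exists, otherwise
#              openssl seeds itself from the OS RNG.
set -euo pipefail

# imapd.pem will hold the private key: create it owner-only from the start.
umask 077

rand_file=${RAND_FILE:-/var/run/egd-pool}
rand_args=()
if [[ -e "$rand_file" ]]; then
  rand_args=(-rand "$rand_file")
fi

openssl req ${rand_args[@]+"${rand_args[@]}"} -new -x509 -nodes \
  -days "${CERT_DAYS:-365}" -keyout imapd.pem -out imapd.pem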


copykeys.sh
-------------------
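#!/bin/bash
#
# copykeys.sh (mail) — install imapd.pem where the IMAP daemon looks for it.
# imapd.pem contains the private key as well as the certificate, so it is
# installed owner-read/write only instead of inheriting whatever mode a plain
# `cp` into /etc/ssl/certs would give it.
set -euo pipefail

install -m 0600 -- imapd.pem /etc/ssl/certs/imapd.pem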



alors juste une dernière chose :
ON LIT ET ON CHERCHE À COMPRENDRE, ON N'EXÉCUTE PAS BÊTEMENT SANS RÉFLÉCHIR
sinon tôt ou tard on aura des ennuis :)





