From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] add ECDSA key generation to httpscert
Date: Sun, 24 Sep 2017 23:06:53 +0100
Message-ID: <1506290813.2813.32.camel@ipfire.org>
In-Reply-To: <20170904202139.4255a2fe.peter.mueller@link38.eu>
Hi,
On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
> Add ECDSA server certificate and key generation to httpscert.
> The key has a length of 384 bits, which equals > 4096 bits RSA
> and should be sufficient.
Why 384 and not longer?
>
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
> diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> index e20f789ed..b38db9fbb 100644
> --- a/src/scripts/httpscert
> +++ b/src/scripts/httpscert
> @@ -7,16 +7,23 @@
> case "$1" in
> new)
> if [ ! -f /etc/httpd/server.key ]; then
> - echo "Generating https server key."
> + echo "Generating https RSA server key."
> /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
> + echo "Generating https ECDSA server key."
> + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
> fi
This command should have its own if block so that it will be generated
if the RSA key already exists.
Not sure if this script will keep the RSA certificate or sign that
again when run with the "new" parameter. Is that good or bad?
> - echo "Generating CSR"
> + echo "Generating CSRs"
> /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
> - echo "Signing certificate"
> + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> + echo "Signing certificates"
> /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
> /etc/httpd/server.crt
> + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> + /etc/httpd/server-ecdsa.crt
> ;;
> read)
> if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
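Review bot: the existence check that closes the hunk, `if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]`, still tests only the RSA files, so the `read)` branch never notices a missing or half-generated server-ecdsa.key / server-ecdsa.csr / server-ecdsa.crt set; extend the condition (or add a parallel one) for the ECDSA files. Two smaller points in the same hunk: the ECDSA certificate is signed with `-sha256` although the key is P-384, so `-sha384` would match the curve strength the commit message argues for; and the second stage of `/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out ...` calls bare `openssl` while every other invocation in the script uses the full path, and because only the last command's exit status is visible, a failing `ecparam` stage is silently masked and the script carries on to the CSR step.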
-Michael
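As an added example, not the IPFire httpscert script itself, the following sketches how the two key pairs can be generated with separate guards, as asked for above, so that an existing RSA key no longer suppresses the ECDSA key, with the signing hash matched to the key (SHA-256 for RSA-4096, SHA-384 for P-384) and the private keys created under a restrictive umask. The directory argument, the `-subj` string in place of /etc/certparams, `ecparam -noout` instead of the `openssl ec` pipe, the 3650-day validity and the helper names are assumptions of this example, not project code.

```shell
#!/bin/sh
# Added example (not the IPFire httpscert script): generate RSA and ECDSA
# server keys and self-signed certificates with independent guards.
# Assumed: a directory argument instead of /etc/httpd, -subj instead of
# /etc/certparams, and 3650 days of validity instead of 999999.
set -eu

# gen_server_certs DIR HOSTNAME
#   DIR      directory that receives server.* and server-ecdsa.*
#   HOSTNAME subject CN (httpscert uses `hostname -f`)
gen_server_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"

    # Private keys inherit the current umask; tighten it so the key files
    # are never world-readable, not even between creation and a chmod.
    old_umask=$(umask)
    umask 077

    # RSA pair: its own guard, left untouched when the key already exists.
    if [ ! -f "$dir/server.key" ]; then
        openssl genrsa -out "$dir/server.key" 4096 2>/dev/null
    fi
    # ECDSA pair: a separate guard, so an existing RSA key does not block it.
    # -noout drops the "EC PARAMETERS" block, which makes the second
    # "openssl ec" pipeline stage (and its masked exit status) unnecessary.
    if [ ! -f "$dir/server-ecdsa.key" ]; then
        openssl ecparam -name secp384r1 -genkey -noout -out "$dir/server-ecdsa.key"
    fi

    umask "$old_umask"

    # CSR and self-signed certificate per key; the digest is matched to the
    # key strength: SHA-256 for RSA-4096, SHA-384 for P-384.
    for variant in "server sha256" "server-ecdsa sha384"; do
        set -- $variant
        base="$dir/$1"; hash="$2"
        openssl req -new -key "$base.key" -subj "/CN=$host" -out "$base.csr"
        openssl x509 -req -days 3650 "-$hash" -in "$base.csr" \
            -signkey "$base.key" -out "$base.crt" 2>/dev/null
    done
}

# cert_sigalg FILE -> prints the certificate's signature algorithm, e.g.
# "ecdsa-with-SHA384", to confirm the digest really matches the key.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# key_curve FILE -> prints the named curve of an EC private key (secp384r1).
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: //p'
}

# Stand-alone usage: ./gen-certs.sh --demo /tmp/httpd-certs fw.example.test
if [ "${1:-}" = "--demo" ]; then
    gen_server_certs "$2" "$3"
    echo "RSA:   $(cert_sigalg "$2/server.crt")"
    echo "ECDSA: $(cert_sigalg "$2/server-ecdsa.crt") on $(key_curve "$2/server-ecdsa.key")"
fi
```

Running the function a second time regenerates only the CSRs and certificates; both private keys survive, which is the behaviour the question about re-running "new" is getting at.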
Thread overview (3 messages):
2017-09-04 18:21 Peter Müller
2017-09-24 22:06 ` Michael Tremer [this message]
2017-09-25 16:07 ` Peter Müller