From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] add ECDSA key generation to httpscert
Date: Sun, 24 Sep 2017 23:06:53 +0100
Message-ID: <1506290813.2813.32.camel@ipfire.org>
In-Reply-To: <20170904202139.4255a2fe.peter.mueller@link38.eu>

Hi,

On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
> Add ECDSA server certificate and key generation to httpscert.
> The key has a length of 384 bits, which equals > 4096 bits RSA
> and should be sufficient.

Why 384 and not longer?

>
> Signed-off-by: Peter Müller
> ---
> diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> index e20f789ed..b38db9fbb 100644
> --- a/src/scripts/httpscert
> +++ b/src/scripts/httpscert
> @@ -7,16 +7,23 @@
> case "$1" in
> new)
> if [ ! -f /etc/httpd/server.key ]; then
> - echo "Generating https server key."
> + echo "Generating https RSA server key."
> /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
> + echo "Generating https ECDSA server key."
> + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key 
> fi

This command should have its own if block so that it will be generated if the RSA key already exists.

Not sure if this script will keep the RSA certificate or sign that again when run with the "new" parameter. Is that good or bad?

> - echo "Generating CSR"
> + echo "Generating CSRs"
> /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
> - echo "Signing certificate"
> + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> + echo "Signing certificates"
> /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
> /etc/httpd/server.crt
> + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> + /etc/httpd/server-ecdsa.crt
> ;;
> read)
> if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then

-Michael
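Review bot: the ECDSA key generation is nested inside the existing `if [ ! -f /etc/httpd/server.key ]` guard, so on any installation that already has an RSA key `/etc/httpd/server-ecdsa.key` is never created, while the unconditional `req -new -key /etc/httpd/server-ecdsa.key` and `x509 -req ... -signkey /etc/httpd/server-ecdsa.key` steps further down still run and will fail on the missing file; give the ECDSA key its own `if [ ! -f /etc/httpd/server-ecdsa.key ]; then ... fi` block. The `read)` branch shown in the trailing context still tests only `server.key`, `server.crt` and `server.csr`, so the new ECDSA key, CSR and certificate are neither checked nor displayed there; extend that condition or add a parallel block for the `-ecdsa` files. Minor style points on the added `ecparam` line: it mixes `/usr/bin/openssl` with a bare `openssl ec` although the rest of the script uses the absolute path consistently, and it ends in trailing whitespace.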