public inbox for development@lists.ipfire.org
* [PATCH 1/3] add ECDSA key generation to httpscert
@ 2017-09-04 18:21 Peter Müller
  2017-09-24 22:06 ` Michael Tremer
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Müller @ 2017-09-04 18:21 UTC
  To: development

Add ECDSA server certificate and key generation to httpscert.
The key has a length of 384 bits, which equals > 4096 bits RSA
and should be sufficient.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index e20f789ed..b38db9fbb 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
@@ -7,16 +7,23 @@
 case "$1" in
   new)
 	if [ ! -f /etc/httpd/server.key ]; then
-		echo "Generating https server key."
+		echo "Generating https RSA server key."
 		/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
+		echo "Generating https ECDSA server key."
+		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key 
 	fi
-	echo "Generating CSR"
+	echo "Generating CSRs"
 	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
 		req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
-	echo "Signing certificate"
+	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+		req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+	echo "Signing certificates"
 	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
 		/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
 		/etc/httpd/server.crt
+	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+		/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+		/etc/httpd/server-ecdsa.crt
  	;;
   read)
 	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
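
Review bot: the new `ecparam` line sits inside `if [ ! -f /etc/httpd/server.key ]`, so on any install that already has an RSA key the ECDSA key is never created, yet the unconditional `req -new -key /etc/httpd/server-ecdsa.key` and the matching `x509 -req ... -signkey /etc/httpd/server-ecdsa.key` lines then run against a missing file and fail; give the ECDSA key its own `if [ ! -f /etc/httpd/server-ecdsa.key ]` block, or better one block per algorithm that covers key, CSR and certificate together. Two style points on the same line: it calls bare `openssl ec` while every other invocation uses `/usr/bin/openssl`, and it carries trailing whitespace; `/usr/bin/openssl ecparam -genkey -name secp384r1 -noout -out /etc/httpd/server-ecdsa.key` produces the same key without the pipe. Also note that the `read)` branch visible at the end of the hunk still tests only server.key, server.crt and server.csr, so the new ECDSA files will not be shown there, and that the copied `-days 999999` now applies to both certificates.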

* Re: [PATCH 1/3] add ECDSA key generation to httpscert
  2017-09-04 18:21 [PATCH 1/3] add ECDSA key generation to httpscert Peter Müller
@ 2017-09-24 22:06 ` Michael Tremer
  2017-09-25 16:07   ` Peter Müller
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Tremer @ 2017-09-24 22:06 UTC
  To: development

Hi,

On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
> Add ECDSA server certificate and key generation to httpscert.
> The key has a length of 384 bits, which equals > 4096 bits RSA
> and should be sufficient.

Why 384 and not longer?

> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
> diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> index e20f789ed..b38db9fbb 100644
> --- a/src/scripts/httpscert
> +++ b/src/scripts/httpscert
> @@ -7,16 +7,23 @@
>  case "$1" in
>    new)
>  	if [ ! -f /etc/httpd/server.key ]; then
> -		echo "Generating https server key."
> +		echo "Generating https RSA server key."
>  		/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
> +		echo "Generating https ECDSA server key."
> +		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key 
>  	fi

This command should have its own if block so that it will be generated
if the RSA key already exists.

Not sure if this script will keep the RSA certificate or sign that
again when run with the "new" parameter. Is that good or bad?

> -	echo "Generating CSR"
> +	echo "Generating CSRs"
>  	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
>  		req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
> -	echo "Signing certificate"
> +	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> +		req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> +	echo "Signing certificates"
>  	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
>  		/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
>  		/etc/httpd/server.crt
> +	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> +		/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> +		/etc/httpd/server-ecdsa.crt
>   	;;
>    read)
>  	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then

-Michael


* Re: [PATCH 1/3] add ECDSA key generation to httpscert
  2017-09-24 22:06 ` Michael Tremer
@ 2017-09-25 16:07   ` Peter Müller
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Müller @ 2017-09-25 16:07 UTC
  To: development

Hello Michael,

> Hi,
> 
> On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
> > Add ECDSA server certificate and key generation to httpscert.
> > The key has a length of 384 bits, which equals > 4096 bits RSA
> > and should be sufficient.  
> 
> Why 384 and not longer?
Because some browsers (even modern ones) do not support anything
longer. Further, it still is better than anything we get with 4096-RSA,
so I assume 384 bits ECDSA is enough.
> 
> > 
> > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > ---
> > diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> > index e20f789ed..b38db9fbb 100644
> > --- a/src/scripts/httpscert
> > +++ b/src/scripts/httpscert
> > @@ -7,16 +7,23 @@
> >  case "$1" in
> >    new)
> >  	if [ ! -f /etc/httpd/server.key ]; then
> > -		echo "Generating https server key."
> > +		echo "Generating https RSA server key."
> >  		/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
> > +		echo "Generating https ECDSA server key."
> > +		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key 
> >  	fi  
> 
> This command should have its own if block so that it will be generated
> if the RSA key already exists.
OK, I will change this.
> 
> Not sure if this script will keep the RSA certificate or sign that
> again when run with the "new" parameter. Is that good or bad?
I will do some research here, but it seems more elegant to me to pack
key generation and signing commands in one block for each RSA and ECDSA.
That way, if one of them already exists, it won't be touched.

Best regards,
Peter Müller
> 
> > -	echo "Generating CSR"
> > +	echo "Generating CSRs"
> >  	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> >  		req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
> > -	echo "Signing certificate"
> > +	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
> > +		req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
> > +	echo "Signing certificates"
> >  	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> >  		/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
> >  		/etc/httpd/server.crt
> > +	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
> > +		/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
> > +		/etc/httpd/server-ecdsa.crt
> >   	;;
> >    read)
> >  	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then  
> 
> -Michael
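
The per-algorithm layout Peter sketches above (key, CSR and self-signed certificate for RSA and for ECDSA each in its own block, skipped entirely when that block's files already exist), written out as an added example. This is not IPFire's httpscert and not code from the thread. It assumes a writable directory given by CERT_DIR (the real script uses /etc/httpd), a constructed hostname in FQDN in place of `hostname -f` and the interactive /etc/certparams answers, and a ten-year validity in place of the script's `-days 999999`; the `new` argument mirrors the original script's interface.

```shell
#!/bin/sh
# Added example, not IPFire's httpscert: idempotent, per-algorithm generation of
# key + CSR + self-signed certificate. Paths, hostname and validity are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/tmp/httpscert-example}"   # assumption: the real script uses /etc/httpd
FQDN="${FQDN:-firewall.example.test}"             # constructed; the real script uses `hostname -f`
DAYS="${DAYS:-3650}"                               # chosen here; the real script uses 999999

# Returns 0 when the key, CSR or certificate named "$2" is missing in "$1".
# Checking all three means a half-finished earlier run is redone as a unit,
# while a complete set is left untouched on later "new" runs.
needs_generation() {
	dir="$1"; name="$2"
	[ ! -f "$dir/$name.key" ] || [ ! -f "$dir/$name.csr" ] || [ ! -f "$dir/$name.crt" ]
}

# Generate a private key: "rsa" gives 4096 bit RSA, "ecdsa" gives P-384 (secp384r1),
# the curve and size discussed in the thread. -noout drops the EC PARAMETERS block,
# so no second `openssl ec` pass is needed.
generate_key() {
	type="$1"; out="$2"
	case "$type" in
		rsa)   openssl genrsa -out "$out" 4096 ;;
		ecdsa) openssl ecparam -name secp384r1 -genkey -noout -out "$out" ;;
		*)     echo "unknown key type: $type" >&2; return 1 ;;
	esac
	chmod 600 "$out"   # private key must not be world-readable
}

# One block per algorithm: create key, CSR and self-signed certificate for "$2"
# of type "$3" in "$1", only when something is missing. Prints "generated" or
# "kept" so a caller (or test) can see which path was taken.
ensure_pair() {
	dir="$1"; name="$2"; type="$3"
	mkdir -p "$dir"
	if ! needs_generation "$dir" "$name"; then
		echo kept
		return 0
	fi
	generate_key "$type" "$dir/$name.key"
	# -subj/-batch replace the interactive /etc/certparams answers of the real script.
	openssl req -new -batch -key "$dir/$name.key" -subj "/CN=$FQDN" -out "$dir/$name.csr"
	openssl x509 -req -days "$DAYS" -sha256 -in "$dir/$name.csr" \
		-signkey "$dir/$name.key" -out "$dir/$name.crt"
	echo generated
}

# Print the named curve of an EC key (empty for RSA); handy to confirm P-384 was used.
key_curve() {
	openssl pkey -in "$1" -noout -text | sed -n 's/^ASN1 OID: //p'
}

main() {
	ensure_pair "$CERT_DIR" server rsa
	ensure_pair "$CERT_DIR" server-ecdsa ecdsa
	echo "ECDSA curve: $(key_curve "$CERT_DIR/server-ecdsa.key")"
}

# Same entry point as the original script: `sh httpscert-example.sh new`.
if [ "${1:-}" = "new" ]; then
	main
fi
```

Running it twice shows the point of the per-block check: the first run prints "generated" for both algorithms, the second prints "kept" twice and touches nothing, which also answers Michael's question about whether an existing RSA certificate gets re-signed.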
