Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient.
Changed since v1: Do not regenerate or oversign existing keys or CSRs.
This patch depends on: - v1 2/3 add ECDSA certificate and key files to Apache configuration - v2 3/3 generate ECDSA certificate and key on existing installations
Signed-off-by: Peter Müller peter.mueller@link38.eu --- diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..52932bc70 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,35 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating HTTPS RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 fi - echo "Generating CSR" - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt + if [ ! -f /etc/httpd/server-ecdsa.key ]; then + echo "Generating HTTPS ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key + fi + + echo "Generating CSRs" + if [ ! -f /etc/httpd/server.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr + fi + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + fi + + echo "Signing certificates" + if [ ! -f /etc/httpd/server.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ + /etc/httpd/server.crt + fi + if [ ! -f /etc/httpd/server-ecdsa.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + fi ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then