Re: [PATCH v2 1/3] add ECDSA key generation to httpscert

Hi,

this patch doesn't apply because all tabs seem to have been converted to spaces.

Also, where is patch 2 of this patchset?

-Michael

On Wed, 2017-10-04 at 21:38 +0200, Peter Müller wrote:

Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient.

Changed since v1: Do not regenerate or oversign existing keys or CSRs.

This patch depends on:

• v1 2/3 add ECDSA certificate and key files to Apache configuration
• v2 3/3 generate ECDSA certificate and key on existing installations

Signed-off-by: Peter Müller peter.mueller@link38.eu

diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..52932bc70 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,35 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then

•           echo "Generating https server key."
  

•           echo "Generating HTTPS RSA server key."
            /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
    fi
  

•   echo "Generating CSR"
  

•   /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" |
  

/usr/bin/openssl \

•           req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
  

•   echo "Signing certificate"
  

•   /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
  

•           /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
  

•           /etc/httpd/server.crt
  

•   if [ ! -f /etc/httpd/server-ecdsa.key ]; then
  

•           echo "Generating HTTPS ECDSA server key."
  

•           /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec
  

-out /etc/httpd/server-ecdsa.key

•   fi
  

•   echo "Generating CSRs"
  

•   if [ ! -f /etc/httpd/server.csr ]; then
  

•           /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" |
  

/usr/bin/openssl \

•                   req -new -key /etc/httpd/server.key -out
  

/etc/httpd/server.csr

•   fi
  

•   if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
  

•           /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" |
  

/usr/bin/openssl \

•                   req -new -key /etc/httpd/server-ecdsa.key -out
  

/etc/httpd/server-ecdsa.csr

•   fi
  

•   echo "Signing certificates"
  

•   if [ ! -f /etc/httpd/server.crt ]; then
  

•           /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
  

•                   /etc/httpd/server.csr -signkey /etc/httpd/server.key
  

-out \

•                   /etc/httpd/server.crt
  

•   fi
  

•   if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
  

•           /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
  

•                   /etc/httpd/server-ecdsa.csr -signkey
  

/etc/httpd/server-ecdsa.key -out \

•                   /etc/httpd/server-ecdsa.crt
  

•   fi
    ;;
  

  read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f

/etc/httpd/server.csr ]; then