Hi,
On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient.
Why 384 and not longer?
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..b38db9fbb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,23 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then
echo "Generating https server key."
/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096echo "Generating https RSA server key."
echo "Generating https ECDSA server key."
fi/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
This command should have its own if block so that it will be generated if the RSA key already exists.
Not sure if this script will keep the RSA certificate or sign that again when run with the "new" parameter. Is that good or bad?
- echo "Generating CSR"
- echo "Generating CSRs" /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
- echo "Signing certificate"
- /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
- echo "Signing certificates" /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ /etc/httpd/server.crt
- /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then/etc/httpd/server-ecdsa.crt
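Review bot: the `read)` check at the end of the hunk, `if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]`, still tests only the RSA files, so `httpscert read` succeeds even when server-ecdsa.key, server-ecdsa.csr or server-ecdsa.crt is missing; extend the condition (or add a parallel one) for the three ECDSA files so an incomplete ECDSA set is noticed. Two smaller points in the same hunk: the pipeline `/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key` uses a bare `openssl` for the second command while every other call in the script uses the full `/usr/bin/openssl` path, and the second process is not needed because `ecparam -genkey -name secp384r1 -noout -out /etc/httpd/server-ecdsa.key` writes the private key directly; and the ECDSA certificate is self-signed with `-days 999999` like the RSA one, so the existing very long validity is carried over into the new certificate, which the commit message should say is intended.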
-Michael
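The structure asked for above, each key type in its own `if` block plus a `read` branch that checks both sets, written out as an added example. This is not the IPFire httpscert script and not code from this thread: the certificate directory and host name are parameters (assumed) in place of the hard-coded /etc/httpd and `hostname -f`, /etc/certparams is replaced by a generated `openssl req` config with the same HOSTNAME substitution via sed, and the validity is 3650 days instead of 999999.

```sh
#!/bin/sh
# Added example, not the IPFire httpscert script: "new" and "read" branches
# restructured so the RSA and ECDSA key pairs are handled independently.
# Assumptions: DIR and HOST are parameters instead of /etc/httpd and
# `hostname -f`; /etc/certparams is replaced by a generated req config;
# validity is 3650 days rather than 999999.

OPENSSL=${OPENSSL:-openssl}
DAYS=${DAYS:-3650}

# Stand-in for /etc/certparams: a no-prompt req config whose HOSTNAME
# placeholder is substituted with sed, as the original script does.
write_req_config() {
    cfg=$1; host=$2
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'CN = HOSTNAME' | sed "s/HOSTNAME/$host/" > "$cfg"
}

# gen_key TYPE FILE: write an RSA-4096 or secp384r1 private key to FILE.
# The subshell umask keeps the key file readable by its owner only.
gen_key() {
    type=$1; key=$2
    case "$type" in
        rsa)   ( umask 077; "$OPENSSL" genrsa -out "$key" 4096 2>/dev/null ) ;;
        ecdsa) ( umask 077; "$OPENSSL" ecparam -genkey -name secp384r1 -noout -out "$key" ) ;;
        *)     echo "gen_key: unknown key type '$type'" >&2; return 1 ;;
    esac
}

# self_sign KEY CFG CSR CRT: CSR plus self-signed certificate for KEY.
self_sign() {
    key=$1; cfg=$2; csr=$3; crt=$4
    "$OPENSSL" req -new -key "$key" -config "$cfg" -out "$csr" &&
    "$OPENSSL" x509 -req -days "$DAYS" -sha256 -in "$csr" -signkey "$key" \
        -out "$crt" 2>/dev/null
}

# httpscert_new DIR HOST: each key type has its own existence check, so the
# ECDSA pair is generated even when server.key already exists.
httpscert_new() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    write_req_config "$dir/certparams" "$host"
    if [ ! -f "$dir/server.key" ]; then
        echo "Generating https RSA server key."
        gen_key rsa "$dir/server.key" || return 1
    fi
    if [ ! -f "$dir/server-ecdsa.key" ]; then
        echo "Generating https ECDSA server key."
        gen_key ecdsa "$dir/server-ecdsa.key" || return 1
    fi
    echo "Generating CSRs and signing certificates"
    for base in server server-ecdsa; do
        self_sign "$dir/$base.key" "$dir/certparams" \
            "$dir/$base.csr" "$dir/$base.crt" || return 1
    done
}

# httpscert_read DIR: succeed only if key, CSR and certificate exist for
# both the RSA and the ECDSA set, then print each certificate's subject.
httpscert_read() {
    dir=$1
    for base in server server-ecdsa; do
        for ext in key csr crt; do
            [ -f "$dir/$base.$ext" ] || return 1
        done
    done
    for base in server server-ecdsa; do
        "$OPENSSL" x509 -in "$dir/$base.crt" -noout -subject
    done
}

# Usage: sh httpscert-example.sh new DIR HOST   |   sh httpscert-example.sh read DIR
case "$1" in
    new)  httpscert_new "$2" "${3:-localhost}" ;;
    read) httpscert_read "$2" ;;
esac
```

Running `new` twice leaves both existing keys untouched and only re-issues the CSRs and certificates; `read` returns non-zero as soon as any file of either set is missing, which is the check the original `read)` branch only performs for the RSA files.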