Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..b38db9fbb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,23 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating https RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 + echo "Generating https ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key fi - echo "Generating CSR" + echo "Generating CSRs" /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + echo "Signing certificates" /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ /etc/httpd/server.crt + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
Hi,
On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient.
Why 384 and not longer?
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..b38db9fbb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,23 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then
echo "Generating https server key."
/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096echo "Generating https RSA server key."
echo "Generating https ECDSA server key."
fi/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
This command should have its own if block so that it will be generated if the RSA key already exists.
Not sure if this script will keep the RSA certificate or sign that again when run with the "new" parameter. Is that good or bad?
- echo "Generating CSR"
- echo "Generating CSRs" /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
- echo "Signing certificate"
- /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
- echo "Signing certificates" /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ /etc/httpd/server.crt
- /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then/etc/httpd/server-ecdsa.crt
-Michael
Hello Michael,
Hi,
On Mon, 2017-09-04 at 20:21 +0200, Peter Müller wrote:
Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient.
Why 384 and not longer?
Because some browsers (even modern ones) do not support anything longer. Further, it still is better than anything we get with 4096-RSA, so I assume 384 bits ECDSA is enough.
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..b38db9fbb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,23 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then
echo "Generating https server key."
/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096echo "Generating https RSA server key."
echo "Generating https ECDSA server key."
fi/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
This command should have its own if block so that it will be generated if the RSA key already exists.
OK, I will change this.
Not sure if this script will keep the RSA certificate or sign that again when run with the "new" parameter. Is that good or bad?
I will do some research here, but it seems more elegant to me to pack key generation and signing commands in one block for each RSA and ECDSA. That way, if one of them already exists, it won't be touched.
Best regards, Peter Müller
- echo "Generating CSR"
- echo "Generating CSRs" /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
- echo "Signing certificate"
- /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
- echo "Signing certificates" /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ /etc/httpd/server.crt
- /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then/etc/httpd/server-ecdsa.crt
-Michael