[PATCH 3/3] generate ECDSA key on existing installations - Development

11 Oct 2017

Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be ran on existing installations without breaking already
generated (RSA) keys.
Signed-off-by: Peter Müller peter.mueller@link38.eu
---
 src/scripts/httpscert | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index e20f789ed..cae39fb74 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
@@ -7,17 +7,36 @@
 case "$1" in
   new)
    if [ ! -f /etc/httpd/server.key ]; then
-		echo "Generating https server key."
+		echo "Generating HTTPS RSA server key."
    	/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
    fi
-	echo "Generating CSR"
-	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
-		req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
-	echo "Signing certificate"
-	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
-		/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
-		/etc/httpd/server.crt
- 	;;
+	if [ ! -f /etc/httpd/server-ecdsa.key ]; then
+		echo "Generating HTTPS ECDSA server key."
+		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+	fi
+
+	echo "Generating CSRs"
+	if [ ! -f /etc/httpd/server.csr ]; then
+		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+			req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
+	fi
+	if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
+		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+			req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+	fi
+
+	echo "Signing certificates"
+	if [ ! -f /etc/httpd/server.crt ]; then
+		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+			/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
+			/etc/httpd/server.crt
+	fi
+	if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
+		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+			/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+			/etc/httpd/server-ecdsa.crt
+	fi
+	;;
   read)
    if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
    	ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
-- 
2.13.6

    