rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
180ad320f4
httpd/httpd-ssl-gencerts

25 lines
1.1 KiB
Plaintext
Raw Normal View History

Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2017-09-20 18:18:24 +00:00
#!/usr/bin/bash
set -e
FQDN=`hostname`
# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
FQDN=localhost.localdomain
fi
sscg -q \
--cert-file /etc/pki/tls/certs/localhost.crt \
--cert-key-file /etc/pki/tls/private/localhost.key \
--ca-file /etc/pki/tls/certs/localhost-ca.crt \
--hash-alg sha256 \
--key-strength 2048 \
--lifetime 365 \
--country "--" \
--state SomeState \
--locality SomeCity \
--organization SomeOrganization \
--organizational-unit SomeOrganizationalUnit \
--hostname $FQDN \
--email root@$FQDN
Reference in New Issue Copy Permalink