httpd/httpd-ssl-gencerts

#!/usr/bin/bash

set -e

FQDN=`hostname`

if test -f /etc/pki/tls/certs/localhost.crt -o \
        -f /etc/pki/tls/private/localhost.key -o \
        -f /etc/pki/tls/certs/localhost-ca.crt; then
    exit 1
fi

sscg -q                                                             \
     --cert-file           /etc/pki/tls/certs/localhost.crt         \
     --cert-key-file       /etc/pki/tls/private/localhost.key       \
     --ca-file             /etc/pki/tls/certs/localhost-ca.crt      \
     --lifetime            365                                      \
     --hostname            $FQDN                                    \
     --email               root@$FQDN

# mod_ssl will send the CA cert if it's appended to the server cert.
cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt
Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 18:18:24 +00:00			`#!/usr/bin/bash`

			`set -e`

			FQDN=`hostname`
use sscg defaults; append CA cert to generated cert document httpd-init.service in httpd-init.service(8) 2017-09-21 15:41:20 +00:00
			`if test -f /etc/pki/tls/certs/localhost.crt -o \`
			`-f /etc/pki/tls/private/localhost.key -o \`
			`-f /etc/pki/tls/certs/localhost-ca.crt; then`
			`exit 1`
Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 18:18:24 +00:00			`fi`

			`sscg -q \`
			`--cert-file /etc/pki/tls/certs/localhost.crt \`
			`--cert-key-file /etc/pki/tls/private/localhost.key \`
			`--ca-file /etc/pki/tls/certs/localhost-ca.crt \`
			`--lifetime 365 \`
			`--hostname $FQDN \`
			`--email root@$FQDN`
use sscg defaults; append CA cert to generated cert document httpd-init.service in httpd-init.service(8) 2017-09-21 15:41:20 +00:00
			`# mod_ssl will send the CA cert if it's appended to the server cert.`
			`cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt`