httpd/httpd-ssl-gencerts

#!/usr/bin/bash

set -e

FQDN=`hostname`

if test -f /etc/pki/tls/certs/localhost.crt -a \
        -f /etc/pki/tls/private/localhost.key; then
    exit 0
fi

if test -f /etc/pki/tls/certs/localhost.crt -a \
        ! -f /etc/pki/tls/private/localhost.key; then
    echo "Missing certificate key!"
    exit 1
fi

if test ! -f /etc/pki/tls/certs/localhost.crt -a \
         -f /etc/pki/tls/private/localhost.key; then
    echo "Missing certificate, but key is present!"
    exit 1
fi


sscg -q                                                             \
     --cert-file           /etc/pki/tls/certs/localhost.crt         \
     --cert-key-file       /etc/pki/tls/private/localhost.key       \
     --ca-file             /etc/pki/tls/certs/localhost.crt         \
     --lifetime            365                                      \
     --hostname            $FQDN                                    \
     --email               root@$FQDN
Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 18:18:24 +00:00			`#!/usr/bin/bash`

			`set -e`

			FQDN=`hostname`
use sscg defaults; append CA cert to generated cert document httpd-init.service in httpd-init.service(8) 2017-09-21 15:41:20 +00:00
Handle edge-cases in gencerts Make sure that we exit with success if the files already exist and that we exit with failure and a message if only one or the other is present. 2017-09-22 14:29:43 +00:00			`if test -f /etc/pki/tls/certs/localhost.crt -a \`
Require sscg 2.2.0 for creating service and CA certificates together Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-21 18:55:16 +00:00			`-f /etc/pki/tls/private/localhost.key; then`
Handle edge-cases in gencerts Make sure that we exit with success if the files already exist and that we exit with failure and a message if only one or the other is present. 2017-09-22 14:29:43 +00:00			`exit 0`
			`fi`

			`if test -f /etc/pki/tls/certs/localhost.crt -a \`
			`! -f /etc/pki/tls/private/localhost.key; then`
			`echo "Missing certificate key!"`
			`exit 1`
			`fi`

			`if test ! -f /etc/pki/tls/certs/localhost.crt -a \`
			`-f /etc/pki/tls/private/localhost.key; then`
			`echo "Missing certificate, but key is present!"`
use sscg defaults; append CA cert to generated cert document httpd-init.service in httpd-init.service(8) 2017-09-21 15:41:20 +00:00			`exit 1`
Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 18:18:24 +00:00			`fi`

Handle edge-cases in gencerts Make sure that we exit with success if the files already exist and that we exit with failure and a message if only one or the other is present. 2017-09-22 14:29:43 +00:00
Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 18:18:24 +00:00			`sscg -q \`
			`--cert-file /etc/pki/tls/certs/localhost.crt \`
			`--cert-key-file /etc/pki/tls/private/localhost.key \`
Require sscg 2.2.0 for creating service and CA certificates together Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-21 18:55:16 +00:00			`--ca-file /etc/pki/tls/certs/localhost.crt \`
Generate SSL keys on service start This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages: * Waiting until the first boot will help avoid some issues with limited entropy in the install process. * The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep * The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client. For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2017-09-20 18:18:24 +00:00			`--lifetime 365 \`
			`--hostname $FQDN \`
			`--email root@$FQDN`
use sscg defaults; append CA cert to generated cert document httpd-init.service in httpd-init.service(8) 2017-09-21 15:41:20 +00:00