f0c4143d98
This defers the creation of self-signed SSL certificates to the first time that httpd starts up. This has several advantages:

* Waiting until the first boot will help avoid some issues with limited entropy in the install process.
* The certificates can be regenerated automatically whenever they are removed, which helps with tools such as virt-sysprep
* The certificates are now generated by SSCG, which produces a limited-trust CA alongside it that can be safely imported by a client.

For more information on SSCG, see: https://sgallagh.wordpress.com/2016/05/02/self-signed-ssltls-certificates-why-they-are-terrible-and-a-better-alternative/

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
25 lines
1.1 KiB
Bash
Executable File
#!/usr/bin/bash
set -e

# Use the machine's hostname as the certificate subject; fall back to
# localhost.localdomain when it is empty or too long.
FQDN=$(hostname)

# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
if [ -z "${FQDN}" ] || [ "${#FQDN}" -gt 59 ]; then
    FQDN=localhost.localdomain
fi

# Generate the service certificate and key, plus the limited-trust CA
# (localhost-ca.crt) that clients can import instead of trusting the leaf.
sscg -q \
    --cert-file /etc/pki/tls/certs/localhost.crt \
    --cert-key-file /etc/pki/tls/private/localhost.key \
    --ca-file /etc/pki/tls/certs/localhost-ca.crt \
    --hash-alg sha256 \
    --key-strength 2048 \
    --lifetime 365 \
    --country "--" \
    --state SomeState \
    --locality SomeCity \
    --organization SomeOrganization \
    --organizational-unit SomeOrganizationalUnit \
    --hostname "${FQDN}" \
    --email "root@${FQDN}"
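As an added example (not part of the httpd package or of SSCG), a post-generation check a defender can run to confirm the files the script above writes are usable: the leaf chains to the limited-trust CA, matches its private key, is unexpired, names the host, and the key is not readable by other users. It assumes `openssl` is installed; the file paths and hostname are passed in, defaulting to the ones used by the script.

```bash
#!/usr/bin/bash
set -e

# usage: check_httpd_certs <cert> <key> <ca> <expected-hostname>
# Returns 0 when every check passes, 1 (with a reason on stderr) otherwise.
check_httpd_certs() {
    cert=$1 key=$2 ca=$3 host=$4

    # 1. All three outputs of sscg must exist, and the private key must not
    #    be group- or world-readable (stat -c is GNU, -f is the BSD fallback).
    for f in "$cert" "$key" "$ca"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "key mode $mode is too permissive" >&2; return 1 ;;
    esac

    # 2. The leaf must verify against the CA generated alongside it; a client
    #    that imported localhost-ca.crt relies on exactly this relationship.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to $ca" >&2; return 1; }

    # 3. The public key inside the certificate must match the private key.
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || { echo "certificate and key do not match" >&2; return 1; }

    # 4. Not already expired (checkend 0 = expires within zero seconds).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }

    # 5. The expected hostname must appear in the subject or SAN.
    openssl x509 -in "$cert" -noout -subject -text | grep -qF -- "$host" \
        || { echo "certificate does not name $host" >&2; return 1; }

    echo "OK: $cert is valid for $host and chains to $ca"
    return 0
}

# Run directly with --run to check the files the httpd script writes.
if [ "${1:-}" = "--run" ]; then
    check_httpd_certs /etc/pki/tls/certs/localhost.crt \
        /etc/pki/tls/private/localhost.key \
        /etc/pki/tls/certs/localhost-ca.crt "$(hostname)"
fi
```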