On 01.02.2015 at 22:26, LuKreme wrote:
> On 01 Feb 2015, at 05:41 , DTNX Postmaster <postmas...@dtnx.net> wrote:
>> By the way, CA-signed certificates start at less than $10/year, so if you ever
>> do run into an issue which might be resolved by getting one, and your
>> configuration isn't too complex, I would suggest spending that little bit of
>> money.
>> Not the case here though, as far as I can tell :-)
> Thanks for the detailed response. The issue with the certs is not the cost, but
> rather the maintenance of them. I don't do this full-time and the interval
> between expiry is long enough that I get to learn everything over from first
> principles every time I have to replace a cert.
Why?
Just make it once in your lifetime: create a template for the default params
and a script with minimal maintenance, like for hash method and
key length. The script below in any case builds a self-signed PEM with
key and cert, as well as the CSR for submission to a CA.
After you get back the signed crt, just replace that one part in the PEM
and you are done. I have been creating certs that way for 10 years now.
[root@localhost~]$ cat generate-cert.sh
#!/usr/bin/bash
# generate-cert.sh: for one server name, build an RSA private key, a CSR to
# send to the CA and a self-signed certificate (10 years), then bundle
# cert + key + EC/DH parameters into one PEM. When the CA-signed crt comes
# back, only the certificate part of the PEM has to be replaced.
umask 066
WORKING_DIR="/buildserver/ssl-cert"
read -e -p "SERVER NAME: " COMMON_NAME
if [ "$COMMON_NAME" == "" ]; then
  exit 1
fi
OUT_DIR="$WORKING_DIR/$COMMON_NAME"
mkdir -p "$OUT_DIR"
chmod 0700 "$OUT_DIR"
read -e -p "KEY LENGTH: " -i "4096" KEY_LENGTH
read -e -p "HASH METHOD: " -i "sha256" HASH_METHOD
# extra seed material for the OpenSSL RNG; note that /dev/random may block
# until the kernel has gathered enough entropy
echo "Random-Seed...."
RANDOM_FILE="$OUT_DIR/random-seed"
touch "$RANDOM_FILE"
chmod 0600 "$RANDOM_FILE"
dd if=/dev/random of="$RANDOM_FILE" bs=1 count=1024 2> /dev/null
sleep 2
# start from a clean slate: remove everything from a previous run
rm -f "$OUT_DIR/$COMMON_NAME".{key,csr,crt,pem,ec,dh,ecdh}
# the template is expected to carry the placeholder my_common_name, which
# becomes the CN of this run
sed "s/my_common_name/$COMMON_NAME/g" \
  "$WORKING_DIR/openssl.conf.template" > "$WORKING_DIR/openssl.conf"
# unencrypted (-nodes) RSA key plus the CSR for the CA
openssl req -config "$WORKING_DIR/openssl.conf" -nodes -"$HASH_METHOD" \
  -newkey rsa:"$KEY_LENGTH" -keyout "$OUT_DIR/$COMMON_NAME.key" \
  -out "$OUT_DIR/$COMMON_NAME.csr" -rand "$RANDOM_FILE"
# self-signed certificate from the same CSR, usable until the CA answers
openssl x509 -"$HASH_METHOD" -req -days 3650 -in "$OUT_DIR/$COMMON_NAME.csr" \
  -signkey "$OUT_DIR/$COMMON_NAME.key" -out "$OUT_DIR/$COMMON_NAME.crt"
# combined PEM: certificate first, then the private key
cat "$OUT_DIR/$COMMON_NAME.crt" "$OUT_DIR/$COMMON_NAME.key" > \
  "$OUT_DIR/$COMMON_NAME.pem"
# EC curve parameters (for ECDHE) and a 2048-bit DH group (for DHE);
# "gendh" was the old alias, "dhparam" is the command current OpenSSL ships
openssl ecparam -out "$OUT_DIR/$COMMON_NAME.ec" -name prime256v1
openssl dhparam -out "$OUT_DIR/$COMMON_NAME.dh" -2 \
  -rand "$RANDOM_FILE:$OUT_DIR/$COMMON_NAME.key" 2048
cat "$OUT_DIR/$COMMON_NAME.ec" "$OUT_DIR/$COMMON_NAME.dh" >> \
  "$OUT_DIR/$COMMON_NAME.pem"
cat "$OUT_DIR/$COMMON_NAME.ec" "$OUT_DIR/$COMMON_NAME.dh" > \
  "$OUT_DIR/$COMMON_NAME.ecdh"
rm -f "$OUT_DIR/$COMMON_NAME.ec" "$OUT_DIR/$COMMON_NAME.dh"
chmod 600 "$OUT_DIR"/*
touch "$OUT_DIR"/*
echo ""
for EXT in csr key crt pem; do
  /bin/ls -l -h --color=tty -X --group-directories-first \
    --time-style=long-iso "$OUT_DIR/$COMMON_NAME.$EXT"
done
echo ""
rm -f "$WORKING_DIR/openssl.conf"
rm -f "$RANDOM_FILE"
sync
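The step the post leaves to the reader is "replace that one part in the PEM" once the CA-signed crt is back. The script below is an added example, not code from the thread or from the poster: it assumes the file layout produced by generate-cert.sh above (NAME.key, NAME.crt and NAME.pem in one OUT_DIR, with EC/DH parameter blocks at the end of the PEM), the script name install-signed-cert.sh is hypothetical, and it requires the openssl command line. Before it rewrites the PEM it checks that the returned certificate actually belongs to the private key (a mismatch is the classic failure when a CSR is resubmitted after a key was regenerated) and that the certificate is not already expired; the same expiry check is what a cron job can run to get a warning before the next renewal.

```shell
#!/usr/bin/env bash
# install-signed-cert.sh (hypothetical name, added example): swap the
# CA-signed NAME.crt into NAME.pem, which generate-cert.sh laid out as
# certificate, private key, EC parameters, DH parameters. The returned
# certificate is checked against the private key and for expiry first.

# 0 if the public key inside certificate $1 equals the public key of private key $2
cert_matches_key() {
    local cert="$1" key="$2"
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 is still valid for at least $2 more days (default 30);
# run this from cron against NAME.crt to be warned before the next renewal
cert_valid_for_days() {
    local cert="$1" days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# print the EC/DH parameter blocks of PEM file $1 (nothing if there are none)
pem_parameter_blocks() {
    awk '/-----BEGIN (EC|DH) PARAMETERS-----/ { p = 1 }
         p { print }
         /-----END (EC|DH) PARAMETERS-----/ { p = 0 }' "$1"
}

# rebuild OUT_DIR/NAME.pem as: CA-signed cert, private key, old parameter blocks
install_signed_cert() {
    local out_dir="$1" name="$2"
    local key="$out_dir/$name.key" crt="$out_dir/$name.crt" pem="$out_dir/$name.pem"
    if ! cert_matches_key "$crt" "$key"; then
        echo "$crt does not belong to $key, not installing" >&2
        return 1
    fi
    if ! cert_valid_for_days "$crt" 1; then
        echo "$crt is expired or expires within a day, not installing" >&2
        return 1
    fi
    # write the new bundle with key-file permissions, then replace atomically
    local tmp="$pem.tmp.$$"
    (
        umask 077
        cat "$crt" "$key" > "$tmp"
        if [ -f "$pem" ]; then
            pem_parameter_blocks "$pem" >> "$tmp"
        fi
    ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$pem"
}

# usage: install-signed-cert.sh OUT_DIR NAME
if [ $# -eq 2 ]; then
    install_signed_cert "$1" "$2"
fi
```

The public-key comparison works for any key type OpenSSL can read (RSA here, EC keys too), because both `openssl x509 -pubkey` and `openssl pkey -pubout` emit the same SubjectPublicKeyInfo PEM. The parameter blocks are copied from the old PEM rather than regenerated, so the DH group stays the one generate-cert.sh produced.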