Category: Systems operations

2005-05-23 19:08:29

The sign.sh file that the Apache TLS Howto keeps referring to: since not everyone installs mod_ssl, and Apache 2.0 and later no longer use that package, I've pulled it out on its own.

Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 24. Software - Networking/Encryption

The openssl ca command has some strange requirements, and the default OpenSSL config doesn't let one easily use openssl ca directly. Therefore, we'll create this sign.sh program to replace it. Create the sign.sh program file, touch /usr/bin/sign.sh, and add to this file:

#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##
## Note: the ca.db.* files are checked relative to the current directory
## below but referenced as /etc/ssl/ca.db.* in the generated config, so
## run this script from /etc/ssl.

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
# derive the certificate file name from the CSR file name
case $CSR in
    *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
        * ) CERT="$CSR.crt" ;;
esac

# make sure environment exists: issued-cert store, serial counter, index database
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

# create an own SSLeay config (here-document, terminated by the EOT line)
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = /etc/ssl
certs                   = /etc/ssl/certs
new_certs_dir           = /etc/ssl/ca.db.certs
database                = /etc/ssl/ca.db.index
serial                  = /etc/ssl/ca.db.serial
RANDFILE                = /etc/ssl/ca.db.rand
certificate             = /etc/ssl/certs/ca.crt
private_key             = /etc/ssl/private/ca.key
default_days            = 365
default_crl_days        = 30
# md5 is the original 1999 default; MD5 signatures are no longer acceptable,
# use sha256 with any current OpenSSL
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt "$CERT"

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0

Now, make this program executable, and change its default permissions:

[root@deep] /# chmod 755 /usr/bin/sign.sh

Tip: You can also find this program sign.sh in the mod_ssl distribution under the mod_ssl-version/pkg.contrib/ subdirectory, or on our floppy.tgz archive file. Also note that the section [ CA_own ] must be changed to reflect your own environment, and don't forget to change the openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT line too.
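The ca.db.index and ca.db.serial files that sign.sh maintains are the whole record of what this CA has issued, and they are worth auditing between signing runs. The following is an added example, not code from the book or from mod_ssl: it parses ca.db.index (OpenSSL's tab-separated index.txt format) together with ca.db.serial and reports a serial counter that would reuse an issued serial, duplicate serials, certificates still marked valid after expiry, and revoked entries whose CRL needs regenerating. The index lines, serial value and "now" timestamp are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample of the CA database sign.sh keeps in /etc/ssl:
# ca.db.index fields: status (V/R/E), expiry, revocation[,reason], serial (hex),
# filename, subject DN.  ca.db.serial holds the next serial to issue (hex).
SAMPLE_INDEX = (
    "V\t260523190829Z\t\t01\tunknown\t/C=CA/O=Deep/CN=www.example.com\n"
    "R\t260601000000Z\t250101120000Z,keyCompromise\t02\tunknown\t/C=CA/O=Deep/CN=mail.example.com\n"
    "V\t240101000000Z\t\t03\tunknown\t/C=CA/O=Deep/CN=old.example.com\n"
)
SAMPLE_SERIAL = "03\n"          # constructed: equals the last issued serial (a bug)
SAMPLE_NOW = "250523190829Z"    # constructed "current time", same UTCTime form


def parse_utc(stamp):
    """Parse OpenSSL's UTCTime form YYMMDDHHMMSSZ as used in index.txt."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Turn ca.db.index lines into dicts; empty lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _fname, subject = line.split("\t")
        rev_stamp, _, reason = revoked.partition(",")
        entries.append({
            "status": status,
            "expires": parse_utc(expires),
            "revoked": parse_utc(rev_stamp) if rev_stamp else None,
            "reason": reason or None,
            "serial": int(serial, 16),
            "subject": subject,
        })
    return entries


def audit(index_text, serial_text, now_stamp):
    """Return human-readable findings about the CA database state."""
    now = parse_utc(now_stamp)
    entries = parse_index(index_text)
    findings = []
    next_serial = int(serial_text.strip(), 16)
    issued = [e["serial"] for e in entries]
    if issued and next_serial <= max(issued):
        findings.append(f"ca.db.serial ({next_serial:02X}) would reuse an issued serial")
    seen = set()
    for e in entries:
        if e["serial"] in seen:
            findings.append(f"duplicate serial {e['serial']:02X} in ca.db.index")
        seen.add(e["serial"])
        if e["status"] == "V" and e["expires"] <= now:
            findings.append(f"{e['subject']} is marked V but expired {e['expires']:%Y-%m-%d}")
        if e["status"] == "R":
            findings.append(f"{e['subject']} revoked ({e['reason'] or 'unspecified'}); regenerate the CRL")
    return findings
```

Run it against the real /etc/ssl/ca.db.index and ca.db.serial contents (read from disk instead of the constructed strings) after each signing session.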
