From a99787630b853f6678c80c761ce4dd72cd399b10 Mon Sep 17 00:00:00 2001
From: Denys Otrishko
Date: Thu, 21 May 2020 19:13:04 +0300
Subject: [PATCH 1/2] Improve cert generate.sh script

Use ECDSA curve ed25519 key instead of RSA if possible. Minor improvements: * Add shebang * Make sure to not override existing key without explicit approval * Add explanation messages for each step
---
 cert/generate.sh | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/cert/generate.sh b/cert/generate.sh
index c11abf5..20bd60a 100755
--- a/cert/generate.sh
+++ b/cert/generate.sh
@@ -1,5 +1,29 @@
+#!/bin/sh
+
 cd "$(dirname "$0")"
-openssl genrsa -out key.pem 2048
-openssl req -new -out self.pem -key key.pem -subj '/CN=localhost'
+
+KEY_FILE=key.pem
+if [ -f "$KEY_FILE" ]; then
+ read -e -p "Are you sure you want to replace existing key? [y/N] " YES_NO
+ if [ "$YES_NO" != "y" ] && [ "$YES_NO" != "Y" ]; then
+ exit 0
+ fi
+fi
+
+echo "Generating private ed25519 key"
+openssl genpkey -algorithm ed25519 -out $KEY_FILE
+if [ $? = 1 ]; then
+ echo "Failed to generate ed25519 key, fallback to RSA"
+ echo "Generating private RSA2048 key"
+ openssl genrsa -out key.pem 2048
+fi
+
+set -e
+
+echo "Generating certificate signing request"
+openssl req -new -out self.pem -key $KEY_FILE -subj '/CN=localhost'
+
 openssl req -text -noout -in self.pem
-openssl x509 -req -days 1024 -in self.pem -signkey key.pem -out cert.pem -extfile generate.ext
+
+echo "Generating certificate"
+openssl x509 -req -days 1024 -in self.pem -signkey $KEY_FILE -out cert.pem -extfile generate.ext
From 51a97128c1ceff0ff1677a54ec7fa3081a3490ab Mon Sep 17 00:00:00 2001
From: Denys Otrishko
Date: Fri, 22 May 2020 20:24:50 +0300
Subject: [PATCH 2/2] fixup! Improve cert generate.sh script
---
 cert/generate.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cert/generate.sh b/cert/generate.sh
index 20bd60a..b51aba1 100755
--- a/cert/generate.sh
+++ b/cert/generate.sh
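Review bot: In the first patch's `@@ -1,5 +1,29 @@` hunk the overwrite guard calls `read -e -p` under the new `#!/bin/sh` shebang, but neither option is part of POSIX `read` (dash, for one, rejects `-e`); there the `read` fails, `YES_NO` stays empty and the script leaves through `exit 0` without ever asking. Either declare bash in the shebang or make the prompt portable with `printf '%s' "Are you sure you want to replace existing key? [y/N] "` followed by `read -r YES_NO`. Separately, nothing in the hunk fixes the mode of the new private key, so where the OpenSSL build does not restrict it itself `key.pem` inherits the caller's umask; a `umask 077` ahead of the `openssl genpkey` line would make that explicit.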
@@ -12,7 +12,7 @@ fi

 echo "Generating private ed25519 key"
 openssl genpkey -algorithm ed25519 -out $KEY_FILE
-if [ $? = 1 ]; then
+if [ $? != 0 ]; then
 echo "Failed to generate ed25519 key, fallback to RSA"
 echo "Generating private RSA2048 key"
 openssl genrsa -out key.pem 2048
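Review bot: The fallback command `openssl genrsa -out key.pem 2048` is still unchecked, even though the `!= 0` test now sends every `genpkey` failure down that path, and `set -e` is only switched on after the closing `fi`, which lies outside this hunk. If both commands fail while an older `key.pem` is still on disk, the later `openssl req` and `openssl x509` steps would presumably issue a certificate for the old key without reporting any error. Ending the fallback with `openssl genrsa -out "$KEY_FILE" 2048 || exit 1` closes that gap and also stops the fallback from bypassing `KEY_FILE`.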