- 论坛徽章:
- 0
|
Apache中的TLS Howto里面经常提到的sign.sh文件,由于不是所有人都安装mod_ssl,在apache2.0以后也不用这个包了,所以单独弄出来
Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
Prev
Chapter 24. Software -Networking/Encryption
Next
24.5. Create the /usr/bin/sign.sh program file
The openssl ca commands has some strange requirements and the default OpenSSL config doesn't allow one easily to use openssl ca directly. Therefore, well create this sign.sh program to replace it. Create the sign.sh program file, touch /usr/bin/sign.sh and add to this file:
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##
# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
echo "Usage: sign.sign .csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/.csr/.crt/'`" ;;
* ) CERT="$CSR.crt" ;;
esac
# make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi
# create an own SSLeay config
cat >ca.config $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT
# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully
exit 0
Now, make this program executable, and change its default permissions:
[root@deep] /# chmod 755 /usr/bin/sign.sh
![]()
: You can also find this program sign.sh in the mod_ssl distribution under the mod_ssl-version/pkg.contrib/ subdirectory, or on our floppy.tgz archive file. Also note that the section [ CA_own ] must be changed to refect your own environment and don't forget to change the openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT line too.
Prev
Home
Next
The /etc/ssl/openssl.cnf file
Up
Commands -often used
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/2389/showart_27364.html |
|
免费注册
发表于 2005-05-23 19:08
