function ssl_cname() {
local crt=$1; shift
openssl x509 -noout -in $crt -subject | \
- sed -e 's|.*CN *= *\([-_a-zA-Z0-9.]*\).*|\1|' | \
- lower
+ sed -e 's|.*CN *= *\([-_a-zA-Z0-9.]*\).*|\1|' | \
+ lower
+}
+
+function ssl_alt_names() {
+ local crt=$1; shift
+ openssl x509 -noout -in $crt -ext subjectAltName | \
+ tail -1 | \
+ sed -e 's|DNS:||g' -e 's|,||' | \
+ lower
+}
+
+function name_in_cert() {
+ local name=$1; shift
+ local crt=$1; shift
+ local cname=$(ssl_cname $crt)
+ local alt_names=$(ssl_alt_names $crt)
+ if [ "$name" = "$cname" ] ; then
+ return 0
+ fi
+ for alt_name in $alt_names; do
+ if [ "$name" = "$alt_name" ] ; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+function cert_is_valid_and_about() {
+ local crt="$1"; shift
+ local ca="$1"; shift
+ local cname="$1"; shift
+
+ # needs to be about the right name
+ name_in_cert $cname $crt || return 1
+ # needs to be signed by CA
+ openssl verify -CAfile $ca $crt >& /dev/null || return 1
+ return 0
+
}
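Review bot: `ssl_alt_names` only strips the first comma (`-e 's|,||'` has no `g`), so for a certificate with three or more SAN entries openssl's `DNS:a, DNS:b, DNS:c` becomes `a b, c` and the loop in `name_in_cert` compares against `b,` — every middle entry is never matched and `cert_is_valid_and_about` returns 1 for a name the cert actually covers, which in the caller triggers the backup/regeneration path. Use `-e 's|DNS:||g' -e 's|,| |g'` so each entry is its own word; non-DNS entries (`IP Address:`, `email:`) still pass through unstripped and will simply never match, which is acceptable but worth a comment. The `tail -1` also assumes openssl prints the whole SAN list on one line; it does today, but a `grep -o 'DNS:[^,]*'` over the full `-ext` output would not depend on that. Separately, `$crt`, `$ca`, `$name` and `$cname` are passed unquoted throughout (`name_in_cert $cname $crt`, `openssl verify -CAfile $ca $crt`), so an empty `cname` shifts the arguments and a path with spaces breaks the check; quote them (`"$crt"`, `"$ca"`), and note the old `grep -q "error"` test is replaced by the exit status of `openssl verify`, which is the right signal.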
function backup_file() {
fi
if [ -f $crt ] ; then
- # Check if certificate is valid
- # Backup if invalid or if the subject has changed
- if openssl verify -CAfile $ca $crt | grep -q "error" || \
- [ "$(ssl_cname $crt)" != "$cname" ] ; then
- backup_file $crt
- backup_file $ca
- backup_file $key
- fi
+ # Backup (i.e. move under other name) if invalid or if cname is not in that cert
+ cert_is_valid_and_about $crt $ca $cname || {
+ backup_file $crt
+ backup_file $ca
+ backup_file $key
+ }
fi
if [ ! -f $crt ] ; then
symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
- symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
- symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
+ # symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
+ # symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
done
# Ensure that the server-chain gets used, as it is off by