- hostnames are case-insensitive, compare lowercase e-mails
- fix permissions regardless of whether we generated the cert or not
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: ssl,v 1.10 2006/07/24 19:30:45 mlhuang Exp $
+# $Id: ssl,v 1.11 2007/01/18 18:44:18 mlhuang Exp $
#
# Source function library and configuration
#
# Source function library and configuration
ssl_cname ()
{
openssl x509 -noout -in $1 -subject | \
ssl_cname ()
{
openssl x509 -noout -in $1 -subject | \
- sed -n -e 's@.*/CN=\([^/]*\).*@\1@p'
-}
-
-# Print the emailAddress of an SSL certificate
-ssl_email ()
-{
- openssl x509 -noout -in $1 -subject | \
- sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p'
+ sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' | \
+ lower
}
# Verify a certificate. If invalid, generate a new self-signed
}
# Verify a certificate. If invalid, generate a new self-signed
# If the CA certificate does not exist, assume that the
# certificate is self-signed.
# If the CA certificate does not exist, assume that the
# certificate is self-signed.
verify=$(openssl verify -CAfile $ca $crt)
# Delete if invalid or if the subject has changed
if grep -q "error" <<<$verify || \
verify=$(openssl verify -CAfile $ca $crt)
# Delete if invalid or if the subject has changed
if grep -q "error" <<<$verify || \
- [ "$(ssl_cname $crt)" != "$cname" ] || \
- [ "$(ssl_email $crt)" != "$email" ] ; then
+ [ "$(ssl_cname $crt)" != "$cname" ] ; then
if [ -n "$cname" ] ; then
subj="$subj/CN=$cname"
fi
if [ -n "$cname" ] ; then
subj="$subj/CN=$cname"
fi
- if [ -n "$email" ] ; then
- subj="$subj/emailAddress=$email"
- fi
# Generate new self-signed certificate
mkdir -p $(dirname $crt)
# Generate new self-signed certificate
mkdir -p $(dirname $crt)
-batch -subj "$subj" \
-nodes -keyout $key -out $crt
check
-batch -subj "$subj" \
-nodes -keyout $key -out $crt
check
# The certificate it self-signed, so it is its own CA
cp -a $crt $ca
fi
# The certificate it self-signed, so it is its own CA
cp -a $crt $ca
fi
+
+ # Fix permissions
+ chmod 644 $crt $ca
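Review bot: The new "Fix permissions" step at the end of the page sets only `$crt` and `$ca` to 644, while the private key that `openssl req ... -nodes -keyout $key` writes unencrypted keeps whatever mode the umask or an earlier run gave it. I would pin it in the same place, for example `chmod 600 $key` (or a group-readable mode if a non-root service must read it), so the step covers all three files whether or not the certificate was regenerated. Separately, `ssl_cname` now pipes through `lower`, but the comparison `[ "$(ssl_cname $crt)" != "$cname" ]` still uses `$cname` as passed in. Unless the caller lowercases it outside the visible lines, a mixed-case hostname would never match and the certificate and key would be regenerated on every run, so `cname=$(lower <<<"$cname")` before the comparison seems worth adding. The enclosing function starts and ends outside the lines shown, and `lower` is not defined in them.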