CA_VERIFY_SRV=0 #to check PEER/client remote certificate
#------------------------------------------------
#Defining CLIENT mode Certificate data
-CA_ROOT_SRV="/etc/pki/tls/make-ca/ca-bundle.crt"
+CA_ROOT_CLT="/etc/pki/tls/make-ca/ca-bundle.crt"
CA_CERT_CLT="/etc/pki/mailleur/mailleur-cert.pem"
CA_KEY_CLT="/etc/pki/mailleur/mailleur-key.pem"
CA_VERIFY_CLT=0 #to check PEER/server remote certificate
--- /dev/null
+#! /usr/bin/bash
+#-------------------------------------------------------------------
+#procedure to generate a lets encrypt certificate with a contanst
+#public/private key
+#-------------------------------------------------------------------
+#comment in if working in production
+DRY_RUN="--dry-run"
+#-------------------------------------------------------------------
+WRKDIR=/tmp
+MRKR=`date +"%F"`
+
+(
+#Set working directory
+cd $WRKDIR
+mkdir -p data
+
+#Generate an Elliptic Curve Digital Signature Algorithm
+openssl ecparam \
+ -out ./data/ec_key.pem \
+ -genkey \
+ -name prime256v1
+
+#generate a config file
+cat > ./data/cnffile << EOT
+[req]
+distinguished_name=req_dn
+[req_dn]
+commonName=`uname -n`
+[SAN]
+subjectAltName=DNS:`uname -n`
+EOT
+
+#Generate the CSR request
+openssl req \
+ -config ./data/cnffile \
+ -outform PEM \
+ -new \
+ -nodes \
+ -subj '/' \
+ -reqexts SAN \
+ -out ./data/request.csr \
+ -keyout ./data/privkey.pem \
+ -key ./data/ec_key.pem
+
+
+#Request certificate (with a steady key) via cerbot
+#Note" this is done in dry-run mode (remove it to
+#pass in production mode)
+ls -ails ./data/request.csr
+certbot certonly \
+ --apache \
+ --csr ./data/request.csr \
+ --fullchain-path ./data/$MRKR-fullchain.pem \
+ --chain-path ./data/$MRKR-chain.pem \
+ --cert-path ./data/$MRKR-cert.pem \
+ --work-dir ./data \
+ --logs-dir ./data \
+ --config-dir ./data \
+ $DRY_RUN
+
+)
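Review bot: The EC private key written by `openssl ecparam -out ./data/ec_key.pem` lands under a fixed, shared directory (`WRKDIR=/tmp` followed by `mkdir -p data`) and is created with the caller's default umask, so `/tmp/data/ec_key.pem` is a predictable path that another local user can pre-create (or symlink) and that will typically be world-readable; `certbot` then writes the issued chain files into the same directory. Also, `cd $WRKDIR` is unquoted and unchecked, so if it fails the rest of the subshell runs in the caller's current directory. I would replace the setup with `umask 077`, `WRKDIR=$(mktemp -d) || exit 1` and `cd "$WRKDIR" || exit 1`, which also keeps the subshell from silently continuing on failure. Separately, `-keyout ./data/privkey.pem` appears unused here because `-key ./data/ec_key.pem` supplies the key and no new key is generated, so it probably can be dropped to avoid confusion about which file holds the private key — worth confirming against the OpenSSL version in use. The `DRY_RUN` comment at the top says "comment in if working in production" but the variable must be emptied or commented out, not in; `#comment out when working in production` would match what the later note says.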