ftp.sberbank.sumy.ua

home *** CD-ROM | disk | FTP | other *** search

/ ftp.sberbank.sumy.ua / 2014.11.ftp.sberbank.sumy.ua.tar / ftp.sberbank.sumy.ua / incoming / sxtech / regen_sslkeys < prev next >

Wrap

Text File | 2014-08-29 | 3KB | 149 lines

#!/bin/sh GUI_CERT=/var/eq/eqssl/server SIBD_CERT=/var/eq/eqssl/sibd key_check() { REMOVE=0 if [ ! -f $SERVER_CRT -o ! -f $SERVER_KEY ]; then PROBLEM="is missing." REMOVE=1 return fi # Get and validate various parameters of old certificate and key. ISSUER=$(openssl x509 -issuer -noout -in $SERVER_CRT | \ awk '{$1=""; print}') O="$(echo $ISSUER | awk -F '[/=]' '{print $9}')" OU="$(echo $ISSUER | awk -F '[/=]' '{print $11}')" SERIAL=$(openssl x509 -serial -noout -in $SERVER_CRT | \ awk -F= '{print $2}') if [ "$O" = "Snake Oil, Ltd" -a \ "$OU" = "Certificate Authority" -a \ "$SERIAL" = "01" ]; then PROBLEM="is an old Apache example key (unsafe)." REMOVE=1 return fi if [ "$SERIAL" = "00" -a "$1" = "-s" ]; then PROBLEM="has an invalid serial number." REMOVE=1 return fi KEYMOD=$(openssl rsa -modulus -in $SERVER_KEY -noout | \ awk -F= '{print $2}') CERTMOD=$(openssl x509 -modulus -in $SERVER_CRT -noout | \ awk -F= '{print $2}') if [ "$KEYMOD" != "$CERTMOD" ]; then PROBLEM="is corrupt (private and public key do not match)." REMOVE=1 return fi } get_ans() { ANSWER="x" while [ $ANSWER = "x" ] do while read line do ANSWER="$line" done < $inputfile sleep 1 done echo "x" > $inputfile return } key_clear() { if [ "$PROMPT" != 1 ]; then ANSWER=y else if [ "$inputfile" = "" ]; then read -p "Enter 'Y' to acknowledge this message and continue: " \ ANSWER else echo "Enter 'y' to acknowledge this message and continue? [y/n]" echo get_ans fi fi if [ "$ANSWER" = "Y" -o "$ANSWER" = "y" ]; then if mount | grep ' / .*read' > /dev/null; then mount -u -w / REMOUNT=1 fi rm -f $SERVER_CRT rm -f $SERVER_KEY rm -f /.master$SERVER_CRT rm -f /.master$SERVER_KEY sync if [ "$REMOUNT" = "1" ]; then mount -u -r / fi else echo "****ABORT*****" exit 1 fi } check_all_keys() { SERVER_CRT=$SIBD_CERT.crt SERVER_KEY=$SIBD_CERT.key key_check if [ $REMOVE -eq 1 ]; then if [ $SIBNUM -eq 2 ]; then cat << ZOG Your failover SSL certificate $PROBLEM This means that your failover peers currently cannot communicate with each other over SSL. At the next reboot of this Equalizer its failover certificate will be regenerated to re-enable failover operation. Please see the Technical Note at http://docs.coyotepoint.com for additional steps to follow after the reboot. ZOG PROMPT=1 fi key_clear fi SERVER_CRT=$GUI_CERT.crt SERVER_KEY=$GUI_CERT.key key_check -s if [ $REMOVE -eq 1 ]; then cat << ZOG ^G^G Your GUI SSL certificate $PROBLEM This means that the Equalizer GUI is currently inaccessible over HTTPS with some or all browsers. At the next reboot of this Equalizer its GUI certificate will be regenerated. ZOG PROMPT=1 key_clear fi } while getopts G: o do case "$o" in G) inputfile="$OPTARG";; [?]) echo "Usage: $0 [-G] file ..." exit 1;; esac done SIBNUM=$(grep sibling /var/eq/eq.conf | wc -l) check_all_keys