beenull/photoprism
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Security: Improved scripts for creating local TLS certificates

Browse source 
Signed-off-by: Michael Mayer <michael@photoprism.app>
This commit is contained in:
Michael Mayer 2022-10-19 20:25:10 +02:00
parent 5ca5bc66b7
commit 155d96b149
2 changed files with 14 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
scripts/openssl/create-ca.sh
View file

@ -1,20 +1,20 @@
#!/usr/bin/env bash
# To add this certificate to your list of trusted issuers:
# sudo cp storage/config/certificates/photoprism.local.issuer.crt /usr/local/share/ca-certificates/photoprism.local.issuer.crt
# sudo update-ca-certificates
# shellcheck disable=SC2164
SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certs"
CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
echo "OpenSSL Scripts: ${SCRIPT_PATH}"
echo "HTTPS Cert Path: ${CERTS_PATH}"
mkdir -p "${CERTS_PATH}"
openssl genrsa -out "$CERTS_PATH/ca.key" 4096
openssl genrsa -out "$CERTS_PATH/photoprism.local.issuer.key" 4096
openssl req -x509 -new -nodes -key "$CERTS_PATH/ca.key" -sha256 -days 365 -out "$CERTS_PATH/ca.pem" -passin pass: -passout pass: -config "$SCRIPT_PATH/ca.conf"
openssl req -x509 -new -nodes -key "$CERTS_PATH/photoprism.local.issuer.key" -sha256 -days 365 -out "$CERTS_PATH/photoprism.local.issuer.pem" -passin pass: -passout pass: -config "$SCRIPT_PATH/ca.conf"
openssl x509 -outform der -in "$CERTS_PATH/ca.pem" -out "$CERTS_PATH/ca.crt"
# To add this to the local cert list:
# sudo cp ./certs/ca.crt /usr/local/share/ca-certificates/local-ca.crt
# sudo update-ca-certificates
openssl x509 -outform der -in "$CERTS_PATH/photoprism.local.issuer.pem" -out "$CERTS_PATH/photoprism.local.issuer.crt"

15
scripts/openssl/create-certs.sh
View file

@ -2,18 +2,15 @@
# shellcheck disable=SC2164
SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certs"
echo "OpenSSL Scripts: ${SCRIPT_PATH}"
echo "HTTPS Cert Path: ${CERTS_PATH}"
CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
mkdir -p "${CERTS_PATH}"
openssl genrsa -out "$CERTS_PATH/local.key" 4096
openssl genrsa -out "$CERTS_PATH/photoprism.local.key" 4096
openssl req -new -config "$SCRIPT_PATH/openssl.conf" -key "$CERTS_PATH/local.key" -out "$CERTS_PATH/local.csr"
openssl req -new -config "$SCRIPT_PATH/openssl.conf" -key "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.csr"
openssl x509 -req -in "$CERTS_PATH/local.csr" -CA "$CERTS_PATH/ca.pem" -CAkey "$CERTS_PATH/ca.key" -CAcreateserial \
-out "$CERTS_PATH/local.crt" -days 365 -sha256 -extfile "$SCRIPT_PATH/local.conf"
openssl x509 -req -in "$CERTS_PATH/photoprism.local.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$CERTS_PATH/photoprism.local.issuer.key" -CAcreateserial \
-out "$CERTS_PATH/photoprism.local.crt" -days 365 -sha256 -extfile "$SCRIPT_PATH/local.conf"
openssl pkcs12 -export -in "$CERTS_PATH/local.crt" -inkey "$CERTS_PATH/local.key" -out "$CERTS_PATH/local.pfx" -passin pass: -passout pass:
openssl pkcs12 -export -in "$CERTS_PATH/photoprism.local.crt" -inkey "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.pfx" -passin pass: -passout pass: