From 155d96b149138b4997926868d81576eebbda33ed Mon Sep 17 00:00:00 2001
From: Michael Mayer
Date: Wed, 19 Oct 2022 20:25:10 +0200
Subject: [PATCH] Security: Improved scripts for creating local TLS certificates
Signed-off-by: Michael Mayer
---
 scripts/openssl/create-ca.sh | 16 ++++++++--------
 scripts/openssl/create-certs.sh | 15 ++++++--------
 2 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/scripts/openssl/create-ca.sh b/scripts/openssl/create-ca.sh
index 292f045e1..1b4b69585 100755
--- a/scripts/openssl/create-ca.sh
+++ b/scripts/openssl/create-ca.sh
@@ -1,20 +1,20 @@
 #!/usr/bin/env bash
+# To add this certificate to your list of trusted issuers:
+# sudo cp storage/config/certificates/photoprism.local.issuer.crt /usr/local/share/ca-certificates/photoprism.local.issuer.crt
+# sudo update-ca-certificates
+
 # shellcheck disable=SC2164
 SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
-CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certs"
+CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
 echo "OpenSSL Scripts: ${SCRIPT_PATH}"
 echo "HTTPS Cert Path: ${CERTS_PATH}"
 mkdir -p "${CERTS_PATH}"
-openssl genrsa -out "$CERTS_PATH/ca.key" 4096
+openssl genrsa -out "$CERTS_PATH/photoprism.local.issuer.key" 4096
-openssl req -x509 -new -nodes -key "$CERTS_PATH/ca.key" -sha256 -days 365 -out "$CERTS_PATH/ca.pem" -passin pass: -passout pass: -config "$SCRIPT_PATH/ca.conf"
+openssl req -x509 -new -nodes -key "$CERTS_PATH/photoprism.local.issuer.key" -sha256 -days 365 -out "$CERTS_PATH/photoprism.local.issuer.pem" -passin pass: -passout pass: -config "$SCRIPT_PATH/ca.conf"
-openssl x509 -outform der -in "$CERTS_PATH/ca.pem" -out "$CERTS_PATH/ca.crt"
-
-# To add this to the local cert list:
-# sudo cp ./certs/ca.crt /usr/local/share/ca-certificates/local-ca.crt
-# sudo update-ca-certificates
\ No newline at end of file
+openssl x509 -outform der -in "$CERTS_PATH/photoprism.local.issuer.pem" -out "$CERTS_PATH/photoprism.local.issuer.crt"
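Review bot: The issuer private key written by `openssl genrsa -out "$CERTS_PATH/photoprism.local.issuer.key" 4096` inherits the caller's umask, so with a common 022 umask this unencrypted CA key (the `openssl req` line passes `-nodes` and `-passout pass:`) lands world-readable under storage/config/certificates. Setting `umask 077` once before the first file is written keeps the key and the PEM private to the invoking user; the DER `.crt` that the added comment copies into the trust store can be loosened separately if that is ever needed, and the same point applies to the leaf key and `.pfx` produced by create-certs.sh in the next hunk. Because the script has no `set -e`, a failed `genrsa` also lets the following `openssl req` and `openssl x509` run against a missing key. Re-running the script unconditionally regenerates the issuer key and certificate, which invalidates every certificate already signed with it and any copy installed via the commented `update-ca-certificates` step; a guard before `genrsa` such as `[[ -e "$CERTS_PATH/photoprism.local.issuer.key" ]] && { echo "issuer key already exists, remove it to rotate" >&2; exit 1; }` makes rotation an explicit decision.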
diff --git a/scripts/openssl/create-certs.sh b/scripts/openssl/create-certs.sh
index 5d3a60d3a..89a72441d 100755
--- a/scripts/openssl/create-certs.sh
+++ b/scripts/openssl/create-certs.sh
@@ -2,18 +2,15 @@
 # shellcheck disable=SC2164
 SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
-CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certs"
-
-echo "OpenSSL Scripts: ${SCRIPT_PATH}"
-echo "HTTPS Cert Path: ${CERTS_PATH}"
+CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
 mkdir -p "${CERTS_PATH}"
-openssl genrsa -out "$CERTS_PATH/local.key" 4096
+openssl genrsa -out "$CERTS_PATH/photoprism.local.key" 4096
-openssl req -new -config "$SCRIPT_PATH/openssl.conf" -key "$CERTS_PATH/local.key" -out "$CERTS_PATH/local.csr"
+openssl req -new -config "$SCRIPT_PATH/openssl.conf" -key "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.csr"
-openssl x509 -req -in "$CERTS_PATH/local.csr" -CA "$CERTS_PATH/ca.pem" -CAkey "$CERTS_PATH/ca.key" -CAcreateserial \
--out "$CERTS_PATH/local.crt" -days 365 -sha256 -extfile "$SCRIPT_PATH/local.conf"
+openssl x509 -req -in "$CERTS_PATH/photoprism.local.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$CERTS_PATH/photoprism.local.issuer.key" -CAcreateserial \
+-out "$CERTS_PATH/photoprism.local.crt" -days 365 -sha256 -extfile "$SCRIPT_PATH/local.conf"
-openssl pkcs12 -export -in "$CERTS_PATH/local.crt" -inkey "$CERTS_PATH/local.key" -out "$CERTS_PATH/local.pfx" -passin pass: -passout pass:
\ No newline at end of file
+openssl pkcs12 -export -in "$CERTS_PATH/photoprism.local.crt" -inkey "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.pfx" -passin pass: -passout pass:
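Review bot: The signing line `openssl x509 -req ... -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$CERTS_PATH/photoprism.local.issuer.key"` depends on create-ca.sh having been run with the new file names, but nothing in this script checks that those files exist, and without `set -e` a missing issuer yields a failed signature followed by a `pkcs12 -export` that would presumably pick up whatever `photoprism.local.crt` is left over from an earlier run. A precondition check before the signing step, `[[ -r "$CERTS_PATH/photoprism.local.issuer.key" && -r "$CERTS_PATH/photoprism.local.issuer.pem" ]] || { echo "issuer key/cert not found in ${CERTS_PATH}, run create-ca.sh first" >&2; exit 1; }`, fails fast with a clear message instead of a cascade of OpenSSL errors. Dropping the two `echo` lines also removes the only indication of which directory the key material went to; if that is intended, the install comment in create-ca.sh is now the only place the path is documented. The script's shebang line lies outside the hunk.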