3 # Added for Debian. The upstream version is installed in /etc/shibboleth and
4 # for Debian we wanted to move it to /usr/bin, so change directories so that
5 # it puts files in the correct location.
# Option parsing. From the usage text below: -h hostname for the cert, -u owning
# user, -g owning group, -o output directory (default .), -e entityID to embed,
# -y years of validity. -b and -f take no argument; presumably they set BATCH
# and FORCE, which are tested further down — confirm against the case arms
# that are not shown here.
7 while getopts h:u:g:o:e:y:bf c
# Unknown option: print usage. NOTE(review): the usage text omits -b and -f
# even though getopts accepts them (the -f hint only appears in the
# "already exist" message below).
18 \?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
# Default output directory when -o was not given (body not shown; the usage
# text says ".").
22 if [ -z "$OUT" ] ; then
# -f: discard any existing keypair before regenerating.
# NOTE(review): $OUT is unquoted here and in every path below, so an output
# directory containing whitespace or glob characters is word-split/expanded;
# rm is also called without -f or --, so a missing file yields an error message.
26 if [ -n "$FORCE" ] ; then
27 rm $OUT/sp-key.pem $OUT/sp-cert.pem
# Refuse to clobber a non-empty key or cert unless -f was given. The `-o`
# operator inside `[ ]` is deprecated/ambiguous; `[ -s a ] || [ -s b ]` is the
# portable form.
30 if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
# Interactive mode only: explain the refusal. The message goes to stdout,
# not stderr, and $OUT is again unquoted.
31 if [ -z "$BATCH" ] ; then
32 echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
33 echo Use -f option to force recreation of keypair.
39 # --fqdn flag added for Debian to generate better names for certificates.
# Certificate CN / DNS SAN falls back to the machine's FQDN when -h was not
# given. `hostname --fqdn` may not exist on non-GNU hostname implementations;
# if the command fails, FQDN stays empty and no check for that is visible here.
40 if [ -z "$FQDN" ] ; then
41 FQDN=`hostname --fqdn`
# Default validity in years when -y was not given (value not shown).
44 if [ -z "$YEARS" ] ; then
# Years -> days for `openssl req -days` (no leap-day allowance).
# NOTE(review): no validation of -y is visible; a non-numeric value makes expr
# fail, leaving DAYS empty and the later `-days $DAYS` argument malformed.
48 DAYS=`expr $YEARS \* 365`
# Default entityID when -e was not given (value not shown).
50 if [ -z "$ENTITYID" ] ; then
# subjectAltName: the FQDN as a DNS name plus the entityID as a URI.
# NOTE(review): FQDN and ENTITYID are written verbatim into the generated
# OpenSSL config below; a value containing a comma or a newline would change
# the meaning of that config, so rejecting such characters would be prudent.
53 ALTNAME=DNS:$FQDN,URI:$ENTITYID
# Generated OpenSSL config, written into the output directory. The lines that
# follow are presumably the here-doc that fills it (its terminator is not
# shown), so they are config content rather than shell comments.
56 SSLCNF=$OUT/sp-cert.cnf
58 # OpenSSL configuration file for creating sp-cert.pem
65 # PrintableStrings only
71 subjectAltName=$ALTNAME
72 subjectKeyIdentifier=hash
76 chmod 600 $OUT/sp-key.pem
# The chmod above runs before openssl writes the key, so it only has effect if
# the file already exists — presumably created on the line just before it,
# which is not shown. Pre-creating it with mode 600 looks intended to keep the
# private key from ever being readable by others under a permissive umask;
# confirm that openssl writes into the existing file rather than replacing it.
77 if [ -z "$BATCH" ] ; then
# Interactive: openssl's output, including any error, is left visible.
78 openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
# Batch (-b): openssl's stderr is discarded, so a failed generation is silent.
# No exit-status check is visible here; the only later signal is the
# `-s $OUT/sp-key.pem` tests below.
80 openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
# Hand the keypair to the requested owner/group, but only if a key was produced.
# NOTE(review): USER is commonly pre-set by the login environment, so this
# branch may run even when -u was not given — confirm how the u) arm sets it.
# `-a` inside `[ ]` is deprecated; `[ -s f ] && [ -n "$USER" ]` is the portable
# form. $USER, $GROUP and $OUT are unquoted in the chown/chgrp calls.
84 if [ -s $OUT/sp-key.pem -a -n "$USER" ] ; then
85 chown $USER $OUT/sp-key.pem $OUT/sp-cert.pem
88 if [ -s $OUT/sp-key.pem -a -n "$GROUP" ] ; then
89 chgrp $GROUP $OUT/sp-key.pem $OUT/sp-cert.pem