subjectKeyIdentifier=hash
EOF
+# Added for Debian. Make the key mode 640 and readable by group _shibd so
+# that the Debian shibd can use a non-root user.
+touch sp-key.pem
+chgrp _shibd sp-key.pem
+chmod 640 sp-key.pem
if [ -z "$BATCH" ] ; then
openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem
else
openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem 2> /dev/null
fi
-chmod 600 sp-key.pem
rm sp-cert.cnf