Package: ssl-cert
Version: 1.0.39
Severity: normal

Dear Maintainer,

using the script to create a custom self-signed cert, for example like so

  # make-ssl-cert /usr/share/ssl-cert/ssleay.cnf cert.pem

produces only one file, cert.pem, containing both the public and the private key (script uses same file arg for --out and --keyout).

This is, at least, not useful out of the box. I would expect the script to produce private and public key in separate files (like for the snakeoil case).

The attached patch is a suggestion, assuming the script argument as stem and creating separate .pem/.key files (ideally however, both filenames can be given as argument).

Hth!

S

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.72
ii  openssl                1.1.1b-2

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
pn  openssl-blacklist  <none>

-- debconf information excluded
commit edb701ff5440a09dc90f07038965f3c154fd8358 Author: Stephan Sürken <abs...@olurdix.de> Date: Fri May 17 14:02:03 2019 +0200 make-ssl-cert[.8]: Make script work for the non-snakeoil case. diff --git a/make-ssl-cert b/make-ssl-cert index 152e9f9..45bcac7 100755 --- a/make-ssl-cert +++ b/make-ssl-cert @@ -104,16 +104,17 @@ umask 077 if [ "$1" != "generate-default-snakeoil" ]; then if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \ - -out $output -keyout $output > $TMPOUT 2>&1 + -out ${output}.pem -keyout ${output}.key > $TMPOUT 2>&1 then echo Could not create certificate. Openssl output was: >&2 cat $TMPOUT >&2 exit 1 fi - chmod 600 $output + chmod 600 $output.key + chmod 644 $output.pem # hash symlink - cd $(dirname $output) - ln -sf $(basename $output) $(openssl x509 -hash -noout -in $(basename $output)) + cd $(dirname $output.pem) + ln -sf $(basename $output.pem) $(openssl x509 -hash -noout -in $(basename $output.pem)) else if ! openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -sha256 \ -out /etc/ssl/certs/ssl-cert-snakeoil.pem \ diff --git a/make-ssl-cert.8 b/make-ssl-cert.8 index 7916b25..a384a7e 100644 --- a/make-ssl-cert.8 +++ b/make-ssl-cert.8 @@ -3,7 +3,7 @@ make-ssl-cert - Debconf wrapper for openssl .SH SYNOPSIS .B make-ssl-cert -\fItemplate\fR \fIoutput-certificate\fR [\fB\-\-force\-overwrite\fR] +\fItemplate\fR \fIoutput-certificate-base\fR [\fB\-\-force\-overwrite\fR] .br .B make-ssl-cert generate-default-snakeoil [\fB\-\-force\-overwrite\fR] 
@@ -11,9 +11,9 @@ make-ssl-cert - Debconf wrapper for openssl .SH "DESCRIPTION" make-ssl-cert is a simple debconf to openssl wrapper to create self-signed certificates. -It requires a source template (Ex: /usr/share/ssl-cert/ssleay.cnf) -and it will place the new generated certificate in the specified -output file. +It requires a source template (Ex: /usr/share/ssl-cert/ssleay.cnf) and +it will place the new generated certificate in resp. file appendixed .pem +(public cert) and .key (private key) from the given base name. .br Invoked with "generate-default-snakeoil", it will generate /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key.
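Review bot: In the make-ssl-cert hunk (@@ -104), the output argument silently changes from a file name to a stem, so a caller that passes cert.pem now gets cert.pem.pem and cert.pem.key and nothing at the path it asked for. Consider keeping the first argument as the certificate path and taking an optional second argument for the key, or stripping a trailing .pem before appending the suffixes. The new lines also mix ${output}.pem with $output.pem and leave every expansion unquoted, so a path containing spaces splits in -out, -keyout, chmod, dirname and basename; writing "${output}.pem" and "${output}.key" throughout fixes both. If the --force-overwrite check still tests $output, it no longer protects either of the two files that are actually written.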
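Review bot: In the make-ssl-cert.8 DESCRIPTION hunk (@@ -11), "in resp. file appendixed .pem (public cert) and .key (private key)" is hard to parse; state directly that the certificate is written to <base>.pem and the private key to <base>.key. The text should also document the modes the script sets (644 on the certificate, 600 on the key) and that both files land in the same directory, since the snakeoil case described in the next sentence puts its key under /etc/ssl/private instead.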
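Added example (not part of the original report, the patch, or the ssl-cert package): for files already produced by the single-file behaviour the report describes, a shell helper that splits a combined PEM into <base>.pem and <base>.key with the modes used in the patch. The function name split_combined_pem and its return codes are assumptions made for this illustration.

```shell
# split_combined_pem COMBINED BASE   (hypothetical helper, not part of ssl-cert)
# Splits a PEM file holding both a certificate and a private key into
# BASE.pem (mode 644) and BASE.key (mode 600).
# Usage: split_combined_pem ./old/cert.pem ./new/cert
split_combined_pem() {
    combined=$1
    base=$2
    [ -r "$combined" ] || { echo "cannot read $combined" >&2; return 2; }

    # Refuse input that does not hold both a certificate and a private key.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$combined" || return 3
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$combined" || return 3

    # Never write over the file being read (e.g. cert.pem split with base "cert").
    [ "$combined" != "$base.pem" ] && [ "$combined" != "$base.key" ] || return 5

    # Create both outputs under umask 077 so the key is never readable by
    # others, not even between creation and the chmod below.
    (
        umask 077
        awk -v cert="$base.pem" -v key="$base.key" '
            /^-----BEGIN CERTIFICATE-----/           { out = cert }
            /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { out = key }
            out != ""                                { print > out }
            /^-----END /                             { out = "" }
        ' "$combined"
    ) || return 4

    chmod 600 "$base.key" && chmod 644 "$base.pem"
}
```

The original combined file is left in place; remove it or restrict it to mode 600 once the split files are in use, since it still contains the private key.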