3c3
< # $FreeBSD: stable/10/etc/rc.d/sendmail 255654 2013-09-17 20:24:03Z hrs $
---
> # $FreeBSD: stable/10/etc/rc.d/sendmail 256982 2013-10-23 16:55:20Z jmg $
26a27,28
> CERTDIR=/etc/mail/certs
>
46a49,160
> sendmail_cert_create()
> {
> cnname="${sendmail_cert_cn:-`hostname`}"
> cnname="${cnname:-amnesiac}"
>
> # based upon:
> # http://www.sendmail.org/~ca/email/other/cagreg.html
> CAdir=`mktemp -d` &&
> certpass=`(date; ps ax ; hostname) | md5 -q`
>
> # make certificate authority
> ( cd "$CAdir" &&
> chmod 700 "$CAdir" &&
> mkdir certs crl newcerts &&
> echo "01" > serial &&
> :> index.txt &&
>
> cat <<-OPENSSL_CNF > openssl.cnf &&
> RANDFILE = $CAdir/.rnd
> [ ca ]
> default_ca = CA_default
> [ CA_default ]
> dir = .
> certs = \$dir/certs # Where the issued certs are kept
> crl_dir = \$dir/crl # Where the issued crl are kept
> database = \$dir/index.txt # database index file.
> new_certs_dir = \$dir/newcerts # default place for new certs.
> certificate = \$dir/cacert.pem # The CA certificate
> serial = \$dir/serial # The current serial number
> crlnumber = \$dir/crlnumber # the current crl number
> crl = \$dir/crl.pem # The current CRL
> private_key = \$dir/cakey.pem
> x509_extensions = usr_cert # The extentions to add to the cert
> name_opt = ca_default # Subject Name options
> cert_opt = ca_default # Certificate field options
> default_days = 365 # how long to certify for
> default_crl_days= 30 # how long before next CRL
> default_md = default # use public key default MD
> preserve = no # keep passed DN ordering
> policy = policy_anything
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
> [ req ]
> default_bits = 2048
> default_keyfile = privkey.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> x509_extensions = v3_ca # The extentions to add to the self signed cert
> string_mask = utf8only
> prompt = no
> [ req_distinguished_name ]
> countryName = XX
> stateOrProvinceName = Some-state
> localityName = Some-city
> 0.organizationName = Some-org
> CN = $cnname
> [ req_attributes ]
> challengePassword = foobar
> unstructuredName = An optional company name
> [ usr_cert ]
> basicConstraints=CA:FALSE
> nsComment = "OpenSSL Generated Certificate"
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> [ v3_req ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> [ v3_ca ]
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer
> basicConstraints = CA:true
> OPENSSL_CNF
>
> # though we use a password, the key is discarded and never used
> openssl req -batch -passout pass:"$certpass" -new -x509 \
> -keyout cakey.pem -out cacert.pem -days 3650 \
> -config openssl.cnf -newkey rsa:2048 >/dev/null 2>&1 &&
>
> # make new certificate
> openssl req -batch -nodes -new -x509 -keyout newkey.pem \
> -out newreq.pem -days 365 -config openssl.cnf \
> -newkey rsa:2048 >/dev/null 2>&1 &&
>
> # sign certificate
> openssl x509 -x509toreq -in newreq.pem -signkey newkey.pem \
> -out tmp.pem >/dev/null 2>&1 &&
> openssl ca -notext -config openssl.cnf \
> -out newcert.pem -keyfile cakey.pem -cert cacert.pem \
> -key "$certpass" -batch -infiles tmp.pem >/dev/null 2>&1 &&
>
> mkdir -p "$CERTDIR" &&
> chmod 0755 "$CERTDIR" &&
> chmod 644 newcert.pem cacert.pem &&
> chmod 600 newkey.pem &&
> cp -p newcert.pem "$CERTDIR"/host.cert &&
> cp -p cacert.pem "$CERTDIR"/cacert.pem &&
> cp -p newkey.pem "$CERTDIR"/host.key &&
> ln -s cacert.pem "$CERTDIR"/`openssl x509 -hash -noout \
> -in cacert.pem`.0)
>
> retVal="$?"
> rm -rf "$CAdir"
>
> return "$retVal"
> }
>
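Review bot: The signature digest is never pinned — `[ CA_default ]` sets `default_md = default` and `[ req ]` sets no default_md at all — so the CA and host certificates are signed with whatever the linked OpenSSL chooses for RSA keys, which on the 1.0.x library of this branch is presumably SHA-1; writing `default_md = sha256` in both the `[ CA_default ]` and `[ req ]` sections of the heredoc avoids peers that reject SHA-1 chains. The CA passphrase is also passed on the command line through `-passout pass:"$certpass"` and `-key "$certpass"`, so it is briefly visible in process listings; that is harmless here only because cakey.pem stays inside the mktemp directory and is deleted with it, and the `-passin`/`env:` forms would be safer should the CA key ever be kept. Because the CA key is discarded, host.cert cannot be renewed or re-issued under this CA when its 365-day validity ends, which deserves a comment above the `# make new certificate` step. Finally, the trailing `ln -s` fails if a `<hash>.0` link already exists in $CERTDIR from an earlier run, turning retVal non-zero after the cert and key files have already been installed.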
73a188,198
>
> if checkyesno sendmail_cert_create && [ ! \( \
> -f "$CERTDIR/host.cert" -o -f "$CERTDIR/host.key" -o \
> -f "$CERTDIR/cacert.pem" \) ]; then
> if ! openssl version >/dev/null 2>&1; then
> warn "OpenSSL not available, but sendmail_cert_create is YES."
> else
> info Creating certificate for sendmail.
> sendmail_cert_create
> fi
> fi
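Review bot: The guard at the top of the hunk tests only for the existence of host.cert, host.key and cacert.pem, so a certificate that has passed the one-year lifetime sendmail_cert_create gives it is never replaced and, since that function throws the CA key away, cannot be re-issued under the same CA either; after a year sendmail presumably keeps offering an expired certificate with nothing logged. A comment such as `# certificates are created once; remove host.cert to regenerate after expiry` above the test would make that explicit, and an `openssl x509 -checkend 0 -noout -in "$CERTDIR/host.cert" || warn "sendmail certificate has expired"` in the else-branch for the existing-files case would surface it at boot. The test itself relies on the XSI-only `-o` operator inside `\( \)`; `[ ! -f "$CERTDIR/host.cert" ] && [ ! -f "$CERTDIR/host.key" ] && [ ! -f "$CERTDIR/cacert.pem" ]` is the portable equivalent. The enclosing function starts and ends outside the hunk.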