Commit 3459a0a7 authored by Xueshan Feng's avatar Xueshan Feng

added script to verify cert, key and cert chain. Useful for generating haproxy cert bundle.

parent e9907d97
# Script to verify
[ -z "$fqdn" ] && echo "Usage: ./$(basename $0) <fqdn>" && exit 1
echo Checking key file $fqdn
[ ! -f $fqdn.key ] && echo "$fqdn.key doesn't exit." && exit 1
keymd5=$(openssl rsa -noout -modulus -in $fqdn.key | openssl md5)
echo "md5 = $keymd5"
echo Checking server cert $cert
cert="$(echo $fqdn | tr '.' '_')_cert.cer"
[ ! -f $cert ] && echo "$cert doesn't exit." && exit 1
certmd5=$(openssl x509 -noout -modulus -in $cert | openssl md5)
echo "md5 = $certmd5"
if [ "$keymd5" != "$certmd5" ]
echo "Certificate and private key doesn't match."
exit 1
echo Checking CA chain
interm="$(echo $fqdn | tr '.' '_')_interm.cer"
[ ! -f $interm ] && echo "$interm doesn't exit." && exit 1
if ! openssl verify -CAfile $interm $cert |grep OK ;
echo "CA chain verification failed."
exit 1
echo Check CAfile. Should be in intermidate1, intermiate2,...rootca format.
if ! openssl x509 -noout -text -in words_stanford_edu_interm.cer | grep CN=InCommon ;
echo Haproxy needs CA bundle should be in this order: intermidate1, intermiate2,...rootca.
echo ""
echo "You can generate $fqdn.pem by cancadinating $cert $interm, and $fqdn.key together."
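Review bot: The CA-bundle order check on the `openssl x509 -noout -text -in words_stanford_edu_interm.cer` line tests a hard-coded filename instead of the `$interm` computed two lines above it, so for any other fqdn the check inspects the wrong file (or fails on a missing one) while the script still reports on the supplied certificate; it should read `if ! openssl x509 -noout -text -in "$interm" | grep -q CN=InCommon; then`. Similarly, `echo Checking server cert $cert` runs before `cert=...` is assigned on the following line, so it always prints an empty name; swap the two lines. Every use of `$fqdn`, `$cert`, `$interm` and `$fqdn.key` is unquoted even though `fqdn` comes straight from the command line, so an argument with spaces or glob characters changes which files are tested; quote them (`[ ! -f "$fqdn.key" ]`, `-in "$cert"`, `-CAfile "$interm" "$cert"`). The `then`/`fi` lines and the `fqdn=$1` assignment do not appear in this rendered view, which is presumably a display artifact rather than the file's content, but worth confirming since `$fqdn` is otherwise never set before the usage check.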