Index: univention-ssl/debian/univention-ssl.univention-config-registry-variables =================================================================== --- univention-ssl/debian/univention-ssl.univention-config-registry-variables (Revision 63847) +++ univention-ssl/debian/univention-ssl.univention-config-registry-variables (Arbeitskopie) @@ -47,8 +47,8 @@ Categories=system-ssl [ssl/default/hashfunction] -Description[de]=Diese Hash-Funktion (Message Digest) wird in neu ausgestellten SSL-Zertifikaten verwendet: 'md5', 'sha1', ... -Description[en]=This hash function (message digest) is used in newly created SSL certificates: 'md5', 'sha1', ... +Description[de]=Diese Hash-Funktion (Message Digest) wird in neu ausgestellten SSL-Zertifikaten verwendet: 'sha1', 'sha256', ... +Description[en]=This hash function (message digest) is used in newly created SSL certificates: 'sha1', 'sha256', ... Type=str Categories=system-ssl @@ -58,6 +58,12 @@ Type=int Categories=system-ssl +[ssl/default/key_encryption] +Description[de]=Bestimmt den Verschlüsselungsalgorithmus für den privaten Schlüssel. Der Standard ist aes256. +Description[en]=Specifies the cipher the private key is encrypted with. Default is aes256. +Type=str +Categories=system-ssl + [ssl/validity/check] Description[de]=Ist diese Option aktiviert, wird durch einen täglichen Cron-Job die Gültigkeit der SSL-Zertifikate geprüft. Description[en]=If this option is activated, the validity of the SSL certificates is checked through a daily cron job. Index: univention-ssl/make-certificates.sh =================================================================== --- univention-ssl/make-certificates.sh (Revision 63847) +++ univention-ssl/make-certificates.sh (Arbeitskopie) 
@@ -53,6 +53,9 @@ if [ -z "$DEFAULT_BITS" ]; then DEFAULT_BITS="2048" fi +DEFAULT_KEY_ENC="$(/usr/sbin/univention-config-registry get ssl/default/key_encryption)" +if [ -z "$DEFAULT_KEY_ENC" ]; then + DEFAULT_KEY_ENC="aes256" if test -e "$SSLBASE/password"; then PASSWD=`cat "$SSLBASE/password"` @@ -264,7 +267,7 @@ # make the root-CA configuration file mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common" - openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048 + openssl genrsa -"$DEFAULT_KEY_ENC" -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" "$DEFAULT_BITS" openssl req -batch -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem" # copy the public key to a place, from where browsers can access it
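Review bot: in the [ssl/default/hashfunction] hunk of univention-ssl.univention-config-registry-variables, the updated descriptions still list 'sha1' ahead of 'sha256' and still do not say which digest is used when the variable is unset; since the point of the edit is to move away from weak digests, list 'sha256' first and state the default in both Description[de] and Description[en] so an administrator does not read 'sha1' as the recommended value.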
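Review bot: the new [ssl/default/key_encryption] entry documents the default (aes256) but not the accepted values, and make-certificates.sh in this same patch passes the string straight to openssl as a command-line option (`-"$DEFAULT_KEY_ENC"`); document that the value must be a cipher option `openssl genrsa` understands, such as aes128, aes192, aes256 or des3, and that any other value makes CA creation fail, so the description matches what the script actually does with it.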
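Review bot: the `if [ -z "$DEFAULT_KEY_ENC" ]; then` block added in the @@ -53,6 +53,9 @@ hunk of make-certificates.sh has no closing `fi` (the hunk adds exactly three lines: the assignment, the `if`, and `DEFAULT_KEY_ENC="aes256"`), so the script no longer parses and the following `if test -e "$SSLBASE/password"` is read as nested inside it. Add `fi` after `DEFAULT_KEY_ENC="aes256"`, mirroring the DEFAULT_BITS block directly above.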
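Review bot: `openssl genrsa -"$DEFAULT_KEY_ENC"` in the @@ -264,7 +267,7 @@ hunk turns an unvalidated UCR string into an openssl option, so a value that is not a cipher name either aborts key generation (and the CA is never written) or, if it happens to spell another genrsa option, silently changes what the command does. Check the value against an allow-list before use, for example `case "$DEFAULT_KEY_ENC" in aes128|aes192|aes256|des3) ;; *) echo "unsupported ssl/default/key_encryption: $DEFAULT_KEY_ENC" >&2; exit 1 ;; esac`. Note also that the CA key length now follows "$DEFAULT_BITS" instead of the previously hard-coded 2048; that is a behaviour change worth a sentence in the changelog or in the ssl/default/bits description.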