function Provision_Service_Certificate_SelfSigned::generate_certificates in Aegir HTTPS 7.3

Generate a self-signed certificate for the provided key.

Because we only generate certificates for sites, we make some assumptions based on the site URI (the CN and the abuse@ contact address are derived from it), but this certificate may be replaced by the admin if they already have an existing certificate.

Overrides Provision_Service_Certificate::generate_certificates

File

submodules/self_signed/drush/Provision/Service/Certificate/SelfSigned.php, line 99

Class

Provision_Service_Certificate_SelfSigned
A SelfSigned implementation of the Certificate service type.

Code

function generate_certificates($https_key) {
  $path = $this->get_source_path($https_key);
  // The certificate directory is created mode 0700: it will hold the private key.
  provision_file()->create_dir($path, dt("HTTPS certificate directory for %https_key", array(
    '%https_key' => $https_key,
  )), 0700);
  if (provision_file()->exists($path)->status()) {
    drush_log(dt('generating 2048 bit RSA key in %path/', array(
      '%path' => $path,
    )));

    /*
     * according to RSA security and most sites I could read, 1024
     * was recommended until 2010-2015 and 2048 is now the
     * recommended length for more sensitive data. we are therefore
     * taking the safest route.
     *
     * http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
     * http://www.vocal.com/cryptography/rsa-key-size-selection/
     * https://en.wikipedia.org/wiki/Key_size#Key_size_and_encryption_system
     * http://www.redkestrel.co.uk/Articles/CSR.html
     */
    drush_shell_exec('openssl genrsa -out %s/openssl.key 2048', $path) || drush_set_error('HTTPS_KEY_GEN_FAIL', dt('failed to generate HTTPS key in %path', array(
      '%path' => $path . '/openssl.key',
    )));

    // Generate the CSR to make the key certifiable by third parties.
    // The 'default' key gets a reserved .invalid name; a real site uses its URI as the CN.
    $domain = $https_key == 'default' ? 'default.invalid' : d()->uri;
    $ident = "/CN={$domain}/emailAddress=abuse@{$domain}";
    // Note that a CSR failure is only logged, whereas key and certificate failures set a drush error.
    drush_shell_exec("openssl req -new -subj '%s' -key %s/openssl.key -out %s/openssl.csr -batch", $ident, $path, $path) || drush_log(dt('failed to generate signing request for certificate in %path', array(
      '%path' => $path . '/openssl.csr',
    )));

    // sign the certificate with itself, generating a self-signed
    // certificate (valid for 365 days). this will make a SHA1 certificate
    // by default in current OpenSSL.
    drush_shell_exec("openssl x509 -req -days 365 -in %s/openssl.csr -signkey %s/openssl.key -out %s/openssl.crt", $path, $path, $path) || drush_set_error('HTTPS_CERT_GEN_FAIL', dt('failed to generate self-signed certificate in %path', array(
      '%path' => $path . '/openssl.crt',
    )));
  }
}
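As an added example, not Aegir's own code: the three openssl steps that generate_certificates() runs through drush_shell_exec, written as a plain shell function, followed by a check an admin can run against the generated files to confirm they match what the function promises (2048-bit key, the site's CN, a 365-day lifetime, a 0700 directory) and to see which signature digest the installed OpenSSL actually used. The function names and the example.test domain are assumptions; the openssl command line tool must be installed.

```shell
#!/bin/sh
# Added example (not Aegir HTTPS code). File names match the page: openssl.key,
# openssl.csr and openssl.crt inside the certificate directory.

# $1 = certificate directory ($path on the page), $2 = site domain (d()->uri)
aegir_selfsigned_generate() {
  path=$1; domain=$2
  mkdir -p "$path" && chmod 0700 "$path" || return 1
  openssl genrsa -out "$path/openssl.key" 2048 2>/dev/null || return 1
  # Same subject as $ident on the page: the CN plus an abuse@ contact address.
  openssl req -new -batch -subj "/CN=$domain/emailAddress=abuse@$domain" \
    -key "$path/openssl.key" -out "$path/openssl.csr" 2>/dev/null || return 1
  openssl x509 -req -days 365 -in "$path/openssl.csr" \
    -signkey "$path/openssl.key" -out "$path/openssl.crt" 2>/dev/null || return 1
}

# Verify the result against what the page promises. Prints the first failing
# check and returns 1; on success prints the signature algorithm in use.
aegir_selfsigned_check() {
  path=$1; domain=$2; crt=$path/openssl.crt
  mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
  [ "$mode" = 700 ] || { echo "directory $path is mode $mode, expected 700"; return 1; }
  # RSA modulus size, taken from the public key embedded in the certificate.
  bits=$(openssl x509 -in "$crt" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
  [ "$bits" = 2048 ] || { echo "key is $bits bits, expected 2048"; return 1; }
  openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | grep -q "CN=$domain" \
    || { echo "subject does not carry CN=$domain"; return 1; }
  # -checkend N succeeds while the certificate is still valid N seconds from
  # now, so a 365-day certificate passes at 364 days and fails at 366 days.
  openssl x509 -in "$crt" -noout -checkend $((364 * 86400)) >/dev/null \
    || { echo "certificate expires before 364 days"; return 1; }
  openssl x509 -in "$crt" -noout -checkend $((366 * 86400)) >/dev/null \
    && { echo "certificate lives longer than 365 days"; return 1; }
  # The page's comment expects SHA-1 here; OpenSSL 1.1.0 and later default to
  # SHA-256 for x509 -req, so report what this installation actually produced.
  openssl x509 -in "$crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
```

Run as `aegir_selfsigned_generate /var/aegir/config/ssl.d/example.test example.test` followed by `aegir_selfsigned_check` with the same arguments; the check works equally on a directory Aegir itself provisioned.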