Regenerating SSH keys
Users of recent appliance versions (2009.02+) can execute the installer hook directly:
/usr/lib/live-installer.d/20regen-sshkeys
Users of older appliance versions should execute the following commands in a command line shell:
rm -f /etc/ssh/ssh_host_[dr]sa_key*
ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
Regenerating self-signed SSL certificate
By default, SSL-supporting web services (e.g., Webmin, Apache) running on the appliance are configured to use a self-signed SSL certificate located at /etc/ssl/certs/cert.pem.
Users of recent appliance versions (2009.02+) can execute the installer hook directly:
/usr/lib/live-installer.d/25regen-sslcert
Users of older versions can create this script manually and execute it:
cat > /root/regen-sslcert << 'EOF'
#!/bin/bash
# Generate SSL certificate
# Note: daemons using certificate need to be restarted for changes to take effect

if [ $# -ne "0" ]; then
    HELP=y
fi

# private key material is written below: keep newly created files owner-only
umask 077

# defaults; each can be overridden from the environment
# (":" assigns the default without touching the positional parameters)
: ${C:=""}
: ${ST:=""}
: ${L:=""}
: ${O:="TurnKey Linux"}
: ${OU:="Software appliances"}
: ${CN:=""}
: ${emailAddress:=""}

: ${DAYS:=3650}
: ${BITS:=1024}
: ${KEYPASS:=}          # workaround: no way of passing a blank pass

: ${CERTFILE:="/etc/ssl/certs/cert.pem"}

if [ "$HELP" ]; then
    echo "Generate SSL certificate"
    echo
    echo "# VARIABLE        EXPLANATION             [VALUE]"
    echo "  C               Country Code            $C"
    echo "  ST              State or province       $ST"
    echo "  L               Locality (city)         $L"
    echo "  O               Organization name       $O"
    echo "  OU              Organizational unit     $OU"
    echo "  CN              Common name             $CN"
    echo "  emailAddress    Email address           $emailAddress"
    echo
    echo "  DAYS            Duration in days        $DAYS"
    echo "  BITS            RSA bits to use         $BITS"
    echo "  KEYPASS         Key password            $KEYPASS"
    echo
    echo "  CERTFILE        Output file             $CERTFILE"
    echo
    echo "# NOTES"
    echo "  Warning: only set password if you know what you're doing"
    echo "  Display certificate: openssl x509 -text < $CERTFILE"
    exit 1
fi

TMPCERT=.tmpcert.pem
TMPKEY=.tmpkey.pem

# build the subject from the fields that are set
RDN="/"
[ "$C" ] && RDN="${RDN}C=${C}/"
[ "$ST" ] && RDN="${RDN}ST=${ST}/"
[ "$L" ] && RDN="${RDN}L=${L}/"
[ "$O" ] && RDN="${RDN}O=${O}/"
[ "$OU" ] && RDN="${RDN}OU=${OU}/"
[ "$CN" ] && RDN="${RDN}CN=${CN}/"
[ "$emailAddress" ] && RDN="${RDN}emailAddress=${emailAddress}/"

# create key and password protected cert
openssl req -x509 \
    -newkey "rsa:$BITS" \
    -keyout "$TMPKEY" -out "$TMPCERT" \
    -passout "pass:$KEYPASS" \
    -days "$DAYS" \
    -multivalue-rdn -subj "$RDN"

# remove password protection from key if not set by user
if [ "$KEYPASS" == "" ]; then
    openssl rsa -passin "pass:$KEYPASS" < "$TMPKEY" > "$CERTFILE"
else
    cat "$TMPKEY" > "$CERTFILE"
fi

# add certificate to certificate file and set permissions
cat "$TMPCERT" >> "$CERTFILE"
chmod 600 "$CERTFILE"

# cleanup
rm "$TMPCERT" "$TMPKEY"
EOF
chmod +x /root/regen-sslcert
/root/regen-sslcert
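To confirm the result after regenerating, the following added example (not part of the original page and not TurnKey's own code) checks the combined key-and-certificate file the script writes: one key and one certificate, mode 600, key matching certificate, key size and expiry. The function name check_certfile, its return codes and the 2048-bit default threshold are assumptions of this example, and it assumes the key was left unencrypted (no KEYPASS set).

```sh
#!/bin/sh
# Added example (not TurnKey code): check a combined key+certificate PEM file.
# check_certfile and its return codes are hypothetical names for this example.
# Usage: check_certfile /etc/ssl/certs/cert.pem [min_rsa_bits]

check_certfile() {
    f=$1
    min=${2:-2048}   # assumption: 2048 bits as the minimum acceptable RSA size

    [ -r "$f" ] || { echo "cannot read $f"; return 2; }

    # The file must hold exactly one private key and one certificate.
    nkey=$(grep -c '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" || true)
    ncrt=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$nkey" -ne 1 ] || [ "$ncrt" -ne 1 ]; then
        echo "expected 1 key and 1 certificate, found $nkey and $ncrt"; return 3
    fi

    # It contains a private key, so group/other must have no access (mode 600).
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "permissions too open on $f"; return 4; }

    # The private key must belong to the certificate: compare public keys.
    # An empty -passin keeps openssl from prompting if the key is encrypted.
    kpub=$(openssl pkey -in "$f" -passin pass: -pubout 2>/dev/null) ||
        { echo "cannot load private key (encrypted or damaged?)"; return 5; }
    cpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) ||
        { echo "cannot load certificate"; return 5; }
    [ "$kpub" = "$cpub" ] || { echo "key does not match certificate"; return 5; }

    # Report the key size and flag anything below the minimum.
    bits=$(openssl x509 -in "$f" -noout -text 2>/dev/null |
        sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$min" ] || { echo "key is ${bits:-?} bits, want >= $min"; return 6; }

    # Fail if the certificate has already expired.
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 7; }

    echo "OK: $f ($bits-bit key, key matches certificate)"
}
```

With the script's default of BITS=1024 the size check reports the key as below the threshold; set BITS in the environment when running the script, or pass a different minimum as the second argument.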