Skip to content
This repository has been archived by the owner on Jul 31, 2019. It is now read-only.

Commit

Permalink
Allow multible certificates to be handeld
Browse files Browse the repository at this point in the history
The first new option MULTIBLE_HPKP_CONF tells the script to generate the nginx
config file name from the common name of the certificate currently
handled. This allow the script to handle more than one Domain with different
private keys.

The second new config variable STATIC_PIN_FILE  allows it to define a file
from which the STATIC_PIN for each common name is read. This basically allows
it to have an different backup key per CN. The file is organized line wise
separated by a space the CN and the HPKP static pin.
  • Loading branch information
Akasch committed Feb 1, 2017
1 parent cf71d7f commit 99b4e0c
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 9 deletions.
32 changes: 23 additions & 9 deletions hpkpinx.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ set -e

NGINX_ROOT='/etc/nginx'
HPKPINX_ROOT='/opt/hpkpinx'
MULTIPLE_HPKP_CONF=0
STATIC_PIN_FILE=""

. ${HPKPINX_ROOT}/config.sh

Expand Down Expand Up @@ -44,21 +46,33 @@ then
echo ""
elif [ ${1} = "deploy_cert" ]
then
if [ -e ${NGINX_ROOT}/hpkp.conf ]
CERT_NAME=${2} # The second argument is the name of the cert
if [ ${MULTIPLE_HPKP_CONF} -eq 1 ] # if we want multiple conf files we have to prefix the config file with the name
then
HPKP_CONF=${NGINX_ROOT}/${CERT_NAME}-hpkp.conf
else
HPKP_CONF=${NGINX_ROOT}/hpkp.conf
fi
if [ ${STATIC_PIN_FILE} != "" ] # if an path to an STATIC_PIN_FILE is set use it
then
# get the pin
STATIC_PIN=$(cat "${STATIC_PIN_FILE}" | grep "${CERT_NAME}" | cut -d ' ' -f 2)
fi
if [ -e ${HPKP_CONF} ]
then
echo 'Backing up current hpkp.conf'
\cp -f ${NGINX_ROOT}/hpkp.conf ${HPKPINX_ROOT}/hpkp.conf.bak
\cp -f ${HPKP_CONF} ${HPKP_CONF}.bak
fi
echo 'Regenerating public key pins using new private keys'
echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${NGINX_ROOT}/hpkp.conf
echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${HPKP_CONF}
if [ ${DEPLOY_HPKP} -eq 1 ]
then
echo -n "add_header Public-Key-Pins '" >> ${NGINX_ROOT}/hpkp.conf
echo -n "add_header Public-Key-Pins '" >> ${HPKP_CONF}
else
echo -n "add_header Public-Key-Pins-Report-Only '" > ${NGINX_ROOT}/hpkp.conf
echo -n "add_header Public-Key-Pins-Report-Only '" > ${HPKP_CONF}
fi
echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${NGINX_ROOT}/hpkp.conf
generate_pin "${NGINX_ROOT}/certs/${2}/privkey.pem" >> ${NGINX_ROOT}/hpkp.conf
generate_pin "${NGINX_ROOT}/certs/${2}/privkey.roll.pem" >> ${NGINX_ROOT}/hpkp.conf
echo "max-age=${HPKP_AGE}';" >> ${NGINX_ROOT}/hpkp.conf
echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${HPKP_CONF}
generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.pem" >> ${HPKP_CONF}
generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.roll.pem" >> ${HPKP_CONF}
echo "max-age=${HPKP_AGE}';" >> ${HPKP_CONF}
fi
17 changes: 17 additions & 0 deletions readme.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,23 @@ In this case, you can generate a pin for your private key with:
hpkpinx.sh generate_pin <your_key.pem>
~~~

### MULTIBLE_HPKP_CONF

If this config value is set to `1` it will generate an nginx hkpk config file for for each Certificate.
This is normally needed if more than one Key is in use.

### STATIC_PIN_FILE

An File to get the STATIC_PIN value for different Certificate CNs. This is used to have an seperat backup Key for each Certificate
The format should be the CN of the certificat, an space and then the PIN:

~~~
example.com 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
test.example.net 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
~~~

If this Option is used, `MULTIBLE_HPKP_CONF` should be enabled too in most cases.

### DEPLOY_HPKP

* If set to `0` (the default), Nginx will only send the `Public-Key-Pins-Report-Only` header and HPKP is not applied.
Expand Down

0 comments on commit 99b4e0c

Please sign in to comment.