TurnKey Linux Virtual Appliance Library

Manually regenerating cryptographic keys

Regenerating SSH keys

Users of recent appliance versions (2009.02+) can execute the installer hook directly:

/usr/lib/live-installer.d/20regen-sshkeys

Users of older appliance versions should execute the following commands in a command line shell, then restart the SSH daemon (/etc/init.d/ssh restart on Debian/Ubuntu based appliances) so it loads the new keys. Every client that has cached the old host key will warn that the key has changed on its next connection; that is expected after regeneration, but confirm the new fingerprint (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub) out of band rather than blindly accepting it:

rm -f /etc/ssh/ssh_host_[dr]sa_key*
ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
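The point of the procedure above is that every copy of a stock appliance image boots with identical host keys until they are replaced. The following script is an added example (not TurnKey's own code or installer hook) that wraps the same rm/ssh-keygen steps in a function taking the key directory as a parameter, and then proves in a scratch directory that the fingerprints really changed. It assumes ssh-keygen is on PATH and generates RSA plus ed25519 rather than the DSA key shown above, since current OpenSSH refuses ssh-dss host keys.

```shell
#!/bin/sh
# Added example, not part of the TurnKey page or its installer hooks.
# Regenerates OpenSSH host keys in a directory and proves that the
# fingerprints changed. Assumes ssh-keygen is on PATH. Pass a scratch
# directory to try it safely; the real target is /etc/ssh, followed by
# an sshd restart.
set -eu

# Print "bits fingerprint comment (TYPE)" for every public host key in $1.
ssh_host_fingerprints() {
    keydir=$1
    for pub in "$keydir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        ssh-keygen -l -f "$pub"
    done
}

# Delete every host key in $1 and create a fresh set.
# DSA is deliberately not generated: OpenSSH refuses ssh-dss host keys by
# default since 7.0, so a regenerated DSA key would only produce warnings.
regen_ssh_host_keys() {
    keydir=$1
    rm -f "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub
    ssh-keygen -q -t rsa -b 3072 -N '' -f "$keydir/ssh_host_rsa_key"
    # ed25519 needs OpenSSH 6.5+; on an older ssh-keygen just skip it
    ssh-keygen -q -t ed25519 -N '' -f "$keydir/ssh_host_ed25519_key" \
        2>/dev/null || true
}

# Succeed only if no fingerprint in the "after" listing ($2) also appears
# in the "before" listing ($1). The fingerprint is column 2 of ssh-keygen -l.
fingerprints_all_changed() {
    before=$1
    after=$2
    [ -n "$after" ] || return 1
    for fp in $(printf '%s\n' "$after" | awk '{print $2}'); do
        case "$before" in
            *"$fp"*) return 1 ;;
        esac
    done
    return 0
}

# Self-contained demonstration in a temporary directory: the first
# generation stands in for the keys baked into the appliance image.
demo_regen() {
    keydir=$(mktemp -d)
    regen_ssh_host_keys "$keydir"
    stock=$(ssh_host_fingerprints "$keydir")
    regen_ssh_host_keys "$keydir"
    fresh=$(ssh_host_fingerprints "$keydir")
    rm -rf "$keydir"
    fingerprints_all_changed "$stock" "$fresh"
}

if [ "${1:-}" = "--demo" ]; then
    if demo_regen; then
        echo "host key fingerprints changed after regeneration"
    else
        echo "regeneration did not replace the host keys" >&2
        exit 1
    fi
fi
```

Run it with --demo to see the check pass in a scratch directory. On the appliance itself, as root, source the file and call regen_ssh_host_keys /etc/ssh, then restart sshd; record the output of ssh_host_fingerprints /etc/ssh so users can verify the new key when their client warns about the change.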

Regenerating self-signed SSL certificate

By default, SSL-supporting web services (e.g., Webmin, Apache) running on the appliance are configured to use a self-signed SSL certificate located at /etc/ssl/certs/cert.pem. That one file holds the private key followed by the certificate, which is why it must stay readable by root only, and why the daemons using it have to be restarted after it is regenerated.

Users of recent appliance versions (2009.02+) can execute the installer hook directly:

/usr/lib/live-installer.d/25regen-sslcert

Users of older versions can create this script manually and execute it. Settings are passed as environment variables (for example CN=appliance.example BITS=4096 /root/regen-sslcert); running it with any argument prints the variables and their current values instead of generating anything:

cat > /root/regen-sslcert << 'EOF'
#!/bin/bash
# Generate SSL certificate
# Note: daemons using certificate need to be restarted for changes to take effect

if [ $# -ne 0 ]; then
    HELP=y
fi

# Assign a default only where the caller did not export a value.
# ":" is a no-op; "set ${VAR:=...}" with an empty value would instead
# print every shell variable to stdout.
: ${C:=""}
: ${ST:=""}
: ${L:=""}
: ${O:="TurnKey Linux"}
: ${OU:="Software appliances"}
: ${CN:=""}
: ${emailAddress:=""}

: ${DAYS:=3650}
: ${BITS:=2048}           # 1024-bit RSA is no longer considered adequate
: ${KEYPASS:=""}          # empty: key is written unencrypted so daemons start unattended
: ${CERTFILE:="/etc/ssl/certs/cert.pem"}

if [ -n "$HELP" ]; then
    echo "Generate SSL certificate"
    echo
    echo "# VARIABLE      EXPLANATION          [VALUE]"
    echo "  C             Country Code         $C"
    echo "  ST            State or province    $ST"
    echo "  L             Locality (city)      $L"
    echo "  O             Organization name    $O"
    echo "  OU            Organizational unit  $OU"
    echo "  CN            Common name          $CN"
    echo "  emailAddress  Email address        $emailAddress"
    echo
    echo "  DAYS          Duration in days     $DAYS"
    echo "  BITS          RSA bits to use      $BITS"
    echo "  KEYPASS       Key password         $KEYPASS"
    echo
    echo "  CERTFILE      Output file          $CERTFILE"
    echo
    echo "# NOTES"
    echo "  Warning: only set a password if you know what you are doing;"
    echo "  an encrypted key cannot be loaded by a daemon without it"
    echo "  Display certificate: openssl x509 -text < $CERTFILE"
    exit 1
fi

# private key material must never be readable by others, even briefly
umask 077
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
TMPCERT=$WORKDIR/cert.pem
TMPKEY=$WORKDIR/key.pem

RDN="/"
[ "$C"  ] && RDN="${RDN}C=${C}/"
[ "$ST" ] && RDN="${RDN}ST=${ST}/"
[ "$L"  ] && RDN="${RDN}L=${L}/"
[ "$O"  ] && RDN="${RDN}O=${O}/"
[ "$OU" ] && RDN="${RDN}OU=${OU}/"
[ "$CN" ] && RDN="${RDN}CN=${CN}/"
[ "$emailAddress" ] && RDN="${RDN}emailAddress=${emailAddress}/"

# encrypt the key only when the user asked for a password
if [ -z "$KEYPASS" ]; then
    KEYOPTS=(-nodes)
else
    KEYOPTS=(-passout "pass:$KEYPASS")
fi

# create key and self-signed cert
openssl req -x509 \
    -newkey "rsa:$BITS" "${KEYOPTS[@]}" \
    -keyout "$TMPKEY" -out "$TMPCERT" \
    -days "$DAYS" \
    -multivalue-rdn -subj "$RDN"

# write key then certificate into one file; remove the old file first so the
# new one is created under the restrictive umask instead of inheriting its mode
rm -f "$CERTFILE"
cat "$TMPKEY" "$TMPCERT" > "$CERTFILE"
chmod 600 "$CERTFILE"
EOF

chmod +x /root/regen-sslcert
/root/regen-sslcert
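Before restarting Apache or Webmin against a regenerated cert.pem it is worth checking the file: that the key and certificate in it actually belong together, that the key is not too short, that the certificate is not about to expire, and that the file is not readable by others. The script below is an added example (not TurnKey's own code or installer hook) that performs those checks on a combined key-then-certificate file of the layout regen-sslcert writes. It assumes openssl on PATH, honours KEYPASS the way regen-sslcert does, and takes the file path as a parameter so it can also be run against a scratch file; the subject values in the scratch file are placeholders.

```shell
#!/bin/sh
# Added example, not part of the TurnKey page or its installer hooks.
# Checks a combined file of the layout regen-sslcert writes (private key
# followed by the certificate, one PEM file) before pointing daemons at it.
# Assumes openssl on PATH. With no argument it builds and checks a scratch
# file instead of touching /etc/ssl/certs/cert.pem.
set -eu

# Print the PEM block from $1 whose BEGIN line ends in $2 (CERTIFICATE or
# "PRIVATE KEY"), so each openssl command sees only the object it expects.
pem_block() {
    awk -v want="$2" '
        $0 ~ ("^-----BEGIN .*" want "-----$") { inblk = 1 }
        inblk { print }
        /^-----END / { inblk = 0 }' "$1"
}

cert_modulus() { pem_block "$1" CERTIFICATE | openssl x509 -noout -modulus; }
key_modulus()  { pem_block "$1" "PRIVATE KEY" |
                 openssl rsa -noout -modulus -passin "pass:${KEYPASS:-}" 2>/dev/null; }

# 0 only if the private key in the file is the one the certificate was issued for.
cert_key_match() {
    c=$(cert_modulus "$1")
    k=$(key_modulus "$1")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# RSA modulus length in bits from the hex modulus (4 bits per digit); this
# avoids parsing the "Public-Key:" text line, whose wording varies by version.
cert_key_bits() {
    m=$(cert_modulus "$1")
    m=${m#Modulus=}
    printf '%s' "$m" | awk '{ print length($0) * 4 }'
}

# Run every check; on success print the SHA-256 fingerprint clients will see.
check_certfile() {
    f=$1
    if ! cert_key_match "$f"; then
        echo "$f: private key does not match certificate" >&2; return 1
    fi
    bits=$(cert_key_bits "$f")
    if [ "$bits" -lt 2048 ]; then
        echo "$f: RSA key is only $bits bits" >&2; return 1
    fi
    # -checkend N fails when the certificate expires within N seconds (30 days)
    if ! pem_block "$f" CERTIFICATE | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "$f: certificate expires within 30 days" >&2; return 1
    fi
    # the file holds the private key: group/other bits of "ls -l" must all be "-"
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: readable by group or others" >&2; return 1
    fi
    pem_block "$f" CERTIFICATE | openssl x509 -noout -fingerprint -sha256
}

# Build a scratch file in the same layout so the checks can be exercised
# without touching the real certificate. Subject values are placeholders.
make_scratch_certfile() {
    out=$1
    work=$(mktemp -d)
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/O=TurnKey Linux/CN=appliance.example" \
          -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
      cat "$work/key.pem" "$work/cert.pem" > "$out" )
    rm -rf "$work"
    chmod 600 "$out"
}

if [ $# -eq 1 ]; then
    check_certfile "$1"
else
    scratch=$(mktemp)
    make_scratch_certfile "$scratch"
    check_certfile "$scratch"
    rm -f "$scratch"
fi
```

Run it as /root/check-certfile /etc/ssl/certs/cert.pem after regen-sslcert; the fingerprint it prints is what browsers and Webmin clients will show when they warn about the new self-signed certificate, so it can be compared out of band before the warning is accepted.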