/[smeserver]/rpms/openldap/sme9/libexec-generate-server-cert.sh
ViewVC logotype

Contents of /rpms/openldap/sme9/libexec-generate-server-cert.sh

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download) (as text)
Tue Nov 11 00:46:15 2014 UTC (9 years, 11 months ago) by vip-ire
Branch: MAIN
CVS Tags: openldap-2_4_39-8_el6_sme, HEAD
Content type: application/x-sh
Import openldap

1 #!/bin/bash
2 # Author: Jan Vcelak <jvcelak@redhat.com>
3
4 set -e
5
6 # default options
7
8 CERTDB_DIR=/etc/openldap/certs
9 CERT_NAME="OpenLDAP Server"
10 PASSWORD_FILE=
11 HOSTNAME_FQDN="$(hostname --fqdn)"
12 ALT_NAMES=
13 ONCE=0
14
15 # internals
16
17 RANDOM_SOURCE=/dev/urandom
18 CERT_RANDOM_BYTES=256
19 CERT_KEY_TYPE=rsa
20 CERT_KEY_SIZE=1024
21 CERT_VALID_MONTHS=12
22
23 # parse arguments
24
25 usage() {
26 printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
27 printf " [-p password-file] [-h hostnames]\n" >&2
28 printf " [-a dns-alt-names] [-o]\n" >&2
29 exit 1
30 }
31
32 while getopts "d:n:p:h:a:o" opt; do
33 case "$opt" in
34 d)
35 CERTDB_DIR="$OPTARG"
36 ;;
37 n)
38 CERT_NAME="$OPTARG"
39 ;;
40 p)
41 PASSWORD_FILE="$OPTARG"
42 ;;
43 h)
44 HOSTNAME_FQDN="$OPTARG"
45 ;;
46 a)
47 ALT_NAMES="$OPTARG"
48 ;;
49 o)
50 ONCE=1
51 ;;
52 \?)
53 usage
54 ;;
55 esac
56 done
57
58 [ "$OPTIND" -le "$#" ] && usage
59
60 # generated options
61
62 ONCE_FILE="$CERTDB_DIR/.slapd-leave"
63 PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
64 ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
65
66 # verify target location
67
68 if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
69 printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
70 exit 0
71 fi
72
73 if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
74 printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
75 exit 1
76 fi
77
78 printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
79
80 if [ ! -r "$PASSWORD_FILE" ]; then
81 printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
82 exit 1
83 fi
84
85 if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
86 printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
87 exit 1
88 fi
89
90 # generate server certificate (self signed)
91
92
93 CERT_RANDOM=$(mktemp)
94 dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
95
96 certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
97 -S -x -n "$CERT_NAME" \
98 -s "CN=$HOSTNAME_FQDN" \
99 -t TC,, \
100 -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
101 -v $CERT_VALID_MONTHS \
102 -8 "$ALT_NAMES" \
103 &>/dev/null
104
105 rm -f $CERT_RANDOM
106
107 # tune permissions
108
109 if [ "$(id -u)" -eq 0 ]; then
110 chgrp ldap "$PASSWORD_FILE"
111 chmod g+r "$PASSWORD_FILE"
112 else
113 printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
114 printf " load it's private key from the certificate database.\n" >&2
115 fi
116
117 touch "$ONCE_FILE"
118 exit 0

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed