mrc0mmand / rpms / openldap

Forked from rpms/openldap 3 years ago
Clone
Source Code
GIT

Blame SOURCES/libexec-generate-server-cert.sh

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale
  1.   02ade0ee3610e1f848d397335d87f0c0b91f5da1
  2.   SOURCES
  3.   libexec-generate-server-cert.sh
Blob History Raw
767ab2 
#!/bin/bash
767ab2 
# Author: Jan Vcelak <jvcelak@redhat.com>
767ab2
767ab2 
set -e
767ab2
767ab2 
# default options
767ab2
767ab2 
CERTDB_DIR=/etc/openldap/certs
767ab2 
CERT_NAME="OpenLDAP Server"
767ab2 
PASSWORD_FILE=
767ab2 
HOSTNAME_FQDN="$(hostname --fqdn)"
767ab2 
ALT_NAMES=
767ab2 
ONCE=0
767ab2
767ab2 
# internals
767ab2
767ab2 
RANDOM_SOURCE=/dev/urandom
767ab2 
CERT_RANDOM_BYTES=256
767ab2 
CERT_KEY_TYPE=rsa
767ab2 
CERT_KEY_SIZE=1024
767ab2 
CERT_VALID_MONTHS=12
767ab2
767ab2 
# parse arguments
767ab2
767ab2 
usage() {
767ab2 
	printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
767ab2 
	printf "                               [-p password-file] [-h hostnames]\n" >&2
93fdd1 
	printf "                               [-a dns-alt-names] [-o]\n" >&2
767ab2 
	exit 1
767ab2 
}
767ab2
767ab2 
while getopts "d:n:p:h:a:o" opt; do
767ab2 
	case "$opt" in
767ab2 
	d)
767ab2 
		CERTDB_DIR="$OPTARG"
767ab2 
		;;
767ab2 
	n)
767ab2 
		CERT_NAME="$OPTARG"
767ab2 
		;;
767ab2 
	p)
767ab2 
		PASSWORD_FILE="$OPTARG"
767ab2 
		;;
767ab2 
	h)
767ab2 
		HOSTNAME_FQDN="$OPTARG"
767ab2 
		;;
767ab2 
	a)
767ab2 
		ALT_NAMES="$OPTARG"
767ab2 
		;;
767ab2 
	o)
767ab2 
		ONCE=1
767ab2 
		;;
767ab2 
	\?)
767ab2 
		usage
767ab2 
		;;
767ab2 
	esac
767ab2 
done
767ab2
767ab2 
[ "$OPTIND" -le "$#" ] && usage
767ab2
767ab2 
# generated options
767ab2
767ab2 
ONCE_FILE="$CERTDB_DIR/.slapd-leave"
767ab2 
PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
767ab2 
ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
767ab2
767ab2 
# verify target location
767ab2
767ab2 
if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
767ab2 
	printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
767ab2 
	exit 0
767ab2 
fi
767ab2
767ab2 
if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
767ab2 
	printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
767ab2 
	exit 1
767ab2 
fi
767ab2
767ab2 
printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
767ab2
767ab2 
if [ ! -r "$PASSWORD_FILE" ]; then
767ab2 
	printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
767ab2 
	exit 1
767ab2 
fi
767ab2
767ab2 
if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
767ab2 
	printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
767ab2 
	exit 1
767ab2 
fi
767ab2
767ab2 
# generate server certificate (self signed)
767ab2
767ab2
767ab2 
CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
767ab2 
dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
767ab2
767ab2 
certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
767ab2 
	-S -x -n "$CERT_NAME" \
767ab2 
	-s "CN=$HOSTNAME_FQDN" \
767ab2 
	-t TC,, \
767ab2 
	-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
767ab2 
	-v $CERT_VALID_MONTHS \
767ab2 
	-8 "$ALT_NAMES" \
767ab2 
	&>/dev/null
767ab2
93fdd1 
rm -f $CERT_RANDOM
767ab2
767ab2 
# tune permissions
767ab2
767ab2 
if [ "$(id -u)" -eq 0 ]; then
767ab2 
	chgrp ldap "$PASSWORD_FILE"
767ab2 
	chmod g+r "$PASSWORD_FILE"
767ab2 
else
767ab2 
	printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
767ab2 
	printf "         load it's private key from the certificate database.\n" >&2
767ab2 
fi
767ab2
767ab2 
touch "$ONCE_FILE"
767ab2 
exit 0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation