freeipa/ipa-server/ipa-install/ipa-server-setupssl

#!/bin/bash
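# Arguments (all positional):
#   $1 - Directory Manager password, required (used by ldapmodify at the end)
#   $2 - NSS security database directory; must exist, else the default is used
#   $3 - host name placed in the certificate subjects; default: hostname --fqdn
#   $4 - LDAP port for the ldapmodify step; default 389
# NOTE(review): $1 arrives on the command line, so it is visible to other local
# users through the process list while this script runs.
if [[ -n "$1" ]]; then
  password=$1
else
  # usage error: report on stderr, not stdout
  echo "password required" >&2
  exit 1
fi
if [[ -n "$2" && -d "$2" ]]; then
  secdir=$2
else
  secdir=/etc/dirsrv/slapd-localhost
  # a $2 that is not a directory used to be ignored silently; say so, since
  # every later step writes into $secdir
  if [[ -n "$2" ]]; then
    printf 'warning: %s is not a directory, using %s\n' "$2" "$secdir" >&2
  fi
fi
if [[ -n "$3" ]]; then
  myhost=$3
else
  myhost=$(hostname --fqdn)
fi
if [[ -n "$4" ]]; then
  ldapport=$4
else
  ldapport=389
fi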
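# ownership fix-ups below are only possible (and only needed) when run as root
me=$(whoami)
if [[ "$me" == "root" ]]; then
  isroot=1
fi
# see if there are already certs and keys
if [[ -f "$secdir/cert8.db" ]]; then
  # look for CA cert
  if certutil -L -d "$secdir" -n "CA certificate" 2> /dev/null; then
    echo "Using existing CA certificate"
  else
    echo "No CA certificate found - will create new one"
    needCA=1
  fi
  # look for server cert
  if certutil -L -d "$secdir" -n "Server-Cert" 2> /dev/null; then
    echo "Using existing directory Server-Cert"
  else
    echo "No Server Cert found - will create new one"
    needServerCert=1
  fi
  # an existing database is not touched in place: later certutil calls build
  # "new-" files next to it via $prefixarg (expanded unquoted on purpose, it
  # is "-P <prefix>" or empty) and the swap happens after the pin file exists
  prefix="new-"
  prefixarg="-P $prefix"
  # NOTE(review): if only Server-Cert is missing, it is issued inside the empty
  # "new-" database, where the existing "CA certificate" issuer is absent;
  # confirm whether that path is ever taken.
else
  needCA=1
  needServerCert=1
fi
if [[ -z "$needCA" && -z "$needServerCert" ]]; then
  echo "No certs needed - exiting"
  exit 0
fi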
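# get our user and group: the owner of $secdir (normally the directory server
# account) so files created here as root can be handed back to it
if [[ -n "$isroot" ]]; then
  uid=$(stat -c '%U' "$secdir")
  gid=$(stat -c '%G' "$secdir")
fi
# 2. Create a password file for your security token password.
# The value is a secret; draw it from the kernel CSPRNG instead of hashing
# process listings, which any local user can reproduce. The umask keeps the
# file private from the moment it exists rather than only after the chmod.
if [[ -f "$secdir/pwdfile.txt" ]]; then
  echo "Using existing $secdir/pwdfile.txt"
else
  ( umask 077; head -c 64 /dev/urandom | sha1sum | awk '{print $1}' > "$secdir/pwdfile.txt" )
  if [[ -n "$isroot" ]]; then
    chown "$uid:$gid" "$secdir/pwdfile.txt"
  fi
  chmod 400 "$secdir/pwdfile.txt"
fi
# 3. Create a "noise" file for your encryption mechanism (the certutil -z seed):
if [[ -f "$secdir/noise.txt" ]]; then
  echo "Using existing $secdir/noise.txt file"
else
  ( umask 077; head -c 64 /dev/urandom | sha1sum | awk '{print $1}' > "$secdir/noise.txt" )
  if [[ -n "$isroot" ]]; then
    chown "$uid:$gid" "$secdir/noise.txt"
  fi
  chmod 400 "$secdir/noise.txt"
fi
# 4. Create the key3.db and cert8.db databases. When a database already
# exists, $prefixarg is "-P new-" and the new files are built alongside it,
# then swapped in at the end of this section. A failed -N used to be ignored
# and ended with the swap renaming the live database away; stop instead.
# shellcheck disable=SC2086 # $prefixarg is deliberately "-P <prefix>" or empty
if ! certutil -N $prefixarg -d "$secdir" -f "$secdir/pwdfile.txt"; then
  echo "certutil -N failed in $secdir" >&2
  exit 1
fi
if [[ -n "$isroot" ]]; then
  chown "$uid:$gid" "$secdir/${prefix}key3.db" "$secdir/${prefix}cert8.db"
fi
chmod 600 "$secdir/${prefix}key3.db" "$secdir/${prefix}cert8.db"
if [[ -n "$needCA" ]]; then
  # 5. Generate the encryption key:
  # shellcheck disable=SC2086
  certutil -G $prefixarg -d "$secdir" -z "$secdir/noise.txt" -f "$secdir/pwdfile.txt"
  # 6. Generate the self-signed CA certificate (serial 1000, 120 months):
  # shellcheck disable=SC2086
  certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d "$secdir" -z "$secdir/noise.txt" -f "$secdir/pwdfile.txt"
  # export the CA cert for use with other apps: cacert.asc is the public
  # certificate; cacert.p12 also carries the CA private key, so it gets the
  # same ownership and permissions as the key database
  # shellcheck disable=SC2086
  certutil -L $prefixarg -d "$secdir" -n "CA certificate" -a > "$secdir/cacert.asc"
  # shellcheck disable=SC2086
  ( umask 077; pk12util -d "$secdir" $prefixarg -o "$secdir/cacert.p12" -n "CA certificate" -w "$secdir/pwdfile.txt" -k "$secdir/pwdfile.txt" )
  if [[ -f "$secdir/cacert.p12" ]]; then
    if [[ -n "$isroot" ]]; then
      chown "$uid:$gid" "$secdir/cacert.p12"
    fi
    chmod 600 "$secdir/cacert.p12"
  fi
fi
if [[ -n "$needServerCert" ]]; then
  # 7. Generate the server certificate, issued by the CA above (serial 1001):
  # shellcheck disable=SC2086
  certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d "$secdir" -z "$secdir/noise.txt" -f "$secdir/pwdfile.txt"
fi
# create the pin file: token name and password on one line, read by the
# directory server at startup
if [[ ! -f "$secdir/pin.txt" ]]; then
  pinfile=$secdir/pin.txt
  ( umask 077; printf 'Internal (Software) Token:%s\n' "$(cat "$secdir/pwdfile.txt")" > "$pinfile" )
  if [[ -n "$isroot" ]]; then
    chown "$uid:$gid" "$pinfile"
  fi
  chmod 400 "$pinfile"
else
  echo "Using existing $secdir/pin.txt"
fi
if [[ -n "$prefix" ]]; then
  # move the old files out of the way
  mv "$secdir/cert8.db" "$secdir/orig-cert8.db"
  mv "$secdir/key3.db" "$secdir/orig-key3.db"
  # move in the new files - will be used after server restart
  mv "$secdir/${prefix}cert8.db" "$secdir/cert8.db"
  mv "$secdir/${prefix}key3.db" "$secdir/key3.db"
fi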
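modnssdir=/etc/httpd/alias
# Setup SSL in Apache: set any existing mod_nss database aside under
# ${modnssdir}.ipa, then build a fresh one holding our CA and a server cert.
# mkdir -p: a backup directory left by an earlier run must not abort the move.
if [[ -e "$modnssdir" ]]; then
  mkdir -p "${modnssdir}.ipa"
  mv "$modnssdir/cert8.db" "${modnssdir}.ipa"
  mv "$modnssdir/key3.db" "${modnssdir}.ipa"
fi
# Create a new database for mod_nss; pw.txt holds an empty token password
# (a blank first line) and is removed at the end of this section
( umask 077; printf '\n' > "$modnssdir/pw.txt" )
certutil -N -d "$modnssdir" -f "$modnssdir/pw.txt"
# Add the CA we created
certutil -A -d "$modnssdir" -n "CA certificate" -t "CT,CT," -a -i "$secdir/cacert.asc"
# Request a new server cert
# NOTE(review): -g 1024 requests a 1024-bit RSA key, below what current
# guidance accepts; kept as found because it is the value this script ships.
certutil -R -d "$modnssdir" \
  -s "cn=$myhost,ou=Apache Web Server" \
  -o "$modnssdir/tmpcertreq" \
  -g 1024 \
  -z "$secdir/noise.txt" \
  -f "$modnssdir/pw.txt"
# Have the FDS CA issue the cert (serial 1002, 120 months). The piped lines
# drive certutil's interactive prompts for the -1 and -5 extensions; the
# trailing blank line reproduces what "echo -e" used to emit.
printf '2\n9\nn\n1\n9\nn\n\n' | \
  certutil -C -d "$secdir" \
    -c "CA certificate" \
    -i "$modnssdir/tmpcertreq" \
    -o "$modnssdir/tmpcert.der" \
    -m 1002 \
    -v 120 \
    -f "$secdir/pwdfile.txt" \
    -1 \
    -5
# Now add this cert to the Apache database. -f is that database's password
# file; it previously pointed at an undefined $modnsdir and at the DER file.
certutil -A -d "$modnssdir" -n "Server-Cert" \
  -t u,u,u \
  -i "$modnssdir/tmpcert.der" \
  -f "$modnssdir/pw.txt"
# remove the temporary password, request and certificate files (a $modnssder
# typo used to leave tmpcert.der behind)
rm -f "$modnssdir/pw.txt" "$modnssdir/tmpcertreq" "$modnssdir/tmpcert.der"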
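# enable SSL in the directory server
# The Directory Manager password reaches ldapmodify through a private temp
# file (-y) rather than -w, which would expose it in the process list.
pwtmp=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f "$pwtmp"' EXIT
chmod 600 "$pwtmp"
# -y uses the file contents verbatim, so write the password without a newline
printf '%s' "$password" > "$pwtmp"
# NOTE(review): the settings below (nsSSL3, export-grade ciphers, hostname
# check off) are what this script has always configured; they predate TLS
# hardening and are documented here, not endorsed. In the LDIF, the cipher
# list continues over several lines; each continuation line starts with a
# single space, which the heredoc preserves.
ldapmodify -x -h localhost -p "$ldapport" -D "cn=Directory Manager" -y "$pwtmp" <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF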