#!/bin/sh if [ "$1" ] ; then password=$1 else echo "password required" exit 1 fi if [ "$2" -a -d "$2" ] ; then secdir="$2" else secdir=/etc/fedora-ds/slapd-localhost fi if [ "$3" ] ; then myhost=$3 else myhost=`hostname --fqdn` fi if [ "$4" ] ; then ldapport=$4 else ldapport=389 fi me=`whoami` if [ "$me" = "root" ] ; then isroot=1 fi # see if there are already certs and keys if [ -f $secdir/cert8.db ] ; then # look for CA cert if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then echo "Using existing CA certificate" else echo "No CA certificate found - will create new one" needCA=1 fi # look for server cert if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then echo "Using existing directory Server-Cert" else echo "No Server Cert found - will create new one" needServerCert=1 fi # look for admin server cert if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then echo "Using existing admin server-cert" else echo "No Admin Server Cert found - will create new one" needASCert=1 fi prefix="new-" prefixarg="-P $prefix" else needCA=1 needServerCert=1 needASCert=1 fi if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then echo "No certs needed - exiting" exit 0 fi # get our user and group if test -n "$isroot" ; then uid=`/bin/ls -ald $secdir | awk '{print $3}'` gid=`/bin/ls -ald $secdir | awk '{print $4}'` fi # 2. Create a password file for your security token password: if [ -f $secdir/pwdfile.txt ] ; then echo "Using existing $secdir/pwdfile.txt" else (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/pwdfile.txt fi chmod 400 $secdir/pwdfile.txt fi # 3. Create a "noise" file for your encryption mechanism: if [ -f $secdir/noise.txt ] ; then echo "Using existing $secdir/noise.txt file" else (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/noise.txt fi chmod 400 $secdir/noise.txt fi # 4. Create the key3.db and cert8.db databases: certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db fi chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db if test -n "$needCA" ; then # 5. Generate the encryption key: certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt # 6. Generate the self-signed certificate: certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt # export the CA cert for use with other apps certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt fi if test -n "$needServerCert" ; then # 7. Generate the server certificate: certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt fi if test -n "$needASCert" ; then # Generate the admin server certificate certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt # export the admin server certificate/private key for import into its key/cert db pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/adminserver.p12 fi chmod 400 $secdir/adminserver.p12 fi # create the pin file if [ ! -f $secdir/pin.txt ] ; then pinfile=$secdir/pin.txt echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile if test -n "$isroot" ; then chown $uid:$gid $pinfile fi chmod 400 $pinfile else echo Using existing $secdir/pin.txt fi if [ -n "$prefix" ] ; then # move the old files out of the way mv $secdir/cert8.db $secdir/orig-cert8.db mv $secdir/key3.db $secdir/orig-key3.db # move in the new files - will be used after server restart mv $secdir/${prefix}cert8.db $secdir/cert8.db mv $secdir/${prefix}key3.db $secdir/key3.db fi # create the admin server key/cert db asprefix=admin-serv- if [ ! -f ${asprefix}cert8.db ] ; then certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/admin-serv-*.db fi chmod 600 $secdir/admin-serv-*.db fi if test -n "$needASCert" ; then # import the admin server key/cert pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt # import the CA cert to the admin server cert db certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc fi if [ ! -f $secdir/password.conf ] ; then # create the admin server password file echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf if test -n "$isroot" ; then chown $uid:$gid $secdir/password.conf fi chmod 400 $secdir/password.conf fi # tell admin server to use the password file if [ -f ../admin-serv/config/nss.conf ] ; then sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf if test -n "$isroot" ; then chown $uid:$gid ../admin-serv/config/nss.conf fi chmod 400 ../admin-serv/config/nss.conf fi # enable SSL in the directory server ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <