mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-29 10:21:18 -06:00
1e59adbe45
which should also be the name used in DS 8.0, change all occurences
185 lines
5.3 KiB
Bash
185 lines
5.3 KiB
Bash
#!/bin/bash
|
|
|
|
if [ "$1" ] ; then
|
|
password=$1
|
|
else
|
|
echo "password required"
|
|
exit 1
|
|
fi
|
|
|
|
if [ "$2" -a -d "$2" ] ; then
|
|
secdir="$2"
|
|
else
|
|
secdir=/etc/dirsrv/slapd-localhost
|
|
fi
|
|
|
|
if [ "$3" ] ; then
|
|
myhost=$3
|
|
else
|
|
myhost=`hostname --fqdn`
|
|
fi
|
|
|
|
|
|
if [ "$4" ] ; then
|
|
ldapport=$4
|
|
else
|
|
ldapport=389
|
|
fi
|
|
|
|
me=`whoami`
|
|
if [ "$me" = "root" ] ; then
|
|
isroot=1
|
|
fi
|
|
|
|
# see if there are already certs and keys
|
|
if [ -f $secdir/cert8.db ] ; then
|
|
# look for CA cert
|
|
if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
|
|
echo "Using existing CA certificate"
|
|
else
|
|
echo "No CA certificate found - will create new one"
|
|
needCA=1
|
|
fi
|
|
|
|
# look for server cert
|
|
if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
|
|
echo "Using existing directory Server-Cert"
|
|
else
|
|
echo "No Server Cert found - will create new one"
|
|
needServerCert=1
|
|
fi
|
|
|
|
prefix="new-"
|
|
prefixarg="-P $prefix"
|
|
else
|
|
needCA=1
|
|
needServerCert=1
|
|
fi
|
|
|
|
if test -z "$needCA" -a -z "$needServerCert" ; then
|
|
echo "No certs needed - exiting"
|
|
exit 0
|
|
fi
|
|
|
|
# get our user and group
|
|
if test -n "$isroot" ; then
|
|
uid=`/bin/ls -ald $secdir | awk '{print $3}'`
|
|
gid=`/bin/ls -ald $secdir | awk '{print $4}'`
|
|
fi
|
|
|
|
# 2. Create a password file for your security token password:
|
|
if [ -f $secdir/pwdfile.txt ] ; then
|
|
echo "Using existing $secdir/pwdfile.txt"
|
|
else
|
|
(ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
|
|
if test -n "$isroot" ; then
|
|
chown $uid:$gid $secdir/pwdfile.txt
|
|
fi
|
|
chmod 400 $secdir/pwdfile.txt
|
|
fi
|
|
|
|
# 3. Create a "noise" file for your encryption mechanism:
|
|
if [ -f $secdir/noise.txt ] ; then
|
|
echo "Using existing $secdir/noise.txt file"
|
|
else
|
|
(w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
|
|
if test -n "$isroot" ; then
|
|
chown $uid:$gid $secdir/noise.txt
|
|
fi
|
|
chmod 400 $secdir/noise.txt
|
|
fi
|
|
|
|
# 4. Create the key3.db and cert8.db databases:
|
|
certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
|
|
if test -n "$isroot" ; then
|
|
chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
|
|
fi
|
|
chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
|
|
|
|
|
|
if test -n "$needCA" ; then
|
|
# 5. Generate the encryption key:
|
|
certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
|
|
# 6. Generate the self-signed certificate:
|
|
certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
|
|
# export the CA cert for use with other apps
|
|
certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
|
|
pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
|
|
fi
|
|
|
|
if test -n "$needServerCert" ; then
|
|
# 7. Generate the server certificate:
|
|
certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
|
|
fi
|
|
|
|
# 8. Generate the web service client certificate:
|
|
echo -e "0\n2\n9\nn\n0\n9\nn\n" | certutil -S $prefixarg -n webservice -s "uid=webservice, CN=Web Service, OU=Fedora Directory Server" -c "CA certificate" -t u,pu,u -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -1 -5
|
|
|
|
pk12util -d $secdir $prefixarg -o $secdir/webservice.p12 -n "webservice" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
|
|
|
|
openssl pkcs12 -in $secdir/webservice.p12 -clcerts -nokeys -out /usr/share/ipa/cert.pem -passin file:$secdir/pwdfile.txt
|
|
openssl pkcs12 -in $secdir/webservice.p12 -nocerts -nodes -out /usr/share/ipa/key.pem -passin file:$secdir/pwdfile.txt
|
|
|
|
cp -p $secdir/cacert.asc /usr/share/ipa
|
|
chown apache:apache /usr/share/ipa/cert.pem /usr/share/ipa/key.pem /usr/share/ipa/cacert.asc
|
|
chmod 600 /usr/share/ipa/cert.pem /usr/share/ipa/key.pem
|
|
|
|
# create the pin file
|
|
if [ ! -f $secdir/pin.txt ] ; then
|
|
pinfile=$secdir/pin.txt
|
|
echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
|
|
if test -n "$isroot" ; then
|
|
chown $uid:$gid $pinfile
|
|
fi
|
|
chmod 400 $pinfile
|
|
else
|
|
echo Using existing $secdir/pin.txt
|
|
fi
|
|
|
|
if [ -n "$prefix" ] ; then
|
|
# move the old files out of the way
|
|
mv $secdir/cert8.db $secdir/orig-cert8.db
|
|
mv $secdir/key3.db $secdir/orig-key3.db
|
|
# move in the new files - will be used after server restart
|
|
mv $secdir/${prefix}cert8.db $secdir/cert8.db
|
|
mv $secdir/${prefix}key3.db $secdir/key3.db
|
|
fi
|
|
|
|
# enable SSL in the directory server
|
|
|
|
ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
|
|
dn: cn=encryption,cn=config
|
|
changetype: modify
|
|
replace: nsSSL3
|
|
nsSSL3: on
|
|
-
|
|
replace: nsSSLClientAuth
|
|
nsSSLClientAuth: allowed
|
|
-
|
|
add: nsSSL3Ciphers
|
|
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
|
|
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
|
|
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
|
|
+tls_rsa_export1024_with_des_cbc_sha
|
|
|
|
dn: cn=config
|
|
changetype: modify
|
|
add: nsslapd-security
|
|
nsslapd-security: on
|
|
-
|
|
replace: nsslapd-ssl-check-hostname
|
|
nsslapd-ssl-check-hostname: off
|
|
|
|
dn: cn=RSA,cn=encryption,cn=config
|
|
changetype: add
|
|
objectclass: top
|
|
objectclass: nsEncryptionModule
|
|
cn: RSA
|
|
nsSSLPersonalitySSL: Server-Cert
|
|
nsSSLToken: internal (software)
|
|
nsSSLActivation: on
|
|
|
|
EOF
|
|
|
|
|