    #!/usr/bin/env bash
    
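    # Output layout: one directory per certificate role; the service
    # directories get one sub-directory per IPA host (see the create command).
    ROOT_CA_DIR="certificates/root-ca"
    DIRSRV_CERTS_DIR="certificates/dirsrv"
    HTTPD_CERTS_DIR="certificates/httpd"
    PKINIT_CERTS_DIR="certificates/pkinit"
    # Password protecting the exported .p12 bundles. The default is a
    # throwaway CI value; an already-set environment variable takes precedence
    # so a pipeline can supply its own secret without editing the script.
    PKCS12_PASSWORD="${PKCS12_PASSWORD:-SomePKCS12password}"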
    
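    # generate_ipa_pkcs12_certificate \
    #    $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key [extensions_file extensions_name]
    #
    # Creates a 4096-bit RSA key and a CSR for $ipa_fqdn in $certs_dir, signs
    # the CSR with the given root CA (optionally applying section
    # $extensions_name of the openssl extensions file $extensions_file) and
    # exports key + certificate as $certs_dir/cert.p12 protected with
    # $PKCS12_PASSWORD. Returns non-zero as soon as an openssl step fails so
    # callers do not carry on with a partial set of files.
    generate_ipa_pkcs12_certificate() {
        local cert_name=$1
        local ipa_fqdn=$2
        local certs_dir=$3
        local root_ca_cert=$4
        local root_ca_private_key=$5
        local extensions_file=${6-}
        local extensions_name=${7-}

        # Generate CSR and private key
        openssl req -new -newkey rsa:4096 -nodes \
            -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \
            -keyout "${certs_dir}/private.key" \
            -out "${certs_dir}/request.csr" || return 1

        # Sign CSR to generate PEM certificate. The extensions options are only
        # added when the caller supplied a file; the signing CA is always the
        # one passed as an argument (the extensions branch used to ignore it and
        # read $ROOT_CA_DIR directly).
        local -a ext_args=()
        if [ -n "${extensions_file}" ]; then
            ext_args=(-extfile "${extensions_file}" -extensions "${extensions_name}")
        fi
        openssl x509 -req -days 365 -sha256 \
            -CAcreateserial \
            -CA "${root_ca_cert}" \
            -CAkey "${root_ca_private_key}" \
            "${ext_args[@]}" \
            -in "${certs_dir}/request.csr" \
            -out "${certs_dir}/cert.pem" || return 1

        # Convert certificate to PKCS12 format. The password is handed to
        # openssl through the environment (-passout env:) instead of on the
        # command line, so it does not show up in process listings.
        PKCS12_PASSWORD="${PKCS12_PASSWORD}" openssl pkcs12 -export \
            -name "${cert_name}" \
            -certfile "${root_ca_cert}" \
            -in "${certs_dir}/cert.pem" \
            -inkey "${certs_dir}/private.key" \
            -passout env:PKCS12_PASSWORD \
            -out "${certs_dir}/cert.p12"
    }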
    
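    # generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain
    #
    # Creates the root CA under $ROOT_CA_DIR (only if no key exists yet) and
    # then a dirsrv, httpd and PKINIT certificate for $ipa_fqdn; each of the
    # three is skipped when its cert.pem already exists. Exits with status 1
    # on a usage error and returns non-zero when any generation step fails.
    generate_ipa_pkcs12_certificates() {
        local host=$1
        if [ -z "$host" ]; then
            echo "ERROR: ipa-host-fqdn is not set" >&2
            echo >&2
            echo "usage: $0 create ipa-host-fqdn domain" >&2
            exit 1
        fi

        local domain=$2
        if [ -z "$domain" ]; then
            echo "ERROR: domain is not set" >&2
            echo >&2
            echo "usage: $0 create ipa-host-fqdn domain" >&2
            exit 1
        fi

        # Generate certificates folder structure
        mkdir -p "${ROOT_CA_DIR}" \
            "${DIRSRV_CERTS_DIR}/$host" \
            "${HTTPD_CERTS_DIR}/$host" \
            "${PKINIT_CERTS_DIR}/$host" || return 1

        # Generate root CA (self-signed, valid 10 years) unless a key is
        # already present, so repeated runs reuse the same CA
        if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
            openssl genrsa \
                    -out "${ROOT_CA_DIR}/private.key" 4096 || return 1

            openssl req -new -x509 -sha256 -nodes -days 3650 \
                    -subj "/C=US/ST=Test/L=Testing/O=Default" \
                    -key "${ROOT_CA_DIR}/private.key" \
                    -out "${ROOT_CA_DIR}/cert.pem" || return 1
        fi

        # Generate a certificate for the Directory Server
        if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then
            generate_ipa_pkcs12_certificate \
                "dirsrv-cert" \
                "$host" \
                "${DIRSRV_CERTS_DIR}/$host" \
                "${ROOT_CA_DIR}/cert.pem" \
                "${ROOT_CA_DIR}/private.key" || return 1
        fi

        # Generate a certificate for the Apache server
        if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then
            generate_ipa_pkcs12_certificate \
                "httpd-cert" \
                "$host" \
                "${HTTPD_CERTS_DIR}/$host" \
                "${ROOT_CA_DIR}/cert.pem" \
                "${ROOT_CA_DIR}/private.key" || return 1
        fi

        # Generate a certificate for the KDC PKINIT
        if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then
            local extensions_file="${PKINIT_CERTS_DIR}/extensions.conf"
            if [ ! -f "${extensions_file}" ]; then
                echo "ERROR: ${extensions_file} not found" >&2
                return 1
            fi
            # REALM is exported for the extensions file; presumably its
            # kdc_cert section reads it via openssl's ${ENV::REALM} syntax.
            export REALM=${domain^^}

            generate_ipa_pkcs12_certificate \
                "pkinit-cert" \
                "$host" \
                "${PKINIT_CERTS_DIR}/$host" \
                "${ROOT_CA_DIR}/cert.pem" \
                "${ROOT_CA_DIR}/private.key" \
                "${extensions_file}" \
                "kdc_cert" || return 1
        fi
    }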
    
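    # delete_ipa_pkcs12_certificates $ipa_fqdn
    #
    # Removes every generated file for $ipa_fqdn under the per-service
    # directories and then the root CA files themselves (so the next create
    # run issues a fresh CA). Exits with status 1 on a usage error.
    delete_ipa_pkcs12_certificates() {
        local host=$1
        if [ -z "$host" ]; then
            echo "ERROR: ipa-host-fqdn is not set" >&2
            echo >&2
            echo "usage: $0 delete ipa-host-fqdn" >&2
            exit 1
        fi

        rm -f -- certificates/*/"$host"/*
        # ${ROOT_CA_DIR:?} aborts instead of expanding to "/*" should the
        # variable ever be empty; -- stops option parsing on odd names.
        rm -f -- "${ROOT_CA_DIR:?}"/*
    }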
    
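    # Entrypoint: dispatch on the sub-command; the remaining arguments are
    # passed through to the handler, which validates them itself.
    case "${1-}" in
      create)
        generate_ipa_pkcs12_certificates "$2" "$3"
        ;;
      delete)
        delete_ipa_pkcs12_certificates "$2"
        ;;
      *)
        # A missing or unknown sub-command is an error: report it on stderr
        # and exit non-zero so a CI step does not silently succeed. Plain
        # quoting replaces $"...", which would route the text through locale
        # translation.
        printf 'Usage: %s {create|delete}\n' "$0" >&2
        exit 1
        ;;
    esac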