|
Packit |
8cb997 |
#!/bin/bash
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
master=$1
|
|
Packit |
8cb997 |
if [ -z "$master" ]; then
|
|
Packit |
8cb997 |
echo "ERROR: master is not set"
|
|
Packit |
8cb997 |
echo
|
|
Packit |
8cb997 |
echo "usage: $0 master-fqdn domain"
|
|
Packit |
8cb997 |
exit 0;
|
|
Packit |
8cb997 |
fi
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
PASSWORD="SomeCApassword"
|
|
Packit |
8cb997 |
DBDIR="${master}-nssdb"
|
|
Packit |
8cb997 |
PWDFILE="$DBDIR/pwdfile.txt"
|
|
Packit |
8cb997 |
NOISE="$DBDIR/noise.txt"
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
domain=$2
|
|
Packit |
8cb997 |
if [ -z "$domain" ]; then
|
|
Packit |
8cb997 |
echo "ERROR: domain is not set"
|
|
Packit |
8cb997 |
echo
|
|
Packit |
8cb997 |
echo "usage: $0 master-fqdn domain"
|
|
Packit |
8cb997 |
exit 0;
|
|
Packit |
8cb997 |
fi
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if [ ! -f "${master}-ipa.csr" ]; then
|
|
Packit |
8cb997 |
echo "ERROR: ${master}-ipa.csr missing"
|
|
Packit |
8cb997 |
exit 1;
|
|
Packit |
8cb997 |
fi
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
|
|
Packit |
8cb997 |
IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Prepare a new NSS database to serve us as an external CA
|
|
Packit |
8cb997 |
rm -rf "$DBDIR"
|
|
Packit |
8cb997 |
mkdir "$DBDIR"
|
|
Packit |
8cb997 |
echo "$PASSWORD" > "$PWDFILE"
|
|
Packit |
8cb997 |
dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null
|
|
Packit |
8cb997 |
certutil -N -d "$DBDIR" -f "$PWDFILE"
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Generate a CA certificate
|
|
Packit |
8cb997 |
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
|
|
Packit |
8cb997 |
| certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
|
|
Packit |
8cb997 |
-s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID -m 1
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Change the form of the CSR from PEM to DER for the NSS database
|
|
Packit |
8cb997 |
openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Sign the certificate request
|
|
Packit |
8cb997 |
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
|
|
Packit |
8cb997 |
| certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
|
|
Packit |
8cb997 |
-i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID -m 2
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Export the NSS CA certificate and add it to a chain file
|
|
Packit |
8cb997 |
certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
|
|
Packit |
8cb997 |
openssl x509 -text -in "$DBDIR/external.pem" > "$DBDIR/chain.crt"
|
|
Packit |
8cb997 |
openssl x509 -text -in "$DBDIR/ca.crt" >> "$DBDIR/chain.crt"
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
cp "$DBDIR/chain.crt" "${master}-chain.crt"
|