Diffstat (limited to 'ipa-server/ipa-install/ipa-server-setupssl')
-rw-r--r--ipa-server/ipa-install/ipa-server-setupssl216
1 files changed, 0 insertions, 216 deletions
diff --git a/ipa-server/ipa-install/ipa-server-setupssl b/ipa-server/ipa-install/ipa-server-setupssl
deleted file mode 100644
index 1774f214d..000000000
--- a/ipa-server/ipa-install/ipa-server-setupssl
+++ /dev/null
@@ -1,216 +0,0 @@
-#!/bin/bash
-
-if [ "$1" ] ; then
- password=$1
-else
- echo "password required"
- exit 1
-fi
-
-if [ "$2" -a -d "$2" ] ; then
- secdir="$2"
-else
- secdir=/etc/dirsrv/slapd-localhost
-fi
-
-if [ "$3" ] ; then
- myhost=$3
-else
- myhost=`hostname --fqdn`
-fi
-
-
-if [ "$4" ] ; then
- ldapport=$4
-else
- ldapport=389
-fi
-
-me=`whoami`
-if [ "$me" = "root" ] ; then
- isroot=1
-fi
-
-# see if there are already certs and keys
-if [ -f $secdir/cert8.db ] ; then
- # look for CA cert
- if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
- echo "Using existing CA certificate"
- else
- echo "No CA certificate found - will create new one"
- needCA=1
- fi
-
- # look for server cert
- if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
- echo "Using existing directory Server-Cert"
- else
- echo "No Server Cert found - will create new one"
- needServerCert=1
- fi
-
- prefix="new-"
- prefixarg="-P $prefix"
-else
- needCA=1
- needServerCert=1
-fi
-
-if test -z "$needCA" -a -z "$needServerCert" ; then
- echo "No certs needed - exiting"
- exit 0
-fi
-
-# get our user and group
-if test -n "$isroot" ; then
- uid=`/bin/ls -ald $secdir | awk '{print $3}'`
- gid=`/bin/ls -ald $secdir | awk '{print $4}'`
-fi
-
-# 2. Create a password file for your security token password:
-if [ -f $secdir/pwdfile.txt ] ; then
- echo "Using existing $secdir/pwdfile.txt"
-else
- (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
- if test -n "$isroot" ; then
- chown $uid:$gid $secdir/pwdfile.txt
- fi
- chmod 400 $secdir/pwdfile.txt
-fi
-
-# 3. Create a "noise" file for your encryption mechanism:
-if [ -f $secdir/noise.txt ] ; then
- echo "Using existing $secdir/noise.txt file"
-else
- (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
- if test -n "$isroot" ; then
- chown $uid:$gid $secdir/noise.txt
- fi
- chmod 400 $secdir/noise.txt
-fi
-
-# 4. Create the key3.db and cert8.db databases:
-certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
-if test -n "$isroot" ; then
- chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
-fi
-chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
-
-
-if test -n "$needCA" ; then
-# 5. Generate the encryption key:
- certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
-# 6. Generate the self-signed certificate:
- certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
-# export the CA cert for use with other apps
- certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
- pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
-fi
-
-if test -n "$needServerCert" ; then
-# 7. Generate the server certificate:
- certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
-fi
-
-# create the pin file
-if [ ! -f $secdir/pin.txt ] ; then
- pinfile=$secdir/pin.txt
- echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
- if test -n "$isroot" ; then
- chown $uid:$gid $pinfile
- fi
- chmod 400 $pinfile
-else
- echo Using existing $secdir/pin.txt
-fi
-
-if [ -n "$prefix" ] ; then
- # move the old files out of the way
- mv $secdir/cert8.db $secdir/orig-cert8.db
- mv $secdir/key3.db $secdir/orig-key3.db
- # move in the new files - will be used after server restart
- mv $secdir/${prefix}cert8.db $secdir/cert8.db
- mv $secdir/${prefix}key3.db $secdir/key3.db
-fi
-
-modnssdir=/etc/httpd/alias
-
-# Setup SSL in Apache
-if [ -e $modnssdir ]; then
- mkdir ${modnssdir}.ipa
- mv $modnssdir/cert8.db ${modnssdir}.ipa
- mv $modnssdir/key3.db ${modnssdir}.ipa
-fi
-
-# Create a new database for mod_nss
-echo -e "\n" > $modnssdir/pw.txt
-certutil -N -d $modnssdir -f $modnssdir/pw.txt
-
-# Add the CA we created
-certutil -A -d $modnssdir -n "CA certificate" -t "CT,CT," -a -i $secdir/cacert.asc
-
-# Request a new server cert
-certutil -R -d $modnssdir \
- -s "cn=$myhost,ou=Apache Web Server" \
- -o $modnssdir/tmpcertreq \
- -g 1024 \
- -z $secdir/noise.txt \
- -f $modnssdir/pw.txt
-
-# Have the FDS CA issue the cert
-echo -e "2\n9\nn\n1\n9\nn\n" | \
-certutil -C -d $secdir \
- -c "CA certificate" \
- -i $modnssdir/tmpcertreq \
- -o $modnssdir/tmpcert.der \
- -m 1002 \
- -v 120 \
- -f $secdir/pwdfile.txt \
- -1 \
- -5
-
-# Now add this cert to the Apache database
-certutil -A -d $modnssdir -n "Server-Cert"\
- -t u,u,u \
- -i $modnssdir/tmpcert.der \
- -f $modnsdir/tmpcert.der
-
-rm -f $modnssdir/pw.txt $modnssdir/tmpcertreq $modnssder/tmpcert.der
-
-# enable SSL in the directory server
-
-ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
-dn: cn=encryption,cn=config
-changetype: modify
-replace: nsSSL3
-nsSSL3: on
--
-replace: nsSSLClientAuth
-nsSSLClientAuth: allowed
--
-add: nsSSL3Ciphers
-nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
- +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
- +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
- +tls_rsa_export1024_with_des_cbc_sha
-
-dn: cn=config
-changetype: modify
-add: nsslapd-security
-nsslapd-security: on
--
-replace: nsslapd-ssl-check-hostname
-nsslapd-ssl-check-hostname: off
-
-dn: cn=RSA,cn=encryption,cn=config
-changetype: add
-objectclass: top
-objectclass: nsEncryptionModule
-cn: RSA
-nsSSLPersonalitySSL: Server-Cert
-nsSSLToken: internal (software)
-nsSSLActivation: on
-
-EOF
-
-