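#!/usr/bin/bash
#
# crtkey-gen.sh — generate a private key and CSR for every client host and for
# every service of $DOMAIN, sign the CSRs with the local CA, then print the
# SHA-256 fingerprint of the public key for the Jabber hosts.
#
# The Root CA passphrase is read from the terminal without echo, handed to
# `openssl ca` through the environment (never on argv, so it does not appear
# in `ps`), and unset as soon as signing is finished.
#
# Expected layout: one <host>.cnf per client host in $CLIENTCONFDIR, one
# $DOMAIN.<service>-openssl.cnf per service in $SERVERCONFDIR, and a CA
# directory ($CADIR) holding openssl-client.cnf and openssl-server.cnf.

set -euo pipefail

# Private keys are written by `openssl req -keyout`; make sure they are never
# created group- or world-readable, whatever umask the caller has.
umask 077

DOMAIN="casperlefantom.net"
SERIAL="50"  # crtversion — bump it for each new generation

# Host and service lists are intentionally space-separated words: the names
# contain no whitespace or glob characters, so unquoted `for i in $LIST` is
# the intended word-splitting (shellcheck SC2086 does not apply here).
SERVERHOST=""
CLIENTHOST="$SERVERHOST sd-126263.dbjabber sd-128718.nfs sd-128718.bosh sd-128718.ws sd-128718.matrix sd-128718.dbcirrus sd-128718.dblinks sd-128718.redis"
SERVICELIST="manchester.nfs blackbird.ejabberd blackbird.dbjabber blackbird.dbcirrus blackbird.dblinks blackbird.postfix blackbird.dovecot blackbird.murmur blackbird.ws blackbird.bosh blackbird.matrix blackbird.redis sd-94125.postfix sd-94125.dovecot sd-126263.ejabberd sd-126263.nfs sd-126263.murmur sd-126263.ws sd-126263.bosh sd-126263.redis blackbird.nfs"

JABBERHOST="blackbird.ejabberd sd-126263.ejabberd"

SERVERCONFDIR="$HOME/park-admin/playbooks-ansible/openssl/config-server/"
CLIENTCONFDIR="$HOME/park-admin/playbooks-ansible/openssl/config-client/"

CERTDIR="$HOME/park-admin/playbooks-ansible/roles/imserver/files/certs/"
KEYDIR=$CERTDIR
CSRDIR=$CERTDIR
CADIR="$HOME/park-admin/playbooks-ansible/roles/imserver/files/certs/../.CA-2"

# Print a message on stderr and exit with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Refuse to overwrite a key that already exists for this serial: a key must
# never be silently regenerated under a name that may already be deployed.
# Arguments: $1 - full path of the key file
refuse_existing() {
  if [ -f "$1" ]; then
    die "Error: existing file ${1##*/}"
  fi
}

# -r keeps backslashes literal; -s disables echo, so terminate the line by hand.
read -rs -p "Password Root CA: " rootcapasswd
printf '\n' >&2

# `openssl ca -passin env:` reads the passphrase from this variable.
export MONCAPASSWD="$rootcapasswd"
unset rootcapasswd

# Client certificates: one key + CSR per client host.
for i in $CLIENTHOST; do
  refuse_existing "$KEYDIR/$i.$SERIAL.key"
  openssl req -new -config "$CLIENTCONFDIR/$i.cnf" -newkey rsa:4096 \
    -keyout "$KEYDIR/$i.$SERIAL.key" -out "$CSRDIR/$i.$SERIAL.csr"
done

# Plain server certificates (kept for reference; $SERVERHOST is empty, so the
# signing loop below is a no-op until hosts are added):
##for i in $SERVERHOST; do
##  openssl req -new -config "$SERVERCONFDIR/$DOMAIN-openssl.cnf" -newkey rsa:4096 \
##    -keyout "$KEYDIR/$DOMAIN.$i.$SERIAL.key" -out "$CSRDIR/$DOMAIN.$i.$SERIAL.csr"
##done

# Server certificates: one key + CSR per service of $DOMAIN.
for i in $SERVICELIST; do
  refuse_existing "$KEYDIR/$DOMAIN.$i.$SERIAL.key"
  openssl req -new -config "$SERVERCONFDIR/$DOMAIN.$i-openssl.cnf" -newkey rsa:4096 \
    -keyout "$KEYDIR/$DOMAIN.$i.$SERIAL.key" -out "$CSRDIR/$DOMAIN.$i.$SERIAL.csr"
done

# Signing. `openssl ca` resolves openssl-*.cnf (and the CA database it names)
# relative to the CA directory, hence the pushd; $CSRDIR/$CERTDIR are absolute.
# Unlike the old behaviour, an unreachable CA now aborts the run instead of
# falling through to the fingerprint step with unsigned CSRs.
if ! pushd "$CADIR" >/dev/null; then
  die "CA inaccessible !"
fi

for i in $SERVERHOST; do
  openssl ca -batch -passin env:MONCAPASSWD -config openssl-server.cnf \
    -in "$CSRDIR/$DOMAIN.$i.$SERIAL.csr" -out "$CERTDIR/$DOMAIN.$i.$SERIAL.crt"
done

for i in $CLIENTHOST; do
  openssl ca -batch -passin env:MONCAPASSWD -config openssl-client.cnf \
    -in "$CSRDIR/$i.$SERIAL.csr" -out "$CERTDIR/$i.$SERIAL.crt"
done

for i in $SERVICELIST; do
  openssl ca -batch -passin env:MONCAPASSWD -config openssl-server.cnf \
    -in "$CSRDIR/$DOMAIN.$i.$SERIAL.csr" -out "$CERTDIR/$DOMAIN.$i.$SERIAL.crt"
done

popd >/dev/null

# Drop the passphrase from the environment. An empty assignment would keep
# the (exported) variable defined; unset removes it for any child started
# after this point.
unset MONCAPASSWD

# Public-key fingerprint (SHA-256, colon-separated hex, upper-case) for each
# Jabber host, derived from the private key just generated.
for j in $JABBERHOST; do
  printf '%s:\n' "$j"
  openssl pkey -in "$KEYDIR/$DOMAIN.$j.$SERIAL.key" -pubout -outform DER \
    | openssl dgst -sha256 -hex -c \
    | awk '{ print toupper($2) }'
done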