#!/bin/bash if [ "$1" ] ; then password=$1 else echo "password required" exit 1 fi if [ "$2" -a -d "$2" ] ; then secdir="$2" else secdir=/etc/dirsrv/slapd-localhost fi if [ "$3" ] ; then myhost=$3 else myhost=`hostname --fqdn` fi if [ "$4" ] ; then ldapport=$4 else ldapport=389 fi me=`whoami` if [ "$me" = "root" ] ; then isroot=1 fi # see if there are already certs and keys if [ -f $secdir/cert8.db ] ; then # look for CA cert if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then echo "Using existing CA certificate" else echo "No CA certificate found - will create new one" needCA=1 fi # look for server cert if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then echo "Using existing directory Server-Cert" else echo "No Server Cert found - will create new one" needServerCert=1 fi prefix="new-" prefixarg="-P $prefix" else needCA=1 needServerCert=1 fi if test -z "$needCA" -a -z "$needServerCert" ; then echo "No certs needed - exiting" exit 0 fi # get our user and group if test -n "$isroot" ; then uid=`/bin/ls -ald $secdir | awk '{print $3}'` gid=`/bin/ls -ald $secdir | awk '{print $4}'` fi # 2. Create a password file for your security token password: if [ -f $secdir/pwdfile.txt ] ; then echo "Using existing $secdir/pwdfile.txt" else (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/pwdfile.txt fi chmod 400 $secdir/pwdfile.txt fi # 3. Create a "noise" file for your encryption mechanism: if [ -f $secdir/noise.txt ] ; then echo "Using existing $secdir/noise.txt file" else (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/noise.txt fi chmod 400 $secdir/noise.txt fi # 4. Create the key3.db and cert8.db databases: certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt if test -n "$isroot" ; then chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db fi chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db if test -n "$needCA" ; then # 5. Generate the encryption key: certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt # 6. Generate the self-signed certificate: certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt # export the CA cert for use with other apps certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt fi if test -n "$needServerCert" ; then # 7. Generate the server certificate: certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt fi # create the pin file if [ ! -f $secdir/pin.txt ] ; then pinfile=$secdir/pin.txt echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile if test -n "$isroot" ; then chown $uid:$gid $pinfile fi chmod 400 $pinfile else echo Using existing $secdir/pin.txt fi if [ -n "$prefix" ] ; then # move the old files out of the way mv $secdir/cert8.db $secdir/orig-cert8.db mv $secdir/key3.db $secdir/orig-key3.db # move in the new files - will be used after server restart mv $secdir/${prefix}cert8.db $secdir/cert8.db mv $secdir/${prefix}key3.db $secdir/key3.db fi # enable SSL in the directory server ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <