diff options
Diffstat (limited to 'stap-gen-cert')
| -rwxr-xr-x | stap-gen-cert | 43 |
1 files changed, 25 insertions, 18 deletions
diff --git a/stap-gen-cert b/stap-gen-cert index 4f2650cd..4938817d 100755 --- a/stap-gen-cert +++ b/stap-gen-cert @@ -3,7 +3,7 @@ # Generate a certificate for the systemtap server and add it to the # database of trusted servers for the client. # -# Copyright (C) 2008, 2009 Red Hat Inc. +# Copyright (C) 2008-2010 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General @@ -14,61 +14,68 @@ . ${PKGLIBEXECDIR}stap-env # Obtain the certificate database directory name. -serverdb=$1 +serverdb="$1" if test "X$serverdb" = "X"; then - serverdb=$stap_ssl_db/server + serverdb="$stap_ssl_db/server" fi -rm -fr $serverdb +rm -fr "$serverdb" # Create the server's certificate database directory. -if ! mkdir -p -m 755 $serverdb; then +if ! mkdir -p -m 755 "$serverdb"; then echo "Unable to create the server certificate database directory: $serverdb" >&2 exit 1 fi # Create the certificate database password file. Care must be taken # that this file is only readable by the owner. -if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then +if ! (touch "$serverdb/pw" && chmod 600 "$serverdb/pw"); then echo "Unable to create the server certificate database password file: $serverdb/pw" >&2 exit 1 fi # Generate a random password. -mkpasswd -l 20 > $serverdb/pw 2>/dev/null || \ -apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null || \ -(read -n20 password </dev/urandom; echo "$password" > $serverdb/pw) +mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null || \ +apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null || \ +(read -n20 password </dev/urandom; echo "$password" > "$serverdb/pw") # Generate the server certificate database -if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then +if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then echo "Unable to initialize the server certificate database directory: $serverdb" >&2 exit 1 fi # We need some random noise for generating keys -dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null +dd bs=123 count=1 < /dev/urandom > "$serverdb/noise" 2> /dev/null # Generate a request for the server's certificate. -certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap.req -z $serverdb/noise 2> /dev/null -rm -fr $serverdb/noise +certutil -R -d "$serverdb" -f "$serverdb/pw" -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \ + -o "$serverdb/stap.req" -z "$serverdb/noise" 2> /dev/null +rm -fr "$serverdb/noise" # Create the certificate file first so that it always has the proper access permissions. -if ! (touch $serverdb/$stap_certfile && chmod 644 $serverdb/$stap_certfile); then +if ! (touch "$serverdb/$stap_certfile" && chmod 644 "$serverdb/$stap_certfile"); then echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2 exit 1 fi -# Now generate the actual certificate. -certutil -C -i $serverdb/stap.req -o $serverdb/$stap_certfile -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF +# Now generate the actual certificate. Make is valid for 1 year. +certutil -C -i "$serverdb/stap.req" -o "$serverdb/$stap_certfile" -x -d "$serverdb" \ + -f "$serverdb/pw" -v 12 -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF 1 3 7 8 y EOF -rm -fr $serverdb/stap.req +rm -fr "$serverdb/stap.req" # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer -certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/$stap_certfile -d $serverdb -f $serverdb/pw +certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/$stap_certfile" -d "$serverdb" -f "$serverdb/pw" +# Print some information about the certificate. echo "Certificate $serverdb/$stap_certfile created and added to database $serverdb" +certutil -L -d "$serverdb" -n stap-server | \ + awk '/Validity|Not After|Not Before/ { print $0 }' | \ + sed 's/^ */ /' + exit 0 |