Diffstat (limited to 'stap-gen-server-cert')
-rwxr-xr-x | stap-gen-server-cert | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/stap-gen-server-cert b/stap-gen-server-cert
new file mode 100755
index 00000000..8f9629ea
--- /dev/null
+++ b/stap-gen-server-cert
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Generate a certificate for the systemtap server and add it to the
+# database of trusted servers for the client.
+#
+# Copyright (C) 2008 Red Hat Inc.
+#
+# This file is part of systemtap, and is free software. You can
+# redistribute it and/or modify it under the terms of the GNU General
+# Public License (GPL); either version 2, or (at your option) any
+# later version.
+
+# Obtain the certificate database directory name.
+if test "X$1" = "X"; then
+ echo "Certificate database directory must be specified" >&2
+ exit 1
+fi
+rm -fr $1
+
+# Create the server's certificate database directory.
+serverdb=$1/server
+if ! mkdir -p $serverdb; then
+ echo "Unable to create the server certificate database directory: $serverdb" >&2
+ exit 1
+fi
+
+# Create the certificate database password file. Care must be taken
+# that this file is only readable by the owner.
+if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then
+ echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
+ exit 1
+fi
+
+# Generate a random password.
+mkpasswd -l 20 > $serverdb/pw
+
+# Generate the server certificate database
+if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then
+ echo "Unable to initialize the server certificate database directory: $serverdb" >&2
+ exit 1
+fi
+
+# We need some random noise for generating keys
+dd bs=123 count=1 < /dev/urandom > $1/noise 2> /dev/null
+
+# Generate a request for the server's certificate.
+certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $1/stap-server.req -z $1/noise 2> /dev/null
+rm -fr $1/noise
+
+# Now generate the actual certificate.
+certutil -C -i $1/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
+1
+3
+7
+8
+y
+EOF
+rm -fr $1/stap-server.req
+
+# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
+certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw
+
+# Now create a directory for the client's certificate database
+clientdb=$1/client
+if ! mkdir -p $clientdb; then
+ echo "Unable to create the client certificate database directory: $clientdb" >&2
+ exit 1
+fi
+
+# Now add the server's certificate to the client's database, making it a trusted peer.
+if ! certutil -A -n stap-server -d $clientdb -i $serverdb/stap-server.cert -t "P,P,P" > /dev/null; then
+ echo "Unable to add $serverdb/x509.cacert to the client certificate database: $clientdb" >&2
+ exit 1
+fi
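Review bot: `$1` and `$serverdb` are expanded unquoted throughout the new file, beginning with `rm -fr $1`, so a directory argument containing whitespace or glob characters is word-split before the recursive delete and again in every later `mkdir`, `touch`, `chmod` and `certutil` call; the only guard is the empty-string test at the top. Quote the expansions and end option parsing before the path, e.g. `rm -fr -- "$1"`, `serverdb="$1/server"` and `certutil -N -d "$serverdb" -f "$serverdb/pw"`, and consider rejecting `/` and relative `..` arguments explicitly since the script wipes whatever it is given. The exit status of `mkpasswd -l 20 > $serverdb/pw` is never checked, so if `mkpasswd` is missing the script presumably carries on with an empty password file and initialises the key database with whatever `certutil -N` accepts from it; `mkpasswd -l 20 > "$serverdb/pw" || exit 1` would keep that failure visible. The `certutil -R` (with its stderr discarded), `certutil -C` and the first `certutil -A -t "PCu,,PCu"` invocations are likewise unchecked, so a signing or import failure only surfaces as a confusing error at the final step. That final message also names `$serverdb/x509.cacert` although the file actually imported is `$serverdb/stap-server.cert`.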