#!/bin/bash # Generate a certificate for the systemtap server and add it to the # database of trusted servers for the client. # # Copyright (C) 2008-2010 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General # Public License (GPL); either version 2, or (at your option) any # later version. # Initialize the environment . ${PKGLIBEXECDIR}stap-env # Obtain the certificate database directory name. serverdb="$1" if test "X$serverdb" = "X"; then serverdb="$stap_ssl_db/server" fi rm -fr "$serverdb" # Create the server's certificate database directory. if ! mkdir -p -m 755 "$serverdb"; then echo "Unable to create the server certificate database directory: $serverdb" >&2 exit 1 fi # Create the certificate database password file. Care must be taken # that this file is only readable by the owner. if ! (touch "$serverdb/pw" && chmod 600 "$serverdb/pw"); then echo "Unable to create the server certificate database password file: $serverdb/pw" >&2 exit 1 fi # Generate a random password. mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null || \ apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null || \ (read -n20 password "$serverdb/pw") # Generate the server certificate database if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then echo "Unable to initialize the server certificate database directory: $serverdb" >&2 exit 1 fi # We need some random noise for generating keys dd bs=123 count=1 < /dev/urandom > "$serverdb/noise" 2> /dev/null # Generate a request for the server's certificate. certutil -R -d "$serverdb" -f "$serverdb/pw" -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \ -o "$serverdb/stap.req" -z "$serverdb/noise" 2> /dev/null rm -fr "$serverdb/noise" # Create the certificate file first so that it always has the proper access permissions. if ! (touch "$serverdb/$stap_certfile" && chmod 644 "$serverdb/$stap_certfile"); then echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2 exit 1 fi # Now generate the actual certificate. Make is valid for 1 year. certutil -C -i "$serverdb/stap.req" -o "$serverdb/$stap_certfile" -x -d "$serverdb" \ -f "$serverdb/pw" -v 12 -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF 1 3 7 8 y EOF rm -fr "$serverdb/stap.req" # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/$stap_certfile" -d "$serverdb" -f "$serverdb/pw" # Print some information about the certificate. echo "Certificate $serverdb/$stap_certfile created and added to database $serverdb" certutil -L -d "$serverdb" -n stap-server | \ awk '/Validity|Not After|Not Before/ { print $0 }' | \ sed 's/^ */ /' exit 0