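#!/usr/bin/env bash
#
# Create (or delete) a self-signed test root CA plus PKCS#12 bundles for the
# FreeIPA services of one host: Directory Server (dirsrv), Apache (httpd) and
# the KDC PKINIT certificate.
#
# Usage:
#   $0 create ipa-host-fqdn domain
#   $0 delete ipa-host-fqdn
#
# Environment:
#   PKCS12_PASSWORD  export password for the generated .p12 files. Defaults to
#                    the fixed test value below; override it for any setup that
#                    is not throwaway.
#
# Output layout (relative to the working directory):
#   certificates/root-ca/{private.key,cert.pem}
#   certificates/{dirsrv,httpd,pkinit}/<host>/{private.key,request.csr,cert.pem,cert.p12}
#
# The PKINIT certificate is signed with section "kdc_cert" of
# certificates/pkinit/extensions.conf, which must already exist; REALM is
# exported before that signing step, presumably for use by that file.
#
# Fixes relative to the previous revision: every expansion is quoted, usage
# errors exit non-zero (they used to exit 0), failures of openssl/mkdir abort
# the run instead of producing a half-written directory, the extensions branch
# signs with the CA paths passed by the caller (it silently used the globals),
# the PKCS#12 password is handed to openssl via the environment instead of
# argv, and generated private keys are restricted to the owner.

set -euo pipefail

readonly ROOT_CA_DIR="certificates/root-ca"
readonly DIRSRV_CERTS_DIR="certificates/dirsrv"
readonly HTTPD_CERTS_DIR="certificates/httpd"
readonly PKINIT_CERTS_DIR="certificates/pkinit"
# Exported so openssl reads it with "-passout env:" rather than from a
# "pass:..." argument that is visible to every local user in the process list.
export PKCS12_PASSWORD="${PKCS12_PASSWORD:-SomePKCS12password}"

#######################################
# Print an error and a usage line to stderr, then exit 1.
# Arguments: $1 - error message
#            $2 - usage line (without the script name)
#######################################
die_usage() {
  printf 'ERROR: %s\n\n' "$1" >&2
  printf 'usage: %s %s\n' "$0" "$2" >&2
  exit 1
}

#######################################
# Reject a host name that cannot safely be used as a single path component.
# The host name is spliced into mkdir/rm paths below, so a value containing a
# slash or starting with a dot would escape the certificates tree.
# Arguments: $1 - host FQDN
#            $2 - usage line for the error message
#######################################
check_host_name() {
  local host=$1
  local usage=$2
  [[ -n "$host" ]] || die_usage "ipa-host-fqdn is not set" "$usage"
  if [[ "$host" == */* || "$host" == .* ]]; then
    die_usage "ipa-host-fqdn must be a plain host name" "$usage"
  fi
}

#######################################
# Create a private key, CSR, CA-signed certificate and PKCS#12 bundle.
# Globals:   PKCS12_PASSWORD (read by openssl through the environment)
# Arguments:
#   $1 - friendly name stored in the PKCS#12 bundle
#   $2 - host FQDN, used as the certificate CN
#   $3 - output directory (must exist)
#   $4 - signing CA certificate (PEM)
#   $5 - signing CA private key (PEM)
#   $6 - optional openssl extensions file
#   $7 - section of $6 to apply (required when $6 is given)
# Outputs:   private.key, request.csr, cert.pem and cert.p12 inside $3
# Returns:   aborts the script (set -e) if any openssl step fails
#######################################
generate_ipa_pkcs12_certificate() {
  local cert_name=$1
  local ipa_fqdn=$2
  local certs_dir=$3
  local root_ca_cert=$4
  local root_ca_private_key=$5
  local extensions_file=${6-}
  local extensions_name=${7-}
  local -a sign_opts=()

  # Generate CSR and private key
  openssl req -new -newkey rsa:4096 -nodes \
    -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \
    -keyout "${certs_dir}/private.key" \
    -out "${certs_dir}/request.csr"
  # Do not rely on the umask for key material.
  chmod 600 -- "${certs_dir}/private.key"

  # Sign CSR to generate PEM certificate. The extensions file is optional;
  # both cases sign with the CA the caller passed in.
  if [[ -n "${extensions_file}" ]]; then
    sign_opts=(-extfile "${extensions_file}" -extensions "${extensions_name}")
  fi
  # "${arr[@]+...}" keeps an empty array from tripping set -u on bash < 4.4.
  openssl x509 -req -days 365 -sha256 \
    -CAcreateserial \
    -CA "${root_ca_cert}" \
    -CAkey "${root_ca_private_key}" \
    ${sign_opts[@]+"${sign_opts[@]}"} \
    -in "${certs_dir}/request.csr" \
    -out "${certs_dir}/cert.pem"

  # Convert certificate to PKCS12 format
  openssl pkcs12 -export \
    -name "${cert_name}" \
    -certfile "${root_ca_cert}" \
    -in "${certs_dir}/cert.pem" \
    -inkey "${certs_dir}/private.key" \
    -passout env:PKCS12_PASSWORD \
    -out "${certs_dir}/cert.p12"
}

#######################################
# Create the root CA (once) and the dirsrv, httpd and PKINIT bundles for a host.
# Existing cert.pem files are left alone, so the function is re-runnable.
# Globals:   ROOT_CA_DIR, DIRSRV_CERTS_DIR, HTTPD_CERTS_DIR, PKINIT_CERTS_DIR
#            (read); REALM (exported before the PKINIT signing step)
# Arguments: $1 - host FQDN
#            $2 - domain; its upper-cased form is exported as REALM
# Returns:   exits 1 on missing arguments, aborts on any failing command
#######################################
generate_ipa_pkcs12_certificates() {
  local host=${1-}
  local domain=${2-}
  local -r usage="create ipa-host-fqdn domain"

  check_host_name "$host" "$usage"
  [[ -n "$domain" ]] || die_usage "domain is not set" "$usage"

  # Generate certificates folder structure
  mkdir -p -- "${ROOT_CA_DIR}" \
    "${DIRSRV_CERTS_DIR}/${host}" \
    "${HTTPD_CERTS_DIR}/${host}" \
    "${PKINIT_CERTS_DIR}/${host}"

  # Generate root CA (only when absent, so it is shared by every host)
  if [[ ! -f "${ROOT_CA_DIR}/private.key" ]]; then
    openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096
    chmod 600 -- "${ROOT_CA_DIR}/private.key"
    openssl req -new -x509 -sha256 -nodes -days 3650 \
      -subj "/C=US/ST=Test/L=Testing/O=Default" \
      -key "${ROOT_CA_DIR}/private.key" \
      -out "${ROOT_CA_DIR}/cert.pem"
  fi

  # Generate a certificate for the Directory Server
  if [[ ! -f "${DIRSRV_CERTS_DIR}/${host}/cert.pem" ]]; then
    generate_ipa_pkcs12_certificate "dirsrv-cert" "$host" \
      "${DIRSRV_CERTS_DIR}/${host}" \
      "${ROOT_CA_DIR}/cert.pem" "${ROOT_CA_DIR}/private.key"
  fi

  # Generate a certificate for the Apache server
  if [[ ! -f "${HTTPD_CERTS_DIR}/${host}/cert.pem" ]]; then
    generate_ipa_pkcs12_certificate "httpd-cert" "$host" \
      "${HTTPD_CERTS_DIR}/${host}" \
      "${ROOT_CA_DIR}/cert.pem" "${ROOT_CA_DIR}/private.key"
  fi

  # Generate a certificate for the KDC PKINIT
  if [[ ! -f "${PKINIT_CERTS_DIR}/${host}/cert.pem" ]]; then
    # REALM is exported before signing; presumably extensions.conf reads it
    # (e.g. via $ENV::REALM) — confirm against that file.
    export REALM="${domain^^}"
    generate_ipa_pkcs12_certificate "pkinit-cert" "$host" \
      "${PKINIT_CERTS_DIR}/${host}" \
      "${ROOT_CA_DIR}/cert.pem" "${ROOT_CA_DIR}/private.key" \
      "${PKINIT_CERTS_DIR}/extensions.conf" "kdc_cert"
  fi
}

#######################################
# Remove every generated file for a host and the root CA itself.
# Globals:   ROOT_CA_DIR (read)
# Arguments: $1 - host FQDN
# Returns:   exits 1 on a missing or unsafe host name
#######################################
delete_ipa_pkcs12_certificates() {
  local host=${1-}
  check_host_name "$host" "delete ipa-host-fqdn"

  # ":?" is a second guard: an empty value would turn these globs into
  # "certificates/*//*" and "/*".
  rm -f -- certificates/*/"${host:?}"/*
  rm -f -- "${ROOT_CA_DIR:?}"/*
}

#######################################
# Entrypoint: dispatch on the sub-command.
# Arguments: $1 - create|delete, remaining arguments are passed through
# Returns:   exits 2 on an unknown sub-command
#######################################
main() {
  case "${1-}" in
    create) generate_ipa_pkcs12_certificates "${2-}" "${3-}" ;;
    delete) delete_ipa_pkcs12_certificates "${2-}" ;;
    *)
      printf 'Usage: %s {create|delete}\n' "$0" >&2
      exit 2
      ;;
  esac
}

main "$@"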