#!/usr/bin/env bash ROOT_CA_DIR="certificates/root-ca" DIRSRV_CERTS_DIR="certificates/dirsrv" HTTPD_CERTS_DIR="certificates/httpd" PKINIT_CERTS_DIR="certificates/pkinit" PKCS12_PASSWORD="SomePKCS12password" # generate_ipa_pkcs12_certificate \ # $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name function generate_ipa_pkcs12_certificate { cert_name=$1 ipa_fqdn=$2 certs_dir=$3 root_ca_cert=$4 root_ca_private_key=$5 extensions_file=$6 extensions_name=$7 # Generate CSR and private key openssl req -new -newkey rsa:4096 -nodes \ -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \ -keyout "${certs_dir}/private.key" \ -out "${certs_dir}/request.csr" # Sign CSR to generate PEM certificate if [ -z "${extensions_file}" ]; then openssl x509 -req -days 365 -sha256 \ -CAcreateserial \ -CA "${root_ca_cert}" \ -CAkey "${root_ca_private_key}" \ -in "${certs_dir}/request.csr" \ -out "${certs_dir}/cert.pem" else openssl x509 -req -days 365 -sha256 \ -CAcreateserial \ -CA "${ROOT_CA_DIR}/cert.pem" \ -CAkey "${ROOT_CA_DIR}/private.key" \ -extfile "${extensions_file}" \ -extensions "${extensions_name}" \ -in "${certs_dir}/request.csr" \ -out "${certs_dir}/cert.pem" fi # Convert certificate to PKCS12 format openssl pkcs12 -export \ -name "${cert_name}" \ -certfile "${root_ca_cert}" \ -in "${certs_dir}/cert.pem" \ -inkey "${certs_dir}/private.key" \ -passout "pass:${PKCS12_PASSWORD}" \ -out "${certs_dir}/cert.p12" } # generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain function generate_ipa_pkcs12_certificates { host=$1 if [ -z "$host" ]; then echo "ERROR: ipa-host-fqdn is not set" echo echo "usage: $0 create ipa-host-fqdn domain" exit 0; fi domain=$2 if [ -z "$domain" ]; then echo "ERROR: domain is not set" echo echo "usage: $0 create ipa-host-fqdn domain" exit 0; fi # Generate certificates folder structure mkdir -p "${ROOT_CA_DIR}" mkdir -p "${DIRSRV_CERTS_DIR}/$host" mkdir -p "${HTTPD_CERTS_DIR}/$host" mkdir -p "${PKINIT_CERTS_DIR}/$host" # Generate root CA if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then openssl genrsa \ -out "${ROOT_CA_DIR}/private.key" 4096 openssl req -new -x509 -sha256 -nodes -days 3650 \ -subj "/C=US/ST=Test/L=Testing/O=Default" \ -key "${ROOT_CA_DIR}/private.key" \ -out "${ROOT_CA_DIR}/cert.pem" fi # Generate a certificate for the Directory Server if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then generate_ipa_pkcs12_certificate \ "dirsrv-cert" \ "$host" \ "${DIRSRV_CERTS_DIR}/$host" \ "${ROOT_CA_DIR}/cert.pem" \ "${ROOT_CA_DIR}/private.key" fi # Generate a certificate for the Apache server if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then generate_ipa_pkcs12_certificate \ "httpd-cert" \ "$host" \ "${HTTPD_CERTS_DIR}/$host" \ "${ROOT_CA_DIR}/cert.pem" \ "${ROOT_CA_DIR}/private.key" fi # Generate a certificate for the KDC PKINIT if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then export REALM=${domain^^} generate_ipa_pkcs12_certificate \ "pkinit-cert" \ "$host" \ "${PKINIT_CERTS_DIR}/$host" \ "${ROOT_CA_DIR}/cert.pem" \ "${ROOT_CA_DIR}/private.key" \ "${PKINIT_CERTS_DIR}/extensions.conf" \ "kdc_cert" fi } # delete_ipa_pkcs12_certificates $ipa_fqdn function delete_ipa_pkcs12_certificates { host=$1 if [ -z "$host" ]; then echo "ERROR: ipa-host-fqdn is not set" echo echo "usage: $0 delete ipa-host-fqdn" exit 0; fi rm -f certificates/*/"$host"/* rm -f "${ROOT_CA_DIR}"/* } # Entrypoint case "$1" in create) generate_ipa_pkcs12_certificates "$2" "$3" ;; delete) delete_ipa_pkcs12_certificates "$2" ;; *) echo $"Usage: $0 {create|delete}" ;; esac