The generated certificates were X.509 v1, which is no longer supported; only X.509 v3 is. A new certificates/extensions.conf file has been added to produce v3 certificates. The existing certificates/pkinit/extensions.conf has been renamed to certificates/pkinit-extensions.conf with additional changes; for example, the "[kdc_cert]" section had to be removed for v3. The extension config files use environment variables, which generate-certificates.sh sets before calling openssl. The generate-certificates.sh script has been reworked into a simpler structure, and new options have been added: "ca" and "cleanup".
#!/usr/bin/env bash
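# Abort on the first failing command (e.g. an openssl invocation) instead of
# silently continuing with a half-built certificate tree and exit status 0.
set -e -o pipefail

# All generated material lives below this directory, relative to the cwd.
CERTIFICATES="certificates"
# Root CA key, certificate and serial file.
ROOT_CA_DIR="${CERTIFICATES}/root-ca"
# Per-service directories; each holds one <host-fqdn>/ sub-directory per host.
DIRSRV_CERTS_DIR="${CERTIFICATES}/dirsrv"
HTTPD_CERTS_DIR="${CERTIFICATES}/httpd"
PKINIT_CERTS_DIR="${CERTIFICATES}/pkinit"
# X.509 v3 extension configs handed to "openssl x509 -extfile".
EXTENSIONS_CONF="${CERTIFICATES}/extensions.conf"
PKINIT_EXTENSIONS_CONF="${CERTIFICATES}/pkinit-extensions.conf"
# Password protecting the exported PKCS#12 bundles.  The default is a
# well-known TEST value; it can be overridden from the environment, e.g.
#   PKCS12_PASSWORD=... ./generate-certificates.sh create host.example.com
PKCS12_PASSWORD="${PKCS12_PASSWORD:-SomePKCS12password}"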
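# create_ca \
#   $domain_name
#
# Create the test root CA below ${ROOT_CA_DIR}: an RSA-4096 key and a
# self-signed certificate.  Existing CA material is kept so that host
# certificates issued earlier keep chaining to the same root.  Exports
# REALM_NAME (the upper-cased domain) for the openssl extension configs.
# Exits 1 on a usage error or when openssl fails.
function create_ca {
    local domain_name=$1
    if [[ -z "${domain_name}" ]]; then
        echo "ERROR: domain is not set" >&2
        echo >&2
        echo "usage: $0 ca <domain>" >&2
        exit 1
    fi
    local realm=${domain_name^^}

    export REALM_NAME=${realm}

    # Create certificates folder structure
    mkdir -p "${ROOT_CA_DIR}" || exit 1

    # Create root CA
    if [[ ! -f "${ROOT_CA_DIR}/private.key" ]]; then
        # The CA key is deliberately NOT encrypted: it is used
        # non-interactively as -CAkey when signing host certificates.
        # This is test material only.  Recent OpenSSL writes the key with
        # mode 0600; on older builds run with "umask 077".
        openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096 || {
            echo "ERROR: root CA key generation failed" >&2
            rm -f -- "${ROOT_CA_DIR}/private.key"
            exit 1
        }

        # Self-signed root certificate, 1826 days = 5 years.  On failure the
        # key is removed again so that a re-run regenerates both files.
        openssl req -x509 -new -nodes -sha256 -days 1826 \
            -subj "/C=US/ST=Test/L=Testing/O=Default/CN=Test Root CA" \
            -key "${ROOT_CA_DIR}/private.key" \
            -out "${ROOT_CA_DIR}/cert.pem" || {
            echo "ERROR: root CA certificate generation failed" >&2
            rm -f -- "${ROOT_CA_DIR}/private.key"
            exit 1
        }
    fi
}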
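# create_host_pkcs12_certificate \
#   $cert_name $certs_dir $root_ca_cert $extensions_file
#
# Issue one service certificate signed by the root CA and bundle it with its
# key as PKCS#12.  Writes private.key, request.csr, cert.pem and cert.p12
# into $certs_dir.  $cert_name becomes the subject CN and the PKCS#12
# friendly name; host-specific data is expected to come from
# $extensions_file (the extension configs read HOST_FQDN / REALM_NAME from
# the environment).  Returns 1 on bad arguments, a missing CA or extension
# file, or when any openssl step fails.
function create_host_pkcs12_certificate {
    local cert_name=$1
    local certs_dir=$2
    local root_ca_cert=$3
    local extensions_file=$4
    local ca_key="${ROOT_CA_DIR}/private.key"
    local f

    if [[ -z "${cert_name}" || -z "${certs_dir}" || -z "${root_ca_cert}" \
          || -z "${extensions_file}" ]]; then
        echo "ERROR: create_host_pkcs12_certificate: missing argument" >&2
        return 1
    fi
    # Fail early with a clear message (and without a half-written key/CSR)
    # instead of a cryptic openssl error when the CA or extfile is absent.
    for f in "${root_ca_cert}" "${ca_key}" "${extensions_file}"; do
        if [[ ! -f "${f}" ]]; then
            echo "ERROR: required file not found: ${f}" >&2
            return 1
        fi
    done
    mkdir -p "${certs_dir}" || return 1

    # Create CSR and (unencrypted, -nodes) private key
    openssl req -new -nodes -newkey rsa:4096 \
        -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${cert_name}" \
        -keyout "${certs_dir}/private.key" \
        -out "${certs_dir}/request.csr" || return 1

    # Sign CSR to create PEM certificate; the X.509 v3 extensions (SAN etc.)
    # come from -extfile.  1460 days = 4 years.
    openssl x509 -req -days 1460 -sha256 -CAcreateserial \
        -CAkey "${ca_key}" \
        -CA "${root_ca_cert}" \
        -in "${certs_dir}/request.csr" \
        -out "${certs_dir}/cert.pem" \
        -extfile "${extensions_file}" || return 1

    # Convert certificate to PKCS12 format (key + cert + CA cert).  The
    # password is passed through the environment (env:) rather than as a
    # "pass:" argument so it does not show up in "ps" output.
    PKCS12_PASSWORD="${PKCS12_PASSWORD}" openssl pkcs12 -export \
        -name "${cert_name}" \
        -certfile "${root_ca_cert}" \
        -passout env:PKCS12_PASSWORD \
        -inkey "${certs_dir}/private.key" \
        -in "${certs_dir}/cert.pem" \
        -out "${certs_dir}/cert.p12" || return 1
}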
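# create_host_certificates \
#   $host_fqdn $domain_name
#
# Create the dirsrv, httpd and PKINIT certificates (PEM + PKCS#12) for one
# host below ${DIRSRV_CERTS_DIR}/<fqdn>, ${HTTPD_CERTS_DIR}/<fqdn> and
# ${PKINIT_CERTS_DIR}/<fqdn>.  $domain_name defaults to $host_fqdn with its
# first label removed.  The root CA is created on first use.  A host
# directory that already holds a cert.pem is skipped, so re-running is
# idempotent.  Exports HOST_FQDN and REALM_NAME for the openssl extension
# configs.  Exits 1 on a usage error or when certificate creation fails.
function create_host_certificates {
    local host_fqdn=$1
    if [[ -z "${host_fqdn}" ]]; then
        echo "ERROR: host-fqdn is not set" >&2
        echo >&2
        echo "usage: $0 create <host-fqdn> [<domain>]" >&2
        exit 1
    fi
    # The FQDN becomes a path component below: allow only host-name
    # characters and require a leading alphanumeric, so that "/", "." and
    # ".." cannot point outside the certificates tree.
    if [[ ! "${host_fqdn}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
        echo "ERROR: invalid host-fqdn '${host_fqdn}'" >&2
        exit 1
    fi

    local domain_name=$2
    if [[ -z "${domain_name}" ]]; then
        # Derive the domain by dropping the first label.  An unqualified
        # name has no domain part; the previous "${host_fqdn#*.*}" silently
        # yielded the host name itself in that case.
        if [[ "${host_fqdn}" == *.* ]]; then
            domain_name=${host_fqdn#*.}
        fi
    fi
    if [[ -z "${domain_name}" ]]; then
        echo "ERROR: domain is not set and can not be created from host fqdn" >&2
        echo >&2
        echo "usage: $0 create <host-fqdn> [<domain>]" >&2
        exit 1
    fi
    local realm=${domain_name^^}

    export HOST_FQDN=${host_fqdn}
    export REALM_NAME=${realm}

    if [[ ! -f "${ROOT_CA_DIR}/private.key" ]]; then
        create_ca "${domain_name}"
    fi

    # Create certificates folder structure
    local dir
    for dir in "${DIRSRV_CERTS_DIR}" "${HTTPD_CERTS_DIR}" "${PKINIT_CERTS_DIR}"; do
        mkdir -p "${dir}/${host_fqdn}" || exit 1
    done

    # Create a certificate for the Directory Server
    if [[ ! -f "${DIRSRV_CERTS_DIR}/${host_fqdn}/cert.pem" ]]; then
        create_host_pkcs12_certificate \
            "dirsrv-cert" \
            "${DIRSRV_CERTS_DIR}/${host_fqdn}" \
            "${ROOT_CA_DIR}/cert.pem" \
            "${EXTENSIONS_CONF}" || exit 1
    fi

    # Create a certificate for the Apache server
    if [[ ! -f "${HTTPD_CERTS_DIR}/${host_fqdn}/cert.pem" ]]; then
        create_host_pkcs12_certificate \
            "httpd-cert" \
            "${HTTPD_CERTS_DIR}/${host_fqdn}" \
            "${ROOT_CA_DIR}/cert.pem" \
            "${EXTENSIONS_CONF}" || exit 1
    fi

    # Create a certificate for the KDC PKINIT; it needs its own extension
    # config rather than the generic one.
    if [[ ! -f "${PKINIT_CERTS_DIR}/${host_fqdn}/cert.pem" ]]; then
        create_host_pkcs12_certificate \
            "pkinit-cert" \
            "${PKINIT_CERTS_DIR}/${host_fqdn}" \
            "${ROOT_CA_DIR}/cert.pem" \
            "${PKINIT_EXTENSIONS_CONF}" || exit 1
    fi
}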
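# delete_host_certificates \
#   $host_fqdn
#
# Remove every per-host directory ${CERTIFICATES}/*/<host-fqdn>/ (dirsrv,
# httpd and pkinit).  The root CA is left in place.  Exits 1 on a usage
# error or a host name that is not a plain path component.
function delete_host_certificates {
    local host_fqdn=$1
    if [[ -z "${host_fqdn}" ]]; then
        echo "ERROR: host-fqdn is not set" >&2
        echo >&2
        echo "usage: $0 delete <host-fqdn>" >&2
        exit 1
    fi
    # $host_fqdn is spliced into an "rm -rf" path: refuse anything that is
    # not a plain host name so that "/" or ".." cannot escape the tree.
    if [[ ! "${host_fqdn}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
        echo "ERROR: invalid host-fqdn '${host_fqdn}'" >&2
        exit 1
    fi

    # ${CERTIFICATES:?} aborts instead of expanding to "/*/<host>/" should
    # the variable ever be empty.
    rm -rf -- "${CERTIFICATES:?}"/*/"${host_fqdn}"/
}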
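# cleanup
#
# Remove all generated material: every directory below ${CERTIFICATES}
# (the root CA and all per-host directories).  Plain files directly in
# ${CERTIFICATES}, i.e. the extension config files, are kept.  Takes no
# arguments.
function cleanup {
    # ${CERTIFICATES:?} aborts instead of running "rm -rf /*/" should the
    # variable ever be empty.
    rm -rf -- "${CERTIFICATES:?}"/*/
}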
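# Entrypoint: dispatch on the sub-command.  The script's exit status is the
# status of the selected function; an unknown sub-command exits 1 so that
# callers (CI, playbooks) notice the mistake.
case "${1:-}" in
    ca)
        create_ca "${2:-}"
        ;;
    create)
        create_host_certificates "${2:-}" "${3:-}"
        ;;
    delete)
        delete_host_certificates "${2:-}"
        ;;
    cleanup)
        cleanup
        ;;
    ""|-h|--help)
        # Help requested (or no arguments at all): usage on stdout, success.
        echo "Usage: $0 {create|delete|ca|cleanup}"
        ;;
    *)
        echo "Usage: $0 {create|delete|ca|cleanup}" >&2
        exit 1
        ;;
esac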