#!/bin/bash -e
# 
# create_rhui_ssl_certs.sh generates the SSL certificates needed for a RHUI installation
#
# USAGE: create_rhui_ssl_certs.sh [rhua.fqdn] [cds1.fqdn] [cds2.fqdn] ...
#
# Authors:
#   John Boero <jboero@redhat.com>
#   Matthew Mariani <mmariani@redhat.com>
#   John Matthews <jmatthews@redhat.com>
#   Ian Pilcher <ipilcher@redhat.com>
#   Vitaly Kuznetsov <vitty@redhat.com>
######################
# VARIABLES
######################
# Below parameters will be used to form the 'subject' of the generated SSL certificates
#   C=Country Code
#   ST=State (fully spelled)
#   L=City
#   O=Org
#   OU=Org Unit
#   EMAIL=Email displayed in certificate
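C="US"
ST="North Carolina"
L="Raleigh"
O="RHUI_Org"
OU="RHUI_Org_Unit"
EMAIL="$USER@$(hostname)"
# Declared for the (currently commented-out) --noencrypt option. Nothing below
# reads it yet, so every private key is written unencrypted regardless of it.
ENCRYPT_KEYS=1
# Quoted and passed after '--' so a script path with spaces or a leading '-'
# does not break basename.
PROG=$(basename -- "$0")
OUTPUT=$(pwd)
VERBOSE=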

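#######################################
# Print the command-line help to stdout and exit with status 2.
# Globals (read): OUTPUT C ST L O OU EMAIL - shown as the current defaults
# Arguments: none
# Returns:   never; exits 2
#######################################
usage() {
  # Unquoted delimiter on purpose: $0 and the default values are expanded.
  cat <<EOF
Generate SSL certificates needed for a RHUI installation

$0 [options] RHUA_HOSTNAME CDS1_HOSTNAME [CDS2_HOSTNAME] [CDS3_HOSTNAME] ...

Options
 -o, --output        Output directory (default: $OUTPUT)
 --country           Country Code (default: $C)
 --state             State (fully spelled) (default: $ST)
 --location          City (default: $L)
 --org               Organization (default: $O)
 --orgunit           Organizational unit (default: $OU)
 --email             Email (default: $EMAIL)
 -h, --help          Help
 --noencrypt         Do not encrypt keys
EOF
  exit 2
}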

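#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $1 - message, printed verbatim (printf rather than echo, so a
#            message starting with '-' or containing backslashes is not mangled)
# Returns:   never; exits 1
#######################################
error() {
  printf '%s\n' "$1" >&2
  exit 1
}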

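# Directory this script lives in (the commented-out template check below looks
# for the openssl_*.template files here). Quoted so a path with spaces works.
SOURCE_DIR=$(dirname -- "$0")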

# GNU enhanced getopt is used here
#ARGS=`getopt --name "$PROG" --long country:,state:,location:,org:,orgunit:,email:,noencrypt,output:,help,verbose --options ho:v -- "$@"`
#if [ $? -ne 0 ]; then
#  echo "$PROG: usage error (use -h for help)" >&2
#  exit 2
#fi
#eval set -- $ARGS
#
#while [ $# -gt 0 ]; do
#    case "$1" in
#        -h | --help)     usage;;
#        -o | --output)   OUTPUT="$2"; shift;;
#        --country)       C="$2"; shift;;
#        --state)         ST="$2"; shift;;
#        --location)      L="$2"; shift;;
#        --org)           O="$2"; shift;;
#        --orgunit)       OU="$2"; shift;;
#        --email)         EMAIL="$2"; shift;;
#        --noencrypt)     ENCRYPT_KEYS=0;;
#        -v | --verbose)  VERBOSE=1;;
#        --)              shift; break;; # end of options
#    esac
#    shift
#done

#if [ $# -lt 2 ]; then
#usage
#fi

# Verbose mode
#[ ! -z "$VERBOSE" ] && set -x

# Check if we have all required files
#for sfile in answers.template openssl_ca.template openssl_server.template; do
#[ ! -f "$SOURCE_DIR/$sfile" ] && error "Can't find $sfile in $SOURCE_DIR"
#done

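# The error handling below relies on errexit (several openssl calls have no
# explicit check). The shebang's "-e" is dropped when the script is started as
# "bash create_rhui_ssl_certs.sh", so re-assert it here.
set -e

#######################################
# Print a status line in green, the same escape sequence the script has always
# used, without passing the text through echo -e.
# Arguments: $* - text
#######################################
msg() {
  printf '\033[32m%s\033[0m\n' "$*"
}

#######################################
# Emit the answers 'openssl req' reads from stdin: the subject fields from the
# top of the script, the given CN, the e-mail, then two '.' answers for
# whatever extra attributes the (downloaded) template prompts for.
# Globals (read): C ST L O OU EMAIL
# Arguments: $1 - common name
# Outputs:   one answer per line on stdout
#######################################
req_answers() {
  printf '%s\n' "$C" "$ST" "$L" "$O" "$OU" "$1" "$EMAIL" . .
}

#######################################
# Generate an unencrypted 2048-bit RSA private key.
# ENCRYPT_KEYS is never consulted, so the key is always in the clear; the file
# is therefore restricted to its owner as soon as it exists instead of being
# left at the umask default.
# Arguments: $1 - output path
# Returns:   0, or exits via error() when openssl fails
#######################################
gen_key() {
  openssl genrsa -out "$1" 2048 || error "openssl genrsa -out $1 2048 failed with exit code $?"
  chmod 0600 -- "$1"
}

#######################################
# Create a CSR for an existing key, driven by the currently exported
# OPENSSL_CONF.
# Arguments: $1 - private key path
#            $2 - CSR output path
#            $3 - common name
#######################################
gen_csr() {
  req_answers "$3" | openssl req -new -key "$1" -out "$2"
}

# Create output directory if it doesn't exist
[ -d "$OUTPUT" ] || mkdir -- "$OUTPUT"

# Change to output directory
pushd "$OUTPUT"

CERT_DIR="$(pwd)/certs"

#args=("$@")

# TODO(review): option parsing above is commented out, so the RHUA hostname is a
# hard-coded placeholder and this debug echo survives. Restore the getopt block
# and take RHUA from the first positional argument before relying on the output.
RHUA='test'
echo "RHUA = ${RHUA}"

# Shift args to skip first one.
#shift

# Cleanup for previous runs. ${CERT_DIR:?} aborts the script rather than handing
# rm -rf an empty word should CERT_DIR ever be unset; quoting keeps a path with
# spaces from splitting into several targets.
rm -rf -- root-ca server-ca answers "${CERT_DIR:?}"

# Copy answers template and replace RHUA
#cat "$SOURCE_DIR/answers.template" | sed "s/###RHUAHOST###/$RHUA/g" > answers
#sed -i "s|###CERT_DIR###|${CERT_DIR}|g" answers

mkdir -p root-ca/{private,newcerts} server-ca/{private,newcerts} "${CERT_DIR}"
chmod 0700 root-ca/private server-ca/private
touch root-ca/index.txt server-ca/index.txt
echo 01 > root-ca/serial
echo 01 > server-ca/serial

# The OpenSSL CA configuration is fetched over plain HTTP with no integrity
# check, and the result becomes OPENSSL_CONF for every CA operation below
# (policy, extensions, key usage). Treat it as untrusted input: a vetted copy
# shipped next to the script would be preferable (the commented-out SOURCE_DIR
# check above was written for exactly that). "-O" pins the output name so a
# re-run in the same OUTPUT does not save a ".1" copy and silently reuse the
# stale template, and a failed fetch aborts instead of feeding sed an empty file.
TEMPLATE_URL='http://zhongyong.usersys.redhat.com/pub'
for tmpl in openssl_ca.template openssl_server.template; do
  wget -O "./${tmpl}" "${TEMPLATE_URL}/${tmpl}" || error "download of ${tmpl} failed with exit code $?"
done
sed "s#___DIR___#$(pwd)/root-ca#" ./openssl_ca.template > root-ca/openssl.cnf
sed "s#___DIR___#$(pwd)/server-ca#" ./openssl_server.template > server-ca/openssl.cnf

# --- Root CA: self-signed, 7305 days ---------------------------------------
pushd root-ca
export OPENSSL_CONF="$(pwd)/openssl.cnf"
msg "Generate private key for root"
gen_key private/root-ca-key.pem
req_answers "${O} RHUI Root CA" | openssl req -new -x509 -days 7305 -key private/root-ca-key.pem -out root-ca-cert.pem
popd

# --- Server CA: key + CSR, signed by the root ------------------------------
pushd server-ca
export OPENSSL_CONF="$(pwd)/openssl.cnf"
msg "Generate private key for server CA"
gen_key private/server-ca-key.pem
gen_csr private/server-ca-key.pem server-ca-req.pem "${O} RHUI Server CA"
cp -- server-ca-req.pem ../root-ca/
popd

pushd root-ca
export OPENSSL_CONF="$(pwd)/openssl.cnf"
msg "Sign CSR and chain"
openssl ca -in server-ca-req.pem -out server-ca-cert.pem -batch || error "openssl ca -in server-ca-req.pem -out server-ca-cert.pem -batch failed with exit code $?"
cat server-ca-cert.pem root-ca-cert.pem > server-ca-chain.pem
cp -- server-ca-cert.pem server-ca-chain.pem ../server-ca
popd

# --- Entitlement CA: key + CSR, signed by the root -------------------------
pushd server-ca
export OPENSSL_CONF="$(pwd)/openssl.cnf"
msg "Generate private key for entitlement CA"
# This key is written to server-ca/ itself rather than private/, which is where
# the final copy step below picks it up from.
gen_key entitlement-ca-key.pem
# CN text kept as-is ("RHUI i CA"); it becomes the issuer name of the client
# entitlement certificates.
gen_csr entitlement-ca-key.pem entitlement-ca-req.pem "${O} RHUI i CA"
cp -- entitlement-ca-req.pem ../root-ca/
popd

pushd root-ca
export OPENSSL_CONF="$(pwd)/openssl.cnf"
###
# Entitlement CA is used to sign the certificates given to yum clients to access content
##
msg "Sign and chain"
openssl ca -in entitlement-ca-req.pem -out entitlement-ca-cert.pem -batch || error "openssl ca -in entitlement-ca-req.pem -out entitlement-ca-cert.pem -batch failed with exit code $?"
cat entitlement-ca-cert.pem root-ca-cert.pem > entitlement-ca-chain.pem
popd

# --- RHUA server certificate, signed by the server CA ----------------------
pushd server-ca
export OPENSSL_CONF="$(pwd)/openssl.cnf"
msg "Generate RHUA"
gen_key "${RHUA}-key.pem"
gen_csr "${RHUA}-key.pem" "${RHUA}-req.pem" "${RHUA}"
openssl ca -in "${RHUA}-req.pem" -out "${RHUA}-cert.pem" -batch || error "openssl ca -in ${RHUA}-req.pem -out ${RHUA}-cert.pem -batch failed with exit code $?"
cp -f -- "${RHUA}-cert.pem" "${RHUA}-key.pem" "${CERT_DIR}"
popd

# Collect the artefacts the installer needs. Note that the entitlement CA's
# private key ends up in CERT_DIR alongside the public material.
cp -f -- root-ca/entitlement-ca-chain.pem root-ca/server-ca-chain.pem root-ca/root-ca-cert.pem server-ca/entitlement-ca-key.pem "${CERT_DIR}"

popd

msg "Result certs copied to ${CERT_DIR} "
#echo -e "\033[32mDone preparing SSL chain and answers file.\033[0m"
#echo -e "\033[32mNow run rhui installer with $OUTPUT/answers file.  Check it first.\033[0m"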
