This repository has been archived by the owner on Dec 7, 2022. It is now read-only.
/
nss-db-gen
executable file
·224 lines (185 loc) · 4.53 KB
/
nss-db-gen
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
#!/bin/bash
# Copyright (c) 2010 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
#
DIR="/tmp/tmp$RANDOM"
HOST=`hostname`
PWDFILE="password"
SEEDFILE="seed"
INST_DIR='/tmp/redhat/qpid'
DB_PASSWORD=""
VALID="12"
CA_PATH=""
echo ""
echo "Working in: $DIR"
echo ""
#
# ========== SETUP ============
#
# prompt user for install directory
echo ""
echo "Please specify a directory into which the created NSS database
and associated certificates will be installed."
echo ""
read -p "Enter a directory [$INST_DIR]:" ans
if [ "${#ans}" -gt 0 ]
then
INST_DIR=$ans
fi
echo $INST_DIR
# prompt user for install directory
while [ "${#DB_PASSWORD}" -eq 0 ]; do
echo ""
read -sp "Enter NSS database password:" DB_PASSWORD
done
echo ""
# prompt user for existing CA.
# must contain both key & certificate
echo ""
echo "Please specify a CA. Generated if not specified."
echo ""
read -p "Enter a path: " ans
if [ "${#ans}" -gt 0 ]
then
CA_PATH=$ans
echo "Using CA: $CA_PATH"
fi
# create temporary db directory
rm -rf $DIR
mkdir $DIR
cd $DIR
#
# ========== KEY SEED ===========
#
touch $SEEDFILE
i=0
while [ $i -lt 20 ]; do
echo $RANDOM >> $SEEDFILE
i=`expr $i + 1`
done
#
# ========== PASSWORD ===========
#
# create the password file
echo "$DB_PASSWORD" > $PWDFILE
echo ""
echo "Password file created."
#
# ========== DATABASE ============
#
# create the nss db
certutil -N -d . -f $PWDFILE
echo ""
echo "Database created."
#
# =========== CA =================
#
# create/import the CA cert
echo ""
if [ "$CA_PATH" = "" ]
then
echo "Creating CA certificate:"
SUBJECT="CN=redhat,O=pulp,ST=Alabama,C=US"
certutil -S -d . -n "ca" -s $SUBJECT -t "TC,," -f $PWDFILE -z $SEEDFILE -x -v $VALID
else
openssl pkcs12 -export -in $CA_PATH -out ca.p12 -name "ca"
pk12util -d . -n "ca" -i ca.p12
certutil -M -d . -n "ca" -t "TCu,Cu,Tuw"
echo "CA certificate: $CA_PATH, imported"
fi
certutil -L -d . -n "ca" -a -o ca.crt -f $PWDFILE
echo "CA created"
#
# =========== BROKER =============
#
# create broker cert signing request
echo ""
echo "Creating BROKER certificate:"
SUBJECT="CN=$HOST,O=pulp,ST=Alabama,C=US"
certutil -R -d . -s $SUBJECT -a -o broker.req -f $PWDFILE -z $SEEDFILE
# sign the broker cert w/ CA
certutil -C -d . -c "ca" -v $VALID -uV -m1 -a -i broker.req -f $PWDFILE -o broker.crt
# import the broker cert
certutil -A -d . -n "broker" -t ",," -a -i broker.crt
echo "Broker certificate created."
#
# =========== CLIENT =============
#
# create the nss db
mkdir client
certutil -N -d client -f $PWDFILE
# create client cert signing request
echo ""
echo "Creating CLIENT certificate:"
SUBJECT="CN=client,O=pulp,ST=Alabama,C=US"
certutil -R -d client -s $SUBJECT -a -o client.req -f $PWDFILE -z $SEEDFILE
# sign the client cert w/ CA
certutil -C -d . -c "ca" -v $VALID -uC -m2 -a -i client.req -f $PWDFILE -o client.crt
# import the client cert
certutil -A -d client -n "client" -t ",," -a -i client.crt
echo "Client certificate created."
# export client p12 bundle
pk12util -d client -n "client" -o client.p12
# using openssl, generate a key & cert using the p12.
openssl pkcs12 -in client.p12 -nodes -out client.crt
echo "Client key & certificate exported"
#
# =========== INSTALL =============
#
# clean unused artifacts
rm -f *.req
rm -f *.p12
rm -rf client
# create target directory and install files
mkdir -p $INST_DIR
mkdir -p $INST_DIR/nss
cp $DIR/*.crt $INST_DIR
cp $DIR/*.db $INST_DIR/nss
cp $DIR/$PWDFILE $INST_DIR/nss
# update perms
chmod 644 $INST_DIR/*.crt
chmod 644 $INST_DIR/nss/*
echo ""
echo "Artifacts copied to: $INST_DIR."
echo ""
#
# =========== POST =============
#
echo "Please update /etc/qpidd.conf as follows:"
echo "
....
auth=no
....
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=$INST_DIR/nss
ssl-cert-password-file=$INST_DIR/nss/password
ssl-cert-name=broker
ssl-port=5674
...
"
echo ""
echo "Please configure gofer as follows:"
echo "
...
[messaging]
url=ssl://<host>:5674
cacert=$INST_DIR/ca.crt
clientcert=$INST_DIR/client.crt
"
#
# =========== CLEANUP =============
#
cd /tmp
rm -rf $DIR