+++ /dev/null
-#!/bin/bash
-# Author: Jan Vcelak <jvcelak@redhat.com>
-
-set -e
-
-# default options
-
-CERTDB_DIR=/etc/openldap/certs
-CERT_NAME="OpenLDAP Server"
-PASSWORD_FILE=
-HOSTNAME_FQDN="$(hostname --fqdn)"
-ALT_NAMES=
-ONCE=0
-
-# internals
-
-RANDOM_SOURCE=/dev/urandom
-CERT_RANDOM_BYTES=256
-CERT_KEY_TYPE=rsa
-CERT_KEY_SIZE=1024
-CERT_VALID_MONTHS=12
-
-# parse arguments
-
-usage() {
- printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
- printf " [-p password-file] [-h hostnames]\n" >&2
- printf " [-a dns-alt-names] [-o]\n" >&2
- exit 1
-}
-
-while getopts "d:n:p:h:a:o" opt; do
- case "$opt" in
- d)
- CERTDB_DIR="$OPTARG"
- ;;
- n)
- CERT_NAME="$OPTARG"
- ;;
- p)
- PASSWORD_FILE="$OPTARG"
- ;;
- h)
- HOSTNAME_FQDN="$OPTARG"
- ;;
- a)
- ALT_NAMES="$OPTARG"
- ;;
- o)
- ONCE=1
- ;;
- \?)
- usage
- ;;
- esac
-done
-
-[ "$OPTIND" -le "$#" ] && usage
-
-# generated options
-
-ONCE_FILE="$CERTDB_DIR/.slapd-leave"
-PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
-ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
-
-# verify target location
-
-if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
- printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
- exit 0
-fi
-
-if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
- printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
- exit 1
-fi
-
-printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
-
-if [ ! -r "$PASSWORD_FILE" ]; then
- printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
- exit 1
-fi
-
-if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
- printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
- exit 1
-fi
-
-# generate server certificate (self signed)
-
-
-CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
-dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
-
-certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
- -S -x -n "$CERT_NAME" \
- -s "CN=$HOSTNAME_FQDN" \
- -t TC,, \
- -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
- -v $CERT_VALID_MONTHS \
- -8 "$ALT_NAMES" \
- &>/dev/null
-
-rm -f $CERT_RANDOM
-
-# tune permissions
-
-if [ "$(id -u)" -eq 0 ]; then
- chgrp ldap "$PASSWORD_FILE"
- chmod g+r "$PASSWORD_FILE"
-else
- printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
- printf " load it's private key from the certificate database.\n" >&2
-fi
-
-touch "$ONCE_FILE"
-exit 0