diff options
Diffstat (limited to 'bin/deploy_cert.slapd.sh')
| -rwxr-xr-x | bin/deploy_cert.slapd.sh | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/bin/deploy_cert.slapd.sh b/bin/deploy_cert.slapd.sh new file mode 100755 index 0000000..e40060d --- /dev/null +++ b/bin/deploy_cert.slapd.sh @@ -0,0 +1,78 @@ +#!/bin/sh + +set -e + +#CA_FROM_INTERNET="TRUE" +CA_LINK_FILE_NAME="ca" +CA_CHAIN_NAME="cachain" +CERT_PATH="$(dirname ${CHAINFILE})" +CA_LINK_FILE="${CERT_PATH}/${CA_LINK_FILE_NAME}.pem" + +Ca_from_internet () +{ + echo "Downloading CA file from internet!" + + ISSUER_URL="$(openssl x509 -in "${CHAINFILE}" -noout -text | grep 'CA Issuers' | cut -d ':' -f 2-)" + TEMPDIR="$(mktemp -d /tmp/dehydrated-hook.XXXX)" + + wget --quiet "${ISSUER_URL}" -O "${TEMPDIR}/${CA_LINK_FILE_NAME}" + + if openssl x509 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -text > /dev/null 2>&1 + then + echo "Root certificate format is text PEM" + /usr/bin/mv "${TEMPDIR}/${CA_LINK_FILE_NAME}" "${CA_LINK_FILE}.new" + elif openssl x509 -inform DER -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -text > /dev/null 2>&1 + then + echo "Root certificate format is binary DER" + openssl x509 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -inform DER -out "${CA_LINK_FILE}.new" + elif openssl pkcs7 -inform der -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" > /dev/null 2>&1 + then + echo "Root certificate format is binary pkcs7" + openssl pkcs7 -print_certs -inform der -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -out "${CA_LINK_FILE}.new" + elif openssl pkcs12 -in "${TEMPDIR}/${CA_LINK_FILE_NAME}" -info > /dev/null 2>&1 + then + echo "${0}: root certificate format is binary pkcs12" + echo "Error, root certificate is in unhandled format." >&2 + exit 1 + else + echo "${0}: error, root certificate is in unhandled format." >&2 + exit 1 + fi + + openssl verify -trusted "${CA_LINK_FILE}.new" -untrusted "${CHAINFILE}" "${CERTFILE}" 1> /dev/null + + CA_COMMON_NAME="$(openssl x509 -noout -subject -nameopt multiline -in "${CA_LINK_FILE}.new" | grep commonName | sed -n 's/ *commonName *= //p')" + CA_FILE="${CERT_PATH}/${CA_COMMON_NAME}.pem" + + mv "${CA_LINK_FILE}.new" "${CA_FILE}" + rm -rf "${TEMPDIR}" +} + +unset CA_FILE + +for FILE in $(find /etc/ssl/certs -not -name "????????.?" -not -name ca-certificates.crt) +do + if openssl verify -no-CApath -CAfile "${FILE}" "${CHAINFILE}" > /dev/null 2>&1 + then + CA_FILE="${FILE}" + break + fi +done + +if [ -z "${CA_FILE}" ] +then + echo "Could not find root CA on this system." + + if [ "${CA_FROM_INTERNET}" = "TRUE" ] + then + Ca_from_internet + else + exit 1 + fi +fi + +echo "Found trusted root CA file: ${CA_FILE}" +ln -sf "${CA_FILE}" "${CA_LINK_FILE}" +#cp "${CA_FILE}" "${CA_LINK_FILE}" +openssl verify -trusted "${CA_LINK_FILE}" -untrusted "${CHAINFILE}" "${CERTFILE}" 1> /dev/null +cat "${CA_LINK_FILE}" "${CHAINFILE}" "${CERTFILE}" > "${CERT_PATH}/${CA_CHAIN_NAME}.pem" |