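#!/bin/bash
# Request an HTTP/<fqdn> certificate from FreeIPA through certmonger
# (ipa-getcert), creating any subjectAltName hosts/services in IPA first.
#
# This script uses bash-only features further down (arrays, `read -a`,
# here-strings), so it must run under bash; the original `#!/bin/sh` shebang
# would break the SAN handling on systems where /bin/sh is dash or ash.
IPAADMIN='admin'            # IPA user allowed to create hosts/services (override with -u)
FQHOSTNAME=$(hostname -f)   # host the certificate is for (override with -h)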
# Print the command-line synopsis to stdout.
# The -h default shown is whatever `hostname -f` reports at call time.
usage() {
  cat <<EOF
Usage: $0 -d DESTINATION [-h FQDN] [-a subAltName] [-u IPAAdminUser]
 -d DESTINATION Fully qualified path to output directory
 -h FQDN Fully qualified hostname (defaults to $(hostname -f))
 -a subAltName Comma separated list of subjectAltNames for cert
 -u IPAAdminUser IPA Admin user to create hosts and services
EOF
}
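# Parse the command line. getopts reports both an unknown option and an
# option missing its argument as '?', so the default arm covers both.
options='d:h:a:u:'
while getopts "$options" opt; do
  case "$opt" in
    d) DESTDIR=$OPTARG ;;
    h) FQHOSTNAME=$OPTARG ;;
    a) SUBALTNAME=$OPTARG ;;
    u) IPAADMIN=$OPTARG ;;
    *)
      # Diagnostics belong on stderr so they do not pollute a caller's stdout.
      usage >&2
      exit 1
      ;;
  esac
done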
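# The output directory is mandatory and must not exist yet: refusing to reuse
# a directory avoids silently clobbering an existing key/certificate pair.
if [ -z "${DESTDIR}" ]; then
  usage >&2
  exit 1
fi
if [ -d "${DESTDIR}" ]; then
  echo "${DESTDIR} already exists, refusing to continue." >&2
  exit 1
fi
# Abort if the directory cannot be created (e.g. the path exists as a regular
# file, or the parent is missing); otherwise ipa-getcert below would be asked
# to write the private key into a path that does not exist.
mkdir -- "${DESTDIR}" || exit 1
# NOTE(review): the directory is created with the caller's umask and will hold
# the private key; consider a tighter mode (e.g. mkdir -m 0750) once it is
# confirmed how the consuming service reads the key.
# Label the directory cert_t so an SELinux-confined service can read it.
# A chcon failure (no SELinux, unsupported filesystem) is not fatal here, but
# say so instead of ignoring it silently.
if ! chcon -t cert_t -- "${DESTDIR}"; then
  echo "warning: could not set SELinux context cert_t on ${DESTDIR}" >&2
fi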
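# Make sure we hold a Kerberos ticket for the IPA admin user before calling
# `ipa`. Match "<user>@" as a fixed string so that, say, -u admin is not
# satisfied by an unrelated principal that merely contains the text
# (sysadmin@REALM). klist exits non-zero and complains on stderr when there is
# no credential cache at all; for our purposes that is simply "no ticket".
if ! klist 2>/dev/null | grep -qF -- "${IPAADMIN}@"; then
  # kinit prompts for the password interactively. Stop if it fails: every
  # `ipa` call below would otherwise fail one by one with the same cause.
  kinit "${IPAADMIN}" || exit 1
fi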
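# Process the -a option. Every SAN has to exist in IPA as a host with an
# HTTP/<san> service that this host may manage; otherwise the IPA CA refuses
# to issue a certificate carrying that name.
SANARGS=()
# The original test was unquoted (`[ -n ${SUBALTNAME} ]`), which is always true
# when the variable is empty; quote it so the block is skipped without -a.
if [ -n "${SUBALTNAME}" ]; then
  IFS=',' read -r -a SANS <<< "${SUBALTNAME}"
  for SAN in "${SANS[@]}"; do
    # Tolerate "a,,b" or a trailing comma instead of querying IPA for "".
    [ -n "${SAN}" ] || continue
    # Collect the -D arguments in an array: a string would be word-split and
    # glob-expanded on the ipa-getcert line (think *.example.com).
    SANARGS+=(-D "${SAN}")
    # *-show fails exactly when the object is missing; *-find does substring
    # matching and could report a different, longer name as a hit.
    if ! ipa host-show "${SAN}" >/dev/null 2>&1; then
      ipa host-add "${SAN}" --force || exit 1
    fi
    if ! ipa service-show "HTTP/${SAN}" >/dev/null 2>&1; then
      ipa service-add "HTTP/${SAN}" --force || exit 1
      # Allow our FQDN to manage the (possibly fake) host's service; without
      # this, certmonger's request from this host for that name is rejected.
      ipa service-add-host "HTTP/${SAN}" --host "${FQHOSTNAME}" || exit 1
    fi
  done
fi
# Submit the request to certmonger. ipa-getcert normally returns as soon as
# certmonger has accepted the request, not when the certificate is issued
# (pass -w to wait); check progress with `ipa-getcert list`.
# NOTE(review): confirm the file mode certmonger gives the private key before
# handing the directory to a service.
ipa-getcert request \
  -k "${DESTDIR}/${FQHOSTNAME}.key" \
  -f "${DESTDIR}/${FQHOSTNAME}.crt" \
  -F "${DESTDIR}/ipa-ca.crt" \
  -K "HTTP/${FQHOSTNAME}" \
  -U id-kp-serverAuth -U id-kp-clientAuth \
  -D "${FQHOSTNAME}" "${SANARGS[@]}" || exit 1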