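#!/usr/bin/env bash
#
# Request an HTTP/<fqdn> service certificate from FreeIPA via certmonger
# (ipa-getcert), optionally with extra DNS subjectAltNames. For every SAN
# the matching IPA host and HTTP/<san> service are created if missing, and
# this host is granted the right to manage that service.
#
# Usage: see usage() below (-d DESTINATION is required).
#
# The script uses bash features (arrays, `read -a`, here-strings), so the
# interpreter must be bash rather than /bin/sh.

# IPA admin principal used for kinit and the ipa host/service commands;
# overridden by -u.
IPAADMIN='admin'
# Host FQDN used as the certificate subject/principal; overridden by -h.
# If `hostname -f` fails this is empty and is checked before use.
FQHOSTNAME=$(hostname -f)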
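#######################################
# Print command-line usage.
# Globals:   none (reads $0 for the program name)
# Arguments: none
# Outputs:   usage text on stderr (this is only called on an error path)
# Returns:   0
#######################################
usage() {
  cat >&2 <<EOF
Usage: $0 -d DESTINATION [-h FQDN] [-a subAltName] [-u IPAAdminUser]
 -d DESTINATION  Fully qualified path to output directory
 -h FQDN         Fully qualified hostname (defaults to $(hostname -f))
 -a subAltName   Comma separated list of subjectAltNames for cert
 -u IPAAdminUser IPA Admin user to create hosts and services
EOF
}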
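options='d:h:a:u:'
DESTDIR=''
SUBALTNAME=''
while getopts "$options" opt; do
  case "$opt" in
    d) DESTDIR=$OPTARG ;;
    h) FQHOSTNAME=$OPTARG ;;
    a) SUBALTNAME=$OPTARG ;;
    u) IPAADMIN=$OPTARG ;;
    *)
      usage
      exit 1
      ;;
  esac
done

if [ -z "${DESTDIR}" ]; then
  usage
  exit 1
fi
# FQHOSTNAME comes from `hostname -f` unless -h was given; an empty value
# would otherwise produce a bad principal and key/cert paths below.
if [ -z "${FQHOSTNAME}" ]; then
  printf '%s\n' "Could not determine the host FQDN; pass it with -h." >&2
  exit 1
fi

# DESTDIR receives the private key, so never reuse an existing directory.
if [ -d "${DESTDIR}" ]; then
  printf '%s\n' "${DESTDIR} already exists, refusing to continue." >&2
  exit 1
fi
mkdir -- "${DESTDIR}" || exit 1
# Ensure selinux context is correct (best effort: fails harmlessly on
# hosts without SELinux labelling support).
chcon -t cert_t -- "${DESTDIR}"

# Get a kerberos session going, unless a ticket for IPAADMIN is already
# cached. This is a substring match on klist output, so a principal such
# as "sysadmin" also satisfies the check for "admin"; kinit is only skipped,
# never granted, on a false match.
if ! klist 2>/dev/null | grep -qF -- "${IPAADMIN}"; then
  kinit "${IPAADMIN}" || exit 1
fi

# Process SUBALTNAME option: build one "-D name" pair per SAN as separate
# words so names are never re-split when passed to ipa-getcert.
SANARGS=()
if [ -n "${SUBALTNAME}" ]; then
  IFS=',' read -r -a SANS <<< "${SUBALTNAME}"
  for SAN in "${SANS[@]}"; do
    # Skip empty entries produced by "a,,b" or a trailing comma.
    [ -n "${SAN}" ] || continue
    SANARGS+=(-D "${SAN}")
    # Make sure the SAN is a host in IPA
    if ! ipa host-find "${SAN}" >/dev/null 2>&1; then
      ipa host-add "${SAN}" --force || exit 1
    fi
    # Create the service for the host if it doesn't exist, and allow our
    # FQDN to manage it. Note this grants this host management rights over
    # HTTP/<SAN>, which is what lets the cert request below include the SAN.
    if ! ipa service-find "HTTP/${SAN}" >/dev/null 2>&1; then
      ipa service-add "HTTP/${SAN}" --force || exit 1
      ipa service-add-host "HTTP/${SAN}" --host "${FQHOSTNAME}" || exit 1
    fi
  done
fi

# Create the certificate request: key and cert land in DESTDIR, the IPA CA
# chain goes to ipa-ca.crt, and the SAN list is the FQDN plus any -a names.
ipa-getcert request \
  -k "${DESTDIR}/${FQHOSTNAME}.key" \
  -f "${DESTDIR}/${FQHOSTNAME}.crt" \
  -F "${DESTDIR}/ipa-ca.crt" \
  -K "HTTP/${FQHOSTNAME}" \
  -U id-kp-serverAuth -U id-kp-clientAuth \
  -D "${FQHOSTNAME}" "${SANARGS[@]}"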