hyclak/ipa-cloudforms-cert.sh Secret

## ipa-cloudforms-cert.sh
#!/bin/sh

IPAADMIN='admin'
FQHOSTNAME=`hostname -f`

function usage {
  echo "Usage: $0 -d DESTINATION [-h FQDN] [-a subAltName] [-u IPAAdminUser]"
  echo "  -d DESTINATION 	Fully qualified path to output directory"
  echo "  -h FQDN		Fully qualified hostname (defaults to `hostname -f`)"
  echo "  -a subAltName		Comma separated list of subjectAltNames for cert"
  echo "  -u IPAAdminUser	IPA Admin user to create hosts and services"
}

options='d:h:a:u:'
while getopts $options opt; do
  case $opt in
    d)
      DESTDIR=${OPTARG}
      ;;
    h)
      FQHOSTNAME=${OPTARG}
      ;;
    a)
      SUBALTNAME=${OPTARG}
      ;;
    u)
      IPAADMIN=${OPTARG}
      ;;
    *)
      usage
      exit 1
    ;;
  esac
done

if [ -z "${DESTDIR}" ]; then
  usage
  exit 1
fi

if [ ! -d ${DESTDIR} ]; then
  mkdir ${DESTDIR}
  # Ensure selinux context is correct
  chcon -t cert_t ${DESTDIR}
else
  echo "${DESTDIR} already exists, refusing to continue."
  exit 1
fi

# Get a kerberos session going
klist | grep ${IPAADMIN} >/dev/null 2>&1
if [ $? -ne 0 ]; then
  kinit ${IPAADMIN}
fi

# Process SUBALTNAME option
SANARG=""
if [ -n ${SUBALTNAME} ]; then
  IFS=',' read -r -a SANS <<< ${SUBALTNAME}

  for SAN in "${SANS[@]}"; do
    # Build the argument for ipa-getcert
    SANARG="${SANARG} -D ${SAN}"

    # Make sure the SAN is a host in IPA
    ipa host-find ${SAN} >/dev/null 2>&1
    if [ $? -ne 0 ]; then
      ipa host-add ${SAN} --force
    fi

    # Create the service for the host if it doesn't exist
    ipa service-find "HTTP/${SAN}" >/dev/null 2>&1
    if [ $? -ne 0 ]; then
      ipa service-add "HTTP/${SAN}" --force
      # Allow our FQDN to manage the fake host service
      ipa service-add-host "HTTP/${SAN}" --host ${FQHOSTNAME}
    fi
  done
fi

# Create the certificate request
ipa-getcert request -k ${DESTDIR}/${FQHOSTNAME}.key -f ${DESTDIR}/${FQHOSTNAME}.crt -F ${DESTDIR}/ipa-ca.crt -K HTTP/${FQHOSTNAME} -U id-kp-serverAuth -U id-kp-clientAuth -D ${FQHOSTNAME} ${SANARG}
	#!/bin/sh

	IPAADMIN='admin'
	FQHOSTNAME=`hostname -f`

	function usage {
	echo "Usage: $0 -d DESTINATION [-h FQDN] [-a subAltName] [-u IPAAdminUser]"
	echo " -d DESTINATION Fully qualified path to output directory"
	echo " -h FQDN Fully qualified hostname (defaults to `hostname -f`)"
	echo " -a subAltName Comma separated list of subjectAltNames for cert"
	echo " -u IPAAdminUser IPA Admin user to create hosts and services"
	}

	options='d:h:a:u:'
	while getopts $options opt; do
	case $opt in
	d)
	DESTDIR=${OPTARG}
	;;
	h)
	FQHOSTNAME=${OPTARG}
	;;
	a)
	SUBALTNAME=${OPTARG}
	;;
	u)
	IPAADMIN=${OPTARG}
	;;
	*)
	usage
	exit 1
	;;
	esac
	done

	if [ -z "${DESTDIR}" ]; then
	usage
	exit 1
	fi

	if [ ! -d ${DESTDIR} ]; then
	mkdir ${DESTDIR}
	# Ensure selinux context is correct
	chcon -t cert_t ${DESTDIR}
	else
	echo "${DESTDIR} already exists, refusing to continue."
	exit 1
	fi

	# Get a kerberos session going
	klist \| grep ${IPAADMIN} >/dev/null 2>&1
	if [ $? -ne 0 ]; then
	kinit ${IPAADMIN}
	fi

	# Process SUBALTNAME option
	SANARG=""
	if [ -n ${SUBALTNAME} ]; then
	IFS=',' read -r -a SANS <<< ${SUBALTNAME}

	for SAN in "${SANS[@]}"; do
	# Build the argument for ipa-getcert
	SANARG="${SANARG} -D ${SAN}"

	# Make sure the SAN is a host in IPA
	ipa host-find ${SAN} >/dev/null 2>&1
	if [ $? -ne 0 ]; then
	ipa host-add ${SAN} --force
	fi

	# Create the service for the host if it doesn't exist
	ipa service-find "HTTP/${SAN}" >/dev/null 2>&1
	if [ $? -ne 0 ]; then
	ipa service-add "HTTP/${SAN}" --force
	# Allow our FQDN to manage the fake host service
	ipa service-add-host "HTTP/${SAN}" --host ${FQHOSTNAME}
	fi
	done
	fi

	# Create the certificate request
	ipa-getcert request -k ${DESTDIR}/${FQHOSTNAME}.key -f ${DESTDIR}/${FQHOSTNAME}.crt -F ${DESTDIR}/ipa-ca.crt -K HTTP/${FQHOSTNAME} -U id-kp-serverAuth -U id-kp-clientAuth -D ${FQHOSTNAME} ${SANARG}