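#!/bin/bash

# Generate a self-signed certificate for the systemtap compile server and
# add it to the server's NSS certificate/key database, which is also the
# database of trusted servers for the client.
#
# Usage: $0 [SERVERDB]
#   SERVERDB - directory for the NSS database. Defaults to
#              "$stap_ssl_db/server", with stap_ssl_db taken from stap-env.
#              NOTE: the directory is removed and recreated from scratch.
#
# Exits 0 on success, 1 on any failure (diagnostics go to stderr).
#
# Copyright (C) 2008-2010 Red Hat Inc.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
# Public License (GPL); either version 2, or (at your option) any
# later version.

# Print a diagnostic on stderr and exit with status 1.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Initialize the environment. stap-env is expected to define stap_ssl_db
# and stap_certfile (PKGLIBEXECDIR is presumably set by the caller/installer).
# A failed '.' does not abort a non-POSIX bash script, so check it explicitly
# instead of continuing with empty paths and an 'rm -fr' of "/server".
. "${PKGLIBEXECDIR}stap-env" || die "Unable to load ${PKGLIBEXECDIR}stap-env"
test -n "$stap_certfile" || die "stap_certfile is not set by ${PKGLIBEXECDIR}stap-env"

# Obtain the certificate database directory name.
serverdb="$1"
if test -z "$serverdb"; then
    test -n "$stap_ssl_db" || \
        die "stap_ssl_db is not set by ${PKGLIBEXECDIR}stap-env and no database directory was given"
    serverdb="$stap_ssl_db/server"
fi
# Start from a clean database directory. ${serverdb:?} aborts rather than
# expanding to an empty path in front of a recursive delete.
rm -fr -- "${serverdb:?}"

# Create the server's certificate database directory.
mkdir -p -m 755 "$serverdb" || \
    die "Unable to create the server certificate database directory: $serverdb"

# Create the certificate database password file. Care must be taken that
# this file is only readable by the owner: create it empty under a 077 umask
# so it never exists with wider permissions, then pin the mode explicitly
# before any secret is written to it.
# NOTE: the password file lives next to the key database it protects, so
# the 0600 mode on this file is what actually protects the private key from
# other local users.
pwfile="$serverdb/pw"
( umask 077 && : > "$pwfile" ) && chmod 600 "$pwfile" || \
    die "Unable to create the server certificate database password file: $pwfile"

# Generate a random 20-character alphanumeric password from /dev/urandom.
# 'read -n20 password </dev/urandom' is not a safe fallback: read stops at
# the first newline byte and drops IFS characters, so it can yield a short
# or even empty password. Refuse to continue unless all 20 characters were
# produced.
password=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom 2>/dev/null | head -c 20)
test "${#password}" -eq 20 || \
    die "Unable to generate a password for the server certificate database"
# printf rather than echo: the content must be written verbatim.
printf '%s\n' "$password" > "$pwfile" || \
    die "Unable to write the server certificate database password file: $pwfile"

# Generate the server certificate database.
certutil -N -d "$serverdb" -f "$pwfile" > /dev/null || \
    die "Unable to initialize the server certificate database directory: $serverdb"

# certutil needs some random noise for generating keys; the file is removed
# as soon as the key pair has been generated.
noise="$serverdb/noise"
dd bs=123 count=1 < /dev/urandom > "$noise" 2> /dev/null || \
    die "Unable to generate key noise for the server certificate: $noise"

# Generate a request for the server's certificate. A failure here is fatal:
# otherwise the following steps would operate on a missing request file and
# the script would still report success.
request="$serverdb/stap.req"
if ! certutil -R -d "$serverdb" -f "$pwfile" \
        -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \
        -o "$request" -z "$noise" 2> /dev/null; then
    rm -f -- "$noise"
    die "Unable to generate the server certificate request: $request"
fi
rm -f -- "$noise"

# Create the certificate file first so that it always has the proper access
# permissions (0644: the certificate is public and meant to be read by others).
certfile="$serverdb/$stap_certfile"
( touch "$certfile" && chmod 644 "$certfile" ) || \
    die "Unable to create the server certificate file: $certfile"

# Subject alternative names: the host name plus localhost. Avoid a leading
# empty name (",localhost") if HOSTNAME is not set in this shell.
server_host="${HOSTNAME:-$(hostname 2>/dev/null)}"
if test -n "$server_host"; then
    san="$server_host,localhost"
else
    san="localhost"
fi

# Now generate the actual self-signed (-x) certificate, valid for 12 months.
# -5 adds the Netscape certificate-type extension and -8 the subject
# alternative names. The here-document answers certutil's interactive -5
# menu (the selections correspond to the SSL-server / object-signing roles
# expressed by the trust flags further down); they depend on certutil's
# prompt order, so re-check them if the certutil version changes.
if ! certutil -C -i "$request" -o "$certfile" -x -d "$serverdb" \
        -f "$pwfile" -v 12 -5 -8 "$san" > /dev/null <<EOF
1
3
7
8
y
EOF
then
    rm -f -- "$request"
    die "Unable to generate the server certificate: $certfile"
fi
rm -f -- "$request"

# Add the certificate to the server's certificate/key database as a trusted
# peer, ssl server and object signer.
certutil -A -n stap-server -t "PCu,,PCu" -i "$certfile" -d "$serverdb" -f "$pwfile" || \
    die "Unable to add the server certificate to the database: $serverdb"

# Print some information about the certificate.
echo "Certificate $certfile created and added to database $serverdb"
certutil -L -d "$serverdb" -n stap-server | \
    awk '/Validity|Not After|Not Before/ { print $0 }' | \
    sed 's/^ */ /'

exit 0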