From e39dca4505a5ba2a90a87135fb24957fb831e581 Mon Sep 17 00:00:00 2001
From: Sinisa Veseli <sveseli@aps.anl.gov>
Date: Wed, 15 Apr 2015 14:51:32 +0000
Subject: [PATCH] added dm certificate management scripts
---
 sbin/dm_create_ca.sh | 60 +++++++++++++++++++++++++++++++++++
 sbin/dm_create_server_cert.sh | 60 +++++++++++++++++++++++++++++++++++
 sbin/dm_create_user_cert.sh | 58 +++++++++++++++++++++++++++++++++
 3 files changed, 178 insertions(+)
 create mode 100755 sbin/dm_create_ca.sh
 create mode 100755 sbin/dm_create_server_cert.sh
 create mode 100755 sbin/dm_create_user_cert.sh
diff --git a/sbin/dm_create_ca.sh b/sbin/dm_create_ca.sh
new file mode 100755
index 00000000..ca7c97d3
--- /dev/null
+++ b/sbin/dm_create_ca.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+sbindir=`dirname $0`
+
+# Set root/run directories
+if [ -z $DM_ROOT_DIR ]; then
+ cd $sbindir/..
+ export DM_ROOT_DIR=`pwd`
+fi
+if [ -z $DM_INSTALL_DIR ]; then
+ cd $DM_ROOT_DIR/..
+ export DM_INSTALL_DIR=`pwd`
+fi
+
+CA_ROOT=$DM_INSTALL_DIR/etc/CA
+CA_CONFIG=$DM_ROOT_DIR/etc/dm.openssl.cnf
+CA_DESC="DM Certificate Authority"
+LOG_FILE=/tmp/dm-ca.log.$$
+LOCKFILE=$CA_ROOT/dm-ca.lock
+
+echo "Creating $CA_DESC"
+
+# Check for lock file
+if [ -f $LOCKFILE ]; then
+ if [ "x$1" != "x--force" ]; then
+ echo "$0 has already been run and there is no need to re-run it."
+ exit -1
+ else
+ # Clean up CA...
+ rm -rf $CA_ROOT
+ fi
+fi
+
+# Prep directory
+HOSTNAME=`hostname`
+mkdir -p $CA_ROOT/newcerts
+mkdir -p $CA_ROOT/certs
+mkdir -p $CA_ROOT/certreqs
+mkdir -p $CA_ROOT/private
+mkdir -p $CA_ROOT/crl
+touch $CA_ROOT/index.txt
+echo "01" > $CA_ROOT/serial
+openssl req -days 3650 -nodes -new -x509 -keyout $CA_ROOT/private/cakey.pem -out $CA_ROOT/cacert.pem -config $CA_CONFIG >> $LOG_FILE 2>&1 << EOF
+
+
+
+
+$CA_DESC
+
+EOF
+
+#Set the lockfile
+if [ $? -eq 0 ]; then
+ echo "Created $CA_DESC"
+ touch $LOCKFILE
+ exit 0
+else
+ echo "Error creating CA: check '$LOG_FILE'."
+ exit -2
+fi
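Review bot: The CA private key written by the `openssl req … -nodes -keyout $CA_ROOT/private/cakey.pem` line is the root of trust for every server and user certificate these scripts issue, yet it is unencrypted and nothing here tightens `$CA_ROOT/private` or `cakey.pem` — the `mkdir -p` lines run under whatever umask the operator has (newer OpenSSL builds create the key file itself as 0600, but the directory is still umask-controlled and the script should not depend on that), and unlike the server-cert script there is no `chmod` at all. I would add `umask 077` before the `mkdir -p` block and `chmod 700 $CA_ROOT/private` after it, or drop `-nodes` and passphrase-protect the CA key. Separately, `LOG_FILE=/tmp/dm-ca.log.$$` is a predictable name in a world-writable directory that is opened with `>>`, so a pre-placed symlink could redirect the openssl output onto a file this (presumably privileged) script can write; `LOG_FILE=$(mktemp /tmp/dm-ca.log.XXXXXX) || exit 1` avoids that. Note also that `--force` does `rm -rf $CA_ROOT`, which destroys `index.txt` and `serial` — the only record of certificates already issued — with no confirmation; the `# Clean up CA...` comment should say so, and the path should at least be guarded as `rm -rf -- "${CA_ROOT:?}"`.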
diff --git a/sbin/dm_create_server_cert.sh b/sbin/dm_create_server_cert.sh
new file mode 100755
index 00000000..b25cc9cd
--- /dev/null
+++ b/sbin/dm_create_server_cert.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+sbindir=`dirname $0`
+# Set root/run directories
+if [ -z $DM_ROOT_DIR ]; then
+ cd $sbindir/..
+ export DM_ROOT_DIR=`pwd`
+fi
+if [ -z $DM_INSTALL_DIR ]; then
+ cd $DM_ROOT_DIR/..
+ export DM_INSTALL_DIR=`pwd`
+fi
+CA_ROOT=$DM_INSTALL_DIR/etc/CA
+CA_CONFIG=$DM_ROOT_DIR/etc/dm.openssl.cnf
+
+LOG_FILE=/tmp/dm-server-cert.log.$$
+
+SERVER_NAME=$1
+SERVER_CN=$2
+ADMIN_EMAIL=$3
+
+if [ $# -ne 3 ]; then
+ echo "Usage: $0 <server type> <server description> <admin email>"
+ exit 1
+fi
+
+CERT_DIR=$CA_ROOT/certs
+CERT_REQ_DIR=$CA_ROOT/certreqs
+
+REQUEST_CMD="openssl req -days 3650 -nodes -new -keyout $CERT_DIR/$SERVER_NAME.key -out $CERT_REQ_DIR/$SERVER_NAME.csr -extensions server -config $CA_CONFIG"
+SIGN_CMD="openssl ca -days 3650 -out $CERT_DIR/$SERVER_NAME.crt -in $CERT_REQ_DIR/$SERVER_NAME.csr -extensions server -config $CA_CONFIG"
+$REQUEST_CMD >> $LOG_FILE 2>&1 << EOF
+
+
+
+
+$SERVER_CN
+$ADMIN_EMAIL
+
+
+EOF
+
+if [ $? -ne 0 ]; then
+ echo "Error creating server certificate, check '$LOG_FILE'."
+ exit -1
+fi
+
+$SIGN_CMD >> $LOG_FILE 2>&1 << EOF
+y
+y
+EOF
+
+if [ $? -eq 0 ]; then
+ chmod 400 $CERT_DIR/*
+ exit 0
+else
+ echo "Error creating server certificate, check '$LOG_FILE'."
+ exit -1
+fi
+
diff --git a/sbin/dm_create_user_cert.sh b/sbin/dm_create_user_cert.sh
new file mode 100755
index 00000000..4820d047
--- /dev/null
+++ b/sbin/dm_create_user_cert.sh
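Review bot: `SERVER_NAME=$1` flows unvalidated into `$CERT_DIR/$SERVER_NAME.key` and `$CERT_REQ_DIR/$SERVER_NAME.csr`, and `$REQUEST_CMD` / `$SIGN_CMD` are strings executed through unquoted word-splitting, so a name containing `/`, `..` or whitespace writes the key outside the certs directory or silently rearranges the openssl argument list. I would reject anything but a plain token right after the `$#` check, `[[ "$SERVER_NAME" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid server type '$SERVER_NAME'" >&2; exit 1; }`, and build the two commands as bash arrays (`REQUEST_CMD=(openssl req -days 3650 -nodes -new -keyout "$CERT_DIR/$SERVER_NAME.key" …)` invoked as `"${REQUEST_CMD[@]}"`) so each argument stays one word. The `-nodes` key is created by the request step under the caller's umask and only tightened by `chmod 400 $CERT_DIR/*` once signing succeeds, so on a request or signing failure it keeps the default mode, and that chmod also rewrites the mode of every other file already in `$CERT_DIR`; `umask 077` at the top plus `chmod 400 "$CERT_DIR/$SERVER_NAME.key"` would be both safer and more precise. As in the CA script, `LOG_FILE=/tmp/dm-server-cert.log.$$` is a predictable `/tmp` name opened with `>>` and should come from `mktemp`.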
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Set root/run directories
+if [ -z $DM_ROOT_DIR ]; then
+ cd $sbindir/..
+ export DM_ROOT_DIR=`pwd`
+fi
+if [ -z $DM_INSTALL_DIR ]; then
+ cd $DM_ROOT_DIR/..
+ export DM_INSTALL_DIR=`pwd`
+fi
+CA_ROOT=$DM_INSTALL_DIR/etc/CA
+CA_CONFIG=$DM_ROOT_DIR/etc/dm.openssl.cnf
+LOG_FILE=/tmp/dm-user-cert.log.$$
+
+USERNAME=$1
+USER_CN=$2
+USER_EMAIL=$3
+
+if [ $# -ne 3 ]; then
+ echo "Usage: $0 <username> <user cn> <user email>"
+ exit 1
+fi
+
+CERT_DIR=$CA_ROOT/certs
+CERT_REQ_DIR=$CA_ROOT/certreqs
+
+REQUEST_CMD="openssl req -days 3650 -nodes -new -keyout $CERT_DIR/$USERNAME.key -out $CERT_REQ_DIR/$USERNAME.csr -config $CA_CONFIG"
+SIGN_CMD="openssl ca -days 3650 -out $CERT_DIR/$USERNAME.crt -in $CERT_REQ_DIR/$USERNAME.csr -config $CA_CONFIG"
+$REQUEST_CMD >> $LOG_FILE 2>&1 << EOF
+
+
+
+
+$USER_CN
+$USER_EMAIL
+
+
+EOF
+
+if [ $? -ne 0 ]; then
+ echo "Error creating server certificate, check '$LOG_FILE'."
+ exit -1
+fi
+
+$SIGN_CMD >> $LOG_FILE 2>&1 << EOF
+y
+y
+EOF
+
+if [ $? -eq 0 ]; then
+ chmod 400 $CERT_DIR/*
+ exit 0
+else
+ echo "Error creating server certificate, check '$LOG_FILE'."
+ exit -1
+fi
+
-- 
GitLab
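Review bot: `sbindir` is never assigned in this script — the `sbindir=\`dirname $0\`` line the other two scripts start with is missing — so when `DM_ROOT_DIR` is unset, `cd $sbindir/..` runs as `cd /..`, `DM_ROOT_DIR` becomes `/`, and the script goes looking for `/etc/dm.openssl.cnf` and `/etc/CA` instead of the installation; add `sbindir=$(dirname "$0")` before the `# Set root/run directories` comment. Both failure branches also print `Error creating server certificate` although this is the user-certificate script, which will send whoever reads the log to the wrong place; `Error creating user certificate` is what they should say. The user key is generated with `-nodes`, i.e. unencrypted, and left in `$CA_ROOT/certs` alongside the CA's other outputs; if these keys are meant to be handed to users it is worth either dropping `-nodes` so the user sets a passphrase, or at least stating in a header comment that the key is plaintext and how it is to be delivered and removed. `USERNAME=$1` is interpolated unvalidated into the key/CSR paths and the unquoted `$REQUEST_CMD` string exactly as in the server script, so the same `[[ "$USERNAME" =~ ^[A-Za-z0-9._-]+$ ]]` check belongs here too.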