/[pdpsoft]/nl.nikhef.pdp.tcs/nl.nikhef.pdp.tcs.tcsg4-tools/trunk/tcsg4-install-servercert.sh
Revision 3297 - (show annotations) (download) (as text)
Fri Jul 10 14:51:46 2020 UTC (2 years, 2 months ago) by davidg
File MIME type: application/x-shellscript
File size: 10078 byte(s)
make customer surfnet configurabl

1 #! /bin/sh
2 #
3 # @(#)$Id$
4 # rev 2
5 #
6 # TCS G4 server certificate format management tool for POSIX systems:
7 # unpacks the Sectigo PKCS#7 (.p7b) bundle into separate EEC, CA-chain and
8 # nginx-style (EEC+chain) PEM files, optionally with per-profile copies
9 #
10 # Requirements: sh, awk, sed, openssl, date, mktemp, ls,
11 # mkdir, rmdir, mv, cp, rm, cat, basename, grep, chmod
12 # in addition requires curl if you use URLs for the PKCS#7 input
13 #
14 # Copyright 2020 David Groep, Nikhef, Amsterdam
15 #
16 # Licensed under the Apache License, Version 2.0 (the "License");
17 # you may not use this file except in compliance with the License.
18 # You may obtain a copy of the License at
19 #
20 # http://www.apache.org/licenses/LICENSE-2.0
21 #
22 # Unless required by applicable law or agreed to in writing, software
23 # distributed under the License is distributed on an "AS IS" BASIS,
24 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25 # See the License for the specific language governing permissions and
26 # limitations under the License.
27 #
28 #
# ############################################################################
# defaults; most are overridden from the command line (see help below)
#
destdir=.                          # -d: directory the result files go to
bckprefix=backup                   # -b: prefix for backup copies; -f empties it
nameformat=friendly                # -r (default) / -x / -R naming scheme
customer=surfnet                   # Sectigo customer segment of the download URL
DATE=$(date +%Y%m%d-%H%M%S)        # timestamp embedded in backup file names
progname=$(basename "$0")
makecsr=0                          # not referenced anywhere in this script
certfn=                            # set once the EEC commonName is known
profile=""                         # ov / ev / igtfov, derived from the issuer CN
38
39 # ############################################################################
40 # usage help and instructions
41 #
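# ############################################################################
# usage help and instructions
#
# Prints the usage text to stdout.  Used for -h/--help and when no PKCS#7
# argument is given.  The heredoc delimiter is quoted so nothing in the text
# (e.g. the example URL) is subject to shell expansion.
#
help() { cat <<'EOF'
Usage: tcsg4-install-servercert.sh [-d destdir] [-r|-x|-R] [-f]
       [-b backupprefix] [-C customer] <PKCS7.p7b>

  -d destdir       write result files to <destdir>
  -r               use EEC commonName as basis for new filenames (default)
  -x, --no-rename  use the base filename of the P7B file for new filenames
  -R               use EEC commonName and date as basis for filenames
  -f               do not make backups of existing files
  -b bckprefix     prefix of the filename to use when making backups
  -C customer      name of the Sectigo customer (default: surfnet)
  -h               show this help

  <PKCS7.p7b>      filename of the blob produced by Sectigo
                   or URL to the PKCS#7 blob from the success email
                   (https://cer.../ssl?action=download&sslId=1234567&format=bin)
                   remember to "quote" the URL to preserve the ampersands
                   or Self-Enrollment ID number (numeric)

EOF
  return
}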
63
64 # ############################################################################
65 #
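# ############################################################################
# command line parsing
#
# Exactly one non-option argument is required: the PKCS#7 file, the Sectigo
# download URL, or the numeric Self-Enrollment ID.
#
# Abort when an option that takes a value is the last word on the command
# line.  Otherwise "shift 2" fails with one argument left and, depending on
# the shell, either aborts with a shift error or leaves the loop re-reading
# the same option forever.
need_optarg() {
  if [ "$1" -lt 2 ]; then
    echo "Option $2 requires an argument, exiting" >&2
    exit 1
  fi
}

while [ $# -gt 0 ]; do
  case "$1" in
    -r | --rename )           nameformat="friendly"; shift 1 ;;
    -x | --no-rename )        nameformat=""; shift 1 ;;
    -R | --rename-with-date ) nameformat="dated"; shift 1 ;;
    -f | --force )            bckprefix=""; shift 1 ;;
    -h | --help )             help ; exit 0 ;;
    -b | --backupprefix )     need_optarg $# "$1"; bckprefix="$2"; shift 2 ;;
    -d | --destination )      need_optarg $# "$1"; destdir="$2"; shift 2 ;;
    -C | --customer )
      # -C is documented in the help text; it ends up unescaped in the path
      # of the download URL, so only accept plain path-safe characters
      need_optarg $# "$1"
      case "$2" in
        "" | *[!A-Za-z0-9_.-]* )
          echo "Customer name must be non-empty and use only [A-Za-z0-9_.-]: $2" >&2
          exit 1 ;;
      esac
      customer="$2"; shift 2 ;;
    -- )                      shift 1; break ;;   # end of options (file names starting with -)
    -* ) echo "Unknown option $1, exiting" >&2 ; exit 1 ;;
    * ) break ;;
  esac
done

case $# in
  0 ) help ; exit 0 ;;
  1 ) pkfile="$1" ;;
  * ) echo "Too many arguments." >&2 ; exit 1 ;;
esac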
85
86 # ############################################################################
87 # retrieve PKCS#7 from URL, if URL given (beware of quoting the ampersand)
88 # or from order number
89 #
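# ############################################################################
# retrieve PKCS#7 from URL, if URL given (beware of quoting the ampersand)
# or from order number
#
# Print the numeric sslId= value of a Sectigo download URL; print nothing
# when the URL has no strictly numeric sslId= parameter.
sslid_from_url() {
  case "$1" in
    *sslId=[0-9]* )
      printf '%s\n' "$1" | sed -e 's/.*sslId=\([0-9]*\).*/\1/' ;;
    * ) ;;
  esac
}

# A bare number is a Self-Enrollment ID: build the download URL for the
# configured customer.  A pattern match is used instead of "[ ... -gt 0 ]"
# so the non-numeric case does not depend on which /bin/sh is installed.
case "$pkfile" in
  "" | *[!0-9]* ) ;;
  * )
    echo "Recognised order ID $pkfile, downloading"
    pkfile="https://cert-manager.com/customer/${customer}/ssl?action=download&sslId=${pkfile}&format=bin"
    ;;
esac

case "$pkfile" in
  https://*format=bin | https://*format=base64 )
    sslid=$(sslid_from_url "$pkfile")
    if [ -z "$sslid" ] || ! [ "$sslid" -gt 0 ] 2>/dev/null; then
      echo "URL provided is not a Sectigo SSL PKCS#7 enrollment result" >&2
      exit 1
    fi
    p7bfile="sectigo-order-$sslid.p7b"
    # NOTE(review): the host part of the URL is not checked, so only URLs
    # from the Sectigo/GEANT success mail should be passed in.  curl verifies
    # the server certificate by default -- do not add -k here.  --fail turns
    # an HTTP error response into a download failure instead of saving the
    # error page as the PKCS#7 blob; -S still reports the reason despite -s.
    if ! curl -sS --fail -o "$p7bfile" "$pkfile"; then
      echo "URL cannot be downloaded ($pkfile)" >&2
      exit 1
    fi
    case "$pkfile" in
      *format=base64 )
        # PEM-encoded PKCS#7: the rest of the script expects DER
        mv "$p7bfile" "$p7bfile.pem"
        if ! openssl pkcs7 \
              -inform pem -in "$p7bfile.pem" \
              -outform der -out "$p7bfile"; then
          echo "Downloaded PEM PKCS#7 could not be converted to DER ($p7bfile.pem)" >&2
          exit 1
        fi
        ;;
    esac
    if [ ! -s "$p7bfile" ]; then
      echo "URL download result empty in $p7bfile " >&2
      echo "  (source $pkfile)" >&2
      exit 1
    fi
    pkfile="$p7bfile"
    ;;
esac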
126
127
128 # ############################################################################
129 # input validation
130 #
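# ############################################################################
# input validation
#
# At this point $pkfile must be a readable local file, either given on the
# command line or just downloaded.  Its base name (minus .p7b) is used in
# every intermediate and output file name, so it may contain whatever the
# user put in the file name -- keep it quoted wherever it is expanded.
#
if [ ! -r "$pkfile" ]; then echo "Cannot read $pkfile" >&2; exit 1; fi
if [ ! -s "$pkfile" ]; then echo "Empty PKCS#7 file $pkfile" >&2; exit 1; fi

case "$pkfile" in
  *.p7b ) credbase=$(basename "$pkfile" .p7b) ;;
  # this tool only unpacks PKCS#7 (.p7b) certificate bundles, not PKCS#12
  * ) echo "Unlikely PKCS#7 file (expected a .p7b name): $pkfile" >&2 ; exit 2 ;;
esac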
137
138 # ############################################################################
139 # extraction of Sectigo blob of p7b
140 #
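# ############################################################################
# extraction of Sectigo blob of p7b
#
# Unpack the DER PKCS#7 into one PEM file per certificate inside a private
# working directory (mktemp -d creates it mode 0700) in the current
# directory.  The directory is removed on any exit, so an error further down
# does not leave tcsg4unpack.* directories behind.
#
tempdir=$(mktemp -d tcsg4unpack.XXXXXX)

if [ -z "$tempdir" ] || [ ! -d "$tempdir" ]; then
  echo "Error creating temporary working directory here" >&2
  exit 1
fi
# ${tempdir:?} guards against ever expanding to "rm -rf --" on an empty value
trap 'rm -rf -- "${tempdir:?}"' EXIT

if ! openssl pkcs7 -inform der -in "$pkfile" -print_certs \
       -out "$tempdir/p7b-$credbase.pem"; then
  echo "Error: cannot extract data from PKCS7 file $pkfile" >&2
  # PKCS#7 bundles are not encrypted; a failure here means the input is not
  # a DER PKCS#7 blob (e.g. PEM, PKCS#12, or an HTML error page)
  echo "       not a DER-encoded PKCS#7 certificate bundle?" >&2
  exit 3
fi

if [ ! -s "$tempdir/p7b-$credbase.pem" ]; then
  echo "Error: cannot extract data from PKCS7 file $pkfile" >&2
  echo "       resulting direct-rendered p7b file not found" >&2
  exit 4
fi

if ! grep -q 'BEGIN CERTIFICATE' "$tempdir/p7b-$credbase.pem"; then
  echo "Error: cannot extract data from PKCS7 file $pkfile" >&2
  echo "       resulting p7b file has no certificate material" >&2
  exit 4
fi

# Split the -print_certs output into cert-<n>-<credbase>.pem, one file per
# PEM block.  The paths are passed with -v instead of being spliced into the
# program text, so a quote or awk metacharacter in the file name cannot
# break or alter the program; the read loop stops at end of input rather
# than spinning on a truncated block.
awk -v prefix="$tempdir/cert-" -v suffix="-$credbase.pem" '
  BEGIN { icert = 0; }
  /^-----BEGIN CERTIFICATE-----$/ {
    icert++;
    outfile = prefix icert suffix;
    print $0 > outfile;
    while ((getline ln) > 0) {
      print ln > outfile;
      if (ln == "-----END CERTIFICATE-----") break;
    }
    close(outfile);
  }
' "$tempdir/p7b-$credbase.pem"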
181
182 # ############################################################################
183 # generate per-certificate and key output files
184 #
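# ############################################################################
# generate per-certificate and key output files
#
# Walk the extracted certificates.  CA certificates (basicConstraints
# CA:TRUE) are appended to chain-<credbase>.pem; the end-entity certificate
# (EEC) is written to cert-<credbase>.pem and determines the friendly file
# name and the TCS profile.  Self-signed roots, anything issued by the
# retired AddTrust root, and the AAA / USERTrust intermediates are dropped.
#
if [ ! -d "$destdir" ]; then
  mkdir -p "$destdir" || { echo "Cannot create destination directory $destdir" >&2; exit 1; }
fi

# CN extraction from "-nameopt oneline" output ("CN = <value>").  The first
# character class allows '*' so a wildcard server name (*.example.org) is
# picked up instead of falling back to the whole subject line.
cn_re='s/.*CN = \([a-zA-Z0-9\._*][- a-zA-Z0-9:\._@*]*\).*/\1/'

havewrittenchain=0
for i in "$tempdir"/cert-*-"$credbase".pem
do
  [ -f "$i" ] || continue     # unmatched glob: nothing was extracted

  certcn=$(openssl x509 -noout -subject -nameopt oneline,sep_comma_plus \
             -in "$i" | sed -e "$cn_re")
  issuercn=$(openssl x509 -noout -issuer -nameopt oneline,sep_comma_plus \
             -in "$i" | sed -e "$cn_re")

  # one -text dump serves both the date and the CA flag
  certtext=$(openssl x509 -noout -text -in "$i")
  certdate=$(printf '%s\n' "$certtext" | awk '/ Not Before:/ { print $4,$3,$6; }')
  certisca=$(printf '%s\n' "$certtext" | \
    awk 'BEGIN { ca=0; }
         /CA:FALSE/ { ca=0; } /CA:TRUE/ { ca=1; }
         END { print ca; }')

  # self-signed roots do not belong in the served chain
  if [ "$certcn" = "$issuercn" ] || [ "$issuercn" = "AddTrust External CA Root" ]
  then
    continue
  fi

  # these CAs as intermediate subjects are known useless
  case "$certcn" in
    "AAA Certificate Services" ) continue ;;
    "USERTrust RSA Certification Authority" ) continue ;;
    * ) ;;
  esac

  if [ "$certisca" -eq 0 ]; then
    certfn=$(printf '%s\n' "$certcn" | sed -e 's/[^-a-zA-Z0-9_\.]/_/g')
    certfndated=$(printf '%s\n' "$certcn issued $certdate" | \
      sed -e 's/[^-a-zA-Z0-9_]/_/g')
    echo "Processing EEC certificate: $certcn"
    friendlyname="${friendlyname:-$certcn issued $certdate}"
    echo "  (friendly name: $friendlyname)"

    # back up an existing leaf only when backups are enabled (-f empties
    # $bckprefix), the same way the chain is handled; unconditionally moving
    # it produced a hidden ".<date>.cert-..." file under -f
    if [ -f "$destdir/cert-$credbase.pem" ] && [ -n "$bckprefix" ]; then
      mv "$destdir/cert-$credbase.pem" "$destdir/$bckprefix.$DATE.cert-$credbase.pem"
    fi
    cat "$i" > "$destdir/cert-$credbase.pem"

    # the issuing CA name selects the TCS profile used for per-profile copies
    case "$issuercn" in
      GEANT\ OV\ *) profile="ov" ;;
      GEANT\ EV\ *) profile="ev" ;;
      GEANT\ eScience\ *) profile="igtfov" ;;
      * ) profile="" ;;
    esac
  else
    echo "Processing CA certificate: $certcn"
    if [ $havewrittenchain -eq 0 ]; then
      if [ -f "$destdir/chain-$credbase.pem" ] && [ -n "$bckprefix" ]; then
        mv "$destdir/chain-$credbase.pem" \
           "$destdir/$bckprefix.$DATE.chain-$credbase.pem"
      fi
      havewrittenchain=1
      # truncate with ':' -- "echo -ne" is not POSIX; dash prints "-ne"
      # literally, which put a junk first line into the chain file
      : > "$destdir/chain-$credbase.pem"
    fi
    cat "$i" >> "$destdir/chain-$credbase.pem"
  fi

done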
253
254 # ############################################################################
255 # cleanup intermate files and name output properly
256 #
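# ############################################################################
# cleanup intermediate files and name output properly
#
# Remove the per-certificate working files and the working directory; a
# directory that cannot be removed means something unexpected was left in
# it, which is reported but not fatal.  Globs and names stay quoted since
# $credbase comes from the user's file name.
rm -f "$tempdir"/cert-*-"$credbase".pem
rm -f "$tempdir/p7b-$credbase.pem"
if ! rmdir "$tempdir"; then
  echo "Error: cannot remove working directory $tempdir" >&2
  echo "       internal inconsistency or prior error encountered" >&2
fi

# rename, if so required: -r uses the EEC CN, -R the CN plus issue date,
# -x keeps the .p7b base name.  Fall back to the base name when no EEC was
# found ($certfn / $certfndated are then still empty).
if [ -n "$nameformat" ]; then
  case "$nameformat" in
    friendly ) certfn="${certfn:-$credbase}" ;;
    dated )    certfn="${certfndated:-$credbase}" ;;
    * ) echo "Unknown filename format, error" >&2 ; exit 2 ;;
  esac
  # only move when the name actually changes (mv of a file onto itself
  # reports an error) and the file was produced at all
  if [ "$certfn" != "$credbase" ]; then
    for kind in cert chain; do
      if [ -f "$destdir/$kind-$credbase.pem" ]; then
        mv "$destdir/$kind-$credbase.pem" "$destdir/$kind-$certfn.pem"
      else
        echo "Warning: $kind-$credbase.pem was not produced from $pkfile" >&2
      fi
    done
  fi
else
  certfn="$credbase"
fi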
280
281 # ############################################################################
282 # create the nginx compatible single file: cert+chain concatenated
283 #
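# ############################################################################
# create the nginx compatible single file: cert+chain concatenated
#
# Only build the bundle when the leaf certificate exists: concatenating
# whatever happens to be present would otherwise silently yield a bundle
# that consists of the chain alone.
if [ -s "$destdir/cert-$certfn.pem" ]; then
  if [ -s "$destdir/chain-$certfn.pem" ]; then
    cat "$destdir/cert-$certfn.pem" "$destdir/chain-$certfn.pem" \
      > "$destdir/nginx-$certfn.pem"
  else
    echo "Warning: no CA chain found, nginx-$certfn.pem contains only the EEC" >&2
    cat "$destdir/cert-$certfn.pem" > "$destdir/nginx-$certfn.pem"
  fi
else
  echo "Warning: no EEC certificate found in $pkfile, no nginx bundle written" >&2
fi

# ############################################################################
# make per-profile copies in case of key re-use for same host new profile
#
# $profile (ov / ev / igtfov) was derived from the EEC issuer above;
# presumably the tagged copies keep a certificate from being overwritten
# when the same host later gets one under another profile.
if [ -n "$profile" ]; then
  for kind in cert chain nginx; do
    if [ -f "$destdir/$kind-$certfn.pem" ]; then
      cp -p "$destdir/$kind-$certfn.pem" "$destdir/$profile-$kind-$certfn.pem"
    fi
  done
fi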
295
296 # ############################################################################
297 # inform user of result and of globus compatibility
298 #
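# ############################################################################
# inform user of result
#
# printf instead of "echo -ne": the shebang is /bin/sh and dash's echo knows
# no -e, so it printed "-ne" literally in front of each file name.
echo "The following files have been created for you:"
for f in "$destdir/cert-$certfn.pem" "$destdir/chain-$certfn.pem" \
         "$destdir/nginx-$certfn.pem"; do
  if [ -f "$f" ]; then
    printf '  '; ls -l1a "$f"
  fi
done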
302
303 #
304 #
305 # ############################################################################

Properties

Name Value
svn:executable *
