
update shibboleth_keygen.sh

pcaskey committed Oct 27, 2018
1 parent 0929c38 commit 7160c7adec82bdc9551efa1ed75cbdbeab6ae4aa
Showing with 32 additions and 15 deletions.
  1. +32 −15 container_files/system/shibboleth_keygen.sh
@@ -1,37 +1,45 @@
#! /bin/sh

while getopts h:u:g:o:e:y:bf c
while getopts n:h:u:g:o:e:y:bf c
do
case $c in
u) USER=$OPTARG;;
g) GROUP=$OPTARG;;
o) OUT=$OPTARG;;
b) BATCH=1;;
f) FORCE=1;;
h) FQDN=$OPTARG;;
e) ENTITYID=$OPTARG;;
y) YEARS=$OPTARG;;
\?) echo "shibboleth_keygen [-o output directory (default .)] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
n) PREFIX=$OPTARG;;
\?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-n filename prefix (default 'sp')]"
exit 1;;
esac
done

if [ -z "$OUT" ] ; then
OUT=.
fi

if [ -z "$PREFIX" ]; then
PREFIX="sp"
fi

if [ -n "$FORCE" ] ; then
rm $OUT/sp-key.pem $OUT/sp-cert.pem
rm $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
fi

if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
if [ -s $OUT/${PREFIX}-key.pem -o -s $OUT/${PREFIX}-cert.pem ] ; then
if [ -z "$BATCH" ] ; then
echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
echo The files $OUT/${PREFIX}-key.pem and/or $OUT/${PREFIX}-cert.pem already exist!
echo Use -f option to force recreation of keypair.
exit 2
fi
exit 0
fi

if [ -z "$FQDN" ] ; then
FQDN=`hostname --fqdn`
FQDN=`hostname`
fi

if [ -z "$YEARS" ] ; then
@@ -46,14 +54,14 @@ else
ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi

SSLCNF=$OUT/sp-cert.cnf
SSLCNF=$OUT/${PREFIX}-cert.cnf
cat >$SSLCNF <<EOF
# OpenSSL configuration file for creating sp-cert.pem
# OpenSSL configuration file for creating keypair
[req]
prompt=no
default_bits=2048
default_bits=3072
encrypt_key=no
default_md=sha1
default_md=sha256
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
@@ -65,11 +73,20 @@ subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF

touch $OUT/sp-key.pem
chmod 600 $OUT/sp-key.pem
touch $OUT/${PREFIX}-key.pem
chmod 600 $OUT/${PREFIX}-key.pem
if [ -z "$BATCH" ] ; then
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/${PREFIX}-key.pem -out $OUT/${PREFIX}-cert.pem
else
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/${PREFIX}-key.pem -out $OUT/${PREFIX}-cert.pem 2> /dev/null
fi
rm $SSLCNF

if [ -s $OUT/${PREFIX}-key.pem -a -n "$USER" ] ; then
chown $USER $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
fi
rm $SSLCNF

if [ -s $OUT/${PREFIX}-key.pem -a -n "$GROUP" ] ; then
chgrp $GROUP $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
fi
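Review bot: The new `-n` value reaches `rm`, `touch`, `chmod`, `chown` and `chgrp` unquoted and unvalidated (`rm $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem` in the first hunk, and the chown/chgrp block at the end of the last hunk), so a prefix containing whitespace, glob characters or `../` would be word-split, expanded, or escape the output directory. Rejecting anything outside a safe character set right after the `PREFIX="sp"` default, e.g. `case "$PREFIX" in *[!A-Za-z0-9_-]*) echo "invalid -n prefix" >&2; exit 1;; esac`, and double-quoting every `$OUT/${PREFIX}-…` expansion closes that; the same quoting gap applies to `$OUT`, which this commit does not touch. Separately, the added ownership block tests `-n "$USER"`, and `USER` is commonly exported by login shells, so the `chown` may run even when `-u` was never passed; presumably the intent is opt-in, in which case `USER= GROUP=` before the `getopts` loop (or a variable name that does not collide with the environment) would make it so.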
