From: Andreas Steffen Date: Mon, 6 Nov 2023 18:33:25 +0000 (+0100) Subject: cert-enroll: Install TLS client/server credentials X-Git-Tag: 5.9.12rc1~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f328ef0e0449e8b497718154a88f269264e94cfc;p=thirdparty%2Fstrongswan.git cert-enroll: Install TLS client/server credentials Install the generated key, host certificate and associated CA certificates as credentials for a TLS-protected client-server connection. --- diff --git a/src/cert-enroll/Makefile.am b/src/cert-enroll/Makefile.am index 16cd978d34..f2eb9e6e01 100644 --- a/src/cert-enroll/Makefile.am +++ b/src/cert-enroll/Makefile.am @@ -26,6 +26,7 @@ install-data-local: cert_install_availabledir = $(sysconfdir)/cert-enroll.d/cert-install-available cert_install_available_DATA = \ + cert-install-ssl \ cert-install-sssd \ cert-install-dirsrv \ cert-install-lighttpd \ @@ -41,8 +42,8 @@ cert-install-ipsec : cert-install-ipsec.in EXTRA_DIST = \ cert-enroll.conf cert-enroll.in cert-enroll.service.in cert-enroll.timer \ cert-install-dirsrv cert-install-gitea cert-install-ipsec.in \ - cert-install-lighttpd cert-install-openxpki cert-install-sssd \ - cert-install-swanctl.in + cert-install-lighttpd cert-install-openxpki cert-install-ssl \ + cert-install-sssd cert-install-swanctl.in man8_MANS = cert-enroll.8 diff --git a/src/cert-enroll/cert-enroll.conf b/src/cert-enroll/cert-enroll.conf index d690465005..d2b12c82f9 100644 --- a/src/cert-enroll/cert-enroll.conf +++ b/src/cert-enroll/cert-enroll.conf @@ -40,6 +40,12 @@ # ECDSA private key size in bits : ${ECDSA_SIZE=256} +# User group to be assigned to the private key (used by cert-install-ssl) +: ${USER_GROUP=systemd-journal-upload} + +# Systemd service using the private key (used by cert-install-ssl) +: ${SERVICE=systemd-journal-upload} + # Fully Qualified Domain Name and Distinguished Name : ${FQDN=`hostname`} : ${DN="C=CH, O=Example Company, CN=$FQDN"} 
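Review bot: The two new cert-enroll.conf comments say the settings are used by cert-install-ssl but not that USER_GROUP also names the credentials directory, `/etc/ssl/$USER_GROUP`, nor that the group must already exist on the host (the installer runs `chgrp $USER_GROUP` under `set -e`, so a missing group aborts the whole install step). I would extend the first comment to `# User group to be assigned to the private key; must exist and also names the credentials directory /etc/ssl/$USER_GROUP (used by cert-install-ssl)`. A one-line hint that a TLS consumer other than systemd-journal-upload needs both USER_GROUP and SERVICE overridden would also help, since the installer script itself is generic while the defaults are specific to journal upload.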
diff --git a/src/cert-enroll/cert-install-ssl
new file mode 100644
index 0000000000..4db7c0b9cd
--- /dev/null
+++ b/src/cert-enroll/cert-install-ssl
@@ -0,0 +1,61 @@
+#!/bin/bash
+# Install the generated key, host certificate and associated CA certificates
+# as credentials for a TLS-protected client-server connection.
+#
+# Copyright (C) 2023 Andreas Steffen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+set -e
+
+##############################################################################
+# Set local paths
+#
+
+# Path to the SSL credentials directory
+SSL_DIR="/etc/ssl/$USER_GROUP"
+
+##############################################################################
+# Create a credentials directory with given user group settings
+#
+mkdir -p $SSL_DIR
+chgrp $USER_GROUP $SSL_DIR
+chmod g+s $SSL_DIR
+cp $CERTDIR/{$HOSTKEY,$HOSTCERT} $SSL_DIR
+chmod g+r $SSL_DIR/$HOSTKEY
+
+cat $CERTDIR/{$ROOTCA,$SUBCA} > $SSL_DIR/trusted.pem
+if [ -s $CERTDIR/old/$ROOTCA ]
+then
+ cat $CERTDIR/old/$ROOTCA >> $SSL_DIR/trusted.pem
+fi
+if [ -s $CERTDIR/old/$SUBCA ]
+then
+ cat $CERTDIR/old/$SUBCA >> $SSL_DIR/trusted.pem
+fi
+
+##############################################################################
+# Restart the systemd service if it is active
+#
+
+if /usr/bin/systemctl -q is-active $SERVICE
+then
+ /usr/bin/systemctl restart $SERVICE
+fi
+exit 0
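Review bot: The private key's final mode is never pinned, because `chmod g+r $SSL_DIR/$HOSTKEY` only adds a bit on top of whatever `cp` produced; if the source key in $CERTDIR is more permissive than 0640, or a copy already exists in $SSL_DIR (cp onto an existing file keeps that file's mode and group, so the setgid inheritance from the directory does not help there), world-readable bits survive. Setting mode and group explicitly is the safer idiom: replace the cp/chmod pair with `install -m 640 -g "$USER_GROUP" "$CERTDIR/$HOSTKEY" "$SSL_DIR/$HOSTKEY"` and `install -m 644 -g "$USER_GROUP" "$CERTDIR/$HOSTCERT" "$SSL_DIR/$HOSTCERT"`. The same consideration applies to the directory, since `mkdir -p` leaves a pre-existing /etc/ssl/$USER_GROUP untouched; a `chmod 750 "$SSL_DIR"` next to the existing chgrp would pin it, if nothing outside the group needs to read trusted.pem. The script also depends on CERTDIR, HOSTKEY, HOSTCERT, ROOTCA, SUBCA, USER_GROUP and SERVICE being exported by the caller (presumably cert-enroll via cert-enroll.conf, not visible here) and expands all of them unquoted, so a header comment listing the expected variables and quoting the expansions would make failures clearer under `set -e`.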