#!/usr/local/bin/bash
##
## install-cert.sh
##
##  Copyright (c) 2004 SIPfoundry, Inc.
##  License by SIPfoundry under the LGPL license.
##  
##  Copyright (c) 2004 Pingtel Corp.
##  Licensed to SIPfoundry under a Contributor Agreement.
##

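## Install a server certificate/key pair (and, when found alongside it, the
## issuing CA certificate) into the sipX SSL configuration directory.
##
## Usage: install-cert.sh [ <server-name> ]
##   <server-name> is the base name of the <server-name>.crt / .key pair in
##   the current directory; it defaults to the output of `hostname`.
##
## @OPENSSL@, @bindir@, @SIPX_CONFDIR@ and @SIPXPBXUSER@ are build-time
## placeholders substituted when the package is built.

Action=INSTALL
Basename=""

## Exactly one optional positional argument is accepted; any switch (-*) or
## a second positional argument sends us to the usage text.
while [[ $# -ne 0 ]]
do
    case ${1} in
        ##
        ## handle an unknown switch
        ##
        -*)
            Action=USAGE
            break
            ;;

        # positional arguments
        *)
            if [[ -z "${Basename}" ]]
            then
                Basename=${1}
            else
                echo "Too many arguments supplied: $*" 1>&2
                Action=USAGE
                break
            fi
            ;;
    esac

    shift # always consume 1
done

if [[ -z "${Basename}" ]]
then
    Basename=$(hostname)
fi

## Both halves of the pair must be present before anything is touched.
if [[ ! -f "${Basename}.crt" || ! -f "${Basename}.key" ]]
then
    cat <<EOF 1>&2
! Certificate and key not found for ${Basename}
  ${Basename}.crt
  ${Basename}.key

EOF
    Action=USAGE
fi

if [[ "${Action}" == "USAGE" ]]
then
    cat <<EOF
Usage:
   install-cert.sh [ <server-name> ]

   The server-name specifies the base name of the .key and .crt files
   generated by the gen-ssl-keys.sh script.  If not specified, it defaults
   to the fully qualified host name of the system.

   The certificate is examined to find the issuer name; if a CA certificate
   is found in the same directory with that name (with a '.crt' suffix),
   then that certificate is installed as a trusted authority.

EOF
    exit 1
fi

## The issuer commonName is read out of the certificate being installed, so
## it is data we did not write ourselves.  It is only ever used as a plain
## file name in the current directory and in the authorities store, so a
## value containing a path separator, or naming '.' or '..', is rejected
## rather than allowed to form a path outside those directories.
caName=$(@OPENSSL@ x509 -in "${Basename}.crt" -issuer -nameopt RFC2253,multiline -noout \
           | perl -ne 'use English; m/^ +commonName += / && print $POSTMATCH')
case "${caName}" in
    */* | . | ..)
        echo "! Ignoring issuer name '${caName}': not usable as a file name" 1>&2
        caName=""
        ;;
esac

## Arguments for check-cert.sh.  An array keeps a CA name containing spaces
## as a single argument instead of being word-split.
declare -a AuthoritySwitch=()
if [[ -n "${caName}" && -f "${caName}.crt" ]]
then
    AuthoritySwitch=(--authority "${caName}.crt")
fi

echo "Checking the ${Basename} certificate"

if @bindir@/ssl-cert/check-cert.sh "${AuthoritySwitch[@]}" "${Basename}.crt"
then

    # Create the store with its final mode so it is never briefly readable
    # by other users between mkdir and chmod.
    if [[ ! -d @SIPX_CONFDIR@/ssl ]]
    then
        mkdir -m 0700       @SIPX_CONFDIR@/ssl || exit 1
        chown @SIPXPBXUSER@ @SIPX_CONFDIR@/ssl || exit 1
    fi

    # Trust decision: a file in the current directory whose name matches the
    # issuer commonName is installed as a trusted authority.  This relies on
    # the operator having placed the correct CA certificate here.
    if [[ -n "${caName}" && -f "${caName}.crt" ]]
    then
        # create the sipX authorities store directory
        if [[ ! -d @SIPX_CONFDIR@/ssl/authorities ]]
        then
            mkdir -m 0700       @SIPX_CONFDIR@/ssl/authorities || exit 1
            chown @SIPXPBXUSER@ @SIPX_CONFDIR@/ssl/authorities || exit 1
        fi

        echo "Installing ${caName}.crt certificate as a trusted CA"
        cp -v -- "${caName}.crt" "@SIPX_CONFDIR@/ssl/authorities/${caName}.crt" || exit 1
        chown @SIPXPBXUSER@      "@SIPX_CONFDIR@/ssl/authorities/${caName}.crt" || exit 1
        chmod 0644               "@SIPX_CONFDIR@/ssl/authorities/${caName}.crt" || exit 1

        # regenerate the hash symlinks for the certificate store; a store
        # that is not rehashed will not be consulted, so a failure here is
        # fatal like every other step.
        @bindir@/ssl-cert/ca_rehash || exit 1
    fi

    echo "Installing the ${Basename} certificate"
    cp -v -- "${Basename}.crt" @SIPX_CONFDIR@/ssl/ssl.crt || exit 1
    chown @SIPXPBXUSER@        @SIPX_CONFDIR@/ssl/ssl.crt || exit 1
    chmod 0600                 @SIPX_CONFDIR@/ssl/ssl.crt || exit 1

    echo "Installing the ${Basename} private key"
    # Copy under a restrictive umask so a newly created key file never has a
    # mode wider than the 0600 it ends up with.
    ( umask 077 && cp -v -- "${Basename}.key" @SIPX_CONFDIR@/ssl/ssl.key ) || exit 1
    chown @SIPXPBXUSER@        @SIPX_CONFDIR@/ssl/ssl.key || exit 1
    chmod 0600                 @SIPX_CONFDIR@/ssl/ssl.key || exit 1

    echo "Checking the installed certificate"
    if @bindir@/ssl-cert/check-cert.sh @SIPX_CONFDIR@/ssl/ssl.crt
    then
        cat <<EOF

  Your sipX SSL security is now configured.

EOF

        # -enddate prints "notAfter=<date>"; keep only the date.
        cert_expires=$(@OPENSSL@ x509 -in "${Basename}.crt" -noout -enddate)
        cert_expires=${cert_expires#notAfter=}

        cat <<EOF

  Your server certificate will expire ${cert_expires}. 

EOF

    else
        echo "Post-install check failed." 1>&2
        exit 1
    fi

else
    cat <<EOF 1>&2

! Check failed - certificate and key not installed.
EOF

    if [[ -n "${caName}" ]]
    then
        cat <<EOF 1>&2

  You may need to obtain the root certificate for your CA (${caName}).
  If you get a copy of the root certificate, put it in this directory, named
  ${caName}.crt and rerun this command.

EOF
    fi
    exit 1
fi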
