#!/usr/local/bin/bash
##
## install-cert.sh
##
## Copyright (c) 2004 SIPfoundry, Inc.
## Licensed by SIPfoundry under the LGPL license.
##
## Copyright (c) 2004 Pingtel Corp.
## Licensed to SIPfoundry under a Contributor Agreement.
##
Action=INSTALL
Basename=""
##
## Command line: at most one positional argument, the base name of the
## certificate/key pair. No switches are defined, so anything that looks
## like one (a leading '-') turns the run into a usage request, and so does
## a second positional argument. Arguments are consumed one at a time.
##
while [ $# -gt 0 ]
do
  case "${1}" in
    -*)
      # unknown switch: stop parsing and fall through to the usage text
      Action=USAGE
      break
      ;;
    *)
      if [ -n "${Basename}" ]
      then
        # a name was already taken; report everything that is left over
        echo "Too many arguments supplied: $*" 1>&2
        Action=USAGE
        break
      fi
      Basename=${1}
      ;;
  esac
  shift
done
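if [ -z "${Basename}" ]
then
  ## Default to the local host name, which is what gen-ssl-keys.sh is
  ## expected to have used. NOTE(review): the usage text promises the fully
  ## qualified name, but plain `hostname` prints only the short name on some
  ## systems -- confirm the default actually matches the generated files.
  Basename=$(hostname)
fi
## Both halves of the pair must exist before anything is touched; a missing
## file degrades the run into a usage request rather than a partial install.
## (Two separate tests instead of the deprecated, ambiguous `[ a -a b ]`.)
if [ ! -f "${Basename}.crt" ] || [ ! -f "${Basename}.key" ]
then
  cat <<EOF 1>&2
! Certificate and key not found for ${Basename}
${Basename}.crt
${Basename}.key
EOF
  Action=USAGE
fi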
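## Usage text. Reached for a bad command line as well as for a missing
## certificate/key pair; in both cases the script exits with status 1
## without having touched the configuration directory.
if [ "${Action}" = "USAGE" ]
then
  cat <<EOF
Usage:
install-cert.sh [ <server-name> ]
The server-name specifies the base name of the .key and .crt files
generated by the gen-ssl-keys.sh script. If not specified, it defaults
to the fully qualified host name of the system.
The certificate is examined to find the issuer name; if a CA certificate
is found in the same directory with that name (with a '.crt' suffix),
then that certificate is installed as a trusted authority.
EOF
  exit 1
fi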
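##
## Find the issuer of the server certificate. The issuer commonName comes out
## of the certificate itself, i.e. it is data the operator did not type, and
## it is about to be used as a file name both in the current directory and in
## the authorities store. It is therefore only ever used as a bare file name:
## anything containing a '/', starting with '-', equal to '.' or '..', or
## containing control characters (e.g. a second commonName line) is refused
## and treated as "issuer unknown" instead of being spliced into a path.
##
caName=$(@OPENSSL@ x509 -in "${Basename}.crt" -issuer -nameopt RFC2253,multiline -noout \
         | perl -ne 'use English; m/^ +commonName += / && print $POSTMATCH')
case "${caName}" in
  */* | -* | . | .. | *[[:cntrl:]]* )
    # %q keeps any odd bytes in the name from reaching the terminal raw
    printf '! Issuer name %q is not a safe file name; no CA certificate will be looked up for it\n' "${caName}" 1>&2
    caName=""
    ;;
esac
## Trust in the issuer is established purely by the presence of a file named
## <issuer>.crt in the current directory; the operator is responsible for that
## file being the genuine root. The switch is kept as an array so a CA name
## containing spaces (common, e.g. "Example Root CA") reaches check-cert.sh as
## one argument instead of being word-split.
checkArgs=()
if [ -n "${caName}" ] && [ -f "${caName}.crt" ]
then
  checkArgs=(--authority "${caName}.crt")
fi
echo "Checking the ${Basename} certificate"
## NOTE(review): only the certificate is handed to check-cert.sh; nothing in
## this script confirms that ${Basename}.key is the matching private key --
## confirm check-cert.sh (or gen-ssl-keys.sh) covers that.
if @bindir@/ssl-cert/check-cert.sh "${checkArgs[@]}" "${Basename}.crt"
then
  ## Create everything below with owner-only permissions from the start, so
  ## the private key is never readable by others between `cp` and `chmod`
  ## (the directory permissions are only set when this script creates the
  ## directory, so a pre-existing one cannot be relied on to close that gap).
  ## An existing ssl.key keeps its current mode until the chmod below.
  umask 077
  if [ ! -d @SIPX_CONFDIR@/ssl ]
  then
    mkdir -m 0700 @SIPX_CONFDIR@/ssl || exit 1
    chown @SIPXPBXUSER@ @SIPX_CONFDIR@/ssl || exit 1
    chmod 0700 @SIPX_CONFDIR@/ssl || exit 1
  fi
  if [ -n "${caName}" ] && [ -f "${caName}.crt" ]
  then
    # create the sipX authorities store directory
    if [ ! -d @SIPX_CONFDIR@/ssl/authorities ]
    then
      mkdir -m 0700 @SIPX_CONFDIR@/ssl/authorities || exit 1
      chown @SIPXPBXUSER@ @SIPX_CONFDIR@/ssl/authorities || exit 1
      chmod 0700 @SIPX_CONFDIR@/ssl/authorities || exit 1
    fi
    echo "Installing ${caName}.crt certificate as a trusted CA"
    cp -v -- "${caName}.crt" "@SIPX_CONFDIR@/ssl/authorities/${caName}.crt" || exit 1
    chown @SIPXPBXUSER@ "@SIPX_CONFDIR@/ssl/authorities/${caName}.crt" || exit 1
    chmod 0644 "@SIPX_CONFDIR@/ssl/authorities/${caName}.crt" || exit 1
    # regenerate the hash symlinks for the certificate store; without them the
    # CA just copied in is presumably not found, so a failed rehash is fatal
    @bindir@/ssl-cert/ca_rehash || exit 1
  fi
  echo "Installing the ${Basename} certificate"
  cp -v -- "${Basename}.crt" @SIPX_CONFDIR@/ssl/ssl.crt || exit 1
  chown @SIPXPBXUSER@ @SIPX_CONFDIR@/ssl/ssl.crt || exit 1
  chmod 0600 @SIPX_CONFDIR@/ssl/ssl.crt || exit 1
  echo "Installing the ${Basename} private key"
  cp -v -- "${Basename}.key" @SIPX_CONFDIR@/ssl/ssl.key || exit 1
  chown @SIPXPBXUSER@ @SIPX_CONFDIR@/ssl/ssl.key || exit 1
  chmod 0600 @SIPX_CONFDIR@/ssl/ssl.key || exit 1
  echo "Checking the installed certificate"
  if @bindir@/ssl-cert/check-cert.sh @SIPX_CONFDIR@/ssl/ssl.crt
  then
    cat <<EOF
Your sipX SSL security is now configured.
EOF
    # report the expiry of the copy that is actually in place
    cert_expires=$(@OPENSSL@ x509 -in @SIPX_CONFDIR@/ssl/ssl.crt -noout -enddate | sed 's/notAfter=//')
    cat <<EOF
Your server certificate will expire ${cert_expires}.
EOF
  else
    echo "Post-install check failed." 1>&2
    exit 1
  fi
else
  cat <<EOF 1>&2
! Check failed - certificate and key not installed.
EOF
  if [ -n "${caName}" ]
  then
    cat <<EOF 1>&2
You may need to obtain the root certificate for your CA (${caName}).
If you get a copy of the root certificate, put it in this directory, named
${caName}.crt and rerun this command.
EOF
  fi
  exit 1
fi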