
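# 1. setup CA for use in Sigul
#	used for authentication between server and bridge
#	and between clients and bridge
#
# Builds a small Sigul PKI with the NSS tools: a self-signed CA, one
# certificate each for the bridge and the server and one per client user,
# then creates the NSS database plus config file for every party. Bridge
# and server material is pushed with scp (as root) to /var/lib/sigul and
# /etc/sigul on the respective hosts; client databases and client.conf
# files are left under $ca_dir/client/<user>/ for distribution by hand.
#
# Needs: certutil and pk12util (nss-tools), root ssh access to both hosts.
#
# The NSS password ends up in the generated *.conf files and, while the
# script runs, in the nss-passwd/p12-passwd files. Do not enable `set -x`
# here: the command trace would print it.

# -e: abort on the first failing certutil/pk12util/scp instead of pushing a
#     half-built database; -u: catch typos in variable names. No pipelines
#     are used, so pipefail is not needed and the script stays sh-compatible.
set -eu

#
# settings — each one can be overridden from the environment
#
# The CA key database is created under $ca_dir. A world-writable parent
# such as /tmp lets any local user pre-create that path; use a directory
# under $HOME for anything beyond a test setup.
ca_dir=${ca_dir:-/tmp/sigul}
users=${users:-"user1 user2"}                 # space separated client names
bridge_host=${bridge_host:-bridge.example.com}
server_host=${server_host:-server.example.com}
# Placeholder passwords for the NSS databases and the PKCS#12 transport
# files; replace them for a real deployment.
nss_password=${nss_password:-SecretPasswd}
p12_password=${p12_password:-SecretPasswd}
nsspwdfile=nss-passwd
p12pwdfile=p12-passwd
cert_validity=120                             # months, for certutil -v

# Print a blank line followed by a step banner.
step() {
  printf '\n%s\n' "$*"
}

# Write $2 plus a trailing newline to file $1 with mode 0600, so the
# password is not world-readable while certutil/pk12util read it.
write_secret() {
  ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Issue a certificate signed by sigul-ca and export key + cert to PKCS#12.
#   $1 - nickname in the CA database   $2 - subject   $3 - output .p12 file
issue_cert() {
  certutil -d "$ca_dir" -S -f "$nsspwdfile" -n "$1" -s "$2" -c sigul-ca -t u,, -v "$cert_validity"
  pk12util -d "$ca_dir" -k "$nsspwdfile" -w "$p12pwdfile" -o "$3" -n "$1"
}

# Create an empty NSS database in directory $1.
new_db() {
  mkdir -p -- "$1"
  certutil -d "$1" -N -f "$nsspwdfile"
}

# Import the CA certificate (CT,, = trusted to issue server and client
# certificates) and the key + cert from PKCS#12 file $2 into the database
# in $1; $2 is removed afterwards.
import_certs() {
  certutil -d "$1" -A -f "$nsspwdfile" -n sigul-ca -t CT,, -a -i sigul-ca.pem
  pk12util -d "$1" -k "$nsspwdfile" -w "$p12pwdfile" -i "$2"
  rm -f -- "$2"
}

# Copy the database files from directory $1 to root@$2:/var/lib/sigul.
push_db() {
  # scp -p keeps modes and times, but the remote files are created by the
  # login user (root); the local chown is kept from the original script and
  # ownership on the target may still need fixing by hand.
  chown sigul:sigul "$1"/* \
    || printf 'warning: chown sigul:sigul failed for %s\n' "$1" >&2
  scp -rp "$1"/* "root@$2:/var/lib/sigul"
}

# Remove the local secrets on every exit path, including an aborted run.
cleanup() {
  rm -f -- "$nsspwdfile" "$p12pwdfile" sigul-ca.pem bridge-cert.p12 server-cert.p12
  for user in $users; do
    rm -f -- "$user-cert.p12"
  done
}
trap cleanup EXIT

write_secret "$nsspwdfile" "$nss_password"
write_secret "$p12pwdfile" "$p12_password"

[ -d "$ca_dir" ] || mkdir -p -- "$ca_dir"
chmod 700 -- "$ca_dir"                        # holds the CA private key database
# ":?" aborts rather than expanding to "rm -rf /*" should ca_dir be empty
rm -rf -- "${ca_dir:?}"/*

step "Creating NSS database ..."
certutil -d "$ca_dir" -N -f "$nsspwdfile"

step "Creating CA ..."
certutil -d "$ca_dir" -S -f "$nsspwdfile" -n sigul-ca -s 'CN=Sigul CA' -t CT,, -x -v "$cert_validity"

step "Exporting CA cert ..."
certutil -d "$ca_dir" -L -n sigul-ca -a > sigul-ca.pem

# bridge cert
step "Creating bridge cert ..."
issue_cert sigul-bridge-cert "CN=$bridge_host" bridge-cert.p12

# server cert
step "Creating server cert ..."
issue_cert sigul-server-cert "CN=$server_host" server-cert.p12

# users/clients — $users is deliberately unquoted: it is a space separated list
for user in $users; do
  step "Creating client cert for $user ..."
  issue_cert "sigul-$user-cert" "CN=$user" "$user-cert.p12"
done

# show NSS database
certutil -d "$ca_dir" -L

#
# 2. prepare bridge NSS database
#
bridge_dir=$ca_dir/bridge

step "Creating bridge NSS database ..."
new_db "$bridge_dir"

step "Importing CA and bridge certs ..."
import_certs "$bridge_dir" bridge-cert.p12

step "Copying NSS database to bridge ..."
push_db "$bridge_dir" "$bridge_host"

# bridge.conf carries the NSS password in clear text; it is pushed with its
# local mode, so check its permissions on the bridge afterwards.
cat > "$bridge_dir/bridge.conf" << EOF
[daemon]
unix-user: sigul
unix-group: sigul

[koji]
koji-config: /var/lib/sigul/koji/config

[nss]
nss-password: $nss_password
EOF

step "Copying config to bridge ..."
scp -rp "$bridge_dir/bridge.conf" "root@$bridge_host:/etc/sigul"

#
# 3. prepare server NSS database
#
server_dir=$ca_dir/server

step "Creating server NSS database ..."
new_db "$server_dir"

step "Importing CA and server certs ..."
import_certs "$server_dir" server-cert.p12

step "Copying NSS database to server ..."
push_db "$server_dir" "$server_host"

# server.conf carries the NSS password in clear text; it is pushed with its
# local mode, so check its permissions on the server afterwards.
cat > "$server_dir/server.conf" << EOF
[server]
bridge-hostname: $bridge_host

[daemon]
unix-user: sigul
unix-group: sigul

[nss]
nss-password: $nss_password
EOF

step "Copying config to server ..."
scp -rp "$server_dir/server.conf" "root@$server_host:/etc/sigul"

#
# 4. prepare clients' NSS databases
#
# Nothing is copied anywhere: each $client_dir/<user>/ holds the database
# and client.conf to hand to that user.
client_dir=$ca_dir/client
mkdir -p -- "$client_dir"

for user in $users; do
  user_dir=$client_dir/$user
  step "Creating NSS database for $user ..."
  new_db "$user_dir"
  step "Importing CA and user certs ..."
  import_certs "$user_dir" "$user-cert.p12"

  cat > "$user_dir/client.conf" << EOF
[client]
bridge-hostname: $bridge_host
server-hostname: $server_host
client-cert-nickname: sigul-$user-cert
user-name: $user

[koji]
koji-config: ~/.koji/your-config

[nss]
nss-password: $nss_password
EOF

done

# nss-passwd, p12-passwd and sigul-ca.pem are removed by the EXIT trap.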
