
Seeding certificates at install time

Regarding a recent posting on fedora-devel, I'm considering what would be involved in making the self-signed certificates that various RPMs install as part of their %post/%pre sections (openssl, sendmail, mod_ssl, proftpd, cyrus-imapd, etc.) a bit more meaningful than just:

# rpm -q --scripts cyrus-imapd
preinstall scriptlet (using /bin/sh):
...
if [ ! -f /etc/pki/cyrus-imapd/cyrus-imapd.pem ]; then
    pushd /etc/pki/tls/certs
    umask 077
    /bin/cat << EOF | make cyrus-imapd.pem
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
localhost.localdomain
root@localhost.localdomain
EOF
    /bin/chown root.mail cyrus-imapd.pem
    /bin/chmod 640 cyrus-imapd.pem
    mv cyrus-imapd.pem /etc/pki/cyrus-imapd/cyrus-imapd.pem
    popd
fi
...


and to that end, I wanted to have Anaconda/Kickstart allow one to populate a file such as /etc/certinfo with a few fields:

#
# Certificate seed data, generated XX/XX/XXXX
#
C='US'
ST='Idaho'
L='Boise'
O='Redfish Solutions, LLC'
OU=''

as an example. Then the various scripts could use this as seed data.

The other thing that would be useful to have, though this is more of a packaging issue, would be the ability to re-run the %post/%pre scripts (or the idempotent sections of them) that generate certificates or other network-identity-derived configuration.

This matters in cases where the CN (common name) of a certificate is generated from the hostname, for instance, and the hostname has since changed (for instance because the machine was rebooted on a production network where DHCP is configured to hand out a hostname).

An example of this is in the mod_ssl scripting:

# rpm -q --scripts mod_ssl
postinstall scriptlet (using /bin/sh):
umask 077

if [ ! -f /etc/pki/tls/private/localhost.key ] ; then
    /usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime \
        1024 > /etc/pki/tls/private/localhost.key 2> /dev/null
fi

FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
    FQDN=localhost.localdomain
fi

if [ ! -f /etc/pki/tls/certs/localhost.crt ] ; then
    cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
        -x509 -days 365 -set_serial $RANDOM \
        -out /etc/pki/tls/certs/localhost.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
fi


So, my question is basically this: what would be involved in modifying Anaconda and Kickstart to include (a) UI support for entering this information in a separate configure screen at install time, or (b) additional options for scripted installs?

It shouldn't be too much, right?

Thanks,

-Philip
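As an added example (not code from the original post or from any Fedora package), here is what a re-runnable scriptlet built on the /etc/certinfo idea could look like. It sources the seed file for C/ST/L/O/OU, derives the CN from the hostname with the same localhost.localdomain fallback the mod_ssl scriptlet uses, passes the subject to openssl with -subj instead of feeding the interactive prompts, and regenerates the certificate only when it is missing or its CN no longer matches the current hostname, so it can be re-run after a hostname change. The seed-file and key/cert paths (taken as arguments), the 2048-bit key size, and the "generated"/"kept" status words are assumptions made for this example; the demonstration at the bottom uses a constructed seed file in a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example, not from the original post or from any Fedora package:
# an idempotent certificate seeding script driven by an /etc/certinfo-style
# seed file. Paths, key size and the generated/kept status words are assumed.

# Build an OpenSSL -subj string from the C/ST/L/O/OU variables in the seed
# file ($1); the CN ($2) comes from the hostname. Empty fields are skipped and
# any "/" inside a value is escaped so it cannot terminate the RDN.
build_subject() {
    C= ST= L= O= OU=
    if [ -r "$1" ]; then
        . "$1"
    fi
    subj=
    for field in C ST L O OU; do
        eval "val=\$$field"
        if [ -n "$val" ]; then
            val=$(printf '%s' "$val" | sed 's#/#\\/#g')
            subj="$subj/$field=$val"
        fi
    done
    printf '%s/CN=%s\n' "$subj" "$2"
}

# Hostname-derived CN, with the same fallback the mod_ssl scriptlet uses.
current_fqdn() {
    fqdn=$(hostname 2>/dev/null || true)
    [ -n "$fqdn" ] || fqdn=localhost.localdomain
    printf '%s\n' "$fqdn"
}

# Print the CN of an existing PEM certificate (empty if missing/unreadable).
# RFC2253 name output puts the CN first, e.g. "subject=CN=host,O=...,C=US".
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Idempotent seeding: $1 seed file, $2 key path, $3 cert path, $4 FQDN.
# The key is generated only once; the certificate is (re)generated whenever
# it is missing or its CN no longer matches the current hostname.
seed_certificate() {
    (
        umask 077                      # key and cert are created 0600
        if [ ! -f "$2" ]; then
            openssl genrsa -out "$2" 2048 2>/dev/null
        fi
        if [ -f "$3" ] && [ "$(cert_cn "$3")" = "$4" ]; then
            echo kept
            exit 0
        fi
        openssl req -new -x509 -key "$2" -days 365 \
            -subj "$(build_subject "$1" "$4")" -out "$3" 2>/dev/null \
            && echo generated
    )
}

# Demonstration with a constructed seed file and a scratch directory standing
# in for /etc/certinfo and /etc/pki (a real scriptlet would use those paths).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    cat > "$work/certinfo" <<'EOF'
C='US'
ST='Idaho'
L='Boise'
O='Redfish Solutions, LLC'
OU=''
EOF
    fqdn=$(current_fqdn)
    seed_certificate "$work/certinfo" "$work/localhost.key" "$work/localhost.crt" "$fqdn"
    # second run with the same hostname: nothing to do
    seed_certificate "$work/certinfo" "$work/localhost.key" "$work/localhost.crt" "$fqdn"
    # hostname changed (simulated): the cert is regenerated, the key is kept
    seed_certificate "$work/certinfo" "$work/localhost.key" "$work/localhost.crt" renamed.example.com
    openssl x509 -noout -subject -in "$work/localhost.crt"
    rm -rf "$work"
fi
```

Note that the check compares only the CN against the hostname; if the seed data itself changes (say the organization is renamed), the certificate is kept, which is the conservative choice for a scriptlet that may run on every package upgrade.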
