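#!/usr/bin/env bash
# Author: Renich Bon Ciric
# Year: 2012
# License: GPLv2
#
# Generates, with GnuTLS certtool, an optional self-signed CA (--with-ca) plus
# one server and one client certificate/key pair for every host named on the
# command line. Everything is written to the current directory:
#   cacert.key / cacert.pem                       (only with --with-ca)
#   <host>_serverkey.pem / <host>_servercert.pem
#   <host>_clientkey.pem / <host>_clientcert.pem
# The *.info files next to them are the certtool templates that were used.

# abort on any failing command, unset variable or failing pipeline stage
set -euo pipefail

# set a nice umask: templates and certs come out 0440; the subshells around
# key generation tighten it further so private keys are 0400
umask 227

#
## settings
country='MX'
state='Mexico'
city='Guadalajara'
organization='woralelandia.com'
expiration=365
# certtool security level for every generated private key; passing it
# explicitly avoids depending on whatever default the installed certtool has
sec_param='high'

#
## vars
withca=''
declare -a hosts=()

#
## functions

## Print an error to stderr and stop.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

## Accept only DNS-style host names. A host name ends up both in file names
## and inside certtool templates, so path separators, whitespace or template
## keywords smuggled in via the argument list must be rejected up front.
valid_hostname() {
  local name="$1"
  (( ${#name} <= 253 )) || return 1
  [[ "${name}" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]
}

## Help
function help () {
  cat << EOF
NAME
  ${0}

SYNOPSIS
  ${0} [options] hostN [hostN...]

DESCRIPTION
  This script generates the CAcert, host and client certs and keys for libvirt to use.
  Output is written to the current directory. Host names must be plain DNS names.

OPTIONS
  --help
    Output help

  --with-ca
    Generate the CAcert and key. This is only needed once in order to sign the host and client certs.
    Existing cacert.key / cacert.pem are never overwritten; remove them first if you really want a new CA.
EOF
}

## CACert
# Creates cacert.key (0400) and the self-signed cacert.pem. Refuses to run if a
# CA already exists, because overwriting the CA key silently invalidates every
# certificate it has signed so far.
function generate_cacert () {
  local f
  for f in cacert.key cacert.pem; do
    [[ -e "${f}" ]] && die "${f} already exists; refusing to overwrite the CA"
  done

  # generate template
  cat << EOF > cacert.info
cn = ${organization}
ca
cert_signing_key
expiration_days = ${expiration}
EOF

  # generate key; the tighter umask stays inside the subshell
  ( umask 277 && certtool --generate-privkey --sec-param "${sec_param}" > cacert.key )

  # generate cert
  certtool --generate-self-signed --template cacert.info --load-privkey cacert.key --outfile cacert.pem
}

## Host Certificates
# For every entry in ${hosts} creates a server key/cert and a client key/cert,
# both signed by cacert.key. Requires an existing CA in the current directory.
function generate_certs () {
  local f host
  for f in cacert.key cacert.pem; do
    [[ -r "${f}" ]] || die "${f} not found; run with --with-ca first (or copy an existing CA here)"
  done

  # generate templates and create keys and certs
  for host in "${hosts[@]}"; do
    # dns_name puts the host into the SAN as well, which is what modern TLS
    # clients check for host name verification (CN alone is legacy)
    cat << EOF > "${host}_servercert.info"
organization = ${organization}
cn = ${host}
dns_name = ${host}
tls_www_server
encryption_key
signing_key
expiration_days = ${expiration}
EOF

    # create key
    ( umask 277 && certtool --generate-privkey --sec-param "${sec_param}" > "${host}_serverkey.pem" )

    # generate certs
    certtool --generate-certificate --template "${host}_servercert.info" --load-privkey "${host}_serverkey.pem" --load-ca-certificate cacert.pem --load-ca-privkey cacert.key --outfile "${host}_servercert.pem"

    ## TLS
    # generate templates
    cat << EOF > "${host}_clientcert.info"
country = ${country}
state = ${state}
locality = ${city}
organization = ${organization}
cn = ${host}
tls_www_client
encryption_key
signing_key
expiration_days = ${expiration}
EOF

    # generate
    ( umask 277 && certtool --generate-privkey --sec-param "${sec_param}" > "${host}_clientkey.pem" )

    # generate certs
    certtool --generate-certificate --template "${host}_clientcert.info" --load-privkey "${host}_clientkey.pem" --load-ca-certificate cacert.pem --load-ca-privkey cacert.key --outfile "${host}_clientcert.pem"
  done
}

## Instructions
# Prints the deployment steps. The tls_allowed_dn_list example is built from
# the actual settings and hosts so it is not a copy-paste trap; the exact DN
# string libvirt compares against must still be read back from the cert.
function instructions () {
  local host dn_list='' sep=''
  for host in "${hosts[@]}"; do
    dn_list+="${sep}\"C=${country},ST=${state},L=${city},O=${organization},CN=${host}\""
    sep=', '
  done

  cat << EOF
Instructions
====================================================================================================

#
## CAcert
# Copy the CAcert to all the hosts; at:
/etc/pki/CA/cacert.pem

# remember to:
chmod 444 /etc/pki/CA/cacert.pem
restorecon /etc/pki/CA/cacert.pem

#
## Server certs and keys
# Put every host's servercert in it; at:
/etc/pki/libvirt/servercert.pem

# Also, put every host's serverkey in it; at:
/etc/pki/libvirt/private/serverkey.pem

# remember to:
mkdir -m 750 /etc/pki/libvirt/private
chown -R root:qemu /etc/pki/libvirt
chmod 440 /etc/pki/libvirt/servercert.pem
chmod 440 /etc/pki/libvirt/private/serverkey.pem
restorecon -R /etc/pki/libvirt

#
## TLS client certs
# Put every host's clientcert in it; at:
/etc/pki/libvirt/clientcert.pem

# Also, put every host's clientkey in it;
/etc/pki/libvirt/private/clientkey.pem

# remember to:
chmod 440 /etc/pki/libvirt/clientcert.pem
chmod 440 /etc/pki/libvirt/private/clientkey.pem
restorecon -R /etc/pki/libvirt

#
## Libvirtd
# Remember to enable libvirt to listen; at /etc/sysconfig/libvirtd and restart libvirt afterwards
sed -ri 's/#LIBVIRTD_ARGS="--listen"/LIBVIRTD_ARGS="--listen"/' /etc/sysconfig/libvirtd
systemctl restart libvirtd.service

# Add a list of authorized clients to tls_allowed_dn_list; at /etc/libvirt/libvirtd.conf
# Without it, any client cert signed by the CA is accepted. Generated from your settings:
tls_allowed_dn_list = [${dn_list}]
# The DN must match the client cert exactly (component order included); confirm it with:
#   certtool -i --infile <host>_clientcert.pem | grep -i subject

# Feel free to delete all .info files; these are the templates used for the cert creation. If anything went wrong, you can debug it there.
rm -f *.info
EOF
}

#
# checks: walk the arguments once. Flags are matched exactly, unknown
# --options are an error rather than being silently dropped, and every
# remaining argument has to be a valid host name.
command -v certtool > /dev/null || die "certtool (gnutls-utils) is required"

for arg in "$@"; do
  case "${arg}" in
    --with-ca) withca=true ;;
    --help) help; exit 0 ;;
    --*) die "unknown option: ${arg} (see --help)" ;;
    *)
      valid_hostname "${arg}" || die "invalid host name: ${arg}"
      hosts+=("${arg}")
      ;;
  esac
done

if (( $# == 0 )); then
  help
  exit 1
fi

#
## logic
if [[ -n "${withca}" ]]; then
  generate_cacert
fi

if (( ${#hosts[@]} > 0 )); then
  generate_certs
  instructions
fi

exit 0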