forked from inducer/relate
-
Notifications
You must be signed in to change notification settings - Fork 0
/
saml-keygen.sh
executable file
·90 lines (78 loc) · 2.16 KB
/
saml-keygen.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#! /bin/sh
# nicked and customized from Shibboleth
# Run as
# ./saml-keygen.sh –h your.host.name –e https://your.host.name/saml2/metadata/ -y 10
while getopts h:u:g:o:e:y:bf c
do
case $c in
u) USER=$OPTARG;;
g) GROUP=$OPTARG;;
o) OUT=$OPTARG;;
b) BATCH=1;;
f) FORCE=1;;
h) FQDN=$OPTARG;;
e) ENTITYID=$OPTARG;;
y) YEARS=$OPTARG;;
\?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
exit 1;;
esac
done
if [ -z "$OUT" ] ; then
OUT=saml-config
mkdir -p saml-config
fi
if [ -n "$FORCE" ] ; then
rm $OUT/sp-key.pem $OUT/sp-cert.pem
fi
if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
if [ -z "$BATCH" ] ; then
echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
echo Use -f option to force recreation of keypair.
exit 2
fi
exit 0
fi
if [ -z "$FQDN" ] ; then
FQDN=`hostname`
fi
if [ -z "$YEARS" ] ; then
YEARS=10
fi
DAYS=`expr $YEARS \* 365`
if [ -z "$ENTITYID" ] ; then
ALTNAME=DNS:$FQDN
else
ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi
SSLCNF=$OUT/sp-cert.cnf
cat >$SSLCNF <<EOF
# OpenSSL configuration file for creating sp-cert.pem
[req]
prompt=no
default_bits=2048
encrypt_key=no
default_md=sha1
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=$FQDN
[ext]
subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF
touch $OUT/sp-key.pem
chmod 600 $OUT/sp-key.pem
if [ -z "$BATCH" ] ; then
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
else
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
fi
rm $SSLCNF
if [ -s $OUT/sp-key.pem -a -n "$USER" ] ; then
chown $USER $OUT/sp-key.pem $OUT/sp-cert.pem
fi
if [ -s $OUT/sp-key.pem -a -n "$GROUP" ] ; then
chgrp $GROUP $OUT/sp-key.pem $OUT/sp-cert.pem
fi