feat: add CA certificate installation script

New script: install-ca-cert.sh - Downloads UCS CA certificate from server - Installs to system CA certificates (/usr/local/share/ca-certificates/) - Installs to NSS database (Chrome, Chromium, Brave) - Installs to all Firefox profiles - Verifies installation - Works for current user Usage: ./install-ca-cert.sh [ca-server-ip] Default CA server: 10.0.0.21 Benefits: ✅ One-command setup for new users/systems ✅ Automatic browser detection ✅ Works with all major browsers ✅ Verification of successful installation
2025-10-23 10:12:27 +02:00
parent dd10546688
commit 23afabb28e
1 changed files with 170 additions and 0 deletions
--- a/install-ca-cert.sh
+++ b/install-ca-cert.sh
@@ -0,0 +1,170 @@
+#!/bin/bash
+# Script to install UCS CA certificate into system and browsers
+# Usage: ./install-ca-cert.sh [ca-server-ip]
+
+set -e
+
+# Configuration
+UCS_SERVER="${1:-10.0.0.21}"
+CA_CERT_FILE="/usr/local/share/ca-certificates/ucs-root-ca.crt"
+TEMP_CERT="/tmp/ucs-root-ca.crt"
+
+echo "============================================================"
+echo "UCS CA Certificate Installation"
+echo "============================================================"
+echo "CA Server:     $UCS_SERVER"
+echo "Install to:    System + All Browsers"
+echo "============================================================"
+echo ""
+
+# Check if running as root for system installation
+if [ "$EUID" -eq 0 ]; then
+    SUDO=""
+    RUNNING_AS_ROOT=true
+else
+    SUDO="sudo"
+    RUNNING_AS_ROOT=false
+fi
+
+# Step 1: Download CA certificate from UCS server
+echo "[1/5] Downloading CA certificate from UCS server..."
+scp root@${UCS_SERVER}:/etc/univention/ssl/ucsCA/CAcert.pem "$TEMP_CERT"
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to download CA certificate"
+    exit 1
+fi
+
+echo "✓ Downloaded CA certificate"
+echo ""
+
+# Step 2: Install to system CA certificates
+echo "[2/5] Installing to system CA certificates..."
+if [ "$RUNNING_AS_ROOT" = true ]; then
+    cp "$TEMP_CERT" "$CA_CERT_FILE"
+    update-ca-certificates
+else
+    $SUDO cp "$TEMP_CERT" "$CA_CERT_FILE"
+    $SUDO update-ca-certificates
+fi
+
+if [ $? -eq 0 ]; then
+    echo "✓ Installed to system CA certificates"
+else
+    echo "⚠ Warning: Failed to install system CA certificate"
+fi
+echo ""
+
+# Step 3: Install to NSS database (Chrome, Chromium, Brave)
+echo "[3/5] Installing to NSS database (Chrome/Chromium/Brave)..."
+NSS_DB="$HOME/.pki/nssdb"
+
+if [ -d "$NSS_DB" ]; then
+    # Remove old certificate if exists
+    certutil -D -d sql:$NSS_DB -n "UCS Root CA" 2>/dev/null || true
+    
+    # Add certificate
+    certutil -A -d sql:$NSS_DB -t "CT,C,C" -n "UCS Root CA" -i "$TEMP_CERT"
+    
+    if [ $? -eq 0 ]; then
+        echo "✓ Installed to NSS database"
+    else
+        echo "⚠ Warning: Failed to install to NSS database"
+    fi
+else
+    echo "⚠ NSS database not found at $NSS_DB"
+    echo "  (Chrome/Chromium/Brave may not be installed)"
+fi
+echo ""
+
+# Step 4: Install to Firefox profiles
+echo "[4/5] Installing to Firefox profiles..."
+FIREFOX_DIR="$HOME/.mozilla/firefox"
+FIREFOX_INSTALLED=false
+
+if [ -d "$FIREFOX_DIR" ]; then
+    for profile in "$FIREFOX_DIR"/*.default*; do
+        if [ -d "$profile" ]; then
+            PROFILE_NAME=$(basename "$profile")
+            
+            # Check if cert9.db exists
+            if [ -f "$profile/cert9.db" ]; then
+                # Remove old certificate if exists
+                certutil -D -d sql:$profile -n "UCS Root CA" 2>/dev/null || true
+                
+                # Add certificate
+                certutil -A -d sql:$profile -t "CT,C,C" -n "UCS Root CA" -i "$TEMP_CERT"
+                
+                if [ $? -eq 0 ]; then
+                    echo "  ✓ Installed to Firefox profile: $PROFILE_NAME"
+                    FIREFOX_INSTALLED=true
+                else
+                    echo "  ⚠ Failed to install to profile: $PROFILE_NAME"
+                fi
+            fi
+        fi
+    done
+    
+    if [ "$FIREFOX_INSTALLED" = false ]; then
+        echo "⚠ No Firefox profiles found with cert9.db"
+    fi
+else
+    echo "⚠ Firefox directory not found"
+    echo "  (Firefox may not be installed)"
+fi
+echo ""
+
+# Step 5: Verify installation
+echo "[5/5] Verifying installation..."
+echo ""
+
+# Check system CA
+if [ -f "$CA_CERT_FILE" ]; then
+    echo "✓ System CA: Installed"
+else
+    echo "✗ System CA: Not found"
+fi
+
+# Check NSS database
+if [ -d "$NSS_DB" ]; then
+    if certutil -L -d sql:$NSS_DB | grep -q "UCS Root CA"; then
+        echo "✓ NSS Database: Installed (Chrome/Chromium/Brave)"
+    else
+        echo "✗ NSS Database: Not installed"
+    fi
+fi
+
+# Check Firefox
+if [ -d "$FIREFOX_DIR" ]; then
+    FIREFOX_OK=false
+    for profile in "$FIREFOX_DIR"/*.default*; do
+        if [ -f "$profile/cert9.db" ]; then
+            if certutil -L -d sql:$profile | grep -q "UCS Root CA" 2>/dev/null; then
+                FIREFOX_OK=true
+                break
+            fi
+        fi
+    done
+    
+    if [ "$FIREFOX_OK" = true ]; then
+        echo "✓ Firefox: Installed"
+    else
+        echo "✗ Firefox: Not installed"
+    fi
+fi
+
+# Clean up
+rm -f "$TEMP_CERT"
+
+echo ""
+echo "============================================================"
+echo "✓ CA Certificate Installation Complete!"
+echo "============================================================"
+echo ""
+echo "Certificate Details:"
+openssl x509 -in "$CA_CERT_FILE" -noout -subject -issuer -dates
+echo ""
+echo "IMPORTANT: Restart your browsers for changes to take effect!"
+echo ""
+echo "To verify, visit any UCS-signed HTTPS site:"
+echo "  https://$UCS_SERVER"
+echo "============================================================"