182 lines
5.1 KiB
Bash
Executable File
182 lines
5.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# Script to install UCS CA certificate into system and browsers
|
|
# Usage: ./install-ca-cert.sh [ca-server-ip]
|
|
|
|
set -e
|
|
|
|
# Configuration
|
|
UCS_SERVER="${1:-10.0.0.21}"
|
|
CA_CERT_FILE="/usr/local/share/ca-certificates/ucs-root-ca.crt"
|
|
TEMP_CERT="/tmp/ucs-root-ca.crt"
|
|
|
|
echo "============================================================"
|
|
echo "UCS CA Certificate Installation"
|
|
echo "============================================================"
|
|
echo "CA Server: $UCS_SERVER"
|
|
echo "Install to: System + All Browsers"
|
|
echo "============================================================"
|
|
echo ""
|
|
|
|
# Check if running as root for system installation
|
|
if [ "$EUID" -eq 0 ]; then
|
|
SUDO=""
|
|
RUNNING_AS_ROOT=true
|
|
else
|
|
SUDO="sudo"
|
|
RUNNING_AS_ROOT=false
|
|
fi
|
|
|
|
# Check for certutil
|
|
if ! command -v certutil &> /dev/null; then
|
|
echo "⚠ certutil not found, installing libnss3-tools..."
|
|
if [ "$RUNNING_AS_ROOT" = true ]; then
|
|
apt-get update && apt-get install -y libnss3-tools
|
|
else
|
|
$SUDO apt-get update && $SUDO apt-get install -y libnss3-tools
|
|
fi
|
|
echo ""
|
|
fi
|
|
|
|
# Step 1: Download CA certificate from UCS server
|
|
echo "[1/5] Downloading CA certificate from UCS server..."
|
|
scp root@${UCS_SERVER}:/etc/univention/ssl/ucsCA/CAcert.pem "$TEMP_CERT"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Failed to download CA certificate"
|
|
exit 1
|
|
fi
|
|
|
|
echo "✓ Downloaded CA certificate"
|
|
echo ""
|
|
|
|
# Step 2: Install to system CA certificates
|
|
echo "[2/5] Installing to system CA certificates..."
|
|
if [ "$RUNNING_AS_ROOT" = true ]; then
|
|
cp "$TEMP_CERT" "$CA_CERT_FILE"
|
|
update-ca-certificates
|
|
else
|
|
$SUDO cp "$TEMP_CERT" "$CA_CERT_FILE"
|
|
$SUDO update-ca-certificates
|
|
fi
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo "✓ Installed to system CA certificates"
|
|
else
|
|
echo "⚠ Warning: Failed to install system CA certificate"
|
|
fi
|
|
echo ""
|
|
|
|
# Step 3: Install to NSS database (Chrome, Chromium, Brave)
|
|
echo "[3/5] Installing to NSS database (Chrome/Chromium/Brave)..."
|
|
NSS_DB="$HOME/.pki/nssdb"
|
|
|
|
if [ -d "$NSS_DB" ]; then
|
|
# Remove old certificate if exists
|
|
certutil -D -d sql:$NSS_DB -n "UCS Root CA" 2>/dev/null || true
|
|
|
|
# Add certificate
|
|
certutil -A -d sql:$NSS_DB -t "CT,C,C" -n "UCS Root CA" -i "$TEMP_CERT"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo "✓ Installed to NSS database"
|
|
else
|
|
echo "⚠ Warning: Failed to install to NSS database"
|
|
fi
|
|
else
|
|
echo "⚠ NSS database not found at $NSS_DB"
|
|
echo " (Chrome/Chromium/Brave may not be installed)"
|
|
fi
|
|
echo ""
|
|
|
|
# Step 4: Install to Firefox profiles
|
|
echo "[4/5] Installing to Firefox profiles..."
|
|
FIREFOX_DIR="$HOME/.mozilla/firefox"
|
|
FIREFOX_INSTALLED=false
|
|
|
|
if [ -d "$FIREFOX_DIR" ]; then
|
|
for profile in "$FIREFOX_DIR"/*.default*; do
|
|
if [ -d "$profile" ]; then
|
|
PROFILE_NAME=$(basename "$profile")
|
|
|
|
# Check if cert9.db exists
|
|
if [ -f "$profile/cert9.db" ]; then
|
|
# Remove old certificate if exists
|
|
certutil -D -d sql:$profile -n "UCS Root CA" 2>/dev/null || true
|
|
|
|
# Add certificate
|
|
certutil -A -d sql:$profile -t "CT,C,C" -n "UCS Root CA" -i "$TEMP_CERT"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo " ✓ Installed to Firefox profile: $PROFILE_NAME"
|
|
FIREFOX_INSTALLED=true
|
|
else
|
|
echo " ⚠ Failed to install to profile: $PROFILE_NAME"
|
|
fi
|
|
fi
|
|
fi
|
|
done
|
|
|
|
if [ "$FIREFOX_INSTALLED" = false ]; then
|
|
echo "⚠ No Firefox profiles found with cert9.db"
|
|
fi
|
|
else
|
|
echo "⚠ Firefox directory not found"
|
|
echo " (Firefox may not be installed)"
|
|
fi
|
|
echo ""
|
|
|
|
# Step 5: Verify installation
|
|
echo "[5/5] Verifying installation..."
|
|
echo ""
|
|
|
|
# Check system CA
|
|
if [ -f "$CA_CERT_FILE" ]; then
|
|
echo "✓ System CA: Installed"
|
|
else
|
|
echo "✗ System CA: Not found"
|
|
fi
|
|
|
|
# Check NSS database
|
|
if [ -d "$NSS_DB" ]; then
|
|
if certutil -L -d sql:$NSS_DB | grep -q "UCS Root CA"; then
|
|
echo "✓ NSS Database: Installed (Chrome/Chromium/Brave)"
|
|
else
|
|
echo "✗ NSS Database: Not installed"
|
|
fi
|
|
fi
|
|
|
|
# Check Firefox
|
|
if [ -d "$FIREFOX_DIR" ]; then
|
|
FIREFOX_OK=false
|
|
for profile in "$FIREFOX_DIR"/*.default*; do
|
|
if [ -f "$profile/cert9.db" ]; then
|
|
if certutil -L -d sql:$profile | grep -q "UCS Root CA" 2>/dev/null; then
|
|
FIREFOX_OK=true
|
|
break
|
|
fi
|
|
fi
|
|
done
|
|
|
|
if [ "$FIREFOX_OK" = true ]; then
|
|
echo "✓ Firefox: Installed"
|
|
else
|
|
echo "✗ Firefox: Not installed"
|
|
fi
|
|
fi
|
|
|
|
# Clean up
|
|
rm -f "$TEMP_CERT"
|
|
|
|
echo ""
|
|
echo "============================================================"
|
|
echo "✓ CA Certificate Installation Complete!"
|
|
echo "============================================================"
|
|
echo ""
|
|
echo "Certificate Details:"
|
|
openssl x509 -in "$CA_CERT_FILE" -noout -subject -issuer -dates
|
|
echo ""
|
|
echo "IMPORTANT: Restart your browsers for changes to take effect!"
|
|
echo ""
|
|
echo "To verify, visit any UCS-signed HTTPS site:"
|
|
echo " https://$UCS_SERVER"
|
|
echo "============================================================"
|