Regarding a posting recently on fedora-devel, I'm considering what would be involved in making the self-signed certificates that various RPMs install as part of their %post/%pre section (openssl, sendmail, mod_ssl, proftpd, cyrus-imapd, etc.) a bit more meaningful than just:
# rpm -q --scripts cyrus-imapd
preinstall scriptlet (using /bin/sh):
...
if [ ! -f /etc/pki/cyrus-imapd/cyrus-imapd.pem ]; then
    pushd /etc/pki/tls/certs
    umask 077
    /bin/cat << EOF | make cyrus-imapd.pem
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
localhost.localdomain
root@localhost.localdomain
EOF
    /bin/chown root.mail cyrus-imapd.pem
    /bin/chmod 640 cyrus-imapd.pem
    mv cyrus-imapd.pem /etc/pki/cyrus-imapd/cyrus-imapd.pem
    popd
fi
...
and to that end, I wanted to have Anaconda/Kickstart allow one to populate a file such as /etc/certinfo with a few fields:
#
# Certificate seed data, generated XX/XX/XXXX
#
C='US'
ST='Idaho'
L='Boise'
O='Redfish Solutions, LLC'
OU=''
as an example. Then the various scripts could use this as seed data.
The other thing that would be useful to have, but this is more of a packaging issue, would be to be able to re-run the %post/%pre scripts (or the idempotent sections of them) that generate certificates or other network-identity-derived configuration.
This matters in cases where the CN (common name) of a certificate is generated from the hostname, for instance, and the hostname has since changed (for instance, the machine was rebooted in a production network with a DHCP server configured to hand it a hostname).
An example of this is in the mod_ssl scripting:
# rpm -q --scripts mod_ssl
postinstall scriptlet (using /bin/sh):
umask 077
if [ ! -f /etc/pki/tls/private/localhost.key ] ; then
    /usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > /etc/pki/tls/private/localhost.key 2> /dev/null
fi
FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
    FQDN=localhost.localdomain
fi
if [ ! -f /etc/pki/tls/certs/localhost.crt ] ; then
    cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
        -x509 -days 365 -set_serial $RANDOM \
        -out /etc/pki/tls/certs/localhost.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
fi
So, my question is basically this: what would be involved in modifying Anaconda and Kickstart to include (a) UI support for entering this information in a separate configure screen at install time, or (b) additional options for scripted installs?
It shouldn't be too much, right?
Thanks,
-Philip
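As an added illustration (not code from the post above or from any Fedora package), here is a sketch of what a %post helper could look like if the /etc/certinfo seed file proposed in the post existed: it parses the KEY='value' lines rather than sourcing the file (so a stray command in a root-owned but admin-edited file never executes from a scriptlet), builds an openssl -subj string with the CN taken from the current hostname, and regenerates the certificate when the CN in the existing certificate no longer matches the host. The file format, the field defaults, and the 2048-bit key size are assumptions; the key and certificate paths are the ones from the mod_ssl scriptlet quoted in the post. The openssl command is only needed for the CN check on an existing certificate and for generation; the subject-building part is plain POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original post or any Fedora package.
# Assumes a hypothetical /etc/certinfo with KEY='value' lines for
# C, ST, L, O and OU. The file is parsed, never sourced.

# Escape "/" in a field so it cannot split the -subj string.
subj_escape() {
    printf '%s' "$1" | sed 's|/|\\/|g'
}

# Print an openssl -subj string: seed fields from the certinfo file when it
# is readable, CN and emailAddress from the FQDN, and the same placeholders
# today's scriptlets use when a field is missing (empty fields are omitted,
# which is what the "--" country line in those scriptlets does).
certinfo_subject() {
    certinfo=$1
    fqdn=$2
    C='' ST=SomeState L=SomeCity O=SomeOrganization OU=SomeOrganizationalUnit
    if [ -r "$certinfo" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) continue ;;      # blank lines and comments
                *=\'*\') ;;               # accept KEY='value' only
                *) continue ;;            # anything else is ignored, never run
            esac
            key=${line%%=*}
            val=${line#*=}
            val=${val#\'}
            val=${val%\'}
            case $key in
                C)  C=$val ;;
                ST) ST=$val ;;
                L)  L=$val ;;
                O)  O=$val ;;
                OU) OU=$val ;;
            esac
        done < "$certinfo"
    fi
    subj=''
    for pair in "C=$C" "ST=$ST" "L=$L" "O=$O" "OU=$OU"; do
        case $pair in
            *=) ;;                        # empty field: leave it out
            *) subj="$subj/${pair%%=*}=$(subj_escape "${pair#*=}")" ;;
        esac
    done
    printf '%s\n' "$subj/CN=$fqdn/emailAddress=root@$fqdn"
}

# Same hostname fallback as the mod_ssl scriptlet.
host_fqdn() {
    h=$(hostname 2>/dev/null || true)
    [ -n "$h" ] || h=localhost.localdomain
    printf '%s\n' "$h"
}

# Succeed when the certificate should be (re)generated: it is missing, or its
# CN no longer matches the host's FQDN (hostname changed after install).
cert_needs_regen() {
    cert=$1
    fqdn=$2
    [ -f "$cert" ] || return 0
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,lname 2>/dev/null \
        | sed -n 's/^ *commonName=//p')
    [ "$cn" != "$fqdn" ]
}

# Create the key if absent and a one-year self-signed certificate from the
# given subject. The certificate is written to a temp file first so a
# half-written file never sits at the final path.
generate_cert() {
    key=$1
    cert=$2
    subj=$3
    umask 077
    [ -f "$key" ] || openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -x509 -key "$key" -days 365 -subj "$subj" -out "$cert.tmp" 2>/dev/null \
        && mv "$cert.tmp" "$cert"
}

# What an idempotent %post section could call, e.g.:
#   regen_if_needed /etc/certinfo /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt
regen_if_needed() {
    fqdn=$(host_fqdn)
    if cert_needs_regen "$3" "$fqdn"; then
        generate_cert "$2" "$3" "$(certinfo_subject "$1" "$fqdn")"
    fi
}
```

Because cert_needs_regen also fires on a CN mismatch, calling regen_if_needed from the scriptlet (or from a small `rpm --restore`-style helper later) covers the "hostname changed after install" case from the post without touching a certificate an admin has replaced with a real one, provided that certificate carries the host's current name.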