#!/bin/sh
#
# Author: Rune Nordbe Skillingstad <rune@skillingtad.no>
# Date: 2003-02-12
#
# Create a TLS certificate for slapd. To change default settings,
# edit /etc/ldap/ssl/slapd-cert.cnf
#
# $Id: mkslapdcert 45663 2008-08-04 17:31:11Z pere $

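# Trace every command to stderr.  Nothing secret appears on a command line
# here (the key is written by openssl directly to a file), so the trace is
# safe to keep for an admin-run script.
set -x

# Absolute path: this runs as root and must not pick up an openssl from $PATH.
opensslbin=/usr/bin/openssl

# Every file created below (the key) must be owner-only from the instant it
# is created, not just after the final chmod.
umask 077

ssldir=/etc/ldap/ssl
certconf=$ssldir/slapd-cert.cnf
# Certificate and private key are written into this one PEM file.
privkey=$ssldir/slapd.pem

# Certificate lifetime in days; default 10 years.  May be overridden from the
# environment (SLAPD_CERT_DAYS) without editing the script.
certdays=${SLAPD_CERT_DAYS:-3650}

# Print "error: <message>" to stderr and exit with status 1.
die() {
    printf 'error: %s\n' "$*" 1>&2
    exit 1
}

[ -x "$opensslbin" ] || die "can't find openssl."

# openssl req cannot run without its -config file, so a missing file is fatal
# rather than a warning followed by a guaranteed failure.
[ -f "$certconf" ] || die "missing certificate configuration file $certconf."

# The directory must be traversable (x) by slapd's user so it can open the
# key, but not listable (r) by anyone other than root.
chmod 751 "$ssldir" || die "cannot set permissions on $ssldir."

# Never overwrite an existing key.  -e also catches a directory or a live
# symlink at that path; -L catches a dangling symlink openssl would follow.
if [ -e "$privkey" ] || [ -L "$privkey" ]; then
    die "private key $privkey already exists.  Exiting."
fi

# Self-signed certificate plus key in one file.  -nodes leaves the key
# unencrypted so slapd can start unattended; the umask above makes the file
# mode 0600 from creation.
if ! "$opensslbin" req -new -x509 -nodes \
      -config "$certconf" -days "$certdays" \
      -out "$privkey" -keyout "$privkey" > /dev/null 2>&1 ; then
    # Remove any partial output so the next run is not blocked by a
    # half-written key file.
    rm -f -- "$privkey"
    die "problems running openssl."
fi

# Make sure the private key is only readable by user openldap
chown openldap:openldap "$privkey" || die "cannot change owner of $privkey."
chmod 600 "$privkey" || die "cannot change mode of $privkey."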
