cert-enroll: Install TLS client/server credentials

Install the generated key, host certificate and associated CA certificates
as credentials for a TLS-protected client-server connection.

src/cert-enroll/Makefile.am

@@ -26,6 +26,7 @@ install-data-local:
 
 cert_install_availabledir = $(sysconfdir)/cert-enroll.d/cert-install-available
 cert_install_available_DATA = \
+	cert-install-ssl \
 	cert-install-sssd \
 	cert-install-dirsrv \
 	cert-install-lighttpd \
@@ -41,8 +42,8 @@ cert-install-ipsec : cert-install-ipsec.in
 EXTRA_DIST = \
 	cert-enroll.conf cert-enroll.in cert-enroll.service.in cert-enroll.timer \
 	cert-install-dirsrv cert-install-gitea cert-install-ipsec.in \
-	cert-install-lighttpd cert-install-openxpki cert-install-sssd \
-	cert-install-swanctl.in
+	cert-install-lighttpd cert-install-openxpki cert-install-ssl \
+	cert-install-sssd cert-install-swanctl.in
 
 man8_MANS = cert-enroll.8
 

src/cert-enroll/cert-enroll.conf

@@ -40,6 +40,12 @@
 # ECDSA private key size in bits
 : ${ECDSA_SIZE=256}
 
+# User group to be assigned to the private key (used by cert-install-ssl)
+: ${USER_GROUP=systemd-journal-upload}
+
+# Systemd service using the private key (used by cert-install-ssl)
+: ${SERVICE=systemd-journal-upload}
+
 # Fully Qualified Domain Name and Distinguished Name
 : ${FQDN=`hostname`}
 : ${DN="C=CH, O=Example Company, CN=$FQDN"}

src/cert-enroll/cert-install-ssl

@@ -0,0 +1,61 @@
+#!/bin/bash
+# Install the generated key, host certificate and associated CA certificates
+# as credentials for a TLS-protected client-server connection.
+#
+# Copyright (C) 2023 Andreas Steffen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+set -e
+
+##############################################################################
+# Set local paths
+#
+
+# Path to the SSL credentials directory
+SSL_DIR="/etc/ssl/$USER_GROUP"
+
+##############################################################################
+# Create a credentials directory with given user group settings
+#
+mkdir -p $SSL_DIR
+chgrp $USER_GROUP $SSL_DIR
+chmod g+s $SSL_DIR
+cp $CERTDIR/{$HOSTKEY,$HOSTCERT} $SSL_DIR
+chmod g+r $SSL_DIR/$HOSTKEY
+
+cat $CERTDIR/{$ROOTCA,$SUBCA} > $SSL_DIR/trusted.pem
+if [ -s $CERTDIR/old/$ROOTCA ]
+then
+  cat $CERTDIR/old/$ROOTCA >> $SSL_DIR/trusted.pem
+fi
+if [ -s $CERTDIR/old/$SUBCA ]
+then
+  cat $CERTDIR/old/$SUBCA  >> $SSL_DIR/trusted.pem
+fi
+
+##############################################################################
+# Restart the systemd service if it is active
+#
+
+if /usr/bin/systemctl -q is-active $SERVICE
+then
+  /usr/bin/systemctl restart $SERVICE
+fi
+exit 0