
how to replace ssl cert with ip address as san


Notes

  • The following script shows how to replace the machine SSL certificate on a Lightwave Domain Controller with one whose Subject Alternative Name (SAN) includes a given IP address (so that clients which connect by IP address are presented a matching certificate), install it in the VECS MACHINE_SSL_CERT store, and restart the directory and token services that serve it.
#!/bin/bash
#
# lw-replace-ssl-cert: re-issue the machine SSL certificate of a Lightwave
# Domain Controller so that its Subject Alternative Name carries a given IP
# address, install it in the VECS MACHINE_SSL_CERT store, and restart the
# directory service (vmdir) and the Secure Token Service (vmware-stsd).
#
# Usage: lw-replace-ssl-cert -h <fqdn> -i <ip> -u <admin upn> [-p <password>]
# The password is prompted for when -p is omitted.

# Values filled in from the command line; all start out empty so the
# validation below can tell "not given" from "given".
HOSTNAME=""
IP_ADDR=""
USERNAME=""
PASSWORD=""

# Print the command-line synopsis to stdout.  -h, -i and -u are required;
# -p is optional (the script prompts for the password when it is omitted).
function showUsage()
{
    local prog="lw-replace-ssl-cert"
    # One synopsis line per argument; printf repeats the format for each.
    printf '%s\n' \
        "Usage: ${prog} -h <hostname fqdn>" \
        "                           -i <IP Address>" \
        "                           -u <Lightwave Admin Username>" \
        "                           [-p <password>]"
}

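# Generate a new machine key pair and have certool issue a certificate for it.
#
# Arguments:
#   $1 - host FQDN; used both as the certificate Name and as the Hostname
#   $2 - IP address to place in the Subject Alternative Name
#   $3 - Lightwave admin UPN for certool's SRP authentication
#   $4 - that user's password
#
# Files written under $HOME: lwdc.key, lwdc.pub, lwdc.csr (the certool
# config, not a PKCS#10 request) and lwdc.crt.  Returns certool's exit
# status (non-zero on failure) or that of writing the config file.
#
# NOTE(security): the password is handed to certool on its command line, so
# it is visible to other local users via `ps` while certool runs.  The page
# shows no stdin/file alternative for --srp-pwd, so this is documented rather
# than changed.
function genCert()
{
    local host="$1"
    local ip="$2"
    local username="$3"
    local password="$4"
    local rc

    # Private-key material: narrow the umask in a subshell so the key file
    # is created without group/other permission bits whatever mode certool
    # itself would use, without changing the umask for the rest of the script.
    ( umask 077 && /opt/vmware/bin/certool \
        --genkey \
        --privkey="$HOME/lwdc.key" \
        --pubkey="$HOME/lwdc.pub" )
    rc=$?
    if [ "$rc" -ne 0 ]; then
        return "$rc"
    fi

    # certool config.  Written flush-left on purpose: the original used a
    # tab-indented <<- heredoc whose lines also carried spaces, and <<- only
    # strips the tabs, so the config lines ended up indented.
    cat > "$HOME/lwdc.csr" <<EOF
Country = US
Name = $host
IPAddress = $ip
Hostname = $host
EOF
    rc=$?
    if [ "$rc" -ne 0 ]; then
        return "$rc"
    fi

    # Ask the service on this node (--server=localhost) to sign; presumably
    # the node's own certificate authority -- confirm against the deployment.
    /opt/vmware/bin/certool \
        --gencert \
        --config="$HOME/lwdc.csr" \
        --privkey="$HOME/lwdc.key" \
        --cert="$HOME/lwdc.crt" \
        --server=localhost \
        --srp-upn="$username" \
        --srp-pwd="$password"
    return $?
}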

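# Parse the command line.  Every option takes an argument; because the
# optstring is not silent, getopts reports an unknown or argument-less option
# itself and sets $o to '?', which prints the usage text and exits 1.
while getopts h:i:u:p: o
do
    case "$o" in
        h)
            HOSTNAME="$OPTARG"
            ;;
        i)
            IP_ADDR="$OPTARG"
            ;;
        u)
            USERNAME="$OPTARG"
            ;;
        p)
            # NOTE(security): a password given with -p is visible to every
            # local user in `ps` and lands in the shell history; prefer the
            # interactive prompt below.
            PASSWORD="$OPTARG"
            ;;
        [?])
            showUsage
            exit 1
            ;;
    esac
done

# Hostname, IP address and username are mandatory; the password may be
# prompted for instead of being passed on the command line.
if [ -z "$HOSTNAME" ]; then
    echo "Error: Hostname is not specified"
    showUsage
    exit 1
fi

if [ -z "$IP_ADDR" ]; then
    echo "Error: IP Address is not specified"
    showUsage
    exit 1
fi

if [ -z "$USERNAME" ]; then
    echo "Error: Username is not specified"
    showUsage
    exit 1
fi

if [ -z "$PASSWORD" ]; then
    # read -s suppresses echo and restores it when read returns (the original
    # `stty -echo` / `stty echo` pair left the terminal silent if the script
    # was interrupted in between); -r keeps backslashes in the password
    # literal; the bare echo moves the cursor off the prompt line.
    read -r -s -p "Password: " PASSWORD
    echo
    # An empty password would only fail later inside certool; reject it here.
    if [ -z "$PASSWORD" ]; then
        echo "Error: Password is not specified"
        exit 1
    fi
fi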

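echo "Generating new SSL Certificate..."

# Quote every argument: an unquoted password (or hostname) containing
# whitespace would be split into several positional parameters of genCert.
genCert "$HOSTNAME" "$IP_ADDR" "$USERNAME" "$PASSWORD"
rc=$?
if [ $rc -ne 0 ]; then
    echo "Error: Failed to generate certificate"
    exit $rc
fi

# genCert writes lwdc.crt / lwdc.key.  The original page imported
# cascade.crt / cascade.key here, which nothing in the script produces, so
# the import step could never succeed.  Refuse to touch the store unless
# both files exist and are non-empty: the old entry is deleted before the
# new one is created, so a missing file would otherwise leave the machine
# with no SSL certificate at all.
NEW_CERT="$HOME/lwdc.crt"
NEW_KEY="$HOME/lwdc.key"
if [ ! -s "$NEW_CERT" ] || [ ! -s "$NEW_KEY" ]; then
    echo "Error: Generated certificate or key not found under $HOME"
    exit 1
fi

echo "Deleting old SSL certificate from VECS..."

# The page shows no overwrite option for `vecs-cli entry create`, so the
# existing alias is removed first; between this step and the next the store
# holds no machine certificate.
/opt/vmware/bin/vecs-cli entry delete \
    --store MACHINE_SSL_CERT \
    --alias __MACHINE_CERT \
    -y
rc=$?
if [ $rc -ne 0 ]; then
    echo "Error: Failed to delete Machine SSL certificate from VECS store"
    exit $rc
fi

echo "Adding newly created SSL certificate to VECS..."

/opt/vmware/bin/vecs-cli entry create \
    --store MACHINE_SSL_CERT \
    --alias __MACHINE_CERT \
    --cert "$NEW_CERT" \
    --key "$NEW_KEY"
rc=$?
if [ $rc -ne 0 ]; then
    echo "Error: Failed to add Machine SSL certificate to VECS store"
    exit $rc
fi

# The private key now lives in VECS; do not leave a second copy (created
# with the invoking user's umask) lying in $HOME.  The certificate itself is
# public and is kept for reference.
rm -f -- "$NEW_KEY" "$HOME/lwdc.pub" "$HOME/lwdc.csr"

echo "Restarting the Directory Service..."

/opt/likewise/bin/lwsm restart vmdir
rc=$?
if [ $rc -ne 0 ]; then
    echo "Error: Failed to restart the Directory Service"
    exit $rc
fi

echo "Restarting the Secure Token Service..."

systemctl restart vmware-stsd
rc=$?
if [ $rc -ne 0 ]; then
    echo "Error: Failed to restart the Secure Token Service"
    exit $rc
fi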