fbouynot · August 18, 2023 15:23
diff --git a/install_pfx_cert_batch_F5_bigip.sh b/install_pfx_cert_batch_F5_bigip.sh
 #!/usr/bin/env bash

 #
 # install_cert_batch.sh
 #
 # -Description-
 #
 # This script is used when you have a lot of pfx to import in an F5 appliance,
 # but the intermediate certificate is missing in the pfx.
 # The script add the intermediate certificate and import the certs.
 # It has to be run from the F5 appliance.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
 # @package install_pfx_cert_batch_F5_bigip.sh
 # @copyright  2022 Félix Bouynot
 # @author     Félix Bouynot <[email protected]>
 # @link https://gist.github.com/fbouynot/36917da39c5bccc36dcced951a719f46
 #

 # -e: When a command fails, bash exits instead of continuing with the rest of the script
 # -u: This will make the script fail, when accessing an unset variable
 # -o pipefail: This will ensure that a pipeline command is treated as failed, even if one command in the pipeline fails
 set -euo pipefail

 # Enable debug mode by running your script as TRACE=1 ./install_cert_batch.sh instead of ./install_cert_batch.sh
 if [[ "${TRACE-0}" == "1" ]]; then
    set -o xtrace
 fi

 # Define constants
 readonly PROGNAME="${0##*/}"
 readonly VERSION='1.0.2'

 # Define default parameters
 readonly DEFAULT_DIRECTORY="/opt/scripts/certs/"

 # Help function: print the help message
 help() {
    cat << EOF
 Usage: ${PROGNAME} [-Vh] [ { -d | --directory } <cert-directory> ] { -p | --password } <pfx-password>
 Add the intermediate certificate to each pfx, then import them on the F5 appliance.

 Options:
    -d    --directory   WORD                                         Directory where the certificates are located (default: ${DEFAULT_DIRECTORY})
    -h    --help                                                     Print this message and exit
    -p    --password    WORD                                         Password protecting the pfx file
    -V    --version                                                  Print the version and exit

 Example: install_cert_batch.sh -p Azerty1234 -d "/opt/scripts/certs/"
 EOF

 exit 2
 }

 # Version function: print the version and license
 version() {
    cat << EOF
 ${PROGNAME} version ${VERSION} under GPLv3 licence.
 EOF

 exit 2
 }

 # Display help message if there is no parameter
 if [[ $# -eq 0 ]]
 then
    help
 fi

 # Deal with argument pairs
 while [[ $# -gt 0 ]]
 do
    key="$1"

    case $key in
        -d|--directory)
            export directory="$2"
            shift # consume -d
            ;;
        -p|--password)
            export password="$2"
            shift # consume -p
            ;;
        -h|--help)
            help
            ;;
        -V|--version)
            version
            ;;
        *)
        ;;
    esac
    shift # consume $1
 done

 # Set defaults if no options specified
 directory="${directory:-$DEFAULT_DIRECTORY}"

 # Change directory to base script directory
 cd "$(dirname "$0")"

 # Main function where we can write code
 main() {
    # Go to directory so the filenamepfx variable won't get path in it
    cd "${directory}"
    for filenamepfx in *.pfx
    do
        # Get the file name without extension
        local filename
        filename="${filenamepfx:0:-4}"
        echo "Certificate ${filename}"
        # Extract pfx
        echo "Splitting certificate (.PEM) and key (.KEY) for file ${filenamepfx}"
        openssl pkcs12 -in "${filename}".pfx -nocerts -out "${filename}".key -nodes -password pass:"${password}" > /dev/null 2>&1
        openssl pkcs12 -in "${filename}".pfx -nokeys -out "${filename}".pem -password pass:"${password}" > /dev/null 2>&1

        echo "Adding intermediary certificate to .PEM file $filename"
        # Add intermediate to cert
        echo -e "-----BEGIN CERTIFICATE-----
 xxxintermediatecertasbase64here
 xxxintermediatecertasbase64here
 xxxintermediatecertasbase64here
 -----END CERTIFICATE-----
 $(cat "${filename}".pem)" > "${filename}".pem

        echo "Creating .P12 ${filename} certificate from .PEM and .KEY files"
        # Build p12
        openssl pkcs12 -export -out "${filename}".p12 -inkey "${filename}".key -in "${filename}".pem -name "${filename}" -password pass:"${password}"
        rm -f "${filename}".key "${filename}".pem

        echo "Installing .P12 ${filename} on F5"
        # Install p12
        tmsh install sys crypto pkcs12 "${filename}$(date +%F)".p12 from-local-file "${filename}".p12 passphrase "${password}"
        rm -f "${filename}".p12 "${filename}".pfx
    done

    exit 0
 }

 main "$@"
	#!/usr/bin/env bash

	#
	# install_cert_batch.sh
	#
	# -Description-
	#
	# This script is used when you have a lot of pfx to import in an F5 appliance,
	# but the intermediate certificate is missing in the pfx.
	# The script add the intermediate certificate and import the certs.
	# It has to be run from the F5 appliance.
	#
	# This program is free software: you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation, either version 3 of the License, or
	# (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this program. If not, see <https://www.gnu.org/licenses/>.
	#
	# @package install_pfx_cert_batch_F5_bigip.sh
	# @copyright 2022 Félix Bouynot
	# @author Félix Bouynot <[email protected]>
	# @link https://gist.github.com/fbouynot/36917da39c5bccc36dcced951a719f46
	#

	# -e: When a command fails, bash exits instead of continuing with the rest of the script
	# -u: This will make the script fail, when accessing an unset variable
	# -o pipefail: This will ensure that a pipeline command is treated as failed, even if one command in the pipeline fails
	set -euo pipefail

	# Enable debug mode by running your script as TRACE=1 ./install_cert_batch.sh instead of ./install_cert_batch.sh
	if [[ "${TRACE-0}" == "1" ]]; then
	set -o xtrace
	fi

	# Define constants
	readonly PROGNAME="${0##*/}"
	readonly VERSION='1.0.2'

	# Define default parameters
	readonly DEFAULT_DIRECTORY="/opt/scripts/certs/"

	# Help function: print the help message
	help() {
	cat << EOF
	Usage: ${PROGNAME} [-Vh] [ { -d \| --directory } <cert-directory> ] { -p \| --password } <pfx-password>
	Add the intermediate certificate to each pfx, then import them on the F5 appliance.

	Options:
	-d --directory WORD Directory where the certificates are located (default: ${DEFAULT_DIRECTORY})
	-h --help Print this message and exit
	-p --password WORD Password protecting the pfx file
	-V --version Print the version and exit

	Example: install_cert_batch.sh -p Azerty1234 -d "/opt/scripts/certs/"
	EOF

	exit 2
	}

	# Version function: print the version and license
	version() {
	cat << EOF
	${PROGNAME} version ${VERSION} under GPLv3 licence.
	EOF

	exit 2
	}

	# Display help message if there is no parameter
	if [[ $# -eq 0 ]]
	then
	help
	fi

	# Deal with argument pairs
	while [[ $# -gt 0 ]]
	do
	key="$1"

	case $key in
	-d\|--directory)
	export directory="$2"
	shift # consume -d
	;;
	-p\|--password)
	export password="$2"
	shift # consume -p
	;;
	-h\|--help)
	help
	;;
	-V\|--version)
	version
	;;
	*)
	;;
	esac
	shift # consume $1
	done

	# Set defaults if no options specified
	directory="${directory:-$DEFAULT_DIRECTORY}"

	# Change directory to base script directory
	cd "$(dirname "$0")"

	# Main function where we can write code
	main() {
	# Go to directory so the filenamepfx variable won't get path in it
	cd "${directory}"
	for filenamepfx in *.pfx
	do
	# Get the file name without extension
	local filename
	filename="${filenamepfx:0:-4}"
	echo "Certificate ${filename}"
	# Extract pfx
	echo "Splitting certificate (.PEM) and key (.KEY) for file ${filenamepfx}"
	openssl pkcs12 -in "${filename}".pfx -nocerts -out "${filename}".key -nodes -password pass:"${password}" > /dev/null 2>&1
	openssl pkcs12 -in "${filename}".pfx -nokeys -out "${filename}".pem -password pass:"${password}" > /dev/null 2>&1

	echo "Adding intermediary certificate to .PEM file $filename"
	# Add intermediate to cert
	echo -e "-----BEGIN CERTIFICATE-----
	xxxintermediatecertasbase64here
	xxxintermediatecertasbase64here
	xxxintermediatecertasbase64here
	-----END CERTIFICATE-----
	$(cat "${filename}".pem)" > "${filename}".pem

	echo "Creating .P12 ${filename} certificate from .PEM and .KEY files"
	# Build p12
	openssl pkcs12 -export -out "${filename}".p12 -inkey "${filename}".key -in "${filename}".pem -name "${filename}" -password pass:"${password}"
	rm -f "${filename}".key "${filename}".pem

	echo "Installing .P12 ${filename} on F5"
	# Install p12
	tmsh install sys crypto pkcs12 "${filename}$(date +%F)".p12 from-local-file "${filename}".p12 passphrase "${password}"
	rm -f "${filename}".p12 "${filename}".pfx
	done

	exit 0
	}

	main "$@"