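#!/usr/bin/env bash
#
# Enrol the naisdevice client certificate into every Firefox
# "*.default-release" profile under $HOME/.mozilla/firefox.
#
# For a profile that already holds a naisdevice key only a fresh certificate
# is fetched and swapped in. Otherwise a new RSA key pair is generated, its
# public key is stored in ~/.config/naisdevice, and the signed certificate
# plus key are imported as a PKCS#12 bundle.
#
# Requires: curl, jq, openssl, certutil and pk12util (NSS tools), and
# ~/.config/naisdevice/product_serial.
#
# -u catches unset variables, pipefail makes a failed curl in the
# download pipeline fatal instead of being masked by the trailing jq.
set -euo pipefail

readonly NAIS_CONFIG_DIR="$HOME/.config/naisdevice"
readonly CERT_API_URL="https://outtune-api.prod-gcp.nais.io/cert"
readonly NSS_NICKNAME="naisdevice"

#######################################
# Request a signed certificate for this device and write it to ./cert.pem.
# Globals:   NAIS_CONFIG_DIR, CERT_API_URL (read)
# Arguments: none
# Outputs:   cert.pem in the current directory
# Returns:   non-zero if the serial or public key cannot be read, the
#            request fails, or the response carries no cert_pem
#######################################
download_cert() {
  local serial pubkey_b64
  serial=$(< "$NAIS_CONFIG_DIR/product_serial")
  # NOTE(review): --wrap is GNU base64; BSD/macOS base64 spells it -b 0.
  pubkey_b64=$(base64 --wrap 0 < "$NAIS_CONFIG_DIR/browser_cert_pubkey.pem")

  # Build the request body with jq so that a serial containing quotes or
  # backslashes cannot break (or alter) the JSON document.
  # jq -e on the response exits non-zero when cert_pem is null/missing, so
  # with pipefail a bad download aborts the caller rather than leaving an
  # empty or "null" cert.pem behind.
  jq -n --arg serial "$serial" --arg public_key_pem "$pubkey_b64" \
      '{serial: $serial, public_key_pem: $public_key_pem}' \
    | curl --silent --show-error --fail "$CERT_API_URL" --data @- \
    | jq -er '.cert_pem' > cert.pem
}

#######################################
# Refresh the certificate of a profile that already holds the naisdevice key.
# The body is a subshell so the cd and the cleanup trap stay local.
# Globals:   NSS_NICKNAME (read)
# Arguments: $1 - Firefox profile directory
# Returns:   non-zero if download or import fails
#######################################
renew_cert() (
  local profile=$1
  local workdir
  workdir=$(mktemp -d)
  # Remove the scratch directory on every exit path of this subshell.
  trap 'rm -rf -- "${workdir:?}"' EXIT
  cd "$workdir"
  printf 'working in: %s\n' "$workdir"

  # Fetch first: if the download fails we keep the existing cert instead of
  # leaving the profile without any.
  download_cert

  if certutil -d "$profile" -D -n "$NSS_NICKNAME" > /dev/null; then
    echo "removed old cert"
  else
    echo "failed to remove old cert or no old cert found"
  fi

  certutil -d "$profile" -A -n "$NSS_NICKNAME" -i cert.pem -t ,,
  echo "done"
)

#######################################
# Generate a key pair, obtain a certificate and import both into a profile.
# The body is a subshell so the cd, umask and cleanup trap stay local.
# Globals:   NAIS_CONFIG_DIR, NSS_NICKNAME (read);
#            writes $NAIS_CONFIG_DIR/browser_cert_pubkey.pem
# Arguments: $1 - Firefox profile directory
# Returns:   non-zero if key generation, download or import fails
#######################################
first_time_import() (
  local profile=$1
  local workdir
  workdir=$(mktemp -d)
  trap 'rm -rf -- "${workdir:?}"' EXIT
  cd "$workdir"
  printf 'working in: %s\n' "$workdir"
  # Private key, bundle and password file are created owner-only.
  umask 077

  openssl genrsa -out key.pem 4096
  openssl rsa -in key.pem -pubout -outform PEM \
    > "$NAIS_CONFIG_DIR/browser_cert_pubkey.pem"
  download_cert

  # One-time random bundle password handed over via file rather than a fixed
  # value on the command line, where it would be visible in `ps`.
  printf '%s' "$(openssl rand -base64 24)" > p12pass
  openssl pkcs12 -export -out bundle.p12 -in cert.pem -inkey key.pem \
    -passout file:p12pass -name "$NSS_NICKNAME"
  pk12util -d "$profile" -i bundle.p12 -w p12pass
  echo "done"
)

#######################################
# Walk every Firefox default-release profile and enrol/refresh the cert.
# Globals:   HOME, NSS_NICKNAME (read)
# Arguments: none
# Returns:   1 if no profile directory matches, else the status of the
#            first failing import (set -e aborts the loop)
#######################################
main() {
  local profile found=0
  # Without nullglob an unmatched pattern would be handed to certutil as a
  # literal path.
  shopt -s nullglob
  for profile in "$HOME"/.mozilla/firefox/*.default-release/; do
    found=1
    echo "updating profile: $profile"
    # An existing naisdevice key means only the certificate needs refreshing.
    if certutil -d "$profile" -K -n "$NSS_NICKNAME" &> /dev/null; then
      echo "cert only import"
      renew_cert "$profile"
    else
      echo "first time import"
      first_time_import "$profile"
    fi
  done
  if (( ! found )); then
    printf 'no *.default-release profile found under %s\n' \
      "$HOME/.mozilla/firefox" >&2
    return 1
  fi
}

# TODO: update $profile/ClientAuthRememberList.txt with cert prefs:
# nav-no.managed.us2.access-control.cas.ms:443
# nav-no.managed.prod04.access-control.cas.ms

main "$@"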