#!/bin/bash -e
# regenerate openldap tls certificates

. /etc/default/inithooks

TLS=/etc/ldap/tls
TLS_CA_KEY=$TLS/ca_key.pem
TLS_CA_CRT=$TLS/ca_cert.pem
TLS_CA_TPL=$TLS/ca.info

TLS_LDAP_KEY=$TLS/openldap_key.pem
TLS_LDAP_CRT=$TLS/openldap_crt.pem
TLS_LDAP_TPL=$TLS/openldap.info

certtool --generate-privkey > $TLS_CA_KEY
certtool --generate-self-signed \
    --load-privkey $TLS_CA_KEY --template $TLS_CA_TPL --outfile $TLS_CA_CRT \
    >/dev/null 2>&1

certtool --generate-privkey > $TLS_LDAP_KEY
certtool --generate-certificate \
    --load-privkey $TLS_LDAP_KEY --load-ca-certificate $TLS_CA_CRT \
    --load-ca-privkey $TLS_CA_KEY --template $TLS_LDAP_TPL --outfile $TLS_LDAP_CRT \
    >/dev/null 2>&1

chown -R openldap:openldap $TLS
chmod 640 $TLS_CA_KEY $TLS_CA_CRT $TLS_LDAP_KEY $TLS_LDAP_CRT

