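#!/bin/sh -e
#
# Sign a certificate request as a CA. Run this on deleuze as an
# admin.
#
# Usage: ca-sign days request.csr out-cert-file.pem
#
#   days               validity period of the issued certificate, in days
#   request.csr        certificate signing request to sign
#   out-cert-file.pem  file the signed certificate is written to
#
# Side effects: the request is archived under $DIR/requests/, both CRLs
# are regenerated, and their DER forms are copied to $CA_LOC.

# Repeat -e here: options on the shebang line are lost when the script is
# started as "sh ca-sign ...". -u turns a mistyped variable name into an
# error instead of an empty string ending up on an openssl command line.
set -eu

# Print a diagnostic on stderr and stop.
die() {
    printf 'ca-sign: %s\n' "$*" >&2
    exit 1
}

# Print the usage text on stderr and stop.
usage() {
    echo "Incorrect arguments." >&2
    echo "Usage: ca-sign days request.csr out-cert-file.pem" >&2
    exit 1
}

# Exactly three non-empty arguments are required. The earlier check
# (test -n "$3" || test -z "$2") rejected the documented three-argument
# call and let a two-argument call through with an empty output file.
[ "$#" -eq 3 ] || usage
[ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || usage

DIR=/var/local/lib/ca
CONF=$DIR/openssl.cnf
# Policy section in $CONF. NOTE(review): the name matches the permissive
# policy of the stock openssl.cnf, which does not require any subject field
# to match the CA's -- confirm against $CONF. With such a policy the subject
# shown at the confirmation prompt is the only check on what gets certified.
POLICY=policy_anything

# Certificate revocation list
CRL1=$DIR/crl-v1
CRL2=$DIR/crl-v2
CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca

DAYS=$1
REQUEST=$2
PEM=$3

# The validity period must be a positive whole number; reject anything else
# before the CA database is touched.
case $DAYS in
    *[!0-9]*) die "days must be a positive whole number: $DAYS" ;;
esac
[ "$DAYS" -gt 0 ] || die "days must be a positive whole number: $DAYS"

# A file name that starts with "-" would be read as an option by openssl.
case $REQUEST in
    -*) REQUEST=./$REQUEST ;;
esac
case $PEM in
    -*) PEM=./$PEM ;;
esac

[ -r "$REQUEST" ] || die "cannot read certificate request: $REQUEST"

# Read the serial before signing so the archived request can be named after
# it. NOTE(review): this assumes $CONF points its "serial" setting at
# $DIR/serial, so that the value read here is the one the new certificate
# receives -- confirm.
ID=$(cat -- "$DIR/serial")

# Sign. No -batch here: openssl ca shows the request and asks for
# confirmation, which is the admin's chance to check the subject and
# extensions.
echo "Signing certificate request $REQUEST ..."
openssl ca -config "$CONF" -policy "$POLICY" -out "$PEM" -in "$REQUEST" \
    -days "$DAYS"
echo

# Make a copy of the request
cp -- "$REQUEST" "$DIR/requests/$ID.csr"

# Update revocation list. Each CRL is marked as due again in 30 days
# (-crldays 30), so it has to be regenerated and republished before then
# even when nothing has been signed or revoked.
echo "Updating certificate revocation list ..."
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -out "${CRL1}.pem"
openssl crl -outform DER -out "${CRL1}.crl" -in "${CRL1}.pem"
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -crlexts crl_ext \
    -out "${CRL2}.pem"
openssl crl -outform DER -out "${CRL2}.crl" -in "${CRL2}.pem"
cp -- "${CRL1}.crl" "${CRL2}.crl" "$CA_LOC"
echo

echo "Don't forget to run ca-install to install the signed certificate!"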