| 4c237a24 |
1 | #!/bin/sh -e |
| 2 | # |
| 3 | # Sign a certificate request as a CA. Run this on deleuze as an |
| 4 | # admin. |
| 5 | # |
| 6 | # Usage: ca-sign days request.csr out-cert-file.pem |
| 7 | |
| 8 | test -n "$3" || exit 1 |
| 9 | |
| 10 | DIR=/var/local/lib/ca |
| 11 | CONF=$DIR/openssl.cnf |
| 12 | POLICY=policy_anything |
| 13 | |
| 14 | # Certificate revocation list |
| 15 | CRL1=$DIR/crl-v1 |
| 16 | CRL2=$DIR/crl-v2 |
| 17 | CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca |
| 18 | |
| 19 | DAYS=$1 |
| 20 | REQUEST=$2 |
| 21 | PEM=$3 |
| 22 | ID=$(cat -- $DIR/serial) |
| 23 | |
| 24 | # Sign. |
| 25 | echo "Signing certificate request $REQUEST ..." |
| 26 | openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS |
| 27 | echo |
| 28 | |
| 29 | # Make a copy of the request |
| 30 | cp $REQUEST $DIR/requests/$ID.csr |
| 31 | |
| 32 | # Update revocation list. |
| 33 | echo "Updating certificate revocation list ..." |
| 87d0fa09 |
34 | openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem |
| 4c237a24 |
35 | openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem |
| 87d0fa09 |
36 | openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \ |
| 4c237a24 |
37 | -out $CRL2.pem |
| 38 | openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem |
| 39 | cp $CRL1.crl $CRL2.crl $CA_LOC |
| 40 | echo |
| 41 | |
| 42 | echo "Don't forget to run ca-install to install the signed certificate!" |
HCoop / clinton / scripts.git / blame