hcoop-git-maint: Only update page if new content is nonempty.
[clinton/scripts.git] / ca-sign
CommitLineData
8bc08255 1#!/bin/bash
4c237a24 2#
3# Sign a certificate request as a CA. Run this on deleuze as an
8bc08255 4# admin. If a domain is provided, then the certificate request must
5# apply only to that domain.
4c237a24 6#
35a8912d 7# Run this on deleuze as an admin.
8#
73df01d4 9# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
2f52b40a 10#
11# If we need to generate a new CA private key and cert, do:
12#
13# $ openssl genrsa -out private/ca.key 2048 -nodes
14# $ openssl req -config openssl.cnf -x509 -sha1 -days 3650 \
15# -key private/ca.key -new -out ca.crt
4c237a24 16
73df01d4 17if test -n "$6" || test -z "$4"; then
e07d61c2 18 echo "Incorrect arguments."
73df01d4 19 echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
8bc08255 20 exit 1
21fi
22
23# Make sure we run this from deleuze
24if test "$(hostname -s)" != "deleuze"; then
25 echo "Error: This script must be run from deleuze."
e07d61c2 26 exit 1
27fi
4c237a24 28
29DIR=/var/local/lib/ca
30CONF=$DIR/openssl.cnf
31POLICY=policy_anything
32
33# Certificate revocation list
34CRL1=$DIR/crl-v1
35CRL2=$DIR/crl-v2
36CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
37
8bc08255 38# Parameters
4c237a24 39DAYS=$1
40REQUEST=$2
73df01d4 41KEY=$3
42PEM=$4
43DOMAIN=$5
44
45# Make sure completed certificate does not already exist
46if test -e "$PEM"; then
47 echo "Error: Refusing to overwrite existing certificate at"
48 echo " $PEM."
49 exit 1
50fi
51
52# Make sure that the key and request do exist
53if test ! -f "$REQUEST"; then
54 echo "Error: The given certificate request file does not exist."
55 exit 1
56fi
57if test ! -f "$KEY"; then
58 echo "Error: The given key file does not exist."
59 exit 1
60fi
8bc08255 61
62# Verify request
63STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
64if test "$STATUS" != "verify OK"; then
65 echo "Error: This is not a valid certificate request."
66 exit 1
67fi
68if test -n "$DOMAIN"; then
69 CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \
70 sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
71 if test "${CN%%${DOMAIN}}" = "${CN}"; then
72 echo "Error: Domain in cert does not match $DOMAIN."
73 exit 1
74 fi
75fi
76
77# Get new serial number
4c237a24 78ID=$(cat -- $DIR/serial)
79
8bc08255 80# Exit on error
81set -e
82
73df01d4 83# Sign
4c237a24 84echo "Signing certificate request $REQUEST ..."
73df01d4 85openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
86 -days "$DAYS"
4c237a24 87echo
88
89# Make a copy of the request
73df01d4 90cp "$REQUEST" $DIR/requests/$ID.csr
91
92# Append key to generated certificate
93cat "$KEY" >> "$PEM"
4c237a24 94
95# Update revocation list.
96echo "Updating certificate revocation list ..."
87d0fa09 97openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
4c237a24 98openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
87d0fa09 99openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
4c237a24 100 -out $CRL2.pem
101openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
102cp $CRL1.crl $CRL2.crl $CA_LOC
103echo
104
105echo "Don't forget to run ca-install to install the signed certificate!"