Make sure that listnew is run as root.
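#!/bin/bash
#
# Sign a certificate request as a CA. Run this on deleuze as an
# admin. If a domain is provided, then the certificate request must
# apply only to that domain: the subject CN and every DNS entry of a
# subjectAltName extension in the request must be either the domain
# itself or a name under it. A plain suffix comparison is not enough
# for that, since it would also accept a name such as "evil-DOMAIN".
#
# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
#
# Side effects: writes the signed certificate to outfile.pem (with
# key.asc appended), keeps a copy of the request under $DIR/requests
# named after the serial number that was current when we started,
# regenerates both CRLs and copies their DER forms to $CA_LOC.

# Exactly four or five arguments are accepted.
if [[ -n "$6" || -z "$4" ]]; then
  echo "Incorrect arguments."
  echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
  exit 1
fi

# Make sure we run this from deleuze
if [[ "$(hostname -s)" != "deleuze" ]]; then
  echo "Error: This script must be run from deleuze."
  exit 1
fi

readonly DIR=/var/local/lib/ca
readonly CONF=$DIR/openssl.cnf
# Named policy section in $CONF. Going by its name it presumably does
# not constrain the subject fields, so the domain check below is the
# only restriction on what gets signed — confirm against openssl.cnf.
readonly POLICY=policy_anything

# Certificate revocation list (v1 without, v2 with CRL extensions)
readonly CRL1=$DIR/crl-v1
readonly CRL2=$DIR/crl-v2
readonly CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca

# Parameters
DAYS=$1
REQUEST=$2
KEY=$3
PEM=$4
DOMAIN=$5

# DAYS is passed straight to "openssl ca -days"; insist on a positive
# integer so a typo cannot turn into an unintended validity period.
if [[ ! "$DAYS" =~ ^[0-9]+$ || "$DAYS" -eq 0 ]]; then
  printf 'Error: days must be a positive integer, not "%s".\n' "$DAYS"
  exit 1
fi

# Make sure completed certificate does not already exist
if [[ -e "$PEM" ]]; then
  echo "Error: Refusing to overwrite existing certificate at"
  printf '  %s.\n' "$PEM"
  exit 1
fi

# Make sure that the key and request do exist
if [[ ! -f "$REQUEST" ]]; then
  echo "Error: The given certificate request file does not exist."
  exit 1
fi
if [[ ! -f "$KEY" ]]; then
  echo "Error: The given key file does not exist."
  exit 1
fi

#######################################
# Decide whether a DNS name belongs to the requested domain.
# Globals:   DOMAIN (read)
# Arguments: $1 - name taken from the CN or a DNS subjectAltName
# Returns:   0 if $1 equals DOMAIN or is a name under it, 1 otherwise.
#            The comparison is literal: DOMAIN is not treated as a
#            pattern, and "xDOMAIN" does not match.
#######################################
matches_domain() {
  local name=$1
  [[ "$name" == "$DOMAIN" || "$name" == *".$DOMAIN" ]]
}

# Verify the request's self-signature. Older OpenSSL prints exactly
# "verify OK"; some newer releases prefix that line, so match on the
# tail and also honour the exit status.
if ! STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1) \
    || [[ "$STATUS" != *"verify OK" ]]; then
  echo "Error: This is not a valid certificate request."
  exit 1
fi

if [[ -n "$DOMAIN" ]]; then
  # -nameopt RFC2253 prints "subject=CN=host,O=...,C=..." with no
  # spaces around "=" whatever the OpenSSL version, unlike the
  # "Subject:" line of -text output. A request without a CN leaves
  # the whole line in CN, which then fails the check below.
  CN=$(openssl req -noout -subject -nameopt RFC2253 -in "$REQUEST" \
    | sed -r -e 's/^.*CN=([^/=,]+).*$/\1/')
  if ! matches_domain "$CN"; then
    printf 'Error: Domain in cert does not match %s.\n' "$DOMAIN"
    exit 1
  fi

  # The CA configuration may copy request extensions into the
  # certificate, so every DNS name in a subjectAltName must match
  # too. read -r keeps a wildcard name such as "*.DOMAIN" literal
  # instead of letting the shell glob it.
  while IFS= read -r san; do
    [[ -n "$san" ]] || continue
    if ! matches_domain "$san"; then
      printf 'Error: Alternative name %s in cert does not match %s.\n' \
        "$san" "$DOMAIN"
      exit 1
    fi
  done < <(openssl req -noout -text -in "$REQUEST" \
    | grep -o 'DNS:[^,[:space:]]*' | sed -e 's/^DNS://')
fi

# Get new serial number; the request copy below is named after it.
ID=$(cat -- "$DIR/serial")
if [[ -z "$ID" ]]; then
  printf 'Error: Could not read the serial number from %s.\n' "$DIR/serial"
  exit 1
fi

# Exit on error
set -e

# Sign
printf 'Signing certificate request %s ...\n' "$REQUEST"
openssl ca -config "$CONF" -policy "$POLICY" -out "$PEM" -in "$REQUEST" \
  -days "$DAYS"
echo

# Make a copy of the request
cp -- "$REQUEST" "$DIR/requests/$ID.csr"

# Append key to generated certificate
cat -- "$KEY" >> "$PEM"

# Update revocation list.
echo "Updating certificate revocation list ..."
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -out "$CRL1.pem"
openssl crl -outform DER -out "$CRL1.crl" -in "$CRL1.pem"
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -crlexts crl_ext \
  -out "$CRL2.pem"
openssl crl -outform DER -out "$CRL2.crl" -in "$CRL2.pem"
cp -- "$CRL1.crl" "$CRL2.crl" "$CA_LOC"
echo

echo "Don't forget to run ca-install to install the signed certificate!"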