ca-install: Mention that validation is done.
[clinton/scripts.git] / ca-install
1 #!/bin/bash
2 #
3 # Install a signed certificate, placing a complimentary copy in the
4 # member's homedir. Validation is done on the certificate before
5 # allowing it to be installed. Also grant member domtool permissions
6 # for the certificate.
7 #
8 # If the certificate comes from the member's home directory, then
9 # don't place an extra copy there.
10 #
11 # Run this on deleuze as an admin.
12 #
13 # Usage: ca-install member domain cert-file.pem [key-file.pem]
14
15 function usage () {
16 echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
17 exit 1
18 }
19
20 # Check arguments
21 if test -n "$5"; then
22 echo "Error: Too many arguments."
23 usage
24 elif test -z "$3"; then
25 echo "Error: Not enough arguments."
26 usage
27 else
28 MEMBER=$1
29 DOMAIN=$2
30 CERT=$3
31 KEY=$4
32 fi
33
34 WEBSERVER=mire.hcoop.net
35
36 function verify_cert () {
37 if test -z "$2" || test -n "$3"; then
38 echo "Bad programming."
39 exit 1
40 fi
41 local CERT=$1
42 local KEY=$2
43 local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
44 if test $(echo "$MOD1" | wc -c) -lt 500; then
45 echo "Error: Bad x509 part in certificate."
46 exit 1
47 fi
48 local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
49 if test $(echo "$MOD2" | wc -c) -lt 500; then
50 echo "Error: Bad RSA part in certificate or key."
51 exit 1
52 fi
53 if test "$MOD1" != "$MOD2"; then
54 echo "Error: x509 and RSA parts in certificate do not match."
55 exit 1
56 fi
57 }
58
59 # Make sure we run this from deleuze
60 if test "$(hostname -s)" != "deleuze"; then
61 echo "Error: This script must be run from deleuze."
62 exit 1
63 fi
64
65 # Sanity-check some paths
66 if test ! -f "$CERT"; then
67 echo "Error: Nonexistent or unreadable cert $CERT."
68 exit 1
69 fi
70 if test -n "$KEY" && test ! -f "$KEY"; then
71 echo "Error: Nonexistent or unreadable key $KEY."
72 exit 1
73 fi
74
75 # Check for valid username
76 if ! getent passwd "$MEMBER" > /dev/null; then
77 echo "Error: Invalid user \"$MEMBER\"."
78 exit 1
79 fi
80
81 # Figure out destination for complimentary copy
82 APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
83 MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
84 if test -n "$KEY"; then
85 DEST="$(dirname $KEY)/$DOMAIN.pem"
86 else
87 DEST=
88 fi
89
90 # Perform complimentary copy
91 if test -z "$DEST"; then
92 echo "No key specified, so skipping complimentary copy."
93 elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
94 echo "Member already has a cert, skipping the complimentary copy."
95 elif test -f "$DEST"; then
96 echo "Not overwriting existing file $DEST."
97 else
98 echo "Copying signed certificate to member's home directory ..."
99 cp "$CERT" "$DEST"
100 chown $MEMBER:nogroup "$DEST"
101 fi
102 echo
103
104 # Determine whether we need to concatenate a private key
105 if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
106 KEY=
107 else
108 if test -z "$KEY"; then
109 echo "Error: No RSA private key is included with this certificate."
110 exit 1
111 fi
112 fi
113
114 # Verify certificate and key
115 echo "Validating certificate ..."
116 if test -z "$KEY"; then
117 verify_cert "$CERT" "$CERT"
118 else
119 verify_cert "$CERT" "$KEY"
120 fi
121 echo "Certificate passed validatation."
122 echo
123
124 # Copy complete certificate to webserver
125 if test -z "$KEY"; then
126 echo "Installing certificate to Apache SSL directory ..."
127 < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
128 else
129 echo "Installing certificate and key to Apache SSL directory ..."
130 cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
131 fi
132 echo
133
134 # Grant Domtool permissions
135 echo "Granting member Domtool permissions for the certificate ..."
136 domtool-admin grant $MEMBER cert "$APACHE_DEST"
137 echo
138
139 # Tell admin what to do
140 echo "Done. Tell $MEMBER that the certificate is available for use at"
141 echo " $APACHE_DEST"