More backup script revamp.
[clinton/scripts.git] / ca-sign
1 #!/bin/bash
2 #
3 # Sign a certificate request as a CA. Run this on deleuze as an
4 # admin. If a domain is provided, then the certificate request must
5 # apply only to that domain.
6 #
7 # Run this on deleuze as an admin.
8 #
9 # Usage: ca-sign days request.csr key.asc outfile.pem [domain]
10 #
11 # If we need to generate a new CA private key and cert, do:
12 #
13 # $ openssl genrsa -out private/ca.key 2048 -nodes
14 # $ openssl req -config openssl.cnf -x509 -sha1 -days 3650 \
15 # -key private/ca.key -new -out ca.crt
16
17 if test -n "$6" || test -z "$4"; then
18 echo "Incorrect arguments."
19 echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
20 exit 1
21 fi
22
23 # Make sure we run this from deleuze
24 if test "$(hostname -s)" != "deleuze"; then
25 echo "Error: This script must be run from deleuze."
26 exit 1
27 fi
28
29 DIR=/var/local/lib/ca
30 CONF=$DIR/openssl.cnf
31 POLICY=policy_anything
32
33 # Certificate revocation list
34 CRL1=$DIR/crl-v1
35 CRL2=$DIR/crl-v2
36 CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
37
38 # Parameters
39 DAYS=$1
40 REQUEST=$2
41 KEY=$3
42 PEM=$4
43 DOMAIN=$5
44
45 # Make sure completed certificate does not already exist
46 if test -e "$PEM"; then
47 echo "Error: Refusing to overwrite existing certificate at"
48 echo " $PEM."
49 exit 1
50 fi
51
52 # Make sure that the key and request do exist
53 if test ! -f "$REQUEST"; then
54 echo "Error: The given certificate request file does not exist."
55 exit 1
56 fi
57 if test ! -f "$KEY"; then
58 echo "Error: The given key file does not exist."
59 exit 1
60 fi
61
62 # Verify request
63 STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
64 if test "$STATUS" != "verify OK"; then
65 echo "Error: This is not a valid certificate request."
66 exit 1
67 fi
68 if test -n "$DOMAIN"; then
69 CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \
70 sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
71 if test "${CN%%${DOMAIN}}" = "${CN}"; then
72 echo "Error: Domain in cert does not match $DOMAIN."
73 exit 1
74 fi
75 fi
76
77 # Get new serial number
78 ID=$(cat -- $DIR/serial)
79
80 # Exit on error
81 set -e
82
83 # Sign
84 echo "Signing certificate request $REQUEST ..."
85 openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
86 -days "$DAYS"
87 echo
88
89 # Make a copy of the request
90 cp "$REQUEST" $DIR/requests/$ID.csr
91
92 # Append key to generated certificate
93 cat "$KEY" >> "$PEM"
94
95 # Update revocation list.
96 echo "Updating certificate revocation list ..."
97 openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
98 openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
99 openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
100 -out $CRL2.pem
101 openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
102 cp $CRL1.crl $CRL2.crl $CA_LOC
103 echo
104
105 echo "Don't forget to run ca-install to install the signed certificate!"