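#!/bin/bash
#
# Sign a certificate request as a CA. Run this on deleuze as an
# admin. If a domain is provided, then the certificate request must
# apply only to that domain: the subject CN, and every DNS name in a
# requested subjectAltName extension, must be the domain itself or a
# name below it (label boundary required, comparison case-insensitive).
#
# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
#
# Side effects: writes outfile.pem (certificate followed by the given
# key file), archives the request as $DIR/requests/<serial>.csr,
# regenerates both CRLs and copies the DER versions to $CA_LOC.
# Exits non-zero, with a message on stderr, on any failed check.

# Abort on errors, unset variables and failing pipeline stages. Checks
# below that inspect a command's output capture its status explicitly so
# the diagnostic is printed before exiting.
set -euo pipefail

# Print an error message on stderr and exit with status 1.
die() {
  echo "Error: $*" >&2
  exit 1
}

if test -n "${6-}" || test -z "${4-}"; then
  echo "Incorrect arguments." >&2
  echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]" >&2
  exit 1
fi

# Make sure we run this from deleuze
if test "$(hostname -s)" != "deleuze"; then
  die "This script must be run from deleuze."
fi

readonly DIR=/var/local/lib/ca
readonly CONF=$DIR/openssl.cnf
readonly POLICY=policy_anything

# Certificate revocation lists (v1 and v2 flavours), their validity, and
# where the published DER copies go.
readonly CRL1=$DIR/crl-v1
readonly CRL2=$DIR/crl-v2
readonly CRL_DAYS=30
readonly CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca

# Parameters
DAYS=$1
REQUEST=$2
KEY=$3
PEM=$4
DOMAIN=${5-}

# The validity period goes straight to openssl ca; insist on a positive
# integer so a typo does not turn into an opaque openssl error mid-run.
if ! [[ "$DAYS" =~ ^[1-9][0-9]*$ ]]; then
  die "days must be a positive integer, got '$DAYS'."
fi

# Make sure completed certificate does not already exist
if test -e "$PEM"; then
  die "Refusing to overwrite existing certificate at $PEM."
fi

# Make sure that the key and request do exist
if test ! -f "$REQUEST"; then
  die "The given certificate request file does not exist."
fi
if test ! -f "$KEY"; then
  die "The given key file does not exist."
fi

# Verify request: the self-signature must check out. Both the exit
# status and the output are checked; the output is matched as a
# substring because newer openssl prefixes the "verify OK" message.
if ! STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1) \
    || [[ "$STATUS" != *"verify OK"* ]]; then
  die "This is not a valid certificate request."
fi

#######################################
# Check one DNS name against $DOMAIN.
# Arguments: $1 - DNS name taken from the request
# Returns:   0 if $1 equals $DOMAIN or is a name below it, 1 otherwise.
#            DNS is case-insensitive, so both sides are lower-cased;
#            the subdomain form demands a leading label and a dot so a
#            name that merely ends in the domain's characters fails.
#######################################
matches_domain() {
  local name domain
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  domain=$(printf '%s' "$DOMAIN" | tr '[:upper:]' '[:lower:]')
  [[ "$name" == "$domain" || "$name" == ?*."$domain" ]]
}

if test -n "$DOMAIN"; then
  REQ_TEXT=$(openssl req -noout -text -in "$REQUEST")

  # Subject CN. "CN *= *" accepts both the old "CN=x" and the newer
  # "CN = x" rendering of the Subject line.
  CN=$(printf '%s\n' "$REQ_TEXT" | grep "Subject:" | grep -E "CN *= *." | \
    sed -r -e 's/^.*CN *= *([^/=,]+).*$/\1/1' || true)
  if test -z "$CN"; then
    die "Could not find a CN in the certificate request."
  fi
  if ! matches_domain "$CN"; then
    die "Domain in cert does not match $DOMAIN."
  fi

  # Requested subjectAltName DNS entries must match as well, so the
  # request cannot name hosts beyond what the CN check allows. Whether
  # openssl ca copies them into the certificate depends on the CA
  # config, so they are checked regardless.
  SANS=$(printf '%s\n' "$REQ_TEXT" | grep -A1 "Subject Alternative Name" | \
    grep -o 'DNS:[^,[:space:]]*' | sed -e 's/^DNS://' || true)
  while IFS= read -r san; do
    test -n "$san" || continue
    if ! matches_domain "$san"; then
      die "Alternative name $san in cert does not match $DOMAIN."
    fi
  done <<<"$SANS"
fi

# Get new serial number (the one openssl ca will assign) for archiving
ID=$(cat -- "$DIR/serial")

# Sign
echo "Signing certificate request $REQUEST ..."
openssl ca -config "$CONF" -policy "$POLICY" -out "$PEM" -in "$REQUEST" \
  -days "$DAYS"
echo

# Make a copy of the request
cp -- "$REQUEST" "$DIR/requests/$ID.csr"

# Append key to generated certificate
cat -- "$KEY" >> "$PEM"

# Update revocation lists: v1 and v2 (the latter with crl_ext
# extensions), each as PEM and DER, then publish the DER copies.
echo "Updating certificate revocation list ..."
openssl ca -config "$CONF" -batch -gencrl -crldays "$CRL_DAYS" -out "$CRL1.pem"
openssl crl -outform DER -out "$CRL1.crl" -in "$CRL1.pem"
openssl ca -config "$CONF" -batch -gencrl -crldays "$CRL_DAYS" -crlexts crl_ext \
  -out "$CRL2.pem"
openssl crl -outform DER -out "$CRL2.crl" -in "$CRL2.pem"
cp -- "$CRL1.crl" "$CRL2.crl" "$CA_LOC"
echo

echo "Don't forget to run ca-install to install the signed certificate!"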