ca-sign: Add usage statement and more thorough param-checking
[clinton/scripts.git] / ca-sign
1 #!/bin/sh -e
2 #
3 # Sign a certificate request as a CA. Run this on deleuze as an
4 # admin.
5 #
6 # Usage: ca-sign days request.csr out-cert-file.pem
7
8 if test -n "$3" || test -z "$2"; then
9 echo "Incorrect arguments."
10 echo "Usage: ca-sign days request.csr out-cert-file.pem"
11 exit 1
12 fi
13
14 DIR=/var/local/lib/ca
15 CONF=$DIR/openssl.cnf
16 POLICY=policy_anything
17
18 # Certificate revocation list
19 CRL1=$DIR/crl-v1
20 CRL2=$DIR/crl-v2
21 CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
22
23 DAYS=$1
24 REQUEST=$2
25 PEM=$3
26 ID=$(cat -- $DIR/serial)
27
28 # Sign.
29 echo "Signing certificate request $REQUEST ..."
30 openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
31 echo
32
33 # Make a copy of the request
34 cp $REQUEST $DIR/requests/$ID.csr
35
36 # Update revocation list.
37 echo "Updating certificate revocation list ..."
38 openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
39 openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
40 openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
41 -out $CRL2.pem
42 openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
43 cp $CRL1.crl $CRL2.crl $CA_LOC
44 echo
45
46 echo "Don't forget to run ca-install to install the signed certificate!"