#!/bin/bash # # Sign a certificate request as a CA. Run this on deleuze as an # admin. If a domain is provided, then the certificate request must # apply only to that domain. # # Run this on deleuze as an admin. # # Usage: ca-sign days request.csr key.asc outfile.pem [domain] # # If we need to generate a new CA private key and cert, do: # # $ openssl genrsa -out private/ca.key 2048 -nodes # $ openssl req -config openssl.cnf -x509 -sha1 -days 3650 \ # -key private/ca.key -new -out ca.crt if test -n "$6" || test -z "$4"; then echo "Incorrect arguments." echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]" exit 1 fi # Make sure we run this from deleuze if test "$(hostname -s)" != "deleuze"; then echo "Error: This script must be run from deleuze." exit 1 fi DIR=/var/local/lib/ca CONF=$DIR/openssl.cnf POLICY=policy_anything # Certificate revocation list CRL1=$DIR/crl-v1 CRL2=$DIR/crl-v2 CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca # Parameters DAYS=$1 REQUEST=$2 KEY=$3 PEM=$4 DOMAIN=$5 # Make sure completed certificate does not already exist if test -e "$PEM"; then echo "Error: Refusing to overwrite existing certificate at" echo " $PEM." exit 1 fi # Make sure that the key and request do exist if test ! -f "$REQUEST"; then echo "Error: The given certificate request file does not exist." exit 1 fi if test ! -f "$KEY"; then echo "Error: The given key file does not exist." exit 1 fi # Verify request STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1) if test "$STATUS" != "verify OK"; then echo "Error: This is not a valid certificate request." exit 1 fi if test -n "$DOMAIN"; then CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \ sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1') if test "${CN%%${DOMAIN}}" = "${CN}"; then echo "Error: Domain in cert does not match $DOMAIN." exit 1 fi fi # Get new serial number ID=$(cat -- $DIR/serial) # Exit on error set -e # Sign echo "Signing certificate request $REQUEST ..." openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \ -days "$DAYS" echo # Make a copy of the request cp "$REQUEST" $DIR/requests/$ID.csr # Append key to generated certificate cat "$KEY" >> "$PEM" # Update revocation list. echo "Updating certificate revocation list ..." openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \ -out $CRL2.pem openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem cp $CRL1.crl $CRL2.crl $CA_LOC echo echo "Don't forget to run ca-install to install the signed certificate!"