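#!/bin/sh
#
# Sign a certificate request as a CA.  Run this on deleuze as an
# admin.
#
# Usage: ca-sign days request.csr out-cert-file.pem
#
# Steps: sign the request, archive a copy of the CSR under the CA
# directory, regenerate both CRLs, and copy the DER CRLs to CA_LOC.

# Set here rather than on the shebang line so that errexit still applies
# when the script is started as `sh ca-sign ...`.
set -e

if [ -z "$3" ]; then
  echo "Usage: ca-sign days request.csr out-cert-file.pem" >&2
  exit 1
fi

DIR=/var/local/lib/ca
CONF=$DIR/openssl.cnf
# NOTE(review): presumably the permissive policy section, as in the stock
# openssl.cnf (every subject field optional) - confirm in $CONF.  If so, the
# operator has to check the subject shown by openssl before confirming.
POLICY=policy_anything

# Certificate revocation list
CRL1=$DIR/crl-v1
CRL2=$DIR/crl-v2
CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca

DAYS=$1
REQUEST=$2
PEM=$3

# Accept only a plain decimal number for the validity period.  Anything else
# is refused so that the argument can never be read by openssl as more than a
# single -days value.
case $DAYS in
  '' | *[!0-9]*)
    printf 'ca-sign: days must be a whole number: %s\n' "$DAYS" >&2
    exit 1
    ;;
esac

if [ ! -r "$REQUEST" ]; then
  printf 'ca-sign: cannot read request: %s\n' "$REQUEST" >&2
  exit 1
fi

# Read before signing; the value names the archived copy of the request.
# NOTE(review): presumably this is the serial file $CONF points at, so the
# value is the serial of the certificate about to be issued - confirm.
ID=$(cat -- "$DIR/serial")

# Sign.  There is no -batch here, so openssl asks the operator to confirm.
printf '%s\n' "Signing certificate request $REQUEST ..."
openssl ca -config "$CONF" -policy "$POLICY" -out "$PEM" -in "$REQUEST" \
  -days "$DAYS"
echo

# Make a copy of the request
cp -- "$REQUEST" "$DIR/requests/$ID.csr"

# Update revocation list.  Each CRL is valid for 30 days (-crldays 30), so
# both must be regenerated at least that often even when nothing is signed.
echo "Updating certificate revocation list ..."
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -out "$CRL1.pem"
openssl crl -outform DER -out "$CRL1.crl" -in "$CRL1.pem"
# -crlexts adds the extensions from the crl_ext section, giving a v2 CRL.
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -crlexts crl_ext \
  -out "$CRL2.pem"
openssl crl -outform DER -out "$CRL2.crl" -in "$CRL2.pem"

# Copy both DER CRLs to the public_html/ca directory.
cp -- "$CRL1.crl" "$CRL2.crl" "$CA_LOC"
echo

echo "Don't forget to run ca-install to install the signed certificate!"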