X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/139a90c847a6c77158d0b67e44aefddbc240c122..8bc082554d9f96277dccd78315791edc3d015126:/ca-sign
diff --git a/ca-sign b/ca-sign
index 68b6c88..4967c87 100755
--- a/ca-sign
+++ b/ca-sign
@@ -1,13 +1,20 @@
-#!/bin/sh -e
+#!/bin/bash
 #
 # Sign a certificate request as a CA. Run this on deleuze as an
-# admin.
+# admin. If a domain is provided, then the certificate request must
+# apply only to that domain.
 #
-# Usage: ca-sign days request.csr out-cert-file.pem
+# Usage: ca-sign days request.csr outfile.pem [domain]
-if test -n "$3" || test -z "$2"; then
+if test -n "$5" || test -z "$3"; then
 echo "Incorrect arguments."
- echo "Usage: ca-sign days request.csr out-cert-file.pem"
+ echo "Usage: ca-sign days request.csr outfile.pem [domain]"
+ exit 1
+fi
+
+# Make sure we run this from deleuze
+if test "$(hostname -s)" != "deleuze"; then
+ echo "Error: This script must be run from deleuze."
 exit 1
 fi
@@ -20,11 +27,33 @@ CRL1=$DIR/crl-v1
 CRL2=$DIR/crl-v2
 CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
+# Parameters
 DAYS=$1
 REQUEST=$2
 PEM=$3
+DOMAIN=$4
+
+# Verify request
+STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
+if test "$STATUS" != "verify OK"; then
+ echo "Error: This is not a valid certificate request."
+ exit 1
+fi
+if test -n "$DOMAIN"; then
+ CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \ sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
+ if test "${CN%%${DOMAIN}}" = "${CN}"; then
+ echo "Error: Domain in cert does not match $DOMAIN."
+ exit 1
+ fi
+fi
+
+# Get new serial number
 ID=$(cat -- $DIR/serial)
+
+# Exit on error
+set -e
+
 # Sign.
 echo "Signing certificate request $REQUEST ..."
 openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
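Review bot: The new host check and the usage error in the first hunk print their diagnostics to stdout, so a caller that captures this script's output sees the error text mixed in with normal output; `echo "Error: This script must be run from deleuze." >&2` and `echo "Incorrect arguments." >&2` keep them on stderr, where the other error messages in the file should go as well. The shebang change also drops the `-e` that `#!/bin/sh -e` carried, and nothing in this hunk re-enables it, so the top of the script now relies entirely on its explicit `exit 1` branches; that looks deliberate given the later `set -e`, but a one-line comment after the shebang such as `# Errors are checked explicitly until set -e below, so failed checks can be reported.` would save the next reader from hunting for it.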
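Review bot: The domain check `if test "${CN%%${DOMAIN}}" = "${CN}"; then` only requires the CN to end with `$DOMAIN`, with no label boundary, so a CN such as `nothcoop.net` (constructed example) satisfies a `$DOMAIN` of `hcoop.net`; it should accept the exact name or a dot-separated subdomain only, e.g. `if test "$CN" != "$DOMAIN" && test "${CN%."$DOMAIN"}" = "$CN"; then`. The unquoted `${DOMAIN}` inside the expansion is also interpreted as a glob pattern, so a `*` or `?` in the argument widens the match; the quoted form above makes it literal. Only the Subject CN taken from the `Subject:` line is inspected, so any names the request carries in a subjectAltName extension are not compared against `$DOMAIN` at all; whether those end up in the issued certificate depends on the `openssl ca` configuration in `$CONF`, which is outside this hunk, and that limitation deserves a comment above the `CN=` line. Computing `CN=` before `set -e` is correct here, since an empty CN (no `CN=` in the subject) makes the comparison fail closed.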