X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/4c237a2485281a1d7141162ec88890d2e17b2445..8bc082554d9f96277dccd78315791edc3d015126:/ca-sign
diff --git a/ca-sign b/ca-sign
index 687ad5b..4967c87 100755
--- a/ca-sign
+++ b/ca-sign
@@ -1,11 +1,22 @@
-#!/bin/sh -e
+#!/bin/bash
 #
 # Sign a certificate request as a CA. Run this on deleuze as an
-# admin.
+# admin. If a domain is provided, then the certificate request must
+# apply only to that domain.
 #
-# Usage: ca-sign days request.csr out-cert-file.pem
+# Usage: ca-sign days request.csr outfile.pem [domain]
 
-test -n "$3" || exit 1
+if test -n "$5" || test -z "$3"; then
+ echo "Incorrect arguments."
+ echo "Usage: ca-sign days request.csr outfile.pem [domain]"
+ exit 1
+fi
+
+# Make sure we run this from deleuze
+if test "$(hostname -s)" != "deleuze"; then
+ echo "Error: This script must be run from deleuze."
+ exit 1
+fi
 
 DIR=/var/local/lib/ca
 CONF=$DIR/openssl.cnf
@@ -16,11 +27,33 @@ CRL1=$DIR/crl-v1
 CRL2=$DIR/crl-v2
 CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
 
+# Parameters
 DAYS=$1
 REQUEST=$2
 PEM=$3
+DOMAIN=$4
+
+# Verify request
+STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
+if test "$STATUS" != "verify OK"; then
+ echo "Error: This is not a valid certificate request."
+ exit 1
+fi
+if test -n "$DOMAIN"; then
+ CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \
+ sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
+ if test "${CN%%${DOMAIN}}" = "${CN}"; then
+ echo "Error: Domain in cert does not match $DOMAIN."
+ exit 1
+ fi
+fi
+
+# Get new serial number
 ID=$(cat -- $DIR/serial)
 
+# Exit on error
+set -e
+
 # Sign.
 echo "Signing certificate request $REQUEST ..."
 openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
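Review bot: The new argument check `if test -n "$5" || test -z "$3"; then` rejects a missing output file and a fifth argument but never validates `$1`, which the later context line passes straight to `openssl ca ... -days $DAYS`, so an empty or non-numeric value only surfaces as an openssl error after the serial has already been read. A cheap guard beside it is `case $1 in ''|*[!0-9]*) echo "Error: days must be a positive integer." >&2; exit 1;; esac`. The usage and deleuze-check messages are also written to stdout; `>&2` on those `echo` lines keeps diagnostics out of any captured output. Dropping `-e` from the shebang leaves the commands before the `set -e` in the next hunk unchecked, which looks deliberate for the verification block but deserves a one-line comment at the top such as `# set -e is enabled only after the request checks below`.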
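Review bot: The domain check `if test "${CN%%${DOMAIN}}" = "${CN}"; then` only verifies that the CN ends with the text of `$DOMAIN`, with no label boundary, so a CN like `evilhcoop.net` satisfies a domain of `hcoop.net`, and since `$DOMAIN` is unquoted inside the expansion any glob characters it contains act as wildcards. A boundary-aware form is `case $CN in "$DOMAIN"|*".$DOMAIN") ;; *) echo "Error: Domain in cert does not match $DOMAIN." >&2; exit 1 ;; esac`. The check also inspects only the Subject CN; if the CA configuration in `$CONF` copies request extensions, a subjectAltName in the CSR naming other hosts would be signed unchecked, so the `openssl req -text` output should also be examined for a `Subject Alternative Name` block (or the config confirmed not to copy extensions). The `"verify OK"` string comparison is tied to the exact wording of one OpenSSL release; checking the exit status of `openssl req -noout -verify -in "$REQUEST"` instead is likely more durable across versions.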
@@ -31,9 +64,9 @@ cp $REQUEST $DIR/requests/$ID.csr
 
 # Update revocation list.
 echo "Updating certificate revocation list ..."
-openssl ca -config $CONF -batch -gencrl -crldays 180 -out $CRL1.pem
+openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
 openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
-openssl ca -config $CONF -batch -gencrl -crldays 180 -crlexts crl_ext \
+openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
  -out $CRL2.pem
 openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
 cp $CRL1.crl $CRL2.crl $CA_LOC
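Review bot: Reducing `-crldays` to 30 on both `openssl ca -gencrl` lines means the published CRL now expires unless it is regenerated at least every 30 days, and the only regeneration visible here happens as a side effect of signing a request; whether a separate job refreshes it is not visible in this diff. If no such job exists, clients that enforce CRL freshness will start failing between signings, so a scheduled regeneration is needed and a comment such as `# CRL validity is 30 days; a cron job must refresh it between signings` would record the constraint. The value is also duplicated across the two lines; a `CRLDAYS=30` assignment next to the other settings would keep them in step.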