X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/87d0fa0931b70de55fd16d2899028dcff3ccc109..35a8912d935245273d137d627a67936327bbfe34:/ca-sign
diff --git a/ca-sign b/ca-sign
index 78e4a87..a5992bf 100755
--- a/ca-sign
+++ b/ca-sign
@@ -1,11 +1,24 @@
-#!/bin/sh -e
+#!/bin/bash
 #
 # Sign a certificate request as a CA. Run this on deleuze as an
-# admin.
+# admin. If a domain is provided, then the certificate request must
+# apply only to that domain.
 #
-# Usage: ca-sign days request.csr out-cert-file.pem
+# Run this on deleuze as an admin.
+#
+# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
+
+if test -n "$6" || test -z "$4"; then
+ echo "Incorrect arguments."
+ echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
+ exit 1
+fi
 
-test -n "$3" || exit 1
+# Make sure we run this from deleuze
+if test "$(hostname -s)" != "deleuze"; then
+ echo "Error: This script must be run from deleuze."
+ exit 1
+fi
 
 DIR=/var/local/lib/ca
 CONF=$DIR/openssl.cnf
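Review bot: The header comment now says "Run this on deleuze as an admin." twice — once inside the first sentence of the description and again as its own line a few lines below — so one of them should go; keeping the stand-alone line reads naturally now that the first sentence is about the domain restriction. The diagnostics in the new argument and hostname checks are printed to stdout with plain `echo`; as error output they belong on stderr, e.g. `echo "Incorrect arguments." >&2` and `echo "Error: This script must be run from deleuze." >&2`. Dropping `-e` from the shebang means nothing in this hunk aborts on a failed command, which looks intentional since each check inspects its result explicitly; note that a failing `hostname -s` yields an empty string and the script then refuses to run, which is the safe direction.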
@@ -16,18 +29,62 @@ CRL1=$DIR/crl-v1
 CRL2=$DIR/crl-v2
 CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
 
+# Parameters
 DAYS=$1
 REQUEST=$2
-PEM=$3
+KEY=$3
+PEM=$4
+DOMAIN=$5
+
+# Make sure completed certificate does not already exist
+if test -e "$PEM"; then
+ echo "Error: Refusing to overwrite existing certificate at"
+ echo " $PEM."
+ exit 1
+fi
+
+# Make sure that the key and request do exist
+if test ! -f "$REQUEST"; then
+ echo "Error: The given certificate request file does not exist."
+ exit 1
+fi
+if test ! -f "$KEY"; then
+ echo "Error: The given key file does not exist."
+ exit 1
+fi
+
+# Verify request
+STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
+if test "$STATUS" != "verify OK"; then
+ echo "Error: This is not a valid certificate request."
+ exit 1
+fi
+if test -n "$DOMAIN"; then
+ CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \
+ sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
+ if test "${CN%%${DOMAIN}}" = "${CN}"; then
+ echo "Error: Domain in cert does not match $DOMAIN."
+ exit 1
+ fi
+fi
+
+# Get new serial number
 ID=$(cat -- $DIR/serial)
 
-# Sign.
+# Exit on error
+set -e
+
+# Sign
 echo "Signing certificate request $REQUEST ..."
-openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
+openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
+ -days "$DAYS"
 echo
 
 # Make a copy of the request
-cp $REQUEST $DIR/requests/$ID.csr
+cp "$REQUEST" $DIR/requests/$ID.csr
+
+# Append key to generated certificate
+cat "$KEY" >> "$PEM"
 
 # Update revocation list.
 echo "Updating certificate revocation list ..."
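Review bot: The domain guard `if test "${CN%%${DOMAIN}}" = "${CN}"` is a suffix match against an unquoted glob pattern, not a comparison: any CN that merely ends with the domain string passes (a constructed example: CN `notexample.com` against domain `example.com`), and a `*` in `$DOMAIN` would match every CN. For the "must apply only to that domain" contract stated in the header the line should be an exact comparison, `if test "$CN" != "$DOMAIN"; then`; if subdomains are meant to be accepted, use `case "$CN" in "$DOMAIN"|*."$DOMAIN") ;; *) echo "Error: Domain in cert does not match $DOMAIN."; exit 1 ;; esac` with the domain quoted so it is never treated as a pattern. The check also reads only the subject CN from `openssl req -text`; whether names carried in the request's extensions (subjectAltName) end up in the signed certificate depends on openssl.cnf, which is not visible here, so that is worth confirming before relying on this guard. Separately, `cat "$KEY" >> "$PEM"` appends key material to the output file with whatever mode `openssl ca` created it with; if key.asc is a private key, restrict the result immediately after, e.g. `chmod 600 -- "$PEM"`.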