X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/8bc082554d9f96277dccd78315791edc3d015126..82cda9f8fe4595f243af80a3acef7ea7e8d939a4:/ca-sign?ds=inline
diff --git a/ca-sign b/ca-sign
index 4967c87..a587cc0 100755
--- a/ca-sign
+++ b/ca-sign
@@ -4,11 +4,19 @@
 # admin. If a domain is provided, then the certificate request must
 # apply only to that domain.
 #
-# Usage: ca-sign days request.csr outfile.pem [domain]
+# Run this on deleuze as an admin.
+#
+# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
+#
+# If we need to generate a new CA private key and cert, do:
+#
+# $ openssl genrsa -out private/ca.key 2048 -nodes
+# $ openssl req -config openssl.cnf -x509 -sha1 -days 3650 \
+#     -key private/ca.key -new -out ca.crt
 
-if test -n "$5" || test -z "$3"; then
+if test -n "$6" || test -z "$4"; then
     echo "Incorrect arguments."
-    echo "Usage: ca-sign days request.csr outfile.pem [domain]"
+    echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
     exit 1
 fi
 
@@ -30,8 +38,26 @@ CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
 # Parameters
 DAYS=$1
 REQUEST=$2
-PEM=$3
-DOMAIN=$4
+KEY=$3
+PEM=$4
+DOMAIN=$5
+
+# Make sure completed certificate does not already exist
+if test -e "$PEM"; then
+    echo "Error: Refusing to overwrite existing certificate at"
+    echo " $PEM."
+    exit 1
+fi
+
+# Make sure that the key and request do exist
+if test ! -f "$REQUEST"; then
+    echo "Error: The given certificate request file does not exist."
+    exit 1
+fi
+if test ! -f "$KEY"; then
+    echo "Error: The given key file does not exist."
+    exit 1
+fi
 
 # Verify request
 STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
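Review bot: The CA bootstrap recipe added to the header comment will not run as written: `openssl genrsa` does not accept `-nodes` (that is a `req` option; genrsa writes the key unencrypted unless a cipher option such as `-aes256` is given), and the self-signing step selects `-sha1`, a digest that is deprecated for certificate signatures. Since this comment is what an admin will paste from when the CA is re-keyed, I would change the two lines to `# $ openssl genrsa -aes256 -out private/ca.key 2048` and `# $ openssl req -config openssl.cnf -x509 -sha256 -days 3650 \`, so the CA key is passphrase-protected at rest and the root carries a SHA-2 signature. The digest used for the certificates this script issues is governed by `default_md` in openssl.cnf, which is not visible here, so that setting is worth checking at the same time.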
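Review bot: The new existence checks confirm that `$REQUEST` and `$KEY` are regular files, but nothing validates `$DAYS`, which the later hunk passes straight to `openssl ca -days`; an empty or non-numeric value is only caught when openssl fails under `set -e`. A POSIX guard next to the other checks would be `case $DAYS in ''|*[!0-9]*) echo "Error: days must be a positive integer."; exit 1;; esac`. Because the key is later appended to the issued certificate, this is also the place to confirm it belongs to the request, e.g. by comparing the output of `openssl rsa -noout -modulus -in "$KEY"` with `openssl req -noout -modulus -in "$REQUEST"` (assuming key.asc is a PEM RSA key, which the page does not state), so a mismatched bundle is refused before a serial is consumed and the CA database is updated. The `test -e "$PEM"` check is a best-effort guard only; `openssl ca -out` will still overwrite if the file appears between the check and the signing, which is acceptable for an interactive admin tool but deserves a one-line comment saying so.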
@@ -54,13 +80,17 @@ ID=$(cat -- $DIR/serial)
 # Exit on error
 set -e
 
-# Sign.
+# Sign
 echo "Signing certificate request $REQUEST ..."
-openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
+openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
+    -days "$DAYS"
 echo
 
 # Make a copy of the request
-cp $REQUEST $DIR/requests/$ID.csr
+cp "$REQUEST" $DIR/requests/$ID.csr
+
+# Append key to generated certificate
+cat "$KEY" >> "$PEM"
 
 # Update revocation list.
 echo "Updating certificate revocation list ..."
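Review bot: `cat "$KEY" >> "$PEM"` appends the private key to a file that `openssl ca -out` created with whatever the admin's umask allowed, so the bundle's permissions reflect a public certificate rather than the key material now inside it. Tighten the mode before the append, e.g. `chmod 600 "$PEM"` on the line preceding the `cat`, or set `umask 077` at the top of the script so `$PEM` is never created readable by others; under `set -e` a failed chmod then aborts before the key is written. The rewritten `cp` line quotes `"$REQUEST"` but leaves `$DIR/requests/$ID.csr` unquoted, which is inconsistent with the quoting this commit adds elsewhere — `cp "$REQUEST" "$DIR/requests/$ID.csr"`. The script's remaining steps (the CRL update) continue outside the hunk.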