ca-install, ca-sign: New scripts to sign and install user certs
authormwolson_admin <mwolson_admin@deleuze.hcoop.net>
Sun, 18 Nov 2007 01:03:09 +0000 (20:03 -0500)
committermwolson_admin <mwolson_admin@deleuze.hcoop.net>
Sun, 18 Nov 2007 01:03:09 +0000 (20:03 -0500)
ca-install [new file with mode: 0755]
ca-sign [new file with mode: 0755]

diff --git a/ca-install b/ca-install
new file mode 100755 (executable)
index 0000000..c053e6b
--- /dev/null
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# Install a signed certificate, placing a complimentary copy in the
+# user's homedir.  Also grant user domtool permissions.
+#
+# If the certificate comes from the USER's home directory, then don't
+# place an extra copy there.
+#
+# Run this on deleuze as an admin.
+#
+# Usage: ca-install user domain cert-file.pem [key-file.pem]
+
+# Check arguments
+if test -n "$5"; then
+    echo "Error: Too many arguments"
+    exit 1
+elif test -z "$3"; then
+    echo "Error: Not enough arguments"
+    exit 1
+else
+    USER=$1
+    DOMAIN=$2
+    CERT=$3
+    KEY=$4
+fi
+
+# Sanity-check some paths
+if test ! -f $CERT; then
+    echo "Error: Nonexistent or unreadable cert $CERT"
+    exit 1
+fi
+if test -n "$KEY" && test ! -f $KEY; then
+    echo "Error: Nonexistent or unreadable key $KEY"
+    exit 1
+fi    
+
+# Figure out destination for complimentary copy
+APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
+USERHOME=$(getent passwd $USER | cut -d':' -f 6)
+if test -n "$KEY"; then
+    DEST=$(dirname $KEY)/$DOMAIN.pem
+else
+    DEST=
+fi
+
+# Perform complimentary copy
+if test -z "$DEST"; then
+    echo "No key specified, so skipping complimentary copy"
+elif echo "$CERT" | grep "^$USERHOME" > /dev/null; then
+    echo "User already has a cert, skipping the complimentary copy"
+elif test -f $DEST; then
+    echo "Not overwriting existing file $DEST"
+else
+    echo "Copying signed certificate to user's home directory ..."
+    cp $CERT $DEST
+    chown $USER:nogroup $DEST
+fi
+echo
+
+# Determine whether we need to concatenate a private key
+if grep "^-----BEGIN RSA PRIVATE KEY-----" $CERT > /dev/null; then
+    KEY=
+else
+    if test -z "$KEY"; then
+        echo "Error: No private key is included with this certificate"
+        exit 1
+    fi
+fi
+
+# Copy complete certificate to mire
+if test -z "$KEY"; then
+    echo "Installing cert to Apache SSL directory ..."
+    cat $CERT | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+else
+    echo "Installing cert to Apache SSL directory, adding key ..."
+    cat $CERT $KEY | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+fi
+echo
+
+# Grant Domtool permissions
+echo "Granting user Domtool permissions for the cert ..."
+domtool-admin grant $USER cert $APACHE_DEST
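Review bot: The cert+key stream at lines 86 and 89 is written on mire by `sudo tee`, which creates `$APACHE_DEST` with the remote umask (commonly 0644), so the private key can land world-readable in /etc/apache2/ssl/user unless that directory is itself restricted, which the hunk does not show. Tighten the mode in the same step, e.g. `cat $CERT $KEY | ssh mire.hcoop.net "umask 077 && sudo tee $APACHE_DEST" > /dev/null` (sudo unions the caller's umask with its own by default; if the site's sudoers overrides that, follow with `ssh mire.hcoop.net sudo chmod 600 $APACHE_DEST`). The local copy at line 68 has the same gap: `cp` takes the mode from the source and the embedded-key detection at line 74 only runs afterwards, so when the cert file already carries its key the homedir copy should also get `chmod 600 $DEST` before the chown. Unlike ca-sign this script runs without `set -e`, so a failed ssh still reaches the `domtool-admin grant` at line 95; add `set -e` after the shebang, and quote `$CERT`, `$KEY` and `$DEST` so paths containing spaces do not split.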
diff --git a/ca-sign b/ca-sign
new file mode 100755 (executable)
index 0000000..687ad5b
--- /dev/null
+++ b/ca-sign
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+#
+# Sign a certificate request as a CA.  Run this on deleuze as an
+# admin.
+#
+# Usage: ca-sign days request.csr out-cert-file.pem
+
+test -n "$3" || exit 1
+
+DIR=/var/local/lib/ca
+CONF=$DIR/openssl.cnf
+POLICY=policy_anything
+
+# Certificate revocation list
+CRL1=$DIR/crl-v1
+CRL2=$DIR/crl-v2
+CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
+
+DAYS=$1
+REQUEST=$2
+PEM=$3
+ID=$(cat -- $DIR/serial)
+
+# Sign.
+echo "Signing certificate request $REQUEST ..."
+openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
+echo
+
+# Make a copy of the request
+cp $REQUEST $DIR/requests/$ID.csr
+
+# Update revocation list.
+echo "Updating certificate revocation list ..."
+openssl ca -config $CONF -batch -gencrl -crldays 180 -out $CRL1.pem
+openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
+openssl ca -config $CONF -batch -gencrl -crldays 180 -crlexts crl_ext \
+    -out $CRL2.pem
+openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
+cp $CRL1.crl $CRL2.crl $CA_LOC
+echo
+
+echo "Don't forget to run ca-install to install the signed certificate!"
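Review bot: `$DAYS` at line 127 reaches `openssl ca -days` with no validation beyond the presence check at line 109, so a swapped argument order or a typo goes straight to the CA; since certificate lifetime is a policy decision, reject anything that is not a positive integer first, e.g. `case $DAYS in ''|*[!0-9]*) echo "Error: days must be a positive integer" >&2; exit 1;; esac`. The `-e` in the `#!/bin/sh -e` shebang at line 102 is lost when the script is invoked as `sh ca-sign`, in which case a failed signing would still run the `cp` at line 131 and republish the CRL; put `set -e` in the body instead. `$REQUEST` and `$PEM` are unquoted throughout and would split on spaces; write them as `"$REQUEST"` and `"$PEM"`. A short comment on line 123 would also help the next admin, e.g. `# Read before signing: this is the serial openssl ca is expected to assign to this request`.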