From 4c237a2485281a1d7141162ec88890d2e17b2445 Mon Sep 17 00:00:00 2001
From: mwolson_admin
Date: Sat, 17 Nov 2007 20:03:09 -0500
Subject: [PATCH] ca-install, ca-sign: New scripts to sign and install user certs

---
 ca-install | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ca-sign | 42 ++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
 create mode 100755 ca-install
 create mode 100755 ca-sign

diff --git a/ca-install b/ca-install
new file mode 100755
index 0000000..c053e6b
--- /dev/null
+++ b/ca-install
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# Install a signed certificate, placing a complimentary copy in the
+# user's homedir. Also grant user domtool permissions.
+#
+# If the certificate comes from the USER's home directory, then don't
+# place an extra copy there.
+#
+# Run this on deleuze as an admin.
+#
+# Usage: ca-install user domain cert-file.pem [key-file.pem]
+
+# Check arguments
+if test -n "$5"; then
+ echo "Error: Too many arguments"
+ exit 1
+elif test -z "$3"; then
+ echo "Error: Not enough arguments"
+ exit 1
+else
+ USER=$1
+ DOMAIN=$2
+ CERT=$3
+ KEY=$4
+fi
+
+# Sanity-check some paths
+if test ! -f $CERT; then
+ echo "Error: Nonexistent or unreadable cert $CERT"
+ exit 1
+fi
+if test -n "$KEY" && test ! -f $KEY; then
+ echo "Error: Nonexistent or unreadable key $KEY"
+ exit 1
+fi
+
+# Figure out destination for complimentary copy
+APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
+USERHOME=$(getent passwd $USER | cut -d':' -f 6)
+if test -n "$KEY"; then
+ DEST=$(dirname $KEY)/$DOMAIN.pem
+else
+ DEST=
+fi
+
+# Perform complimentary copy
+if test -z "$DEST"; then
+ echo "No key specified, so skipping complimentary copy"
+elif echo "$CERT" | grep "^$USERHOME" > /dev/null; then
+ echo "User already has a cert, skipping the complimentary copy"
+elif test -f $DEST; then
+ echo "Not overwriting existing file $DEST"
+else
+ echo "Copying signed certificate to user's home directory ..."
+ cp $CERT $DEST
+ chown $USER:nogroup $DEST
+fi
+echo
+
+# Determine whether we need to concatenate a private key
+if grep "^-----BEGIN RSA PRIVATE KEY-----" $CERT > /dev/null; then
+ KEY=
+else
+ if test -z "$KEY"; then
+ echo "Error: No private key is included with this certificate"
+ exit 1
+ fi
+fi
+
+# Copy complete certificate to mire
+if test -z "$KEY"; then
+ echo "Installing cert to Apache SSL directory ..."
+ cat $CERT | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+else
+ echo "Installing cert to Apache SSL directory, adding key ..."
+ cat $CERT $KEY | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+fi
+echo
+
+# Grant Domtool permissions
+echo "Granting user Domtool permissions for the cert ..."
+domtool-admin grant $USER cert $APACHE_DEST
diff --git a/ca-sign b/ca-sign
new file mode 100755
index 0000000..687ad5b
--- /dev/null
+++ b/ca-sign
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+#
+# Sign a certificate request as a CA. Run this on deleuze as an
+# admin.
+#
+# Usage: ca-sign days request.csr out-cert-file.pem
+
+test -n "$3" || exit 1
+
+DIR=/var/local/lib/ca
+CONF=$DIR/openssl.cnf
+POLICY=policy_anything
+
+# Certificate revocation list
+CRL1=$DIR/crl-v1
+CRL2=$DIR/crl-v2
+CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
+
+DAYS=$1
+REQUEST=$2
+PEM=$3
+ID=$(cat -- $DIR/serial)
+
+# Sign.
+echo "Signing certificate request $REQUEST ..."
+openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
+echo
+
+# Make a copy of the request
+cp $REQUEST $DIR/requests/$ID.csr
+
+# Update revocation list.
+echo "Updating certificate revocation list ..."
+openssl ca -config $CONF -batch -gencrl -crldays 180 -out $CRL1.pem
+openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
+openssl ca -config $CONF -batch -gencrl -crldays 180 -crlexts crl_ext \
+ -out $CRL2.pem
+openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
+cp $CRL1.crl $CRL2.crl $CA_LOC
+echo
+
+echo "Don't forget to run ca-install to install the signed certificate!"
-- 
2.20.1
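Review bot: The private key lands on the web server with whatever mode `sudo tee` gives a new file and nothing in ca-install tightens it: in the "adding key" branch, `cat $CERT $KEY | ssh mire.hcoop.net sudo tee $APACHE_DEST` writes `/etc/apache2/ssl/user/$DOMAIN.pem` containing the key with no umask or chmod on the remote side, so unless that directory or the remote umask already restricts it, the key is readable by every local user on mire. Running the remote half as `ssh mire.hcoop.net "umask 077; sudo tee $APACHE_DEST >/dev/null && sudo chmod 0640 $APACHE_DEST"` (Apache reads certificates as root at startup, so 0640 root-owned is enough) closes that for both branches. `$DOMAIN` is also never validated before it is spliced into `APACHE_DEST` and from there into that ssh command string, which the remote shell re-parses, so a value containing `..`, whitespace or shell metacharacters escapes the `ssl/user` directory or the command; a check beside the argument checks such as `case $DOMAIN in ''|*[!A-Za-z0-9.-]*) echo "Error: bad domain $DOMAIN" >&2; exit 1;; esac` keeps it to a hostname. The key-detection grep only recognises `-----BEGIN RSA PRIVATE KEY-----`, so a PKCS#8 `BEGIN PRIVATE KEY` file that already contains the key is treated as cert-only and either gets a second key appended or triggers the "No private key" error; matching `^-----BEGIN .*PRIVATE KEY-----` would cover both forms.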
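Review bot: The `-e` that the whole of ca-sign depends on lives only in the shebang (`#!/bin/sh -e`), so invoking it as `sh ca-sign` drops it and a failed `openssl ca` would be followed by copying the request under a serial that was never issued and publishing a fresh CRL anyway; put `set -e` as the first statement of the body instead. The signing step itself accepts whatever it is handed: `-policy policy_anything` places no constraint on the CSR subject and `$DAYS` is passed verbatim, so the interactive prompt from `openssl ca` is the only gate on what the CA signs and for how long. Printing the subject up front with `openssl req -noout -subject -in "$REQUEST"` and rejecting non-numeric lifetimes with `case $DAYS in ''|*[!0-9]*) echo "Error: days must be a number" >&2; exit 1;; esac` makes that decision explicit before the prompt. `$ID` is read from `$DIR/serial` before signing, which looks deliberate (the request copy should carry the serial of the certificate about to be issued, and `openssl ca` presumably advances the file afterwards), but it deserves a comment such as `# Read the serial before signing: openssl ca bumps it, and the saved request must match the issued cert` so nobody "fixes" the order.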