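#!/bin/bash
# -*- sh -*-

# Create a domtool certificate authority
# WARNING: Will not create a secure CA if it is in afs space
#
# Usage: $0 [-force]
#   -force   create the CA even when not running as root
#
# Run from the directory that holds common.ssl.conf: the CA path and site
# domain are taken from ../bin/domtool-config relative to the cwd, and the
# merged OpenSSL config (domtool-openssl.conf) is written into the cwd.

set -euo pipefail

# Print each argument on its own line to stderr and exit non-zero.
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

if [[ "$(id -un)" != "root" && "${1:-}" != "-force" ]]; then
  die "This should be run as root. Use -force to force creating a CA" \
      "as a normal user"
fi

# use domtool-config to extract ca path and site domain
CAPATH=$(../bin/domtool-config -path cert ca)
BASE_OPENSSL_CONFIG="$(../bin/domtool-config -domain).core.ssl.conf"
readonly CAPATH BASE_OPENSSL_CONFIG

[[ -f "$BASE_OPENSSL_CONFIG" ]] \
  || die "You need to create $BASE_OPENSSL_CONFIG before continuing"

# Check the CA path before anything is written, so a bad build does not
# leave a stray domtool-openssl.conf behind.
[[ -n "$CAPATH" ]] || die "No CA path set. Domtool has not yet been built?"

# Merge the per-domain config with the shared section into one file for
# the openssl invocation below.
cat -- "$BASE_OPENSSL_CONFIG" common.ssl.conf > domtool-openssl.conf

# 1. Create directory structure

mkdir -p -- "$CAPATH"
for d in crl newcerts private; do
  mkdir -p -- "$CAPATH/$d"
done

# Lock down the key directory before any key material can be written into it.
chmod go-rwx -- "$CAPATH/private"
printf '01\n' > "$CAPATH/serial"
touch -- "$CAPATH/index"

# 2. Generate private key
#
# -nodes stores the CA key unencrypted (no passphrase), so the file
# permissions on the key are its only protection.
# No -keyout is passed: openssl writes the key to the path named by the
# config's default_keyfile, falling back to ./privkey.pem — confirm that
# domtool-openssl.conf points this under $CAPATH/private (TODO verify).
# Under set -e a failed key/cert generation aborts here instead of going
# on to publish the config of a half-built CA.
openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa \
  -out "$CAPATH/ca-cert.pem" -outform PEM

# 3. Copy ssl configuration to ca dir

# In general, publishing the openssl config for a domain in the ca
# directory might not be the best idea, but since this is a limited
# use internal CA, it is probably not a big deal.
# install creates the copy already at mode 600, so it is never briefly
# world-readable under the default umask the way cp-then-chmod is.
install -m 600 -- domtool-openssl.conf "$CAPATH/domtool-openssl.conf"

# Does the CA need to be readable by domtool? Issues with sudo and
# tickets, but those could be solved by creating a 700
# /tmp/domtool-ca-out/ and chowning to the actual user after for the
# copy/delete. Or maybe the ca ought to live in afs
# space... generality issues arise, probably just do option #1.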