3 # Install a signed certificate, placing a complimentary copy in the
4 # member's homedir. Validation is done on the certificate before
5 # allowing it to be installed. Also grant member domtool permissions
8 # If the certificate comes from the member's home directory, then
9 # don't place an extra copy there.
11 # Run this on an administrative node while holding admin tokens.
13 # Usage: ca-install member domain cert-file.pem [key-file.pem]
16 echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"
22 echo "Error: Too many arguments."
24 elif test -z "$3"; then
25 echo "Error: Not enough arguments."
35 WEBSERVERS
="shelob.hcoop.net minsky.hcoop.net"
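#######################################
# Verify that a PEM certificate and a PEM RSA private key belong together,
# i.e. that both carry the same RSA modulus.
# Arguments: $1 - certificate file (PEM, x509)
#            $2 - private key file (PEM, RSA); callers pass the certificate
#                 file itself here when the key is bundled in it
# Outputs:   diagnostics on stderr
# Returns:   does not return on failure: the script exits with status 1.
#            (Callers do not check the return status, so a plain 'return'
#            would let installation continue with an unverified file.)
# NOTE(review): the original's error-exit lines were lost in extraction;
#            they are reconstructed here as 'exit 1'.
#######################################
verify_cert() {
  # Guard against caller mistakes: exactly two arguments are expected.
  if test -z "$2" || test -n "$3"; then
    echo "Bad programming." >&2
    exit 1
  fi
  local cert=$1
  local key=$2
  local mod_cert mod_key

  # Fail on openssl's exit status, not only on output length: a length-only
  # check could be satisfied by a long diagnostic message rather than a
  # modulus. "Modulus=<hex>" shorter than 500 characters is a modulus of
  # under ~1968 bits, so 1024-bit keys are rejected and 2048-bit accepted.
  if ! mod_cert=$(openssl x509 -noout -modulus -in "$cert") \
     || (( ${#mod_cert} < 500 )); then
    echo "Error: Bad x509 part in certificate." >&2
    exit 1
  fi

  if ! mod_key=$(openssl rsa -noout -modulus -in "$key") \
     || (( ${#mod_key} < 500 )); then
    echo "Error: Bad RSA part in certificate or key." >&2
    exit 1
  fi

  # Equal moduli is what ties this private key to this certificate.
  if test "$mod_cert" != "$mod_key"; then
    echo "Error: x509 and RSA parts in certificate do not match." >&2
    exit 1
  fi
}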
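#######################################
# Check that an intermediate-chain file parses as an x509 certificate.
# Arguments: $1 - intermediate chain file (PEM)
# Outputs:   diagnostics on stderr
# Returns:   does not return on failure: the script exits with status 1.
# Limitation: 'openssl x509' reads only the first certificate in the file,
#            and nothing here confirms that the chain actually issued the
#            member's certificate. A stronger check would run
#            'openssl verify -untrusted <chain> <member-cert>' against the
#            system trust store.
# NOTE(review): the original read a variable named CERT at this point; if
#            that was not assigned from $1 in a line lost in extraction,
#            the chain file itself was never inspected. This version
#            parses $1 explicitly.
#######################################
verify_chain() {
  # Guard against caller mistakes: exactly one argument is expected.
  if test -z "$1" || test -n "$2"; then
    echo "Bad programming." >&2
    exit 1
  fi
  local chain=$1
  local mod_chain

  # Fail on openssl's exit status as well as on output length, so a long
  # diagnostic message cannot pass for a modulus.
  if ! mod_chain=$(openssl x509 -noout -modulus -in "$chain") \
     || (( ${#mod_chain} < 500 )); then
    echo "Error: Bad x509 part in intermediate chain." >&2
    exit 1
  fi
}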
75 # Make sure we run this from an admin host...
76 if test "$(hostname -s)" != "gibran"; then
77 echo "Error: This script must be run from gibran."
81 # Sanity-check some paths
82 if test ! -f "$CERT"; then
83 echo "Error: Nonexistent or unreadable cert $CERT."
86 if test -n "$KEY" && test ! -f "$KEY"; then
87 echo "Error: Nonexistent or unreadable key $KEY."
90 if test -n "$CHAIN" && test ! -f "$CHAIN"; then
91 echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
95 # Check for valid username
96 if ! getent passwd
"$MEMBER" > /dev
/null
; then
97 echo "Error: Invalid user \"$MEMBER\"."
101 # Figure out destination for complimentary copy
102 APACHE_DEST
=/etc
/apache
2/ssl
/user
/$DOMAIN.pem
103 MEMBERHOME
=$
(getent passwd
$MEMBER | cut
-d':' -f 6)
104 if test -n "$KEY"; then
105 DEST
="$(dirname $KEY)/$DOMAIN.pem"
110 # Perform complimentary copy
111 if test -z "$DEST"; then
112 echo "No key specified, so skipping complimentary copy."
113 elif echo "$CERT" |
grep "^$MEMBERHOME" > /dev
/null
; then
114 echo "Member already has a cert, skipping the complimentary copy."
115 elif test -f "$DEST"; then
116 echo "Not overwriting existing file $DEST."
118 echo "Copying signed certificate to member's home directory ..."
120 chown
$MEMBER:nogroup
"$DEST"
124 # Determine whether we need to concatenate a private key
125 if openssl rsa
-noout -check -in "$CERT" > /dev
/null
; then
128 if test -z "$KEY"; then
129 echo "Error: No RSA private key is included with this certificate."
134 # Verify certificate and key
135 echo "Validating certificate ..."
136 if test -z "$KEY"; then
137 verify_cert
"$CERT" "$CERT"
139 verify_cert
"$CERT" "$KEY"
141 if test -n "$CHAIN"; then
142 verify_chain
"$CHAIN"
144 echo "Certificate passed validatation."
147 # Copy complete certificate to webserver
148 if test -z "$KEY"; then
149 echo "Installing certificate to Apache SSL directory ..."
150 for WEBSERVER
in $WEBSERVERS; do
151 < "$CERT" ssh $WEBSERVER sudo
tee "$APACHE_DEST" > /dev
/null
154 echo "Installing certificate and key to Apache SSL directory ..."
155 for WEBSERVER
in $WEBSERVERS; do
156 cat "$CERT" "$KEY" "$CHAIN" |
ssh $WEBSERVER sudo
tee "$APACHE_DEST" > /dev
/null
159 for WEBSERVER
in $WEBSERVERS; do
160 ssh $WEBSERVER sudo
chmod 400 "$APACHE_DEST" > /dev
/null
164 # Grant Domtool permissions
165 echo "Granting member Domtool permissions for the certificate ..."
166 domtool-admin grant
$MEMBER cert
"$APACHE_DEST"
169 echo "Restarting apache ..."
170 for WEBSERVER
in $WEBSERVERS; do
171 ssh $WEBSERVER sudo apache2ctl graceful
175 # Tell admin what to do
176 echo "Done. Tell $MEMBER that the certificate is available for use at"