X-Git-Url: http://git.hcoop.net/hcoop/scripts.git/blobdiff_plain/000346180edb9aea7cf942905952d18e00a3e506..HEAD:/ca-install diff --git a/ca-install b/ca-install index 60419ea..5b17734 100755 --- a/ca-install +++ b/ca-install @@ -13,12 +13,12 @@ # Usage: ca-install member domain cert-file.pem [key-file.pem] function usage () { - echo "Usage: ca-install member domain cert-file.pem [key-file.pem]" + echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]" exit 1 } # Check arguments -if test -n "$5"; then +if test -n "$6"; then echo "Error: Too many arguments." usage elif test -z "$3"; then @@ -29,9 +29,10 @@ else DOMAIN=$2 CERT=$3 KEY=$4 + CHAIN=$5 fi -WEBSERVERS="shelob.hcoop.net" +WEBSERVERS="shelob.hcoop.net minsky.hcoop.net" function verify_cert () { if test -z "$2" || test -n "$3"; then @@ -56,9 +57,24 @@ function verify_cert () { fi } +function verify_chain () { + if test -z "$1" || test -n "$2"; then + echo "Bad programming." + exit 1 + fi + # just make sure the intermediate chain contains a cert, might be + # nice if this checked if it was used to sign the user's cert + local CERT=$1 + local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1) + if test $(echo "$MOD1" | wc -c) -lt 500; then + echo "Error: Bad x509 part in intermediate chain." + exit 1 + fi +} + # Make sure we run this from an admin host... if test "$(hostname -s)" != "gibran"; then - echo "Error: This script must be run from fritz." + echo "Error: This script must be run from gibran." exit 1 fi @@ -70,6 +86,10 @@ fi if test -n "$KEY" && test ! -f "$KEY"; then echo "Error: Nonexistent or unreadable key $KEY." exit 1 +fi +if test -n "$CHAIN" && test ! -f "$CHAIN"; then + echo "Error: Nonexistent or unreadable intermediate chain $CHAIN." + exit 1 fi # Check for valid username @@ -118,6 +138,9 @@ if test -z "$KEY"; then else verify_cert "$CERT" "$KEY" fi +if test -n "$CHAIN"; then + verify_chain "$CHAIN" +fi echo "Certificate passed validatation." echo 
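Review bot: verify_chain, added in the third hunk, decides validity by output length rather than by openssl's result: `local MOD1=$(openssl ...)` discards the exit status, `2>&1` folds any error text into the measured string, and the `-lt 500` threshold on the modulus means a legitimate EC or sub-2048-bit RSA intermediate is rejected while only a genuine parse failure is caught by accident. Checking the exit status of the same `openssl x509` call is exact and shorter, and the modulus/`wc -c` dance can go. As the comment already concedes, only the first PEM block is ever inspected and nothing ties it to the user's certificate; the call site in the fifth hunk could add `openssl verify -untrusted "$CHAIN" "$CERT"` (against the host's CA bundle) so a wrong intermediate is caught before it is pushed to every web server.
```shell
function verify_chain () {
    # … unchanged: argument-count guard …
    local CHAIN=$1
    # only the first PEM block is parsed here; rely on openssl's exit status
    # instead of on how long its (merged) output happens to be
    if ! openssl x509 -noout -in "$CHAIN" >/dev/null 2>&1; then
        echo "Error: Bad x509 part in intermediate chain."
        exit 1
    fi
}
```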
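Review bot: The new `test ! -f "$CHAIN"` check in the fourth hunk reports "Nonexistent or unreadable", but `-f` only tests existence and file type, so an unreadable chain file passes here and fails later inside verify_chain's openssl call with a less helpful message; `test ! -r "$CHAIN"` matches the wording. The adjacent `$KEY` check has the same gap, so for consistency either both lines should use `-r` or neither should claim to test readability.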
@@ -130,7 +153,7 @@ if test -z "$KEY"; then
 else
 echo "Installing certificate and key to Apache SSL directory ..."
 for WEBSERVER in $WEBSERVERS; do
- cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
 done
 fi
 for WEBSERVER in $WEBSERVERS; do
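Review bot: `cat "$CERT" "$KEY" "$CHAIN"` passes an empty-string argument whenever no chain was given, and the four-argument form is still accepted by the usage check, so every install without a chain now prints `cat: : No such file or directory` and the pipeline exits non-zero; the cert and key are still streamed, but the error is misleading and the pipeline status is never examined. Use `cat "$CERT" "$KEY" ${CHAIN:+"$CHAIN"} | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null` so the argument disappears when CHAIN is empty. The enclosing `if test -z "$KEY"` starts above the hunk, and its cert-only branch presumably needs the same treatment if the chain is meant to be installed there as well.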