#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's homedir. Also grant the member domtool permissions for the
# certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on deleuze as an admin.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]
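#######################################
# Print the usage line and abort the script.
# Outputs:  usage text on stderr (diagnostics never go to stdout)
# Returns:  does not return; exits with status 1
#######################################
usage() {
  printf 'Usage: ca-install member domain cert-file.pem [key-file.pem]\n' >&2
  exit 1
}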
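# Check arguments: exactly three or four positional parameters are accepted.
if [[ -n "$5" ]]; then
  echo "Error: Too many arguments." >&2
  usage
elif [[ -z "$3" ]]; then
  echo "Error: Not enough arguments." >&2
  usage
else
  MEMBER=$1
  DOMAIN=$2
  CERT=$3
  KEY=$4
fi

# DOMAIN is spliced into a file name that is later written as root on the
# web server (ssh + sudo tee), so it must look like a hostname: letters,
# digits, '.' and '-', optionally with a leading "*." for wildcard
# certificates. This rules out '/', whitespace and shell metacharacters.
if [[ ! "$DOMAIN" =~ ^(\*\.)?[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo "Error: Invalid domain \"$DOMAIN\"." >&2
  exit 1
fi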
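# Host that receives the installed certificate over ssh. Marked readonly so
# a later typo cannot silently redirect the private key to another machine.
readonly WEBSERVER=mire.hcoop.net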
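#######################################
# Check that a certificate and a private key belong together by comparing
# their RSA moduli. Exits the script on any failure, so callers need not
# inspect the return value.
# Arguments: $1 - PEM file holding the x509 certificate
#            $2 - PEM file holding the RSA private key; may be the same
#                 file as $1 when the key is bundled with the certificate
# Outputs:   error message on stderr before exiting
# Returns:   0 when the moduli match; exits 1 otherwise
#######################################
verify_cert() {
  if [[ -z "$2" || -n "$3" ]]; then
    echo "Bad programming." >&2
    exit 1
  fi
  local cert=$1
  local key=$2
  local mod1 mod2

  # Check openssl's exit status rather than trusting its output; the length
  # test is kept as a second guard (a 2048-bit modulus is 512 hex digits,
  # so anything much shorter is not a real "Modulus=..." line).
  if ! mod1=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) \
      || (( ${#mod1} < 500 )); then
    echo "Error: Bad x509 part in certificate." >&2
    exit 1
  fi
  # stdin is /dev/null so an encrypted key fails immediately instead of
  # prompting for a passphrase and hanging the script.
  if ! mod2=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null </dev/null) \
      || (( ${#mod2} < 500 )); then
    echo "Error: Bad RSA part in certificate or key." >&2
    exit 1
  fi
  if [[ "$mod1" != "$mod2" ]]; then
    echo "Error: x509 and RSA parts in certificate do not match." >&2
    exit 1
  fi
}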
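# Make sure we run this from deleuze
if [[ "$(hostname -s)" != "deleuze" ]]; then
  echo "Error: This script must be run from deleuze." >&2
  exit 1
fi

# Sanity-check some paths. The messages promise "unreadable" as well, so
# test readability and not only existence.
if [[ ! -f "$CERT" || ! -r "$CERT" ]]; then
  echo "Error: Nonexistent or unreadable cert $CERT." >&2
  exit 1
fi
if [[ -n "$KEY" && ( ! -f "$KEY" || ! -r "$KEY" ) ]]; then
  echo "Error: Nonexistent or unreadable key $KEY." >&2
  exit 1
fi

# Check for valid username
if ! getent passwd "$MEMBER" > /dev/null; then
  echo "Error: Invalid user \"$MEMBER\"." >&2
  exit 1
fi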
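# Figure out destination for complimentary copy
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
# Field 6 of the passwd entry is the home directory.
MEMBERHOME=$(getent passwd "$MEMBER" | cut -d: -f6)
if [[ -z "$MEMBERHOME" ]]; then
  # An empty prefix would later make every path look like it is inside the
  # member's home directory, so fail instead of guessing.
  echo "Error: Cannot determine home directory of \"$MEMBER\"." >&2
  exit 1
fi
if [[ -n "$KEY" ]]; then
  # The copy goes next to the member's key file, named after the domain.
  DEST="$(dirname -- "$KEY")/$DOMAIN.pem"
else
  DEST=
fi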
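# Perform complimentary copy
# Compare canonical paths so a relative or symlinked CERT inside the home
# directory is recognised; fall back to the given path if readlink fails.
cert_path=$(readlink -f -- "$CERT" 2>/dev/null || printf '%s' "$CERT")
if [[ -z "$DEST" ]]; then
  echo "No key specified, so skipping complimentary copy."
elif [[ "$cert_path" == "${MEMBERHOME%/}"/* ]]; then
  echo "Member already has a cert, skipping the complimentary copy."
elif [[ -e "$DEST" || -L "$DEST" ]]; then
  # -L also catches a dangling symlink, which cp would otherwise write through.
  echo "Not overwriting existing file $DEST."
else
  echo "Copying signed certificate to member's home directory ..."
  # The certificate file may bundle the private key (checked further down),
  # so create the copy with owner and mode set in one step rather than
  # leaving a world-readable window between cp and chown.
  if ! install -o "$MEMBER" -g nogroup -m 0600 -- "$CERT" "$DEST"; then
    echo "Error: Could not copy certificate to $DEST." >&2
    exit 1
  fi
fi
echo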
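# Determine whether we need to concatenate a private key.
# Accept both the PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") PEM
# headers; verify_cert below still insists that the key is RSA and usable.
if grep -q -E '^-----BEGIN (RSA )?PRIVATE KEY-----' "$CERT"; then
  if [[ -n "$KEY" ]]; then
    # The bundled key wins; say so instead of dropping the argument silently.
    echo "Note: $CERT already contains a private key; ignoring $KEY." >&2
  fi
  KEY=
elif [[ -z "$KEY" ]]; then
  echo "Error: No RSA private key is included with this certificate." >&2
  exit 1
fi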
# Verify certificate and key. When no separate key remains (it is bundled
# in the certificate file), the certificate file is checked against itself.
echo "Validating certificate ..."
verify_cert "$CERT" "${KEY:-$CERT}"
echo "Certificate passed validatation."
echo
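# Copy complete certificate to webserver
# ssh joins its arguments and hands them to the remote login shell, which
# re-parses them, so the destination path is shell-quoted with printf %q
# before it reaches "sudo tee". Failures are fatal: granting domtool
# permissions for a file that was never written would only confuse the member.
printf -v REMOTE_DEST '%q' "$APACHE_DEST"
if [[ -z "$KEY" ]]; then
  echo "Installing certificate to Apache SSL directory ..."
  if ! ssh "$WEBSERVER" sudo tee "$REMOTE_DEST" > /dev/null < "$CERT"; then
    echo "Error: Failed to install $APACHE_DEST on $WEBSERVER." >&2
    exit 1
  fi
else
  echo "Installing certificate and key to Apache SSL directory ..."
  # NOTE(review): the remote tee creates the file with root's umask; the
  # protection of the private key relies on the permissions of the
  # ssl/user directory on the web server — confirm they are restrictive.
  if ! cat "$CERT" "$KEY" | ssh "$WEBSERVER" sudo tee "$REMOTE_DEST" > /dev/null; then
    echo "Error: Failed to install $APACHE_DEST on $WEBSERVER." >&2
    exit 1
  fi
fi
echo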
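# Grant Domtool permissions
echo "Granting member Domtool permissions for the certificate ..."
if ! domtool-admin grant "$MEMBER" cert "$APACHE_DEST"; then
  # The certificate is already installed at this point; tell the admin the
  # grant step is what needs repeating.
  echo "Error: domtool-admin grant failed; $MEMBER cannot use $APACHE_DEST yet." >&2
  exit 1
fi
echo

# Tell admin what to do
echo "Done. Tell $MEMBER that the certificate is available for use at"
echo " $APACHE_DEST"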