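#!/bin/bash
# -*- sh -*-

# Create a domtool certificate authority
# WARNING: Will not create a secure CA if it is in afs space
#
# Usage: run from the directory that holds common.ssl.conf, with the
# domtool checkout's bin/ one level up (domtool-config is looked up
# relative to the current directory).
#   -force   allow running as a non-root user; the CA's private material
#            is then protected only by that user's file permissions.

# Fail on unset variables. Every step whose failure matters is checked
# explicitly below so a half-built CA is never left behind silently.
set -u

if [[ "$(whoami)" != "root" && "${1:-}" != "-force" ]]; then
  echo "This should be run as root. Use -force to force creating a CA" >&2
  echo "as a normal user" >&2
  exit 1
fi

# use domtool-config to extract ca path and site domain

CAPATH=$(../bin/domtool-config -path cert ca)
BASE_OPENSSL_CONFIG=$(../bin/domtool-config -domain).core.ssl.conf

if [ -z "$CAPATH" ]; then
  echo "No CA path set. Domtool has not yet been built?" >&2
  exit 1
fi

# Both config fragments must exist, otherwise the concatenation below
# would silently produce a truncated openssl config.
for f in "$BASE_OPENSSL_CONFIG" common.ssl.conf; do
  if [[ ! -r "$f" ]]; then
    echo "Missing openssl config fragment: $f" >&2
    exit 1
  fi
done
cat "$BASE_OPENSSL_CONFIG" common.ssl.conf > domtool-openssl.conf || exit 1

# Refuse to run over an existing CA: rewriting serial/index would reset the
# serial counter and the issued-certificate database, so later certificates
# could reuse serial numbers under the same CA certificate.
if [[ -e "$CAPATH/ca-cert.pem" || -e "$CAPATH/serial" ]]; then
  echo "A CA already exists in $CAPATH; remove it by hand to recreate it" >&2
  exit 1
fi

# 1. Create directory structure

mkdir -p -- "$CAPATH" || exit 1
for d in crl newcerts private; do
  mkdir -p -- "$CAPATH/$d" || exit 1
done

chmod go-rwx -- "$CAPATH/private"
echo '01' > "$CAPATH/serial"
touch -- "$CAPATH/index"

# 2. Generate private key (and the self-signed CA certificate)
#
# Neither the key's destination nor its size is given on the command line;
# both come from the generated domtool-openssl.conf (default_keyfile /
# default_bits in its [req] section).
# NOTE(review): confirm default_keyfile points below $CAPATH/private.
# The subshell umask makes sure whatever files openssl creates are not
# group/world readable regardless of where the key lands; -nodes leaves
# the key unencrypted on disk, so file permissions are its only protection.
if ! ( umask 077 && openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out "$CAPATH/ca-cert.pem" -outform PEM ); then
  echo "openssl failed; CA was not created" >&2
  exit 1
fi
# The certificate itself is public; restore the read permission the
# restrictive umask above removed from it.
chmod go+r -- "$CAPATH/ca-cert.pem"

# 3. Copy ssl configuration to ca dir

# In general, publishing the openssl config for a domain in the ca
# directory might not be the best idea, but since this is a limited
# use internal CA, it is probably not a big deal.
cp -- domtool-openssl.conf "$CAPATH/" || exit 1
chmod 600 -- "$CAPATH/domtool-openssl.conf"

# Does the CA need to be readable by domtool? Issues with sudo and
# tickets, but those could be solved by creating a 700
# /tmp/domtool-ca-out/ and chowning to the actual user after for the
# copy/delete. Or maybe the ca ought to live in afs
# space... generality issues arise, probably just do option #1.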