worker: add runOutput function
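#!/bin/sh
# domtool-addcert: generate a 4096-bit RSA key for one user (or server
# principal) and have the domtool CA sign a certificate for it.
#
# Usage: domtool-addcert USERNAME [-unsafe]
#   -unsafe  skip the getent lookup and the chown of the key directory
#
# All paths come from `domtool-config`.  Writes KEYDIR/key.pem and the
# signed certificate to the cert directory as USERNAME.pem.
#
# Options are set here rather than on the shebang line so they survive
# being run as `sh domtool-addcert`.
set -eu

if [ $# -lt 1 ] || [ -z "$1" ]; then
  echo "Usage: domtool-addcert USERNAME [-unsafe]" >&2
  exit 1
fi
# Deliberately not called USER: if USER is exported in the caller's
# environment, assigning it here would push the argument into every child
# process (domtool-config, openssl, sudo).
CERTUSER="$1"
MODE="${2-}"

# The name is spliced into filesystem paths below; refuse anything that is
# not a single plain path component so "../x" or "-foo" cannot escape the
# certificate tree or be parsed as an option.
# NOTE(review): assumes principals are single path components — relax this
# if names containing '/' are legitimately passed here.
case "$CERTUSER" in
  */* | *[[:space:]]* | .* | -*)
    echo "domtool-addcert: invalid user name: $CERTUSER" >&2
    exit 1
    ;;
esac

umask 0077 # nothing this script creates is readable by anyone else

KEYDIR="$(domtool-config -path cert keys)/$CERTUSER"
KEYFILE="$KEYDIR/key.pem"
CERTFILE="$(domtool-config -path cert certs)/$CERTUSER.pem"
CACONF="$(domtool-config -path cert ca)/domtool-openssl.conf"

# Private work dir with an unpredictable name, removed on every exit path so
# a run that fails half way never leaves the request or certificate behind.
WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/domtool-keyreq.XXXXXX")" || {
  echo "domtool-addcert: cannot create work dir" >&2
  exit 1
}
trap 'rm -rf "$WORKDIR"' EXIT
chmod 700 "$WORKDIR"

NEWREQ="$WORKDIR/.newreq.pem"
NEWCERT="$WORKDIR/.cert"

if ! mkdir "$KEYDIR"; then
  echo "Key directory already exists." >&2
fi
# chmod for non-afs systems
chmod 700 "$KEYDIR"
openssl genrsa -out "$KEYFILE" 4096
chmod 600 "$KEYFILE"
# chown -R domtool.nogroup $KEYDIR

if [ "$MODE" != '-unsafe' ]; then
  if [ -z "$(getent passwd "$CERTUSER")" ]; then
    echo "$CERTUSER does not exist. This must be a server principal."
  else
    chown -R "$CERTUSER:nogroup" "$KEYDIR"
  fi
fi

# AFS ACL: let the user read their own key directory.
fs sa "$KEYDIR" "$CERTUSER" read || echo "This must be a server principal."

# Answers for the interactive subject prompts of `openssl req`, fed on stdin
# instead of through a temp file: '.' leaves the first five fields empty,
# then common name and e-mail, then two empty lines for the extra
# attributes (challenge password, optional company name).
# fixme: domtool-config -domain
openssl req -new -key "$KEYFILE" -out "$NEWREQ" -days 365 <<EOF
.
.
.
.
.
$CERTUSER
$CERTUSER@$(domtool-config -domain)


EOF

# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient
# permissions. Otherwise, become root to use the ca private key.
ROOTCMD=""
if [ ! -r "$CACONF" ]; then
  ROOTCMD=sudo
fi

# Only the signing request is handed to the CA; the private key stays in
# $KEYDIR and is never copied into the work dir or read by root.
# shellcheck disable=SC2086 -- ROOTCMD is intentionally empty or "sudo"
$ROOTCMD openssl ca -batch -config "$CACONF" -out "$NEWCERT" -infiles "$NEWREQ"
# When sudo was used the certificate is root-owned; take it back before mv.
$ROOTCMD chown "$(whoami)" "$NEWCERT"
mv "$NEWCERT" "$CERTFILE"
#chown domtool.nogroup $CERTFILE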