[hcoop/domtool2.git] / scripts / domtool-addcert

#!/bin/sh -e

USER="$1"
if test -z "$USER"; then
	echo Usage: domtool-addcert USERNAME
	exit 1
fi   

umask 0066 # Prevent others from reading any files creating on local fs

 WORKDIR=/tmp/domtool-keyreq
  KEYDIR=`domtool-config -path cert keys`/$USER
 KEYFILE=$KEYDIR/key.pem
CERTFILE=`domtool-config -path cert certs`/$USER.pem
  NEWREQ=$WORKDIR/.newreq.pem
     NEW=$WORKDIR/.new.pem
   KEYIN=$WORKDIR/.keyin
 NEWCERT=$WORKDIR/.cert
  CACONF=`domtool-config -path cert ca`/domtool-openssl.conf

mkdir $WORKDIR && chmod 700 $WORKDIR || (echo Cannot create work dir ; exit 1)

mkdir $KEYDIR || echo Key directory already exists.
openssl genrsa -out $KEYFILE 4096
# chown -R domtool.nogroup $KEYDIR
# chmod for non-afs systems
chmod 700 $KEYDIR
chmod 600 $KEYFILE
if [ "$2" != '-unsafe' ]; then
    if [ -z "`getent passwd $USER`" ]; then
	echo "$USER does not exist. This must be a server principal."
    else
	chown -R $USER:nogroup $KEYDIR
    fi
fi

fs sa $KEYDIR $USER read || echo This must be a server principal.
echo "." >$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "$USER" >>$KEYIN
# fixme: domtool-config -domain
echo "$USER@`domtool-config -domain`" >>$KEYIN
echo "" >>$KEYIN
echo "" >>$KEYIN
openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
rm $KEYIN
cat $NEWREQ $KEYFILE >$NEW
rm $NEWREQ

ROOTCMD=""
# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient
# permissions. Otherwise, become root to use the ca private key,
if [ ! -r $CACONF ]; then
    ROOTCMD=sudo
fi

$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $NEWCERT -infiles $NEW
$ROOTCMD chown `whoami` $NEWCERT
mv $NEWCERT $CERTFILE
rm $NEW
rm $WORKDIR -rf
#chown domtool.nogroup $CERTFILE
Commit	Line	Data
385c3534 AC	1	#!/bin/sh -e
385c3534 AC	2
906a79a6 DO	3	USER="$1"
	4	if test -z "$USER"; then
	5	echo Usage: domtool-addcert USERNAME
	6	exit 1
	7	fi
	8
ec76f5e6 CE	9	umask 0066 # Prevent others from reading any files creating on local fs
	10
	11	WORKDIR=/tmp/domtool-keyreq
9e3f2290	12	KEYDIR=`domtool-config -path cert keys`/$USER
385c3534	13	KEYFILE=$KEYDIR/key.pem
9e3f2290	14	CERTFILE=`domtool-config -path cert certs`/$USER.pem
ec76f5e6 CE	15	NEWREQ=$WORKDIR/.newreq.pem
	16	NEW=$WORKDIR/.new.pem
	17	KEYIN=$WORKDIR/.keyin
	18	NEWCERT=$WORKDIR/.cert
9e3f2290	19	CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
385c3534	20
ec76f5e6 CE	21	mkdir $WORKDIR && chmod 700 $WORKDIR \|\| (echo Cannot create work dir ; exit 1)
ec76f5e6 CE	22
c235081a	23	mkdir $KEYDIR \|\| echo Key directory already exists.
9e3f2290 CE	24	openssl genrsa -out $KEYFILE 4096
	25	# chown -R domtool.nogroup $KEYDIR
	26	# chmod for non-afs systems
	27	chmod 700 $KEYDIR
	28	chmod 600 $KEYFILE
	29	if [ "$2" != '-unsafe' ]; then
	30	if [ -z "`getent passwd $USER`" ]; then
	31	echo "$USER does not exist. This must be a server principal."
	32	else
fb9aeb18	33	chown -R $USER:nogroup $KEYDIR
9e3f2290 CE	34	fi
	35	fi
	36
3cd90a3d	37	fs sa $KEYDIR $USER read \|\| echo This must be a server principal.
385c3534 AC	38	echo "." >$KEYIN
	39	echo "." >>$KEYIN
	40	echo "." >>$KEYIN
	41	echo "." >>$KEYIN
	42	echo "." >>$KEYIN
906a79a6	43	echo "$USER" >>$KEYIN
9e3f2290 CE	44	# fixme: domtool-config -domain
9e3f2290 CE	45	echo "$USER@`domtool-config -domain`" >>$KEYIN
385c3534 AC	46	echo "" >>$KEYIN
	47	echo "" >>$KEYIN
	48	openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
	49	rm $KEYIN
	50	cat $NEWREQ $KEYFILE >$NEW
	51	rm $NEWREQ
9e3f2290 CE	52
	53	ROOTCMD=""
	54	# Insecure CA is OK for development, and if the CA is in afs it is
	55	# assumed the script is being run with sufficient
	56	# permissions. Otherwise, become root to use the ca private key,
	57	if [ ! -r $CACONF ]; then
	58	ROOTCMD=sudo
	59	fi
	60
ec76f5e6 CE	61	$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $NEWCERT -infiles $NEW
	62	$ROOTCMD chown `whoami` $NEWCERT
	63	mv $NEWCERT $CERTFILE
385c3534	64	rm $NEW
ec76f5e6	65	rm $WORKDIR -rf
9e3f2290	66	#chown domtool.nogroup $CERTFILE