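#!/bin/sh
#
# domtool-addcert - generate a private key and certificate request for
# USERNAME and have the domtool CA sign it.
#
# Usage: domtool-addcert USERNAME [-unsafe]
#
#   USERNAME  account (or server principal) the certificate is issued to; it
#             names the key directory and the certificate file.
#   -unsafe   skip the chown of the key directory to USERNAME (for principals
#             that have no local account).
#
# Uses domtool-config (key/cert/CA paths and the domain), openssl, and the
# AFS 'fs' command for the key-directory ACL. sudo is used for the CA step
# only when the CA config is not readable by the invoking user.

# Options belong in 'set', not the shebang: '#!/bin/sh -e' is silently lost
# when the script is run as 'sh domtool-addcert'.
set -eu

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

USER=${1-}
if test -z "$USER"; then
  die "Usage: domtool-addcert USERNAME [-unsafe]"
fi
# USERNAME is spliced into filesystem paths below; refuse values that would
# escape the configured key/cert directories or be parsed as options.
case $USER in
  /*|-*|..|*/..|../*|*/../*) die "invalid USERNAME: $USER" ;;
esac

KEYDIR=$(domtool-config -path cert keys)/$USER
KEYFILE=$KEYDIR/key.pem
CERTFILE=$(domtool-config -path cert certs)/$USER.pem
CACONF=$(domtool-config -path cert ca)/domtool-openssl.conf
# fixme: domtool-config -domain (looked up once, up front, so a failing lookup
# aborts under 'set -e' instead of producing a request with an empty domain)
DOMAIN=$(domtool-config -domain)

# Scratch files in $HOME; $NEW holds a copy of the private key until the CA
# step has run.
NEWREQ=$HOME/.newreq.pem
NEW=$HOME/.new.pem

# Remove the scratch request/key copies on every exit path, including a
# failed openssl step, so the private key is not left behind in $HOME.
cleanup() {
  rm -f -- "$NEWREQ" "$NEW"
}
trap cleanup EXIT

# Create the key owner-only from the start instead of relying on the chmod
# that follows genrsa; the caller's umask is restored before the (public)
# certificate is written.
OLD_UMASK=$(umask)
umask 077

mkdir "$KEYDIR" || echo "Key directory already exists."
openssl genrsa -out "$KEYFILE" 4096
# chown -R domtool.nogroup $KEYDIR
# chmod for non-afs systems
chmod 700 "$KEYDIR"
chmod 600 "$KEYFILE"
if [ "${2-}" != '-unsafe' ]; then
  if [ -z "$(getent passwd "$USER")" ]; then
    echo "$USER does not exist. This must be a server principal."
  else
    chown -R "$USER.nogroup" "$KEYDIR"
  fi
fi

fs sa "$KEYDIR" "$USER" read || echo "This must be a server principal."

# Answers to the interactive 'openssl req' prompts, in prompt order: five DN
# fields left blank ('.' tells openssl to leave a field empty), then CN set
# to USERNAME, the email address, and two trailing extra attributes left
# empty. A here-document replaces the former ~/.keyin scratch file.
# NOTE: -days is only honoured by 'req -x509'; the validity of the signed
# certificate comes from the CA config.
openssl req -new -key "$KEYFILE" -out "$NEWREQ" -days 365 <<EOF
.
.
.
.
.
$USER
$USER@$DOMAIN


EOF

# NOTE(review): the private key is appended to the request here as in the
# original flow; 'openssl ca' only needs the request — confirm before
# dropping "$KEYFILE" from this cat.
cat "$NEWREQ" "$KEYFILE" >"$NEW"
rm -- "$NEWREQ"

# Insecure CA is OK for development, and if the CA is in afs it is assumed
# the script is being run with sufficient permissions. Otherwise, become
# root to use the CA private key.
ROOTCMD=""
if [ ! -r "$CACONF" ]; then
  ROOTCMD=sudo
fi

# The certificate is public: sign it under the caller's original umask.
umask "$OLD_UMASK"
# $ROOTCMD is intentionally unquoted: an empty value must expand to nothing.
# shellcheck disable=SC2086
$ROOTCMD openssl ca -batch -config "$CACONF" -out "$CERTFILE" -infiles "$NEW"
rm -- "$NEW"
#chown domtool.nogroup $CERTFILE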