[hcoop/domtool2.git] / bootstrap / domtool-create-ca

#!/bin/bash
# -*- sh -*-

# Create a domtool certificate authority
# WARNING: Will not create a secure CA if it is in afs space

if [[ `whoami` != "root" && "$1" != "-force" ]]; then
    echo "This should be run as root. Use -force to force creating a CA"
    echo "as a normal user"
    exit 1
fi

# use domtool-config to extract ca path and site domain

CAPATH=`../bin/domtool-config -path cert ca`
BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf

if [ ! -f $BASE_OPENSSL_CONFIG ]; then
    echo "You need to create $BASE_OPENSSL_CONFIG before continuing"
    exit 1
fi

cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf

if [ -z "$CAPATH" ]; then
    echo "No CA path set. Domtool has not yet been built?"
    exit 1
fi

# 1. Create directory structure

mkdir -p $CAPATH
for d in crl newcerts private; do
    mkdir $CAPATH/$d
done

chmod go-rwx $CAPATH/private
echo '01' > $CAPATH/serial
touch $CAPATH/index

# 2. Generate private key

openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM

# 3. Copy ssl configuration to ca dir

# In general, publishing the openssl config for a domain in the ca
# directory might not be the best idea, but since this is a limited
# use internal CA, it is probably not a big deal.
cp domtool-openssl.conf $CAPATH/
chmod 600 $CAPATH/domtool-openssl.conf

# Does the CA need to be readable by domtool? Issues with sudo and
# tickets, but those could be solved by creating a 700
# /tmp/domtool-ca-out/ and chowning to the actual user after for the
# copy/delete. Or maybe the ca ought to live in afs
# space... generality issues arise, probably just do option #1.
Commit	Line	Data
0f9f712c CE	1	#!/bin/bash
	2	# -- sh --
	3
	4	# Create a domtool certificate authority
	5	# WARNING: Will not create a secure CA if it is in afs space
	6
	7	if [[ `whoami` != "root" && "$1" != "-force" ]]; then
	8	echo "This should be run as root. Use -force to force creating a CA"
	9	echo "as a normal user"
	10	exit 1
	11	fi
	12
	13	# use domtool-config to extract ca path and site domain
	14
	15	CAPATH=`../bin/domtool-config -path cert ca`
	16	BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf
	17
97dac8e4 CE	18	if [ ! -f $BASE_OPENSSL_CONFIG ]; then
	19	echo "You need to create $BASE_OPENSSL_CONFIG before continuing"
	20	exit 1
	21	fi
	22
0f9f712c CE	23	cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf
	24
	25	if [ -z "$CAPATH" ]; then
	26	echo "No CA path set. Domtool has not yet been built?"
	27	exit 1
	28	fi
	29
	30	# 1. Create directory structure
	31
	32	mkdir -p $CAPATH
	33	for d in crl newcerts private; do
	34	mkdir $CAPATH/$d
	35	done
	36
	37	chmod go-rwx $CAPATH/private
	38	echo '01' > $CAPATH/serial
	39	touch $CAPATH/index
	40
	41	# 2. Generate private key
	42
	43	openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM
	44
	45	# 3. Copy ssl configuration to ca dir
	46
	47	# In general, publishing the openssl config for a domain in the ca
	48	# directory might not be the best idea, but since this is a limited
	49	# use internal CA, it is probably not a big deal.
	50	cp domtool-openssl.conf $CAPATH/
	51	chmod 600 $CAPATH/domtool-openssl.conf
	52
	53	# Does the CA need to be readable by domtool? Issues with sudo and
	54	# tickets, but those could be solved by creating a 700
	55	# /tmp/domtool-ca-out/ and chowning to the actual user after for the
	56	# copy/delete. Or maybe the ca ought to live in afs
	57	# space... generality issues arise, probably just do option #1.