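#!/bin/sh
#
# domtool-addcert: generate a 4096-bit RSA key for USERNAME, build a
# certificate request for it and have the domtool CA sign the request.
#
# Usage: domtool-addcert USERNAME [-unsafe]
#
#   USERNAME  owner of the key; also used as the CN of the request.
#   -unsafe   skip the local-account lookup and the chown of the key dir.
#
# Tools used: openssl, domtool-config; optionally getent, fs (AFS), sudo.
#
# Files (paths come from domtool-config):
#   <cert keys>/USERNAME/key.pem     private key   (0600, directory 0700)
#   <cert certs>/USERNAME.pem        signed certificate
#   <cert ca>/domtool-openssl.conf   CA configuration

# Shell options live here rather than on the shebang line so that they are
# not lost when the script is started as 'sh domtool-addcert'.
set -eu

usage() {
  printf 'Usage: domtool-addcert USERNAME [-unsafe]\n' >&2
  exit 1
}

username=${1-}
unsafe=${2-}

# The name is used as a single path component under the key and cert
# directories, so refuse anything empty, absolute, nested, traversing or
# option-like before it reaches mkdir/chown/fs.
case $username in
  ''|*/*|.|..|-*) usage ;;
esac

# Nothing this script creates (key, work files) may be readable or
# traversable by group/other; the explicit chmods below are belt-and-braces
# for file systems that apply mode bits.
umask 077

keydir="$(domtool-config -path cert keys)/$username"
keyfile="$keydir/key.pem"
certfile="$(domtool-config -path cert certs)/$username.pem"
caconf="$(domtool-config -path cert ca)/domtool-openssl.conf"

# Private work directory with an unpredictable name (mktemp creates it 0700);
# the trap removes it on every exit path, including failures part-way through.
workdir=$(mktemp -d) || { printf 'Cannot create work dir\n' >&2; exit 1; }
trap 'rm -rf -- "$workdir"' EXIT
newreq="$workdir/newreq.pem"
newcert="$workdir/cert"

# An existing directory is not an error: the key and certificate below are
# (re)generated either way.
mkdir -- "$keydir" || printf 'Key directory already exists.\n' >&2

openssl genrsa -out "$keyfile" 4096
# chmod for non-afs systems
chmod 700 -- "$keydir"
chmod 600 -- "$keyfile"

# Hand the key directory to the named account when it is a local account.
# A name that getent cannot resolve is taken to be a server principal.
if [ "$unsafe" != '-unsafe' ]; then
  if getent passwd "$username" >/dev/null 2>&1; then
    chown -R "$username:nogroup" -- "$keydir"
  else
    printf '%s does not exist. This must be a server principal.\n' "$username" >&2
  fi
fi

# AFS: grant the principal read on the key directory. Failure is expected on
# non-AFS hosts (no 'fs') and for names that are not pts entries.
fs sa "$keydir" "$username" read || printf 'This must be a server principal.\n' >&2

# Answers for the interactive 'openssl req' prompts. A lone '.' leaves a
# field empty. The order assumed is the stock req_distinguished_name one:
# C, ST, L, O, OU, CN, emailAddress, then the two "extra" attributes
# (challenge password, optional company name) left blank -- confirm against
# the openssl.cnf in use. No -days here: it only applies to -x509 output.
# fixme: domtool-config -domain
openssl req -new -key "$keyfile" -out "$newreq" <<EOF
.
.
.
.
.
$username
$username@$(domtool-config -domain)


EOF

# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient permissions.
# Otherwise, become root to use the ca private key.
if [ -r "$caconf" ]; then
  as_ca() { "$@"; }
else
  as_ca() { sudo "$@"; }
fi

# Only the request is handed to the CA; the private key never leaves $keydir.
as_ca openssl ca -batch -config "$caconf" -out "$newcert" -infiles "$newreq"
# The CA may have run as root, so take the certificate back before moving it.
as_ca chown "$(id -un)" -- "$newcert"
mv -- "$newcert" "$certfile"
#chown domtool.nogroup $CERTFILE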