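#!/bin/bash
# -*- sh -*-

# Create a domtool certificate authority.
#
# Reads the CA directory and the site domain from ../bin/domtool-config,
# builds a combined OpenSSL config from <domain>.core.ssl.conf plus
# common.ssl.conf, lays out the CA directory and generates a self-signed
# CA certificate valid for 1825 days (5 years).
#
# Usage: create-ca [-force]
#   -force   allow running as a non-root user. The CA directory and key
#            will then be owned by that user instead of root.
#
# WARNING: Will not create a secure CA if it is in afs space -- access
# there is governed by AFS ACLs, not the Unix modes set below, so the
# private key directory is not protected.

set -euo pipefail

# The CA key is generated unencrypted (-nodes, so signing never prompts for a
# passphrase); its only protection is the mode/ownership of the private dir.
# Require root unless the caller explicitly opts out with -force.
if [[ "$(id -u)" != "0" && "${1:-}" != "-force" ]]; then
  echo "This should be run as root. Use -force to force creating a CA" >&2
  echo "as a normal user" >&2
  exit 1
fi

# domtool-config and the *.ssl.conf fragments are addressed relative to the
# directory this script lives in, so run from there regardless of the
# caller's cwd.
cd "$(dirname -- "$0")" || exit 1

# use domtool-config to extract ca path and site domain
CAPATH=$(../bin/domtool-config -path cert ca)
DOMAIN=$(../bin/domtool-config -domain)
BASE_OPENSSL_CONFIG="${DOMAIN}.core.ssl.conf"

if [[ -z "$CAPATH" ]]; then
  echo "No CA path set. Domtool has not yet been built?" >&2
  exit 1
fi

# Without a domain the config name would degrade to ".core.ssl.conf".
if [[ -z "$DOMAIN" ]]; then
  echo "No site domain set. Domtool has not yet been built?" >&2
  exit 1
fi

if [[ ! -f "$BASE_OPENSSL_CONFIG" ]]; then
  echo "You need to create $BASE_OPENSSL_CONFIG before continuing" >&2
  exit 1
fi

# Refuse to run over an existing CA: the steps below would reset the
# serial/index database and replace the CA certificate, orphaning every
# certificate this CA has already issued.
if [[ -e "$CAPATH/ca-cert.pem" || -e "$CAPATH/serial" || -e "$CAPATH/index" ]]; then
  echo "$CAPATH already contains a CA; refusing to overwrite it" >&2
  exit 1
fi

cat -- "$BASE_OPENSSL_CONFIG" common.ssl.conf > domtool-openssl.conf

# 1. Create directory structure

mkdir -p -- "$CAPATH"
for subdir in crl newcerts; do
  mkdir -p -- "$CAPATH/$subdir"
done
# Create the key directory already locked down (-m applies to the final
# component) rather than creating it world-readable and chmod'ing afterwards.
mkdir -p -m 700 -- "$CAPATH/private"
chmod go-rwx -- "$CAPATH/private"

echo '01' > "$CAPATH/serial"
touch -- "$CAPATH/index"

# 2. Generate private key and self-signed CA certificate

# Where the key is written and how large it is come from the generated
# config (default_keyfile / default_bits), not from this command line.
# Before trusting this CA, confirm that default_keyfile points inside
# $CAPATH/private (otherwise OpenSSL drops privkey.pem in the cwd) and that
# default_bits is at least 2048.
# The umask is tightened only for this step so that whatever key file
# OpenSSL creates is never readable by group/other, even briefly; the
# certificate itself is public and gets a normal mode below.
(
  umask 077
  openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 \
    -newkey rsa -out "$CAPATH/ca-cert.pem" -outform PEM
)
chmod 644 -- "$CAPATH/ca-cert.pem"

# 3. Copy ssl configuration to ca dir

# In general, publishing the openssl config for a domain in the ca
# directory might not be the best idea, but since this is a limited
# use internal CA, it is probably not a big deal.
cp -- domtool-openssl.conf "$CAPATH/"
chmod 600 -- "$CAPATH/domtool-openssl.conf"

# TODO: Does the CA need to be readable by domtool? Issues with sudo and
# tickets, but those could be solved by creating a 700
# /tmp/domtool-ca-out/ and chowning to the actual user after for the
# copy/delete. Or maybe the ca ought to live in afs
# space... generality issues arise, probably just do option #1.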