HCoop Git - hcoop/domtool2.git/blame_incremental

... / ...

Commit	Line	Data
	1	#!/bin/sh -e
	2
	3	USER="$1"
	4	if test -z "$USER"; then
	5	echo Usage: domtool-addcert USERNAME
	6	exit 1
	7	fi
	8
	9	KEYDIR=`domtool-config -path cert keys`/$USER
	10	KEYFILE=$KEYDIR/key.pem
	11	CERTFILE=`domtool-config -path cert certs`/$USER.pem
	12	NEWREQ=~/.newreq.pem
	13	NEW=~/.new.pem
	14	KEYIN=~/.keyin
	15	CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
	16
	17	mkdir $KEYDIR \|\| echo Key directory already exists.
	18	openssl genrsa -out $KEYFILE 4096
	19	# chown -R domtool.nogroup $KEYDIR
	20	# chmod for non-afs systems
	21	chmod 700 $KEYDIR
	22	chmod 600 $KEYFILE
	23	if [ "$2" != '-unsafe' ]; then
	24	if [ -z "`getent passwd $USER`" ]; then
	25	echo "$USER does not exist. This must be a server principal."
	26	else
	27	chown -R $USER.nogroup $KEYDIR
	28	fi
	29	fi
	30
	31	fs sa $KEYDIR $USER read \|\| echo This must be a server principal.
	32	echo "." >$KEYIN
	33	echo "." >>$KEYIN
	34	echo "." >>$KEYIN
	35	echo "." >>$KEYIN
	36	echo "." >>$KEYIN
	37	echo "$USER" >>$KEYIN
	38	# fixme: domtool-config -domain
	39	echo "$USER@`domtool-config -domain`" >>$KEYIN
	40	echo "" >>$KEYIN
	41	echo "" >>$KEYIN
	42	openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
	43	rm $KEYIN
	44	cat $NEWREQ $KEYFILE >$NEW
	45	rm $NEWREQ
	46
	47	ROOTCMD=""
	48	# Insecure CA is OK for development, and if the CA is in afs it is
	49	# assumed the script is being run with sufficient
	50	# permissions. Otherwise, become root to use the ca private key,
	51	if [ ! -r $CACONF ]; then
	52	ROOTCMD=sudo
	53	fi
	54
	55	$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $CERTFILE -infiles $NEW
	56	rm $NEW
	57	#chown domtool.nogroup $CERTFILE