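#!/bin/sh
# domtool-addcert: generate a 4096-bit RSA key for a user or server
# principal, build a CSR for it, and have the domtool CA sign it.
#
# Usage: domtool-addcert USERNAME [-unsafe]
#   USERNAME  principal the key/cert is issued for (used as the CN)
#   -unsafe   skip the chown of the key directory to USERNAME
#
# Paths come from `domtool-config -path cert ...`; the CA step runs under
# sudo when the CA config is not readable by the invoking user.
#
# Strict mode lives here rather than in the shebang, so it also applies when
# the script is invoked as `sh domtool-addcert`.
set -eu

# NOTE: this deliberately reuses (and overwrites) the login USER variable, as
# the original did; child processes therefore see the principal name.
USER=${1-}
if [ -z "$USER" ]; then
  echo "Usage: domtool-addcert USERNAME" >&2
  exit 1
fi

KEYDIR=$(domtool-config -path cert keys)/$USER
KEYFILE=$KEYDIR/key.pem
CERTFILE=$(domtool-config -path cert certs)/$USER.pem
CACONF=$(domtool-config -path cert ca)/domtool-openssl.conf
# fixme: domtool-config -domain
DOMAIN=$(domtool-config -domain)

# Scratch files (the CSR, and the CSR+key bundle fed to the CA) live in a
# private mktemp directory instead of fixed names under $HOME, and the trap
# removes them on every exit path -- a failed CA step no longer leaves a
# copy of the private key behind.
WORKDIR=$(mktemp -d)
trap 'rm -rf -- "${WORKDIR:?}"' EXIT
NEWREQ=$WORKDIR/newreq.pem
NEW=$WORKDIR/new.pem

mkdir -- "$KEYDIR" || echo "Key directory already exists." >&2
# Generate the key under a restrictive umask so it is never readable by
# others, even between creation and the chmod below.
( umask 077 && openssl genrsa -out "$KEYFILE" 4096 )
# chown -R domtool.nogroup $KEYDIR
# chmod for non-afs systems
chmod 700 "$KEYDIR"
chmod 600 "$KEYFILE"
if [ "${2-}" != '-unsafe' ]; then
  # Only chown to a real account; server principals have no passwd entry.
  if getent passwd "$USER" >/dev/null 2>&1; then
    chown -R "$USER:nogroup" "$KEYDIR"
  else
    echo "$USER does not exist. This must be a server principal." >&2
  fi
fi

# AFS ACL: give the principal read access; failure is non-fatal, as before.
fs sa "$KEYDIR" "$USER" read || echo "This must be a server principal." >&2

# Answer the `openssl req` subject prompts non-interactively. The order
# (five '.'-blanked fields, CN, email, then two blank extra attributes)
# matches the default openssl.cnf prompt order -- confirm if the local
# openssl configuration prompts for different fields.
openssl req -new -key "$KEYFILE" -out "$NEWREQ" -days 365 <<EOF
.
.
.
.
.
$USER
$USER@$DOMAIN


EOF

# The CA input bundles the CSR with the private key, as the original did;
# kept as-is so the CA config's expectations are unchanged.
cat "$NEWREQ" "$KEYFILE" >"$NEW"

ROOTCMD=""
# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient
# permissions. Otherwise, become root to use the ca private key,
if [ ! -r "$CACONF" ]; then
  ROOTCMD=sudo
fi

# $ROOTCMD is intentionally unquoted: when empty it must expand to nothing.
# shellcheck disable=SC2086
$ROOTCMD openssl ca -batch -config "$CACONF" -out "$CERTFILE" -infiles "$NEW"
#chown domtool.nogroup $CERTFILE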