bootstrap: ensure ca config exists before continuing
[hcoop/domtool2.git] / bootstrap / domtool-create-ca
1#!/bin/bash
2# -*- sh -*-
3
4# Create a domtool certificate authority
5# WARNING: Will not create a secure CA if it is in afs space
6
7if [[ `whoami` != "root" && "$1" != "-force" ]]; then
8 echo "This should be run as root. Use -force to force creating a CA"
9 echo "as a normal user"
10 exit 1
11fi
12
13# use domtool-config to extract ca path and site domain
14
15CAPATH=`../bin/domtool-config -path cert ca`
16BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf
17
18if [ ! -f $BASE_OPENSSL_CONFIG ]; then
19 echo "You need to create $BASE_OPENSSL_CONFIG before continuing"
20 exit 1
21fi
22
23cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf
24
25if [ -z "$CAPATH" ]; then
26 echo "No CA path set. Domtool has not yet been built?"
27 exit 1
28fi
29
30# 1. Create directory structure
31
32mkdir -p $CAPATH
33for d in crl newcerts private; do
34 mkdir $CAPATH/$d
35done
36
37chmod go-rwx $CAPATH/private
38echo '01' > $CAPATH/serial
39touch $CAPATH/index
40
41# 2. Generate private key
42
43openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM
44
45# 3. Copy ssl configuration to ca dir
46
47# In general, publishing the openssl config for a domain in the ca
48# directory might not be the best idea, but since this is a limited
49# use internal CA, it is probably not a big deal.
50cp domtool-openssl.conf $CAPATH/
51chmod 600 $CAPATH/domtool-openssl.conf
52
53# Does the CA need to be readable by domtool? Issues with sudo and
54# tickets, but those could be solved by creating a 700
55# /tmp/domtool-ca-out/ and chowning to the actual user after for the
56# copy/delete. Or maybe the ca ought to live in afs
57# space... generality issues arise, probably just do option #1.
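Review bot: The `openssl req` invocation never says where the CA private key goes: `-newkey rsa` together with `-nodes` and no `-keyout` writes the unencrypted key to OpenSSL's default location (`privkey.pem` in the working directory, or whatever `default_keyfile` the concatenated config sets — common.ssl.conf is not visible here, so this is unconfirmed), which means the `chmod go-rwx $CAPATH/private` earlier in the script protects a directory the key is never written into. I would pin the destination and tighten the creation mode first, with `umask 077` on the line before and then `openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -keyout "$CAPATH/private/<ca-key-file>" -out "$CAPATH/ca-cert.pem" -outform PEM`, where the key filename is a placeholder for the project to choose. The same unquoted `$CAPATH` expansion recurs in the `mkdir`, `chmod`, `echo`, `touch`, `cp` and `chmod` lines; quoting it there as well avoids word-splitting and globbing should domtool-config ever return a path containing spaces or metacharacters. Because the script does not use `set -e`, a failed `openssl` still lets the later `cp` and `chmod` run and leaves the `serial` and `index` files behind, so an explicit `|| exit 1` on the `openssl` line would make a partial CA directory visible to the operator.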