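#!/bin/sh
# domtool-addcert: generate an RSA private key for USERNAME, get a certificate
# for it issued by the domtool CA, and publish both under the domtool AFS tree.
#
# Usage: domtool-addcert USERNAME
#
# Writes (all under /afs/hcoop.net/common/etc/domtool/):
#   keys/USERNAME/key.pem  - the new private key; owner domtool, AFS read ACL
#                            granted to USERNAME (best-effort, see below)
#   certs/USERNAME.pem     - certificate signed with /etc/domtool/openssl.cnf
#
# NOTE: if keys/USERNAME/key.pem already exists it is overwritten, which
# invalidates any certificate previously issued for it. That is the existing
# behaviour of this tool and is kept deliberately (re-running re-issues).

# Strict mode lives here rather than in the shebang so it is not lost when the
# script is run as `sh domtool-addcert ...`.
set -eu

# Private key material is written below; never let it be group/world readable.
umask 077

usage() {
  echo "Usage: domtool-addcert USERNAME" >&2
  exit 1
}

USER="${1:-}"
if test -z "$USER"; then
  usage
fi

# USERNAME is spliced into AFS paths, an `fs sa` ACL entry and the certificate
# subject. Refuse anything that is not a plain identifier: a leading '-' would
# be parsed as an option, a leading '.' or any '/' could escape the keys/ and
# certs/ directories (e.g. "../../etc"), and '/' would also break the -subj DN.
case "$USER" in
  -*|.*|*[!A-Za-z0-9_.-]*)
    echo "domtool-addcert: invalid username '$USER'" >&2
    exit 1
    ;;
esac

KEYDIR=/afs/hcoop.net/common/etc/domtool/keys/$USER
KEYFILE=$KEYDIR/key.pem
CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$USER.pem

# Scratch space for the CSR. Kept under $HOME as before (not /tmp), but with an
# unpredictable name and removed on every exit path, so a run that fails
# half-way does not leave files behind.
WORKDIR=$(mktemp -d "${HOME:?}/.domtool-addcert.XXXXXX")
trap 'rm -rf -- "$WORKDIR"' EXIT
NEWREQ=$WORKDIR/newreq.pem

# An existing directory is not an error: the key is (re)generated either way.
mkdir -- "$KEYDIR" || echo "Key directory already exists." >&2

# Explicit key size: the default of `openssl genrsa` varies by OpenSSL version
# (older releases generated 512/1024-bit keys), so do not rely on it.
openssl genrsa -out "$KEYFILE" 2048
chown -R domtool:nogroup "$KEYDIR"

# Grant USERNAME read access to the key via the AFS ACL. This is best-effort,
# as in the original: if the name is not an AFS entity the key is still issued
# but nobody except domtool can read it, so at least warn on stderr.
fs sa "$KEYDIR" "$USER" read || echo "This must be a server principal." >&2

# Build the CSR with an explicit subject instead of scripting the interactive
# prompts. The DN is the same one the prompts produced (every field left blank
# except CN and emailAddress), but no longer depends on the field order in the
# system-wide openssl.cnf. Certificate validity is decided by `openssl ca`
# (default_days in /etc/domtool/openssl.cnf); `openssl req -days` only applies
# with -x509 and was a no-op here.
openssl req -new -key "$KEYFILE" -out "$NEWREQ" \
  -subj "/CN=$USER/emailAddress=$USER@hcoop.net"

# Only the CSR is handed to the CA. The CA never needs the private key, and the
# old practice of concatenating key + request into one file made an extra copy
# of the key for no benefit (openssl ca reads just the first CSR block anyway).
openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything \
  -out "$CERTFILE" -infiles "$NEWREQ"

chown domtool:nogroup "$CERTFILE"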