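#!/bin/sh
# domtool-addcert: create a private key for USERNAME, build a certificate
# request for it and have the local domtool CA sign it.
#
# Usage: domtool-addcert USERNAME [-unsafe]
#   USERNAME  principal the key/cert is issued for (used as CN and as the
#             local part of the e-mail address in the request)
#   -unsafe   skip chown of the key directory to USERNAME
#
# Depends on: domtool-config, openssl, getent, fs (AFS), sudo (only when the
# CA config is not readable by the invoking user).
#
# Shell options live here rather than on the shebang so they survive
# `sh domtool-addcert ...`.  -u turns a typo'd variable into an error
# instead of an empty string fed to rm/chown/chmod.
set -eu

# Do not reuse the name USER: that would clobber the login-name environment
# variable seen by every child process (sudo, fs, openssl).
CERT_USER="${1:-}"
if [ -z "$CERT_USER" ]; then
  echo "Usage: domtool-addcert USERNAME" >&2
  exit 1
fi
MODE="${2:-}"

umask 0066 # Prevent others from reading any files created on local fs

KEYDIR="$(domtool-config -path cert keys)/$CERT_USER"
KEYFILE="$KEYDIR/key.pem"
CERTFILE="$(domtool-config -path cert certs)/$CERT_USER.pem"
CACONF="$(domtool-config -path cert ca)/domtool-openssl.conf"
# fixme: domtool-config -domain
DOMAIN="$(domtool-config -domain)"

# Private, unpredictable work directory (mktemp creates it mode 0700).  A
# fixed /tmp name can be pre-created by any local user so that every run
# fails, and is left behind whenever an earlier run aborted half-way.
WORKDIR="$(mktemp -d /tmp/domtool-keyreq.XXXXXX)" || {
  echo "Cannot create work dir" >&2
  exit 1
}
NEWREQ="$WORKDIR/.newreq.pem"
NEW="$WORKDIR/.new.pem"
KEYIN="$WORKDIR/.keyin"
NEWCERT="$WORKDIR/.cert"
# Remove the work dir, including the request+key bundle, on every exit path
# (success, set -e abort, or signal).  ${WORKDIR:?} refuses to run as
# `rm -rf --` if the variable were ever empty.
trap 'rm -rf -- "${WORKDIR:?}"' EXIT

mkdir "$KEYDIR" || echo "Key directory already exists."
openssl genrsa -out "$KEYFILE" 4096
# chown -R domtool.nogroup $KEYDIR
# chmod for non-afs systems
chmod 700 "$KEYDIR"
chmod 600 "$KEYFILE"
if [ "$MODE" != '-unsafe' ]; then
  # getent exits non-zero (and prints nothing) when the account is unknown.
  if getent passwd "$CERT_USER" >/dev/null; then
    chown -R "$CERT_USER:nogroup" "$KEYDIR"
  else
    echo "$CERT_USER does not exist. This must be a server principal."
  fi
fi

fs sa "$KEYDIR" "$CERT_USER" read || echo "This must be a server principal."

# Scripted answers to the interactive `openssl req` prompts, one per line:
# five "." (leave the field blank), then the CN, then the e-mail address,
# then two empty lines for the trailing optional attributes.  Which named
# field each line lands in is decided by the prompts in the CA's openssl
# config -- confirm against that file before reordering.
printf '%s\n' . . . . . "$CERT_USER" "$CERT_USER@$DOMAIN" '' '' >"$KEYIN"
# Certificate validity is set by the CA at signing time; -days is kept from
# the original invocation and is not what determines the final lifetime.
openssl req -new -key "$KEYFILE" -out "$NEWREQ" -days 365 <"$KEYIN"
rm -f -- "$KEYIN"
cat "$NEWREQ" "$KEYFILE" >"$NEW"
rm -f -- "$NEWREQ"

ROOTCMD=""
# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient
# permissions. Otherwise, become root to use the ca private key,
if [ ! -r "$CACONF" ]; then
  ROOTCMD=sudo
fi

# $ROOTCMD is deliberately unquoted: when empty it must vanish rather than
# become an empty-string command name.
$ROOTCMD openssl ca -batch -config "$CACONF" -out "$NEWCERT" -infiles "$NEW"
$ROOTCMD chown "$(whoami)" "$NEWCERT"
mv -- "$NEWCERT" "$CERTFILE"
# $NEW and the rest of $WORKDIR are removed by the EXIT trap.
#chown domtool.nogroup $CERTFILE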