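#!/bin/bash
# -*- sh -*-

# Create a domtool certificate authority
#
# Must be run from the bootstrap/ directory: it invokes ../bin/domtool-config
# and reads ./common.ssl.conf.  Requires root unless -force is given.
#
# WARNING: Will not create a secure CA if it is in afs space

# Abort on the first failing command so a failed step (e.g. openssl)
# cannot leave a half-built CA behind that later steps treat as valid.
set -e

if [[ "$(id -u)" -ne 0 && "$1" != "-force" ]]; then
  echo "This should be run as root. Use -force to force creating a CA" >&2
  echo "as a normal user" >&2
  exit 1
fi

# Everything below uses paths relative to bootstrap/, so check that first.
if [[ ! -x ../bin/domtool-config || ! -f common.ssl.conf ]]; then
  echo "Run this from the bootstrap directory (needs ../bin/domtool-config and common.ssl.conf)" >&2
  exit 1
fi

# use domtool-config to extract ca path and site domain

CAPATH=$(../bin/domtool-config -path cert ca) || CAPATH=""
SITE_DOMAIN=$(../bin/domtool-config -domain) || SITE_DOMAIN=""
BASE_OPENSSL_CONFIG="${SITE_DOMAIN}.core.ssl.conf"

if [[ -z "$CAPATH" ]]; then
  echo "No CA path set. Domtool has not yet been built?" >&2
  exit 1
fi

if [[ ! -f "$BASE_OPENSSL_CONFIG" ]]; then
  echo "You need to create $BASE_OPENSSL_CONFIG before continuing" >&2
  exit 1
fi

# Refuse to clobber an existing CA: re-running would overwrite the CA
# certificate and reset the serial counter to 01, so the replacement CA
# would re-issue serial numbers the old one already handed out.
if [[ -e "$CAPATH/ca-cert.pem" || -e "$CAPATH/serial" ]]; then
  echo "A CA already exists in $CAPATH; remove it first if you really want to recreate it" >&2
  exit 1
fi

# All checks passed; only now start writing files.
cat "$BASE_OPENSSL_CONFIG" common.ssl.conf > domtool-openssl.conf

# 1. Create directory structure

mkdir -p "$CAPATH"
for d in crl newcerts private; do
  mkdir -p "$CAPATH/$d"
done

# Only the owner may enter the private key directory.
chmod go-rwx "$CAPATH/private"
echo '01' > "$CAPATH/serial"
touch "$CAPATH/index"

# 2. Generate private key and self-signed CA certificate
#
# -nodes leaves the private key unencrypted on disk, so file permissions
# are its only protection.  No -keyout is given, so the key is written
# wherever the merged config's [req] default_keyfile points (openssl's
# own default is ./privkey.pem, i.e. this directory, NOT $CAPATH/private)
# -- TODO confirm against *.core.ssl.conf / common.ssl.conf.  The key
# size likewise comes from the config's default_bits.  Run under umask
# 077 so the key file is created owner-only wherever it lands.
old_umask=$(umask)
umask 077
openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa \
  -out "$CAPATH/ca-cert.pem" -outform PEM
umask "$old_umask"
# The certificate is public; undo the 0600 the umask gave it.
chmod 644 "$CAPATH/ca-cert.pem"

# 3. Copy ssl configuration to ca dir

# In general, publishing the openssl config for a domain in the ca
# directory might not be the best idea, but since this is a limited
# use internal CA, it is probably not a big deal.
cp domtool-openssl.conf "$CAPATH/"
chmod 600 "$CAPATH/domtool-openssl.conf"

# Does the CA need to be readable by domtool? Issues with sudo and
# tickets, but those could be solved by creating a 700
# /tmp/domtool-ca-out/ and chowning to the actual user after for the
# copy/delete. Or maybe the ca ought to live in afs
# space... generality issues arise, probably just do option #1.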