Example config file for a single-machine development setup
[hcoop/domtool2.git] / scripts / domtool-addcert
1 #!/bin/sh -e
2
3 USER="$1"
4 if test -z "$USER"; then
5 echo Usage: domtool-addcert USERNAME
6 exit 1
7 fi
8
9 KEYDIR=`domtool-config -path cert keys`/$USER
10 KEYFILE=$KEYDIR/key.pem
11 CERTFILE=`domtool-config -path cert certs`/$USER.pem
12 NEWREQ=~/.newreq.pem
13 NEW=~/.new.pem
14 KEYIN=~/.keyin
15 CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
16
17 mkdir $KEYDIR || echo Key directory already exists.
18 openssl genrsa -out $KEYFILE 4096
19 # chown -R domtool.nogroup $KEYDIR
20 # chmod for non-afs systems
21 chmod 700 $KEYDIR
22 chmod 600 $KEYFILE
23 if [ "$2" != '-unsafe' ]; then
24 if [ -z "`getent passwd $USER`" ]; then
25 echo "$USER does not exist. This must be a server principal."
26 else
27 chown -R $USER.nogroup $KEYDIR
28 fi
29 fi
30
31 fs sa $KEYDIR $USER read || echo This must be a server principal.
32 echo "." >$KEYIN
33 echo "." >>$KEYIN
34 echo "." >>$KEYIN
35 echo "." >>$KEYIN
36 echo "." >>$KEYIN
37 echo "$USER" >>$KEYIN
38 # fixme: domtool-config -domain
39 echo "$USER@`domtool-config -domain`" >>$KEYIN
40 echo "" >>$KEYIN
41 echo "" >>$KEYIN
42 openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
43 rm $KEYIN
44 cat $NEWREQ $KEYFILE >$NEW
45 rm $NEWREQ
46
47 ROOTCMD=""
48 # Insecure CA is OK for development, and if the CA is in afs it is
49 # assumed the script is being run with sufficient
50 # permissions. Otherwise, become root to use the ca private key,
51 if [ ! -r $CACONF ]; then
52 ROOTCMD=sudo
53 fi
54
55 $ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $CERTFILE -infiles $NEW
56 rm $NEW
57 #chown domtool.nogroup $CERTFILE