bootstrap/domtool-create-ca

   1 #!/bin/bash
   2 # -*- sh -*-
   3
   4 # Create a domtool certificate authority
   5 # WARNING: Will not create a secure CA if it is in afs space
   6
   7 if [[ `whoami` != "root" && "$1" != "-force" ]]; then
   8     echo "This should be run as root. Use -force to force creating a CA"
   9     echo "as a normal user"
  10     exit 1
  11 fi
  12
  13 # use domtool-config to extract ca path and site domain
  14
  15 CAPATH=`../bin/domtool-config -path cert ca`
  16 BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf
  17
  18 if [ ! -f $BASE_OPENSSL_CONFIG ]; then
  19     echo "You need to create $BASE_OPENSSL_CONFIG before continuing"
  20     exit 1
  21 fi
  22
  23 cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf
  24
  25 if [ -z "$CAPATH" ]; then
  26     echo "No CA path set. Domtool has not yet been built?"
  27     exit 1
  28 fi
  29
  30 # 1. Create directory structure
  31
  32 mkdir -p $CAPATH
  33 for d in crl newcerts private; do
  34     mkdir $CAPATH/$d
  35 done
  36
  37 chmod go-rwx $CAPATH/private
  38 echo '01' > $CAPATH/serial
  39 touch $CAPATH/index
  40
  41 # 2. Generate private key
  42
  43 openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM
  44
  45 # 3. Copy ssl configuration to ca dir
  46
  47 # In general, publishing the openssl config for a domain in the ca
  48 # directory might not be the best idea, but since this is a limited
  49 # use internal CA, it is probably not a big deal.
  50 cp domtool-openssl.conf $CAPATH/
  51 chmod 600 $CAPATH/domtool-openssl.conf
  52
  53 # Does the CA need to be readable by domtool? Issues with sudo and
  54 # tickets, but those could be solved by creating a 700
  55 # /tmp/domtool-ca-out/ and chowning to the actual user after for the
  56 # copy/delete. Or maybe the ca ought to live in afs
  57 # space... generality issues arise, probably just do option #1.