domtool-addcert: use domtool-config, support non-afs cert/key dirs
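#!/bin/sh
#
# domtool-addcert: create a private key for USERNAME, build a certificate
# request for it and have the domtool CA sign that request.
#
# Usage: domtool-addcert USERNAME [-unsafe]
#
# All directories come from domtool-config, so the script works whether the
# key/cert/CA directories live in AFS or on a plain local filesystem.  With
# -unsafe the key directory is not chown'd to USERNAME (for server
# principals that have no local account).
#
# Shell options are set here rather than on the shebang line so they are
# not lost when the script is run as "sh domtool-addcert".
set -e
set -u

account="${1:-}"
if [ -z "$account" ]; then
  echo "Usage: domtool-addcert USERNAME [-unsafe]" >&2
  exit 1
fi
mode="${2:-}"

keydir="$(domtool-config -path cert keys)/$account"
keyfile="$keydir/key.pem"
certfile="$(domtool-config -path cert certs)/$account.pem"
caconf="$(domtool-config -path cert ca)/domtool-openssl.conf"

# Scratch files: the CSR, and the CSR+key bundle handed to "openssl ca".
# The bundle contains the private key, so it must not survive a failed run;
# the EXIT trap removes both files on every exit path, including aborts
# caused by "set -e".  mktemp gives unpredictable names instead of the
# fixed ~/.newreq.pem / ~/.new.pem.
newreq="$(mktemp "$HOME/.newreq.XXXXXX")"
new="$(mktemp "$HOME/.new.XXXXXX")"
cleanup() {
  rm -f -- "$newreq" "$new"
}
trap cleanup EXIT

#######################################
# Run the CA signing command with the right privileges.
# Insecure CA is OK for development, and if the CA is in afs it is assumed
# the script is being run with sufficient permissions.  Otherwise, become
# root to use the ca private key.
# Globals:   caconf (read)
# Arguments: the command line to run
#######################################
run_ca() {
  if [ -r "$caconf" ]; then
    "$@"
  else
    sudo "$@"
  fi
}

mkdir "$keydir" || echo "Key directory already exists."
# chmod for non-afs systems
chmod 700 "$keydir"
# The umask lives in a subshell so the key file is created unreadable by
# others from the start (no window before the chmod below) without changing
# the mode of anything written later in this script.
( umask 077 && openssl genrsa -out "$keyfile" 4096 )
chmod 600 "$keyfile"
if [ "$mode" != '-unsafe' ]; then
  if getent passwd "$account" >/dev/null 2>&1; then
    chown -R "$account:nogroup" "$keydir"
  else
    echo "$account does not exist. This must be a server principal."
  fi
fi

fs sa "$keydir" "$account" read || echo "This must be a server principal."

# fixme: domtool-config -domain
domain="$(domtool-config -domain)"
# Answers for the interactive "openssl req" prompts, fed on stdin instead of
# via a temporary file.  Assuming the stock openssl.cnf prompt order: five
# "." answers clear country/state/locality/organisation/unit, then the
# common name, the e-mail address, and two empty answers for the extra
# attributes (challenge password, optional company name).
printf '%s\n' . . . . . "$account" "$account@$domain" '' '' \
  | openssl req -new -key "$keyfile" -out "$newreq" -days 365
cat "$newreq" "$keyfile" >"$new"

run_ca openssl ca -batch -config "$caconf" -out "$certfile" -infiles "$new"
# NOTE(review): when run_ca falls back to sudo, $certfile is created owned
# by root; ownership of the certificate is left as is (no chown here).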