4 # Create a domtool certificate authority
5 # WARNING: Will not create a secure CA if the CA directory is in AFS space
7 if [[ `whoami` != "root" && "$1" != "-force" ]]; then
8 echo "This should be run as root. Use -force to force creating a CA"
9 echo "as a normal user"
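# Use domtool-config to extract the CA path and the site domain.
# Both invocations use a path relative to the current working directory, so
# this script depends on being run from the right place.
CAPATH=$(../bin/domtool-config -path cert ca)
# Per-site base OpenSSL config, named <domain>.core.ssl.conf. Quoted so the
# result is never word-split or glob-expanded.
BASE_OPENSSL_CONFIG="$(../bin/domtool-config -domain).core.ssl.conf"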
18 if [ ! -f $BASE_OPENSSL_CONFIG ]; then
19 echo "You need to create $BASE_OPENSSL_CONFIG before continuing"
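# Build the working OpenSSL config: site base config followed by the shared
# common settings. The path is quoted so spaces or glob characters pass
# through intact, and -- keeps a leading '-' from being read as an option.
cat -- "$BASE_OPENSSL_CONFIG" common.ssl.conf > domtool-openssl.conf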
25 if [ -z "$CAPATH" ]; then
26 echo "No CA path set. Domtool has not yet been built?"
30 # 1. Create directory structure
33 for d
in crl newcerts private
; do
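# Lock down the key directory: only the owner may list, read or enter it.
# ${CAPATH:?} aborts here instead of operating on /private and /serial should
# the variable be empty for any reason.
chmod -- go-rwx "${CAPATH:?}/private"
# Serial number of the first certificate this CA will issue.
printf '%s\n' '01' > "$CAPATH/serial"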
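# 2. Generate the CA private key and self-signed certificate
#
# -nodes writes the private key unencrypted, so its confidentiality rests
# entirely on the permissions of the directory it lands in; -x509 makes
# req emit a self-signed certificate (valid 1825 days = 5 years) instead
# of a CSR.
# NOTE(review): no -keyout is given and -newkey rsa carries no bit count,
# so the key's location and size come from domtool-openssl.conf — confirm
# the key is written under $CAPATH/private.
openssl req -nodes -config domtool-openssl.conf \
  -days 1825 -x509 -newkey rsa \
  -out "$CAPATH/ca-cert.pem" -outform PEM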
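# 3. Copy the OpenSSL configuration into the CA directory
#
# In general, publishing the openssl config for a domain in the ca
# directory might not be the best idea, but since this is a limited
# use internal CA, it is probably not a big deal.
cp -- domtool-openssl.conf "$CAPATH/"
# cp gives no guarantee of a restrictive mode on the copy, so tighten it
# to owner-only immediately afterwards.
chmod -- 600 "$CAPATH/domtool-openssl.conf"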
53 # Does the CA need to be readable by domtool? Issues with sudo and
54 # tickets, but those could be solved by creating a 700
55 # /tmp/domtool-ca-out/ and chowning to the actual user after for the
56 # copy/delete. Or maybe the ca ought to live in afs
57 # space... generality issues arise, probably just do option #1.