# Usage check: $USER names the account the key and certificate are made for.
# NOTE(review): $USER is presumably assigned from $1 in lines not shown here
# (it shadows the login-name environment variable) -- confirm against the
# script header. The rest of this branch and its closing 'fi' are also
# outside the visible lines.
if test -z "$USER"; then
  echo Usage: domtool-addcert USERNAME
# Default mode for everything this script creates: group and others get
# neither read nor write (files 0600, directories 0711), so freshly
# generated key material on the local filesystem is owner-readable only.
umask u=rwx,g=x,o=x
# Locations of the work area, the per-user key, the issued certificate and
# the CA configuration. Paths inside the domtool tree come from domtool-config.
# WORKDIR is a fixed name under /tmp, so creating it later must fail loudly
# if it already exists. NOTE(review): $NEW, used further down for the CSR
# bundle, is not defined in the visible lines -- presumably set in the
# omitted lines between NEWREQ and NEWCERT.
WORKDIR="/tmp/domtool-keyreq"
KEYDIR="$(domtool-config -path cert keys)/${USER}"
KEYFILE="${KEYDIR}/key.pem"
CERTFILE="$(domtool-config -path cert certs)/${USER}.pem"
NEWREQ="${WORKDIR}/.newreq.pem"
NEWCERT="${WORKDIR}/.cert"
CACONF="$(domtool-config -path cert ca)/domtool-openssl.conf"
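# Create the private work area. WORKDIR is a fixed name under /tmp, so a
# directory already there may belong to someone else: the script must stop
# rather than write the CSR and a copy of the private key into it. The
# original wrapped 'exit 1' in a subshell, which only left that subshell and
# let the script carry on; the brace group below exits the script itself.
# -m 700 sets the mode at creation time, so there is no window between
# mkdir and a separate chmod.
mkdir -m 700 -- "$WORKDIR" || { echo Cannot create work dir; exit 1; }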
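# Per-user key directory. An existing directory is reported but is not an
# error: the script carries on, and the key generation that follows
# overwrites any key already stored there.
mkdir -- "$KEYDIR" || echo Key directory already exists.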
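# Generate a fresh 4096-bit RSA private key. The umask set earlier makes the
# file owner-readable only; an existing key at this path is replaced.
openssl genrsa -out "$KEYFILE" 4096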
25 # chown -R domtool.nogroup $KEYDIR
26 # chmod for non-afs systems
# Unless the caller passed -unsafe as the second argument, require the
# target account to exist in the passwd database. NOTE(review): $2 is
# presumably the optional flag following the USERNAME argument -- confirm.
# What happens after the message, and the closing 'fi' of both tests, are
# not in the visible lines.
if [ "$2" != '-unsafe' ]; then
  if [ -z "`getent passwd $USER`" ]; then
    echo "$USER does not exist. This must be a server principal."
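# Hand the key directory (and the key inside it) to the target account; the
# group is fixed to nogroup.
chown -R -- "$USER:nogroup" "$KEYDIR"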
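# AFS: grant the account read access on the key directory's ACL. On a
# non-AFS system, or for an unknown principal, 'fs' fails, only the message
# is printed and the script continues.
fs sa "$KEYDIR" "$USER" read || echo This must be a server principal.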
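# fixme: domtool-config -domain
# Append the e-mail address used in the CSR subject; KEYIN is fed to
# 'openssl req' as its prompt answers. NOTE(review): KEYIN is not defined in
# the visible lines -- presumably set in the omitted lines just above;
# confirm it lives inside WORKDIR.
printf '%s\n' "${USER}@$(domtool-config -domain)" >>"$KEYIN"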
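# Build the CSR from the new key, answering the subject prompts from KEYIN.
# '-days' only applies to self-signed (-x509) requests; the validity of the
# issued certificate is decided by 'openssl ca' later on, so the flag has no
# effect here and is kept only to match the existing invocation.
openssl req -new -key "$KEYFILE" -out "$NEWREQ" -days 365 <"$KEYIN"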
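# Bundle the CSR with the private key into NEW. NOTE(review): NEW is not set
# in the visible lines -- presumably defined with the other work-area paths.
# The bundle is what is later handed to 'openssl ca', which consumes the
# request part; the private key rides along in the same file, so NEW must
# stay inside the 0700 work directory.
cat -- "$NEWREQ" "$KEYFILE" >"$NEW"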
# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient
# permissions. Otherwise, become root to use the ca private key,
# NOTE(review): the body of this test (presumably where ROOTCMD, used by the
# signing step below, is assigned) and its closing 'fi' are not in the
# visible lines; confirm ROOTCMD stays empty when CACONF is readable.
if [ ! -r $CACONF ]; then
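# Sign the request with the domtool CA. ROOTCMD is intentionally unquoted:
# when it is empty it must vanish rather than become an empty command word.
# CACONF already holds <ca path>/domtool-openssl.conf, so it is used instead
# of calling domtool-config a second time.
# shellcheck disable=SC2086
$ROOTCMD openssl ca -batch -config "$CACONF" -out "$NEWCERT" -infiles "$NEW"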
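# The certificate was written via ROOTCMD (possibly as root); give it back to
# the invoking user. ROOTCMD is intentionally unquoted so an empty value
# disappears instead of becoming an empty command word.
# shellcheck disable=SC2086
$ROOTCMD chown -- "$(whoami)" "$NEWCERT"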
66 #chown domtool.nogroup $CERTFILE