-CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$1.pem
- NEWREQ=~/.newreq.pem
- NEW=~/.new.pem
- KEYIN=~/.keyin
-
-mkdir -p $KEYDIR
-openssl genrsa -out $KEYFILE
-chown -R domtool.domtool $KEYDIR
-fs sa $KEYDIR $USER read
+CERTFILE=`domtool-config -path cert certs`/$USER.pem
+ NEWREQ=$WORKDIR/.newreq.pem
+ NEW=$WORKDIR/.new.pem
+ KEYIN=$WORKDIR/.keyin
+ NEWCERT=$WORKDIR/.cert
+ CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
+
+mkdir $WORKDIR && chmod 700 $WORKDIR || (echo Cannot create work dir ; exit 1)
+
+mkdir $KEYDIR || echo Key directory already exists.
+openssl genrsa -out $KEYFILE 4096
+# chown -R domtool.nogroup $KEYDIR
+# chmod for non-afs systems
+chmod 700 $KEYDIR
+chmod 600 $KEYFILE
+if [ "$2" != '-unsafe' ]; then
+ if [ -z "`getent passwd $USER`" ]; then
+ echo "$USER does not exist. This must be a server principal."
+ else
+ chown -R $USER.nogroup $KEYDIR
+ fi
+fi
+
+fs sa $KEYDIR $USER read || echo This must be a server principal.
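Review bot: The `exit 1` in `mkdir $WORKDIR && chmod 700 $WORKDIR || (echo Cannot create work dir ; exit 1)` runs inside a `( … )` subshell, so a failed mkdir only prints the message and the script carries on to generate the key; in addition, both `$WORKDIR` and `$KEYFILE` are created under the caller's umask before the later `chmod 700` / `chmod 600`, leaving a window in which the fresh private key and the CSR material placed in `$WORKDIR` can be readable by others. Setting the umask once before the first mkdir closes both windows, and the error branch should be a brace group rather than a subshell: `umask 077` followed by `mkdir "$WORKDIR" || { echo 'Cannot create work dir' >&2; exit 1; }`. Separately, `mkdir $KEYDIR || echo Key directory already exists.` only warns, after which `openssl genrsa -out $KEYFILE 4096` silently overwrites whatever key was already there; refusing to proceed when `$KEYFILE` exists unless explicitly forced would be safer, and the genrsa exit status should be checked before the chown/fs steps. `$WORKDIR` and `$KEYDIR` are assigned outside this hunk, so whether they are validated or quoted at that point cannot be judged here.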