Removed `chown -R domtool.nogroup' calls since they are meaningless in
AFS and incorrect on normal file systems. chown -R the key dir to
user.nogroup unless `-unsafe' is passed; `-unsafe' allows the creation of
useless keys (the user running the script can read the key instead of
the intended user, which is fine for development).
Still needs improvement.
- KEYDIR=/afs/hcoop.net/common/etc/domtool/keys/$USER
+ KEYDIR=`domtool-config -path cert keys`/$USER
-CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$USER.pem
+CERTFILE=`domtool-config -path cert certs`/$USER.pem
NEWREQ=~/.newreq.pem
NEW=~/.new.pem
KEYIN=~/.keyin
NEWREQ=~/.newreq.pem
NEW=~/.new.pem
KEYIN=~/.keyin
+ CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
mkdir $KEYDIR || echo Key directory already exists.
mkdir $KEYDIR || echo Key directory already exists.
-openssl genrsa -out $KEYFILE
-chown -R domtool.nogroup $KEYDIR
+openssl genrsa -out $KEYFILE 4096
+# chown -R domtool.nogroup $KEYDIR
+# chmod for non-afs systems
+chmod 700 $KEYDIR
+chmod 600 $KEYFILE
+if [ "$2" != '-unsafe' ]; then
+ if [ -z "`getent passwd $USER`" ]; then
+ echo "$USER does not exist. This must be a server principal."
+ else
+ chown -R $USER.nogroup $KEYDIR
+ fi
+fi
+
fs sa $KEYDIR $USER read || echo This must be a server principal.
echo "." >$KEYIN
echo "." >>$KEYIN
fs sa $KEYDIR $USER read || echo This must be a server principal.
echo "." >$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "$USER" >>$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "$USER" >>$KEYIN
-echo "$USER@hcoop.net" >>$KEYIN
+# fixme: domtool-config -domain
+echo "$USER@`domtool-config -domain`" >>$KEYIN
echo "" >>$KEYIN
echo "" >>$KEYIN
openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
rm $KEYIN
cat $NEWREQ $KEYFILE >$NEW
rm $NEWREQ
echo "" >>$KEYIN
echo "" >>$KEYIN
openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
rm $KEYIN
cat $NEWREQ $KEYFILE >$NEW
rm $NEWREQ
-openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything -out $CERTFILE -infiles $NEW
+
+ROOTCMD=""
+# Insecure CA is OK for development, and if the CA is in afs it is
+# assumed the script is being run with sufficient
+# permissions. Otherwise, become root to use the ca private key,
+if [ ! -r $CACONF ]; then
+ ROOTCMD=sudo
+fi
+
+$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $CERTFILE -infiles $NEW
-chown domtool.nogroup $CERTFILE
+#chown domtool.nogroup $CERTFILE
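Review bot: `openssl genrsa -out $KEYFILE 4096` writes the private key under the caller's umask and `chmod 600 $KEYFILE` only tightens it afterwards, so on a non-AFS file system the key can be group- or world-readable for a moment between the two lines; putting `umask 077` before `mkdir $KEYDIR` closes that window and makes the two chmod lines redundant for freshly created files. The `sudo` decision at `if [ ! -r $CACONF ]` tests readability of the CA config rather than access to the CA key, and the `openssl ca` line recomputes the config path with backticks instead of reusing `$CACONF` defined earlier in the hunk, so `-config "$CACONF"` would keep the two in step. The rewritten `openssl ca` call also drops the `-policy policy_anything` that the removed line passed; if domtool-openssl.conf does not set an equivalent default policy, signing will reject requests whose DN fields differ from the CA's, and the commit message does not mention this change. Every `$KEYDIR`, `$CERTFILE` and `$USER` expansion is unquoted and the first two are built from `$USER` without validation, so at minimum `chown -R "$USER.nogroup" "$KEYDIR"` and `getent passwd "$USER"` should quote their operands. The hunk's `@@` header and the file header are not visible here, so the boundaries of the enclosing script are inferred.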