b7068ae3 | 1 | #!/bin/bash |
4c237a24 | 2 | # |
# Install a signed certificate, placing a complimentary copy in the
# member's homedir. Before installation the certificate is checked for
# consistency with its private key (the RSA moduli must match), so a
# cert/key mismatch is caught here rather than at Apache start-up.
# Also grant member domtool permissions for the certificate.
4c237a24 | 7 | # |
b7068ae3 | 8 | # If the certificate comes from the member's home directory, then |
9 | # don't place an extra copy there. | |
4c237a24 | 10 | # |
652feaf6 | 11 | # Run this on an administrative node while holding admin tokens. |
4c237a24 | 12 | # |
b7068ae3 | 13 | # Usage: ca-install member domain cert-file.pem [key-file.pem] |
14 | ||
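# Print the usage line and exit non-zero.  Called on argument errors, so
# the text goes to stderr rather than polluting anything that captures
# this script's stdout.
function usage () {
  echo "Usage: ca-install member domain cert-file.pem [key-file.pem]" >&2
  exit 1
}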
4c237a24 | 19 | |
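# Check arguments.  Diagnostics go to stderr.
if test -n "$5"; then
  echo "Error: Too many arguments." >&2
  usage
elif test -z "$3"; then
  echo "Error: Not enough arguments." >&2
  usage
else
  MEMBER=$1
  DOMAIN=$2
  CERT=$3
  KEY=$4
fi

# DOMAIN is spliced into a path under /etc/apache2/ssl/user/ and, via
# that path, into a command line that the webserver's shell re-parses
# (ssh ... sudo tee "$APACHE_DEST").  Restrict it to hostname characters
# so it can neither escape the directory ("../") nor carry whitespace or
# shell metacharacters to the remote side.
case "$DOMAIN" in
  ''|.*|*..*|*[!A-Za-z0-9._-]*)
    echo "Error: Invalid domain \"$DOMAIN\"." >&2
    exit 1
    ;;
esac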
33 | ||
# Host that serves member SSL sites; the cert is pushed there over ssh+sudo below.
WEBSERVER='navajos.hcoop.net'
b7068ae3 | 35 | |
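# verify_cert CERT KEY
#
# Check that CERT is a parseable x509 certificate whose RSA public key
# matches the RSA private key in KEY (KEY may be the same file as CERT
# when the key is concatenated into it).  Exits 1 on any failure.
#
# Failures are detected through openssl's exit status; the previous
# version captured stderr into the modulus variable and judged it by
# length, so error text could be mistaken for a modulus.
function verify_cert () {
  if test -z "$2" || test -n "$3"; then
    echo "Bad programming." >&2
    exit 1
  fi
  local CERT=$1
  local KEY=$2
  local MOD1 MOD2 HEX BITS
  if ! MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>/dev/null); then
    echo "Error: Bad x509 part in certificate." >&2
    exit 1
  fi
  # Refuse an already-expired certificate; -checkend 0 exits non-zero
  # when the notAfter date has passed.
  if ! openssl x509 -noout -checkend 0 -in "$CERT" >/dev/null 2>&1; then
    echo "Error: Certificate has expired." >&2
    exit 1
  fi
  # Output is "Modulus=<hex>"; each hex digit is 4 bits.  The old check
  # required at least 500 characters of output, which in practice meant
  # a 2048-bit modulus; make that minimum explicit.
  HEX=${MOD1#Modulus=}
  BITS=$(( ${#HEX} * 4 ))
  if test "$BITS" -lt 2048; then
    echo "Error: Bad x509 part in certificate." >&2
    exit 1
  fi
  if ! MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null); then
    echo "Error: Bad RSA part in certificate or key." >&2
    exit 1
  fi
  HEX=${MOD2#Modulus=}
  BITS=$(( ${#HEX} * 4 ))
  if test "$BITS" -lt 2048; then
    echo "Error: Bad RSA part in certificate or key." >&2
    exit 1
  fi
  if test "$MOD1" != "$MOD2"; then
    echo "Error: x509 and RSA parts in certificate do not match." >&2
    exit 1
  fi
}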
58 | ||
# Refuse to run anywhere but the designated admin host.
case "$(hostname -s)" in
  fritz) ;;
  *)
    echo "Error: This script must be run from fritz."
    exit 1
    ;;
esac
64 | ||
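# Sanity-check some paths.  "-f" alone does not prove the file is
# readable, which is what the error messages promise, so test "-r" too.
if test ! -f "$CERT" || test ! -r "$CERT"; then
  echo "Error: Nonexistent or unreadable cert $CERT." >&2
  exit 1
fi
if test -n "$KEY" && { test ! -f "$KEY" || test ! -r "$KEY"; }; then
  echo "Error: Nonexistent or unreadable key $KEY." >&2
  exit 1
fi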
74 | ||
# The member must be a real account (its passwd entry also supplies the homedir later).
getent passwd "$MEMBER" > /dev/null || {
  echo "Error: Invalid user \"$MEMBER\"."
  exit 1
}
80 | ||
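# Figure out destination for complimentary copy.
APACHE_DEST="/etc/apache2/ssl/user/$DOMAIN.pem"
# Quoted: an unquoted $MEMBER / $KEY would be word-split and glob-expanded.
MEMBERHOME=$(getent passwd "$MEMBER" | cut -d':' -f 6)
if test -n "$KEY"; then
  # The copy lands next to the key file, wherever that is (the header
  # comment expects it to be in the member's home directory).
  DEST="$(dirname -- "$KEY")/$DOMAIN.pem"
else
  DEST=
fi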
89 | ||
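# Perform complimentary copy

# cert_in_memberhome PATH
# Succeed when PATH lies inside the member's home directory.  A plain
# prefix match is not enough ("/home/bob" also prefixes "/home/bobby"),
# and the home directory must not be interpreted as a regex (the old
# grep "^$MEMBERHOME" did both), so match a literal prefix anchored at a
# directory boundary.
cert_in_memberhome () {
  test -n "$MEMBERHOME" || return 1
  case "$1" in
    "$MEMBERHOME"/*) return 0 ;;
    *) return 1 ;;
  esac
}

if test -z "$DEST"; then
  echo "No key specified, so skipping complimentary copy."
elif cert_in_memberhome "$CERT"; then
  echo "Member already has a cert, skipping the complimentary copy."
elif test -e "$DEST" || test -L "$DEST"; then
  # The destination directory is the member's; a dangling symlink
  # planted at $DEST would pass a "-f" test and cp (running as admin)
  # would then create the link's target.  Refuse any existing entry,
  # links included.
  echo "Not overwriting existing file $DEST."
else
  echo "Copying signed certificate to member's home directory ..."
  # NOTE(review): a check-then-copy window remains in a member-writable
  # directory; the admin runs this interactively, but keep it in mind.
  cp "$CERT" "$DEST"
  chown "$MEMBER":nogroup "$DEST"
fi
echo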
103 | ||
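# Determine whether we need to concatenate a private key.  If the cert
# file already carries a loadable RSA private key, a separately supplied
# KEY is dropped; say so, since silently ignoring an argument is easy to
# misread.  openssl's stderr is discarded: "unable to load Private Key"
# is the expected outcome for a cert-only file, not an error.
if openssl rsa -noout -check -in "$CERT" > /dev/null 2>&1; then
  if test -n "$KEY"; then
    echo "Note: $CERT already contains a private key; ignoring $KEY."
  fi
  KEY=
elif test -z "$KEY"; then
  echo "Error: No RSA private key is included with this certificate." >&2
  exit 1
fi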
113 | ||
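# Verify certificate and key.  With no separate key the cert file itself
# carries the private key, so it is checked against itself.
echo "Validating certificate ..."
verify_cert "$CERT" "${KEY:-$CERT}"
echo "Certificate passed validation."
echo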
123 | ||
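# Copy complete certificate to webserver.

# The remote login shell re-parses the command line, so local quoting of
# "$APACHE_DEST" does not protect the remote side.  Refuse anything outside
# a conservative path alphabet instead of relying on upstream checks.
case "$APACHE_DEST" in
  ''|*[!A-Za-z0-9._/-]*)
    echo "Error: Refusing to pass unsafe path \"$APACHE_DEST\" to the webserver." >&2
    exit 1
    ;;
esac

# Create the file empty with mode 0400 before streaming the key into it.
# tee, running as root, can still write to a 0400 file, so the private
# key is never readable by other users on the webserver even briefly.
# Previously tee created the file with its default mode and the chmod
# only ran afterwards.
if ! ssh "$WEBSERVER" sudo install -m 400 /dev/null "$APACHE_DEST"; then
  echo "Error: Could not create $APACHE_DEST on $WEBSERVER." >&2
  exit 1
fi
if test -z "$KEY"; then
  echo "Installing certificate to Apache SSL directory ..."
  ssh "$WEBSERVER" sudo tee "$APACHE_DEST" > /dev/null < "$CERT"
else
  echo "Installing certificate and key to Apache SSL directory ..."
  cat "$CERT" "$KEY" | ssh "$WEBSERVER" sudo tee "$APACHE_DEST" > /dev/null
fi
# Without this check a failed transfer would still be granted and Apache
# restarted against a missing or empty cert file.  (The pipeline's status
# is ssh's, which is what matters here.)
if test $? -ne 0; then
  echo "Error: Failed to install $APACHE_DEST on $WEBSERVER." >&2
  exit 1
fi
ssh "$WEBSERVER" sudo chmod 400 "$APACHE_DEST" > /dev/null
echo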
134 | ||
# Let the member reference the installed file from their own Domtool config.
echo "Granting member Domtool permissions for the certificate ..."
domtool-admin grant "$MEMBER" cert "$APACHE_DEST"
echo
139 | ||
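# Restart Apache, but only once the configuration still parses with the
# new file in place: an unconditional restart against a bad cert file
# would take every site on the webserver down.  (configtest covers at
# least syntax; whether it also loads mod_ssl certificates depends on the
# Apache build — not verified here.)
echo "Restarting apache ..."
if ssh "$WEBSERVER" sudo apache2ctl configtest; then
  ssh "$WEBSERVER" sudo apache2ctl restart
else
  echo "Error: apache2ctl configtest failed on $WEBSERVER; not restarting." >&2
  exit 1
fi
echo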
143 | ||
# Final hand-off: the admin relays the installed path to the member.
printf '%s\n' "Done. Tell $MEMBER that the certificate is available for use at" \
  " $APACHE_DEST"