[hcoop/scripts.git] / ca-sign

#!/bin/bash
#
# Sign a certificate request as a CA.  Run this on deleuze as an
# admin.  If a domain is provided, then the certificate request must
# apply only to that domain.
#
# Usage: ca-sign days request.csr outfile.pem [domain]

if test -n "$5" || test -z "$3"; then
    echo "Incorrect arguments."
    echo "Usage: ca-sign days request.csr outfile.pem [domain]"
    exit 1
fi

# Make sure we run this from deleuze
if test "$(hostname -s)" != "deleuze"; then
    echo "Error: This script must be run from deleuze."
    exit 1
fi

DIR=/var/local/lib/ca
CONF=$DIR/openssl.cnf
POLICY=policy_anything

# Certificate revocation list
CRL1=$DIR/crl-v1
CRL2=$DIR/crl-v2
CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca

# Parameters
DAYS=$1
REQUEST=$2
PEM=$3
DOMAIN=$4

# Verify request
STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
if test "$STATUS" != "verify OK"; then
    echo "Error: This is not a valid certificate request."
    exit 1
fi
if test -n "$DOMAIN"; then
    CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \
        sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
    if test "${CN%%${DOMAIN}}" = "${CN}"; then
        echo "Error: Domain in cert does not match $DOMAIN."
        exit 1
    fi
fi

# Get new serial number
ID=$(cat -- $DIR/serial)

# Exit on error
set -e

# Sign.
echo "Signing certificate request $REQUEST ..."
openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
echo

# Make a copy of the request
cp $REQUEST $DIR/requests/$ID.csr

# Update revocation list.
echo "Updating certificate revocation list ..."
openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
    -out $CRL2.pem
openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
cp $CRL1.crl $CRL2.crl $CA_LOC
echo

echo "Don't forget to run ca-install to install the signed certificate!"
Commit	Line	Data
8bc08255	1	#!/bin/bash
4c237a24	2	#
4c237a24	3	# Sign a certificate request as a CA. Run this on deleuze as an
8bc08255	4	# admin. If a domain is provided, then the certificate request must
8bc08255	5	# apply only to that domain.
4c237a24	6	#
8bc08255	7	# Usage: ca-sign days request.csr outfile.pem [domain]
4c237a24	8
8bc08255	9	if test -n "$5" \|\| test -z "$3"; then
e07d61c2	10	echo "Incorrect arguments."
8bc08255	11	echo "Usage: ca-sign days request.csr outfile.pem [domain]"
	12	exit 1
	13	fi
	14
	15	# Make sure we run this from deleuze
	16	if test "$(hostname -s)" != "deleuze"; then
	17	echo "Error: This script must be run from deleuze."
e07d61c2	18	exit 1
e07d61c2	19	fi
4c237a24	20
	21	DIR=/var/local/lib/ca
	22	CONF=$DIR/openssl.cnf
	23	POLICY=policy_anything
	24
	25	# Certificate revocation list
	26	CRL1=$DIR/crl-v1
	27	CRL2=$DIR/crl-v2
	28	CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
	29
8bc08255	30	# Parameters
4c237a24	31	DAYS=$1
	32	REQUEST=$2
	33	PEM=$3
8bc08255	34	DOMAIN=$4
	35
	36	# Verify request
	37	STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
	38	if test "$STATUS" != "verify OK"; then
	39	echo "Error: This is not a valid certificate request."
	40	exit 1
	41	fi
	42	if test -n "$DOMAIN"; then
	43	CN=$(openssl req -text -in "$REQUEST" \| grep "Subject:" \| grep "CN=." \| \
	44	sed -r -e 's/^.CN=([^/=,]+).$/\1/1')
	45	if test "${CN%%${DOMAIN}}" = "${CN}"; then
	46	echo "Error: Domain in cert does not match $DOMAIN."
	47	exit 1
	48	fi
	49	fi
	50
	51	# Get new serial number
4c237a24	52	ID=$(cat -- $DIR/serial)
4c237a24	53
8bc08255	54	# Exit on error
	55	set -e
	56
4c237a24	57	# Sign.
	58	echo "Signing certificate request $REQUEST ..."
	59	openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
	60	echo
	61
	62	# Make a copy of the request
	63	cp $REQUEST $DIR/requests/$ID.csr
	64
	65	# Update revocation list.
	66	echo "Updating certificate revocation list ..."
87d0fa09	67	openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
4c237a24	68	openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
87d0fa09	69	openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
4c237a24	70	-out $CRL2.pem
	71	openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
	72	cp $CRL1.crl $CRL2.crl $CA_LOC
	73	echo
	74
	75	echo "Don't forget to run ca-install to install the signed certificate!"