| 8bc08255 |
1 | #!/bin/bash |
| 4c237a24 |
2 | # |
| 3 | # Sign a certificate request as a CA. Run this on deleuze as an |
| 8bc08255 |
4 | # admin. If a domain is provided, then the certificate request must |
| 5 | # apply only to that domain. |
| 4c237a24 |
6 | # |
| 73df01d4 |
7 | # Usage: ca-sign days request.csr key.asc outfile.pem [domain] |
| 4c237a24 |
8 | |
| 73df01d4 |
9 | if test -n "$6" || test -z "$4"; then |
| e07d61c2 |
10 | echo "Incorrect arguments." |
| 73df01d4 |
11 | echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]" |
| 8bc08255 |
12 | exit 1 |
| 13 | fi |
| 14 | |
| 15 | # Make sure we run this from deleuze |
| 16 | if test "$(hostname -s)" != "deleuze"; then |
| 17 | echo "Error: This script must be run from deleuze." |
| e07d61c2 |
18 | exit 1 |
| 19 | fi |
| 4c237a24 |
20 | |
| 21 | DIR=/var/local/lib/ca |
| 22 | CONF=$DIR/openssl.cnf |
| 23 | POLICY=policy_anything |
| 24 | |
| 25 | # Certificate revocation list |
| 26 | CRL1=$DIR/crl-v1 |
| 27 | CRL2=$DIR/crl-v2 |
| 28 | CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca |
| 29 | |
| 8bc08255 |
30 | # Parameters |
| 4c237a24 |
31 | DAYS=$1 |
| 32 | REQUEST=$2 |
| 73df01d4 |
33 | KEY=$3 |
| 34 | PEM=$4 |
| 35 | DOMAIN=$5 |
| 36 | |
| 37 | # Make sure completed certificate does not already exist |
| 38 | if test -e "$PEM"; then |
| 39 | echo "Error: Refusing to overwrite existing certificate at" |
| 40 | echo " $PEM." |
| 41 | exit 1 |
| 42 | fi |
| 43 | |
| 44 | # Make sure that the key and request do exist |
| 45 | if test ! -f "$REQUEST"; then |
| 46 | echo "Error: The given certificate request file does not exist." |
| 47 | exit 1 |
| 48 | fi |
| 49 | if test ! -f "$KEY"; then |
| 50 | echo "Error: The given key file does not exist." |
| 51 | exit 1 |
| 52 | fi |
| 8bc08255 |
53 | |
| 54 | # Verify request |
| 55 | STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1) |
| 56 | if test "$STATUS" != "verify OK"; then |
| 57 | echo "Error: This is not a valid certificate request." |
| 58 | exit 1 |
| 59 | fi |
| 60 | if test -n "$DOMAIN"; then |
| 61 | CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \ |
| 62 | sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1') |
| 63 | if test "${CN%%${DOMAIN}}" = "${CN}"; then |
| 64 | echo "Error: Domain in cert does not match $DOMAIN." |
| 65 | exit 1 |
| 66 | fi |
| 67 | fi |
| 68 | |
| 69 | # Get new serial number |
| 4c237a24 |
70 | ID=$(cat -- $DIR/serial) |
| 71 | |
| 8bc08255 |
72 | # Exit on error |
| 73 | set -e |
| 74 | |
| 73df01d4 |
75 | # Sign |
| 4c237a24 |
76 | echo "Signing certificate request $REQUEST ..." |
| 73df01d4 |
77 | openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \ |
| 78 | -days "$DAYS" |
| 4c237a24 |
79 | echo |
| 80 | |
| 81 | # Make a copy of the request |
| 73df01d4 |
82 | cp "$REQUEST" $DIR/requests/$ID.csr |
| 83 | |
| 84 | # Append key to generated certificate |
| 85 | cat "$KEY" >> "$PEM" |
| 4c237a24 |
86 | |
| 87 | # Update revocation list. |
| 88 | echo "Updating certificate revocation list ..." |
| 87d0fa09 |
89 | openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem |
| 4c237a24 |
90 | openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem |
| 87d0fa09 |
91 | openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \ |
| 4c237a24 |
92 | -out $CRL2.pem |
| 93 | openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem |
| 94 | cp $CRL1.crl $CRL2.crl $CA_LOC |
| 95 | echo |
| 96 | |
| 97 | echo "Don't forget to run ca-install to install the signed certificate!" |
HCoop / hcoop / scripts.git / blame