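#!/bin/sh
#
# Sign a certificate request as a CA. Run this on deleuze as an
# admin.
#
# Usage: ca-sign days request.csr out-cert-file.pem
#
#   days               validity period of the issued certificate, in days
#   request.csr        certificate signing request to sign
#   out-cert-file.pem  where the signed certificate is written
#
# After signing, a copy of the request is archived under
# $DIR/requests/<serial>.csr and both CRL variants are regenerated and
# copied to $CA_LOC.

# Options are set here rather than on the shebang line so they still
# apply when the script is started as "sh ca-sign ...".
set -eu

usage() {
  echo "Incorrect arguments." >&2
  echo "Usage: ca-sign days request.csr out-cert-file.pem" >&2
  exit 1
}

# Exactly three arguments are required. The earlier test rejected any
# call that supplied the output file ($3) and let a two-argument call
# through with an empty -out value.
if test "$#" -ne 3; then
  usage
fi

DIR=/var/local/lib/ca
CONF=$DIR/openssl.cnf
# Name of the policy section in $CONF that "openssl ca" applies.
# NOTE(review): in the stock openssl.cnf, policy_anything leaves every
# DN field optional, so nothing in the subject name is enforced by the
# tool -- confirm against the local config and inspect the request
# before answering the signing prompt.
POLICY=policy_anything

# Certificate revocation list
CRL1=$DIR/crl-v1
CRL2=$DIR/crl-v2
CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca

DAYS=$1
REQUEST=$2
PEM=$3

# The validity period goes straight onto the openssl command line, so
# accept nothing but decimal digits.
case "$DAYS" in
  '' | *[!0-9]*)
    echo "days must be a whole number of days, got '$DAYS'" >&2
    usage
    ;;
esac

if ! test -f "$REQUEST" || ! test -r "$REQUEST"; then
  echo "Cannot read certificate request '$REQUEST'" >&2
  exit 1
fi

# Serial number the CA will assign next; read before signing so the
# archived request is stored under the serial of the certificate
# issued from it.
ID=$(cat -- "$DIR/serial")

# The serial becomes part of a file name below; refuse anything that
# is not plain hex.
case "$ID" in
  '' | *[!0-9A-Fa-f]*)
    echo "Unexpected contents in $DIR/serial: '$ID'" >&2
    exit 1
    ;;
esac

# Sign. No -batch here: openssl shows the request and asks for
# confirmation before issuing the certificate.
echo "Signing certificate request $REQUEST ..."
openssl ca -config "$CONF" -policy "$POLICY" -out "$PEM" -in "$REQUEST" \
  -days "$DAYS"
echo

# Make a copy of the request
cp -- "$REQUEST" "$DIR/requests/$ID.csr"

# Update revocation list.
echo "Updating certificate revocation list ..."
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -out "$CRL1.pem"
openssl crl -outform DER -out "$CRL1.crl" -in "$CRL1.pem"
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -crlexts crl_ext \
  -out "$CRL2.pem"
openssl crl -outform DER -out "$CRL2.crl" -in "$CRL2.pem"
cp -- "$CRL1.crl" "$CRL2.crl" "$CA_LOC"
echo

echo "Don't forget to run ca-install to install the signed certificate!"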