# Install a signed certificate, placing a complimentary copy in the
# member's homedir. Also grant member domtool permissions for the
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
# Run this on deleuze as an admin.
# Usage: ca-install member domain cert-file.pem [key-file.pem]
#
# NOTE(review): this listing is missing lines (the original header lines
# 5-6, the `if` that precedes the `elif` below, the exit/fi lines, and the
# assignments of MEMBER/DOMAIN/CERT/KEY from the positional parameters).
# DOMAIN is later interpolated into APACHE_DEST and sent through ssh, so
# wherever it is assigned it should be restricted to hostname characters
# ([A-Za-z0-9.-]) — confirm against the missing lines.
echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
echo "Error: Too many arguments."
# Only the third parameter (cert-file.pem) is tested for presence here.
elif test -z "$3"; then
echo "Error: Not enough arguments."
# Host that receives the installed certificate over ssh (see the tee steps
# further down). A fixed value; `readonly` would document that intent.
WEBSERVER=mire.hcoop.net
#######################################
# Check that a certificate's x509 modulus matches an RSA key's modulus.
# Arguments: exactly two (cert-file key-file); a missing second or a
#            present third argument is treated as a caller bug.
# Outputs:   error text on stdout.
# NOTE(review): original lines 38-41 and 54-57 are not in this listing, so
# whether $1/$2 are bound to CERT/KEY locally or the globals are read
# cannot be told from here; the openssl calls reference "$CERT" and "$KEY".
#######################################
function verify_cert () {
if test -z "$2" || test -n "$3"; then
  echo "Bad programming."
# NOTE(review): `local VAR=$(...)` masks openssl's exit status, and 2>&1
# folds any error text into MOD1, so the byte-count check below does not
# by itself prove the parse succeeded; splitting the declaration from the
# assignment (`local MOD1; MOD1=$(...) || return 1`) would be stricter.
local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
# The 500-byte floor is presumably sized for a "Modulus=<hex>" line of a
# 2048-bit key; shorter output is rejected as a bad x509 part.
if test $(echo "$MOD1" | wc -c) -lt 500; then
  echo "Error: Bad x509 part in certificate."
local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
if test $(echo "$MOD2" | wc -c) -lt 500; then
  echo "Error: Bad RSA part in certificate or key."
# A modulus mismatch means the key does not belong to this certificate.
if test "$MOD1" != "$MOD2"; then
  echo "Error: x509 and RSA parts in certificate do not match."
# Make sure we run this from deleuze
# NOTE(review): the exit/fi lines closing each check below are not in this
# listing.
if test "$(hostname -s)" != "deleuze"; then
  echo "Error: This script must be run from deleuze."
# Sanity-check some paths
# NOTE(review): -f only tests for a regular file; the message also claims
# "unreadable", which would additionally need -r.
if test ! -f "$CERT"; then
  echo "Error: Nonexistent or unreadable cert $CERT."
if test -n "$KEY" && test ! -f "$KEY"; then
  echo "Error: Nonexistent or unreadable key $KEY."
# Check for valid username
# getent fails for unknown accounts. MEMBER is quoted here but is used
# unquoted later in this file (getent, chown, domtool-admin); quoting it
# consistently avoids word-splitting surprises.
if ! getent passwd "$MEMBER" > /dev/null; then
  echo "Error: Invalid user \"$MEMBER\"."
# Figure out destination for complimentary copy
# NOTE(review): DOMAIN is used unvalidated as a path component here, and
# APACHE_DEST is later passed through ssh to the webserver. Restricting
# DOMAIN to hostname characters ([A-Za-z0-9.-]) before this point keeps it
# from altering the install path or the remote command line.
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
# Home directory from the passwd entry (field 6).
# NOTE(review): $MEMBER is unquoted here although it was quoted for the
# earlier getent check; "$MEMBER" is the safer, consistent form.
MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
# DEST is only set when a key file was given; the copy step below keys off
# it being empty.
# NOTE(review): $KEY is unquoted in the dirname call, so a path containing
# spaces would be split.
if test -n "$KEY"; then
  DEST="$(dirname $KEY)/$DOMAIN.pem"
# Perform complimentary copy
# NOTE(review): original lines 96 and 98 (the branch separator before the
# copy message and the copy command itself) are not in this listing.
if test -z "$DEST"; then
  echo "No key specified, so skipping complimentary copy."
# NOTE(review): MEMBERHOME is used as an unescaped regex prefix and CERT is
# compared as given (not canonicalised), so a relative path to a file in
# the home directory would not match. A literal, quoting-safe test is
# `case "$CERT" in "$MEMBERHOME"/*) ... esac`.
elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
  echo "Member already has a cert, skipping the complimentary copy."
elif test -f "$DEST"; then
  echo "Not overwriting existing file $DEST."
  echo "Copying signed certificate to member's home directory ..."
  # Hand the copy to the member; nogroup as the group. $MEMBER is unquoted
  # here — "$MEMBER:nogroup" keeps the argument intact.
  chown $MEMBER:nogroup "$DEST"
# Determine whether we need to concatenate a private key
# Only the PKCS#1 "RSA PRIVATE KEY" marker is matched; a key block with a
# different PEM label (e.g. the PKCS#8 "BEGIN PRIVATE KEY") would not be
# recognised as an embedded key here.
if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
# NOTE(review): original lines 105-106 are not in this listing, so which
# branch of the grep check this test sits in cannot be told from here.
if test -z "$KEY"; then
  echo "Error: No RSA private key is included with this certificate."
# Verify certificate and key
echo "Validating certificate ..."
# With no separate key file the certificate file is expected to carry the
# key as well, so it is passed for both parameters.
# NOTE(review): original lines 117 and 119 (the else and the closing fi)
# are not in this listing, nor is how a verify_cert failure stops the
# script — confirm it does not fall through to the install step.
if test -z "$KEY"; then
  verify_cert "$CERT" "$CERT"
  verify_cert "$CERT" "$KEY"
# (message contains the typo "validatation")
echo "Certificate passed validatation."
# Copy complete certificate to webserver
# NOTE(review): original line 127 (the else between the two cases) is not
# in this listing.
if test -z "$KEY"; then
  echo "Installing certificate to Apache SSL directory ..."
  # The PEM data is streamed over ssh's stdin rather than passed as an
  # argument, so key material never appears in the remote argv.
  # NOTE(review): the remote shell re-parses the command string, so the
  # local quoting of "$APACHE_DEST" does not survive the ssh hop; this is
  # why DOMAIN must be validated before it reaches APACHE_DEST. The remote
  # file mode comes from tee and the webserver's umask — confirm the
  # target directory keeps the key unreadable to other users.
  < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
  echo "Installing certificate and key to Apache SSL directory ..."
  cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
# Grant Domtool permissions
echo "Granting member Domtool permissions for the certificate ..."
# Give the member the domtool "cert" permission for the installed path.
# NOTE(review): $MEMBER is unquoted here; "$MEMBER" matches the quoting
# used for the other arguments.
domtool-admin grant $MEMBER cert "$APACHE_DEST"
138 # Tell admin what to do
139 echo "Done. Tell $MEMBER that the certificate is available for use at"