#!/bin/bash
#
# Sign a certificate request as a CA.  Run this on deleuze as an admin.
# If a domain is provided, then the certificate request's CN must match
# that domain.
#
# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
#
# Note that key.asc is appended to outfile.pem, so the output file
# contains private material: do not leave it in a world-readable place.
#
# If we need to generate a new CA private key and cert, do:
#
# $ openssl genrsa -out private/ca.key 2048
# $ openssl req -config openssl.cnf -x509 -sha256 -days 3650 \
# -key private/ca.key -new -out ca.crt
#
# Two caveats on the commands above: "-nodes" is an option of "req", not
# of "genrsa" (genrsa writes an unencrypted key unless a cipher flag such
# as -des3 is given), so it has been dropped; and the CA certificate
# should be signed with -sha256 rather than -sha1, since SHA-1 signatures
# are rejected by current TLS clients.

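# Argument check: four positional parameters are required, a fifth
# (domain) is optional and a sixth is never valid.  The day count is
# validated here too, so a typo fails with a clear message before any CA
# state is touched instead of inside openssl ca's option parsing.
if [[ -z "$4" || -n "$6" ]]; then
  echo "Incorrect arguments."
  echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
  exit 1
fi
if [[ ! "$1" =~ ^[1-9][0-9]*$ ]]; then
  echo "Error: days must be a positive integer, got '$1'."
  exit 1
fi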
22
# Refuse to run anywhere but deleuze (presumably the only host that
# carries the CA material used below).
ca_host=$(hostname -s)
if [[ "$ca_host" != "deleuze" ]]; then
  echo "Error: This script must be run from deleuze."
  exit 1
fi
28
# CA working tree, its OpenSSL configuration and the signing policy
# section selected from that configuration.
DIR="/var/local/lib/ca"
CONF="${DIR}/openssl.cnf"
POLICY="policy_anything"

# Certificate revocation lists.  Two variants are produced (v2 carries the
# crl_ext extensions) and their DER copies are published under CA_LOC,
# a public_html directory on AFS.
CRL1="${DIR}/crl-v1"
CRL2="${DIR}/crl-v2"
CA_LOC="/afs/hcoop.net/user/h/hc/hcoop/public_html/ca"

# Positional parameters, in usage order.
DAYS="$1"      # lifetime handed to openssl ca -days
REQUEST="$2"   # CSR to sign
KEY="$3"       # key file; appended to the signed certificate
PEM="$4"       # output file; must not already exist
DOMAIN="$5"    # optional; the CSR's CN is checked against it
44
# Never clobber anything already sitting at the output path.
if [[ -e "$PEM" ]]; then
  echo "Error: Refusing to overwrite existing certificate at"
  echo " $PEM."
  exit 1
fi

# Both inputs have to be regular files before they are handed to openssl.
if [[ ! -f "$REQUEST" ]]; then
  echo "Error: The given certificate request file does not exist."
  exit 1
fi
if [[ ! -f "$KEY" ]]; then
  echo "Error: The given key file does not exist."
  exit 1
fi
61
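# Verify the request's self-signature.  Test openssl's exit status rather
# than grepping for "verify OK": the wording of that message differs
# between OpenSSL releases, the exit code does not.
if ! openssl req -noout -verify -in "$REQUEST" >/dev/null 2>&1; then
  echo "Error: This is not a valid certificate request."
  exit 1
fi

# When a domain is given, the subject CN must be exactly that domain or a
# name under it ("www.hcoop.net" and "*.hcoop.net" pass for "hcoop.net").
# The comparison is anchored on a label boundary; a plain suffix test
# would also accept "evilhcoop.net" for "hcoop.net".
# NOTE(review): only the CN is checked.  subjectAltName entries in the
# CSR are not inspected here, and whether they are carried into the
# certificate depends on copy_extensions in openssl.cnf -- confirm.
if [[ -n "$DOMAIN" ]]; then
  # RFC2253 formatting prints "CN=value" with no surrounding spaces on
  # every OpenSSL version, which is what the sed pattern relies on.
  CN=$(openssl req -noout -subject -nameopt RFC2253 -in "$REQUEST" \
         | sed -n -r -e 's/^.*CN=([^/=,]+).*$/\1/p')
  # "$DOMAIN" is quoted inside the pattern so glob characters in it are
  # taken literally; only the leading * is a wildcard.
  if [[ -z "$CN" || ( "$CN" != "$DOMAIN" && "$CN" != *".$DOMAIN" ) ]]; then
    echo "Error: Domain in cert does not match $DOMAIN."
    exit 1
  fi
fi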
76
# Serial number currently recorded in the CA's serial file; openssl ca
# will use it for this certificate, and the CSR copy is filed under it.
ID=$(< "$DIR/serial")
79
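# From here on every step mutates CA state, so abort on the first failure.
set -e

# Sign.  Without -batch openssl ca prompts the admin to confirm, and it
# updates the serial file and index itself.
echo "Signing certificate request $REQUEST ..."
openssl ca -config "$CONF" -policy "$POLICY" -out "$PEM" -in "$REQUEST" \
  -days "$DAYS"
echo

# Keep a copy of the request, filed under the serial number just used.
cp -- "$REQUEST" "$DIR/requests/$ID.csr"

# The key file (presumably the private key matching the request) is
# appended to the certificate, so from here on $PEM holds private
# material.  openssl ca created it with the caller's umask (usually
# 0644), so restrict it before the key goes in.
chmod 600 -- "$PEM"
cat -- "$KEY" >> "$PEM"

# Regenerate both CRLs (valid for 30 days) and publish the DER copies.
echo "Updating certificate revocation list ..."
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -out "$CRL1.pem"
openssl crl -outform DER -out "$CRL1.crl" -in "$CRL1.pem"
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -crlexts crl_ext \
  -out "$CRL2.pem"
openssl crl -outform DER -out "$CRL2.crl" -in "$CRL2.pem"
cp -- "$CRL1.crl" "$CRL2.crl" "$CA_LOC"
echo

echo "Don't forget to run ca-install to install the signed certificate!"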