# Sign a certificate request as a CA. Run this on deleuze as an
# admin. If a domain is provided, then the certificate request must
# apply only to that domain.
# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
# Argument count check: a non-empty $6 means too many arguments, an empty
# $4 means too few. A fifth argument is the optional [domain] and is
# accepted here. The exit after the usage message is on lines outside
# this excerpt.
9 if test -n "$6" ||
test -z "$4"; then
10 echo "Incorrect arguments."
11 echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
# Make sure we run this from deleuze: compare the short hostname.
# NOTE(review): this is a host check, not an authorization check — it
# does not establish who is running the script. The exit after the
# message is outside this excerpt.
16 if test "$(hostname -s)" != "deleuze"; then
17 echo "Error: This script must be run from deleuze."
# Name of the policy section handed to `openssl ca -policy` further down;
# it must exist in the CA config ($CONF).
POLICY='policy_anything'
25 # Certificate revocation list
# Public AFS directory where the DER-encoded CRLs are published
# (the cp at the end of the script copies them here).
CA_LOC='/afs/hcoop.net/user/h/hc/hcoop/public_html/ca'
# Make sure the completed certificate does not already exist: never
# silently overwrite a previously issued certificate ($PEM is assigned
# outside this excerpt). The rest of the message and the exit follow
# outside the excerpt as well.
38 if test -e "$PEM"; then
39 echo "Error: Refusing to overwrite existing certificate at"
# Make sure that the key and request do exist. Both paths come from the
# positional arguments (assigned outside this excerpt); each branch's exit
# and closing fi are also outside the excerpt.
45 if test ! -f "$REQUEST"; then
46 echo "Error: The given certificate request file does not exist."
49 if test ! -f "$KEY"; then
50 echo "Error: The given key file does not exist."
# Check the request's self-signature. stderr is folded into the capture
# because openssl does not necessarily print the verdict on stdout; the
# result is compared against "verify OK" right after.
STATUS="$(openssl req -verify -noout -in "$REQUEST" 2>&1)"
# Reject a request whose self-signature does not verify.
# NOTE(review): an exact match on "verify OK" is tied to the OpenSSL 1.x
# wording; OpenSSL 3 prints "Certificate request self-signature verify OK",
# which this comparison would reject — confirm against the installed
# version (a `case "$STATUS" in *"verify OK") ...` match covers both).
# The exit and fi are outside this excerpt.
56 if test "$STATUS" != "verify OK"; then
57 echo "Error: This is not a valid certificate request."
# Optional domain restriction: pull the CN out of the request's Subject
# line and require it to end with $DOMAIN. The greedy "^.*CN=" in the sed
# expression selects the last CN= on the line.
# NOTE(review): "${CN%%${DOMAIN}}" strips $DOMAIN from the end of CN as a
# *glob pattern*, so (a) a "*" or "?" inside $DOMAIN widens the match, and
# (b) any CN that merely ends in the domain string passes — constructed
# example: CN "notexample.com" for DOMAIN=example.com. A stricter test is
# `case "$CN" in "$DOMAIN"|*".$DOMAIN") ;; *) <error> ;; esac`, since
# quoted case patterns are literal. (c) Only the Subject CN is inspected;
# subjectAltName entries in the CSR are not. Both closing fi's and the
# error exit are outside this excerpt.
60 if test -n "$DOMAIN"; then
61 CN
=$
(openssl req
-text -in "$REQUEST" |
grep "Subject:" |
grep "CN=." | \
62 sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
63 if test "${CN%%${DOMAIN}}" = "${CN}"; then
64 echo "Error: Domain in cert does not match $DOMAIN."
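# Get new serial number: read the next serial from the CA database
# directory. It is used below to name the archived copy of the request.
# The path is quoted so a $DIR containing spaces or glob characters cannot
# be split into extra arguments. If the file cannot be read, ID is empty.
ID=$(cat -- "$DIR/serial")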
76 echo "Signing certificate request $REQUEST ..."
# Issue the certificate using the CA config and policy section; the
# remaining options (presumably -days and the CA key — confirm) continue on
# lines outside this excerpt.
# NOTE(review): $CONF and $POLICY are the only unquoted expansions on this
# line; "$CONF" and "$POLICY" would match the rest of the arguments.
77 openssl ca
-config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
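# Make a copy of the request, archived under the serial number it was
# issued with. "--" guards against a request path beginning with "-", and
# the target is quoted so $DIR and $ID cannot be word-split or globbed.
cp -- "$REQUEST" "$DIR/requests/$ID.csr"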
84 # Append key to generated certificate
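# Update revocation list.
echo "Updating certificate revocation list ..."
# Regenerate the CRL from the CA database (valid 30 days) and produce a
# DER copy next to it. $CONF and $CRL1 are set outside this excerpt; they
# are quoted here so a path with spaces cannot be split into extra
# arguments.
# NOTE(review): neither command's status is checked, so a failed -gencrl
# would leave a stale or empty $CRL1.crl to be published by the cp below.
openssl ca -config "$CONF" -batch -gencrl -crldays 30 -out "$CRL1.pem"
openssl crl -outform DER -out "$CRL1.crl" -in "$CRL1.pem"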
# A second CRL built with the crl_ext extensions section. Its -out path
# continues on the line after this excerpt (from the DER conversion below
# it is presumably $CRL2.pem — confirm). $CONF is unquoted here as well.
91 openssl ca
-config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
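# DER copy of the second CRL; all paths quoted so $CRL2 cannot be split.
openssl crl -outform DER -out "$CRL2.crl" -in "$CRL2.pem"
# Publish both DER CRLs to the public AFS directory ($CA_LOC). "--" keeps
# a CRL path beginning with "-" from being read as an option.
cp -- "$CRL1.crl" "$CRL2.crl" "$CA_LOC"
echo "Don't forget to run ca-install to install the signed certificate!"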