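#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's homedir. Validation is done on the certificate before
# anything is written, locally or on the webserver. Also grant member
# domtool permissions for the certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on deleuze as an admin.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]
#
# Arguments:
#   member         Unix account the certificate belongs to (must exist in passwd)
#   domain         Name the certificate is for; becomes the Apache file name
#   cert-file.pem  PEM certificate, optionally with the RSA private key appended
#   key-file.pem   PEM RSA private key; required unless it is inside cert-file
#
# Exits with status 1 on any usage or validation error.

set -euo pipefail

readonly WEBSERVER=mire.hcoop.net
readonly APACHE_SSL_DIR=/etc/apache2/ssl/user

# Print usage to stderr and exit with status 1.
usage() {
  echo "Usage: ca-install member domain cert-file.pem [key-file.pem]" >&2
  exit 1
}

# Print an error message to stderr and exit with status 1.
die() {
  echo "Error: $*" >&2
  exit 1
}

#######################################
# Check that a PEM certificate and an RSA private key belong together.
# Arguments:
#   $1 - certificate file
#   $2 - key file (the same file as $1 when the key is appended to it)
# Outputs: error text on stderr
# Returns: 0 when both parse and share a modulus; exits 1 otherwise
#######################################
verify_cert() {
  if (( $# != 2 )); then
    echo "Bad programming." >&2
    exit 1
  fi
  local cert=$1
  local key=$2
  local cert_mod key_mod

  # openssl prints "Modulus=" followed by the modulus in hex: 520 characters
  # for a 2048-bit key, 264 for a 1024-bit key. The 500-character floor thus
  # rejects keys below roughly 2048 bits, not only unparsable input.
  if ! cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) \
      || (( ${#cert_mod} < 500 )); then
    die "Bad x509 part in certificate."
  fi
  if ! key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) \
      || (( ${#key_mod} < 500 )); then
    die "Bad RSA part in certificate or key."
  fi
  if [[ "$cert_mod" != "$key_mod" ]]; then
    die "x509 and RSA parts in certificate do not match."
  fi
}

#######################################
# Entry point: validate arguments, verify the certificate, copy it to the
# member's homedir and the webserver, and grant domtool permissions.
# Globals:   WEBSERVER, APACHE_SSL_DIR (read)
# Arguments: member domain cert-file.pem [key-file.pem]
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 on success; exits 1 on any error
#######################################
main() {
  # Check arguments
  if (( $# > 4 )); then
    echo "Error: Too many arguments." >&2
    usage
  elif (( $# < 3 )) || [[ -z "$3" ]]; then
    echo "Error: Not enough arguments." >&2
    usage
  fi
  local member=$1 domain=$2 cert=$3 key=${4-}

  # Make sure we run this from deleuze
  if [[ "$(hostname -s)" != "deleuze" ]]; then
    die "This script must be run from deleuze."
  fi

  # The domain becomes part of a path that is used on the webserver, so
  # allow only hostname characters (plus '*' for wildcard names); this keeps
  # it from escaping $APACHE_SSL_DIR or being interpreted by the remote shell.
  if [[ ! "$domain" =~ ^[A-Za-z0-9*._-]+$ ]]; then
    die "Invalid domain \"$domain\"."
  fi

  # Sanity-check some paths
  if [[ ! -f "$cert" || ! -r "$cert" ]]; then
    die "Nonexistent or unreadable cert $cert."
  fi
  if [[ -n "$key" && ( ! -f "$key" || ! -r "$key" ) ]]; then
    die "Nonexistent or unreadable key $key."
  fi

  # Check for valid username
  getent passwd "$member" > /dev/null || die "Invalid user \"$member\"."

  local apache_dest=$APACHE_SSL_DIR/$domain.pem
  local memberhome
  memberhome=$(getent passwd "$member" | cut -d: -f6)

  # Figure out destination for complimentary copy: next to the key file,
  # decided from the key argument as given (before it may be cleared below).
  local dest=
  if [[ -n "$key" ]]; then
    dest="$(dirname -- "$key")/$domain.pem"
  fi

  # Determine whether we need to concatenate a private key. Only a PKCS#1
  # "RSA PRIVATE KEY" block counts as an embedded key; a separate key file is
  # then ignored for the install.
  if grep -q "^-----BEGIN RSA PRIVATE KEY-----" "$cert"; then
    key=
  elif [[ -z "$key" ]]; then
    die "No RSA private key is included with this certificate."
  fi

  # Verify certificate and key before anything is written
  echo "Validating certificate ..."
  verify_cert "$cert" "${key:-$cert}"
  echo "Certificate passed validation."
  echo

  # Perform complimentary copy. The prefix test is a literal path match,
  # so /home/foo does not match a cert under /home/foobar.
  if [[ -z "$dest" ]]; then
    echo "No key specified, so skipping complimentary copy."
  elif [[ -n "$memberhome" && "$cert" == "$memberhome"/* ]]; then
    echo "Member already has a cert, skipping the complimentary copy."
  elif [[ -e "$dest" ]]; then
    echo "Not overwriting existing file $dest."
  else
    echo "Copying signed certificate to member's home directory ..."
    cp -- "$cert" "$dest"
    chown -- "$member:nogroup" "$dest"
  fi
  echo

  # Copy complete certificate to webserver. ssh hands the command to the
  # remote shell, so the destination is shell-quoted for that side too.
  local remote_dest
  remote_dest=$(printf '%q' "$apache_dest")
  # NOTE(review): the mode of the remote file is whatever tee's umask under
  # sudo on $WEBSERVER yields; confirm a concatenated private key does not
  # end up world-readable there.
  if [[ -z "$key" ]]; then
    echo "Installing certificate to Apache SSL directory ..."
    ssh "$WEBSERVER" "sudo tee $remote_dest" < "$cert" > /dev/null
  else
    echo "Installing certificate and key to Apache SSL directory ..."
    cat -- "$cert" "$key" | ssh "$WEBSERVER" "sudo tee $remote_dest" > /dev/null
  fi
  echo

  # Grant Domtool permissions
  echo "Granting member Domtool permissions for the certificate ..."
  domtool-admin grant "$member" cert "$apache_dest"
  echo

  # Tell admin what to do
  echo "Done. Tell $member that the certificate is available for use at"
  echo "  $apache_dest"
}

main "$@"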