# admin. If a domain is provided, then the certificate request must
# apply only to that domain.
#
-# Usage: ca-sign days request.csr outfile.pem [domain]
+# Run this on deleuze as an admin.
+#
+# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
+#
+# If we need to generate a new CA private key and cert, do:
+#
+# $ openssl genrsa -out private/ca.key 2048 -nodes
+# $ openssl req -config openssl.cnf -x509 -sha1 -days 3650 \
+# -key private/ca.key -new -out ca.crt
-if test -n "$5" || test -z "$3"; then
+if test -n "$6" || test -z "$4"; then
echo "Incorrect arguments."
- echo "Usage: ca-sign days request.csr outfile.pem [domain]"
+ echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
exit 1
fi
# Parameters
DAYS=$1
REQUEST=$2
-PEM=$3
-DOMAIN=$4
+KEY=$3
+PEM=$4
+DOMAIN=$5
+
+# Make sure completed certificate does not already exist
+if test -e "$PEM"; then
+ echo "Error: Refusing to overwrite existing certificate at"
+ echo " $PEM."
+ exit 1
+fi
+
+# Make sure that the key and request do exist
+if test ! -f "$REQUEST"; then
+ echo "Error: The given certificate request file does not exist."
+ exit 1
+fi
+if test ! -f "$KEY"; then
+ echo "Error: The given key file does not exist."
+ exit 1
+fi
# Verify request
STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
# Exit on error
set -e
-# Sign.
+# Sign
echo "Signing certificate request $REQUEST ..."
-openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
+openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
+ -days "$DAYS"
echo
# Make a copy of the request
-cp $REQUEST $DIR/requests/$ID.csr
+cp "$REQUEST" $DIR/requests/$ID.csr
+
+# Append key to generated certificate
+cat "$KEY" >> "$PEM"
# Update revocation list.
echo "Updating certificate revocation list ..."