HCoop / hcoop / scripts.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ca-install, ca-sign: New scripts to sign and install user certs
[hcoop/scripts.git] / ca-install
diff --git a/ca-install b/ca-install
new file mode 100755 (executable)
index 0000000..c053e6b
--- /dev/null
+++ b/ca-install
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# Install a signed certificate, placing a complimentary copy in the
+# user's homedir.  Also grant user domtool permissions.
+#
+# If the certificate comes from the USER's home directory, then don't
+# place an extra copy there.
+#
+# Run this on deleuze as an admin.
+#
+# Usage: ca-install user domain cert-file.pem [key-file.pem]
+
+# Check arguments
+if test -n "$5"; then
+    echo "Error: Too many arguments"
+    exit 1
+elif test -z "$3"; then
+    echo "Error: Not enough arguments"
+    exit 1
+else
+    USER=$1
+    DOMAIN=$2
+    CERT=$3
+    KEY=$4
+fi
+
+# Sanity-check some paths
+if test ! -f $CERT; then
+    echo "Error: Nonexistent or unreadable cert $CERT"
+    exit 1
+fi
+if test -n "$KEY" && test ! -f $KEY; then
+    echo "Error: Nonexistent or unreadable key $KEY"
+    exit 1
+fi    
+
+# Figure out destination for complimentary copy
+APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
+USERHOME=$(getent passwd $USER | cut -d':' -f 6)
+if test -n "$KEY"; then
+    DEST=$(dirname $KEY)/$DOMAIN.pem
+else
+    DEST=
+fi
+
+# Perform complimentary copy
+if test -z "$DEST"; then
+    echo "No key specified, so skipping complimentary copy"
+elif echo "$CERT" | grep "^$USERHOME" > /dev/null; then
+    echo "User already has a cert, skipping the complimentary copy"
+elif test -f $DEST; then
+    echo "Not overwriting existing file $DEST"
+else
+    echo "Copying signed certificate to user's home directory ..."
+    cp $CERT $DEST
+    chown $USER:nogroup $DEST
+fi
+echo
+
+# Determine whether we need to concatenate a private key
+if grep "^-----BEGIN RSA PRIVATE KEY-----" $CERT > /dev/null; then
+    KEY=
+else
+    if test -z "$KEY"; then
+        echo "Error: No private key is included with this certificate"
+        exit 1
+    fi
+fi
+
+# Copy complete certificate to mire
+if test -z "$KEY"; then
+    echo "Installing cert to Apache SSL directory ..."
+    cat $CERT | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+else
+    echo "Installing cert to Apache SSL directory, adding key ..."
+    cat $CERT $KEY | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+fi
+echo
+
+# Grant Domtool permissions
+echo "Granting user Domtool permissions for the cert ..."
+domtool-admin grant $USER cert $APACHE_DEST
Unnamed repository; edit this file 'description' to name the repository.