ca-install, ca-sign: New scripts to sign and install user certs
diff --git a/ca-sign b/ca-sign
new file mode 100755 (executable)
index 0000000..687ad5b
--- /dev/null
+++ b/ca-sign
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+#
+# Sign a certificate request as a CA.  Run this on deleuze as an
+# admin.
+#
+# Usage: ca-sign days request.csr out-cert-file.pem
+
+test -n "$3" || exit 1
+
+DIR=/var/local/lib/ca
+CONF=$DIR/openssl.cnf
+POLICY=policy_anything
+
+# Certificate revocation list
+CRL1=$DIR/crl-v1
+CRL2=$DIR/crl-v2
+CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
+
+DAYS=$1
+REQUEST=$2
+PEM=$3
+ID=$(cat -- $DIR/serial)
+
+# Sign.
+echo "Signing certificate request $REQUEST ..."
+openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
+echo
+
+# Make a copy of the request
+cp $REQUEST $DIR/requests/$ID.csr
+
+# Update revocation list.
+echo "Updating certificate revocation list ..."
+openssl ca -config $CONF -batch -gencrl -crldays 180 -out $CRL1.pem
+openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
+openssl ca -config $CONF -batch -gencrl -crldays 180 -crlexts crl_ext \
+    -out $CRL2.pem
+openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
+cp $CRL1.crl $CRL2.crl $CA_LOC
+echo
+
+echo "Don't forget to run ca-install to install the signed certificate!"
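Review bot: The argument check on the `test -n "$3" || exit 1` line validates only the output path, so a missing or non-numeric `days` (`$1`) and a nonexistent request file (`$2`) are only caught, if at all, by openssl's own error after the interactive prompt, and with a misinvocation like `ca-sign req.csr out.pem` the CSR path would be passed as `-days`. The `-e` in the `#!/bin/sh -e` shebang is also dropped when the script is run as `sh ca-sign`, so a failed signing step would not stop the later CRL regeneration and the copy to the public `$CA_LOC`. I would move error handling into the body and tighten the check: `set -eu`, `[ $# -eq 3 ] && [ -f "$2" ] || { echo "Usage: ca-sign days request.csr out-cert-file.pem" >&2; exit 1; }`, `case $1 in ''|*[!0-9]*) echo "days must be a number" >&2; exit 1 ;; esac`. The expansions on the `openssl ca ... -in $REQUEST` and `cp $REQUEST ...` lines should be double-quoted as well, since the request path is user-supplied.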