All software nowadays supports storing cert + key + intermediate in
one file, adapt ca-install for this format.
# Usage: ca-install member domain cert-file.pem [key-file.pem]
function usage () {
# Usage: ca-install member domain cert-file.pem [key-file.pem]
function usage () {
- echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
+ echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"
exit 1
}
# Check arguments
exit 1
}
# Check arguments
echo "Error: Too many arguments."
usage
elif test -z "$3"; then
echo "Error: Too many arguments."
usage
elif test -z "$3"; then
fi
WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"
fi
WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"
+function verify_chain () {
+ if test -z "$1" || test -n "$2"; then
+ echo "Bad programming."
+ exit 1
+ fi
+ # just make sure the intermediate chain contains a cert, might be
+ # nice if this checked if it was used to sign the user's cert
+ local CERT=$1
+ local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
+ if test $(echo "$MOD1" | wc -c) -lt 500; then
+ echo "Error: Bad x509 part in intermediate chain."
+ exit 1
+ fi
+}
+
# Make sure we run this from an admin host...
if test "$(hostname -s)" != "gibran"; then
echo "Error: This script must be run from gibran."
# Make sure we run this from an admin host...
if test "$(hostname -s)" != "gibran"; then
echo "Error: This script must be run from gibran."
if test -n "$KEY" && test ! -f "$KEY"; then
echo "Error: Nonexistent or unreadable key $KEY."
exit 1
if test -n "$KEY" && test ! -f "$KEY"; then
echo "Error: Nonexistent or unreadable key $KEY."
exit 1
+fi
+if test -n "$CHAIN" && test ! -f "$CHAIN"; then
+ echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
+ exit 1
fi
# Check for valid username
fi
# Check for valid username
else
verify_cert "$CERT" "$KEY"
fi
else
verify_cert "$CERT" "$KEY"
fi
+if test -n "$CHAIN"; then
+ verify_chain "$CHAIN"
+fi
echo "Certificate passed validatation."
echo
echo "Certificate passed validatation."
echo
else
echo "Installing certificate and key to Apache SSL directory ..."
for WEBSERVER in $WEBSERVERS; do
else
echo "Installing certificate and key to Apache SSL directory ..."
for WEBSERVER in $WEBSERVERS; do
- cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+ cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
done
fi
for WEBSERVER in $WEBSERVERS; do
done
fi
for WEBSERVER in $WEBSERVERS; do
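Review bot: The new `cat "$CERT" "$KEY" "$CHAIN"` line passes an empty string as a third filename whenever no intermediate chain was given, which is the case the script's own `if test -n "$CHAIN"` guards elsewhere; `cat` then reports an error for `""` on every web server even though cert and key were already streamed, and the pipeline's exit status becomes non-zero. Expanding the chain only when set avoids that: `cat "$CERT" "$KEY" ${CHAIN:+"$CHAIN"} | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null`. In `verify_chain`, the check folds openssl's stderr into `MOD1` via `2>&1` and only tests its byte count, so a chain file holding any parseable certificate passes; as the comment on that function already admits, it never checks that the chain actually issues the user's certificate, and `openssl verify -untrusted "$CHAIN" "$CERT"` would be a stronger test if the issuing roots are in the local store. The `for WEBSERVER` loop at the end of the hunk continues outside the shown lines.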