ca-install: allow installing optional intermediate chain

All software nowadays supports storing cert + key + intermediate in
one file, adapt ca-install for this format.

diff --git a/ca-install b/ca-install
index c76206b..5b17734 100755 (executable)
--- a/ca-install
+++ b/ca-install
@@ -13,12 +13,12 @@
 # Usage: ca-install member domain cert-file.pem [key-file.pem]
 
 function usage () {
 # Usage: ca-install member domain cert-file.pem [key-file.pem]
 
 function usage () {

-    echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
+    echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"

     exit 1
 }
 
 # Check arguments
     exit 1
 }
 
 # Check arguments

-if test -n "$5"; then
+if test -n "$6"; then

     echo "Error: Too many arguments."
     usage
 elif test -z "$3"; then
     echo "Error: Too many arguments."
     usage
 elif test -z "$3"; then


@@ -29,6 +29,7 @@ else
     DOMAIN=$2
     CERT=$3
     KEY=$4
     DOMAIN=$2
     CERT=$3
     KEY=$4

+    CHAIN=$5

 fi
 
 WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"
 fi
 
 WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"


@@ -56,6 +57,21 @@ function verify_cert () {
     fi
 }
 
     fi
 }
 

+function verify_chain () {
+    if test -z "$1" || test -n "$2"; then
+       echo "Bad programming."
+       exit 1
+    fi
+    # just make sure the intermediate chain contains a cert, might be
+    # nice if this checked if it was used to sign the user's cert
+    local CERT=$1
+    local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
+    if test $(echo "$MOD1" | wc -c) -lt 500; then
+        echo "Error: Bad x509 part in intermediate chain."
+        exit 1
+    fi
+}
+

 # Make sure we run this from an admin host...
 if test "$(hostname -s)" != "gibran"; then
     echo "Error: This script must be run from gibran."
 # Make sure we run this from an admin host...
 if test "$(hostname -s)" != "gibran"; then
     echo "Error: This script must be run from gibran."


@@ -70,6 +86,10 @@ fi
 if test -n "$KEY" && test ! -f "$KEY"; then
     echo "Error: Nonexistent or unreadable key $KEY."
     exit 1
 if test -n "$KEY" && test ! -f "$KEY"; then
     echo "Error: Nonexistent or unreadable key $KEY."
     exit 1

+fi
+if test -n "$CHAIN" && test ! -f "$CHAIN"; then
+    echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
+    exit 1

 fi    
 
 # Check for valid username
 fi    
 
 # Check for valid username


@@ -118,6 +138,9 @@ if test -z "$KEY"; then
 else
     verify_cert "$CERT" "$KEY"
 fi
 else
     verify_cert "$CERT" "$KEY"
 fi

+if test -n "$CHAIN"; then
+    verify_chain "$CHAIN"
+fi

 echo "Certificate passed validatation."
 echo
 
 echo "Certificate passed validatation."
 echo
 


@@ -130,7 +153,7 @@ if test -z "$KEY"; then
 else
     echo "Installing certificate and key to Apache SSL directory ..."
     for WEBSERVER in $WEBSERVERS; do
 else
     echo "Installing certificate and key to Apache SSL directory ..."
     for WEBSERVER in $WEBSERVERS; do

-       cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+       cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null

     done
 fi
 for WEBSERVER in $WEBSERVERS; do
     done
 fi
 for WEBSERVER in $WEBSERVERS; do