--- /dev/null
+#!/bin/sh
+#
+# Install a signed certificate, placing a complimentary copy in the
+# user's homedir. Also grant user domtool permissions.
+#
+# If the certificate comes from the USER's home directory, then don't
+# place an extra copy there.
+#
+# Run this on deleuze as an admin.
+#
+# Usage: ca-install user domain cert-file.pem [key-file.pem]
+
+# Check arguments
+if test -n "$5"; then
+ echo "Error: Too many arguments"
+ exit 1
+elif test -z "$3"; then
+ echo "Error: Not enough arguments"
+ exit 1
+else
+ USER=$1
+ DOMAIN=$2
+ CERT=$3
+ KEY=$4
+fi
+
+# Sanity-check some paths
+if test ! -f $CERT; then
+ echo "Error: Nonexistent or unreadable cert $CERT"
+ exit 1
+fi
+if test -n "$KEY" && test ! -f $KEY; then
+ echo "Error: Nonexistent or unreadable key $KEY"
+ exit 1
+fi
+
+# Figure out destination for complimentary copy
+APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
+USERHOME=$(getent passwd $USER | cut -d':' -f 6)
+if test -n "$KEY"; then
+ DEST=$(dirname $KEY)/$DOMAIN.pem
+else
+ DEST=
+fi
+
+# Perform complimentary copy
+if test -z "$DEST"; then
+ echo "No key specified, so skipping complimentary copy"
+elif echo "$CERT" | grep "^$USERHOME" > /dev/null; then
+ echo "User already has a cert, skipping the complimentary copy"
+elif test -f $DEST; then
+ echo "Not overwriting existing file $DEST"
+else
+ echo "Copying signed certificate to user's home directory ..."
+ cp $CERT $DEST
+ chown $USER:nogroup $DEST
+fi
+echo
+
+# Determine whether we need to concatenate a private key
+if grep "^-----BEGIN RSA PRIVATE KEY-----" $CERT > /dev/null; then
+ KEY=
+else
+ if test -z "$KEY"; then
+ echo "Error: No private key is included with this certificate"
+ exit 1
+ fi
+fi
+
+# Copy complete certificate to mire
+if test -z "$KEY"; then
+ echo "Installing cert to Apache SSL directory ..."
+ cat $CERT | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+else
+ echo "Installing cert to Apache SSL directory, adding key ..."
+ cat $CERT $KEY | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
+fi
+echo
+
+# Grant Domtool permissions
+echo "Granting user Domtool permissions for the cert ..."
+domtool-admin grant $USER cert $APACHE_DEST
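Review bot: The concatenated cert+key is written on the remote host with `sudo tee $APACHE_DEST`, and tee creates the file with the default umask, so the private key most likely ends up readable by every local user on mire unless the ssl directory itself is locked down; a small fix is to set a restrictive umask in the remote command, e.g. `cat $CERT $KEY | ssh mire.hcoop.net "umask 077; sudo tee $APACHE_DEST" > /dev/null`, and verify the resulting mode on the host. The USER and DOMAIN arguments are never validated: `getent passwd $USER` yields an empty USERHOME for an unknown user, which turns the later `grep "^$USERHOME"` into a match-everything pattern that silently skips the complimentary copy, and a DOMAIN containing `/` or `..` is spliced straight into `/etc/apache2/ssl/user/$DOMAIN.pem` on the remote side; a guard such as `test -n "$USERHOME" || { echo "Error: unknown user $USER"; exit 1; }` and `case $DOMAIN in ''|*/*|.*) echo "Error: bad domain"; exit 1;; esac` would close both. The key detection at the `grep "^-----BEGIN RSA PRIVATE KEY-----"` line only recognises PKCS#1 RSA keys, so a certificate file that already bundles a `BEGIN PRIVATE KEY` (PKCS#8) or `BEGIN EC PRIVATE KEY` block is either rejected as keyless or gets a second key appended; matching `"^-----BEGIN .*PRIVATE KEY-----"` covers those. Every path expansion (`$CERT`, `$KEY`, `$DEST`, `$APACHE_DEST`) is unquoted, so a path with whitespace breaks the `test -f` checks and the `cp`/`chown` calls.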
--- /dev/null
+#!/bin/sh -e
+#
+# Sign a certificate request as a CA. Run this on deleuze as an
+# admin.
+#
+# Usage: ca-sign days request.csr out-cert-file.pem
+
+test -n "$3" || exit 1
+
+DIR=/var/local/lib/ca
+CONF=$DIR/openssl.cnf
+POLICY=policy_anything
+
+# Certificate revocation list
+CRL1=$DIR/crl-v1
+CRL2=$DIR/crl-v2
+CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
+
+DAYS=$1
+REQUEST=$2
+PEM=$3
+ID=$(cat -- $DIR/serial)
+
+# Sign.
+echo "Signing certificate request $REQUEST ..."
+openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
+echo
+
+# Make a copy of the request
+cp $REQUEST $DIR/requests/$ID.csr
+
+# Update revocation list.
+echo "Updating certificate revocation list ..."
+openssl ca -config $CONF -batch -gencrl -crldays 180 -out $CRL1.pem
+openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
+openssl ca -config $CONF -batch -gencrl -crldays 180 -crlexts crl_ext \
+ -out $CRL2.pem
+openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
+cp $CRL1.crl $CRL2.crl $CA_LOC
+echo
+
+echo "Don't forget to run ca-install to install the signed certificate!"
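Review bot: Error-exit depends entirely on the `-e` in the shebang, which is dropped when the script is invoked as `sh ca-sign`; in that case a failed `openssl ca` signing step still falls through to the request copy and the CRL regeneration with a stale serial, so put `set -e` as the first statement after the comment header instead. The `test -n "$3" || exit 1` check exits silently; printing the usage line from the header to stderr, `echo "Usage: ca-sign days request.csr out-cert-file.pem" >&2`, would make a missing argument obvious to the admin running it. `$DAYS`, `$REQUEST` and `$PEM` are passed unquoted to `openssl ca`, so an argument containing whitespace is word-split into additional openssl options rather than rejected; quote them and consider a numeric check on DAYS such as `case $DAYS in ''|*[!0-9]*) exit 1;; esac` before signing.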