-#!/bin/sh -e
+#!/bin/bash
#
# Sign a certificate request as a CA. Run this on deleuze as an
-# admin.
+# admin. If a domain is provided, then the certificate request must
+# apply only to that domain.
#
-# Usage: ca-sign days request.csr out-cert-file.pem
+# Usage: ca-sign days request.csr outfile.pem [domain]
-if test -n "$3" || test -z "$2"; then
+if test -n "$5" || test -z "$3"; then
echo "Incorrect arguments."
- echo "Usage: ca-sign days request.csr out-cert-file.pem"
+ echo "Usage: ca-sign days request.csr outfile.pem [domain]"
+ exit 1
+fi
+
+# Make sure we run this from deleuze
+if test "$(hostname -s)" != "deleuze"; then
+ echo "Error: This script must be run from deleuze."
exit 1
fi
CRL2=$DIR/crl-v2
CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
+# Parameters
DAYS=$1
REQUEST=$2
PEM=$3
+DOMAIN=$4
+
+# Verify request
+STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
+if test "$STATUS" != "verify OK"; then
+ echo "Error: This is not a valid certificate request."
+ exit 1
+fi
+if test -n "$DOMAIN"; then
+ CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \
+ sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
+ if test "${CN%%${DOMAIN}}" = "${CN}"; then
+ echo "Error: Domain in cert does not match $DOMAIN."
+ exit 1
+ fi
+fi
+
+# Get new serial number
ID=$(cat -- $DIR/serial)
+# Exit on error
+set -e
+
# Sign.
echo "Signing certificate request $REQUEST ..."
openssl ca -config $CONF -policy $POLICY -out $PEM -in $REQUEST -days $DAYS
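Review bot: The domain check at the `${CN%%${DOMAIN}}` line only tests that the CN ends in the string `$DOMAIN`, so a CN such as `notexample.com` is accepted for `example.com`, and because `$DOMAIN` is unquoted inside the pattern any glob characters in it are interpreted rather than matched literally. A label-boundary comparison with the domain quoted as a literal closes both gaps: `if [[ "$CN" != "$DOMAIN" && "$CN" != *."$DOMAIN" ]]; then`. The check also inspects only the Subject CN, not subjectAltName entries a request may carry, so the header's "must apply only to that domain" holds only if the CA config does not copy requested extensions (`copy_extensions`); a comment such as `# NOTE: only the Subject CN is checked; SAN extensions in the request are not.` should state that. Separately, the `"verify OK"` comparison after `openssl req -noout -in "$REQUEST" -verify` is tied to one exact message text, and I believe newer OpenSSL releases word it differently, so a suffix match like `[[ "$STATUS" == *"verify OK" ]]` would be more robust than string equality.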