[hcoop/zz_old/misc/scripts.git] / ca-sign

#!/bin/bash
#
# Sign a certificate request as a CA.  Run this on deleuze as an
# admin.  If a domain is provided, then the certificate request must
# apply only to that domain.
#
# Run this on deleuze as an admin.
#
# Usage: ca-sign days request.csr key.asc outfile.pem [domain]

if test -n "$6" || test -z "$4"; then
    echo "Incorrect arguments."
    echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
    exit 1
fi

# Make sure we run this from deleuze
if test "$(hostname -s)" != "deleuze"; then
    echo "Error: This script must be run from deleuze."
    exit 1
fi

DIR=/var/local/lib/ca
CONF=$DIR/openssl.cnf
POLICY=policy_anything

# Certificate revocation list
CRL1=$DIR/crl-v1
CRL2=$DIR/crl-v2
CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca

# Parameters
DAYS=$1
REQUEST=$2
KEY=$3
PEM=$4
DOMAIN=$5

# Make sure completed certificate does not already exist
if test -e "$PEM"; then
    echo "Error: Refusing to overwrite existing certificate at"
    echo "       $PEM."
    exit 1
fi

# Make sure that the key and request do exist
if test ! -f "$REQUEST"; then
    echo "Error: The given certificate request file does not exist."
    exit 1
fi
if test ! -f "$KEY"; then
    echo "Error: The given key file does not exist."
    exit 1
fi

# Verify request
STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
if test "$STATUS" != "verify OK"; then
    echo "Error: This is not a valid certificate request."
    exit 1
fi
if test -n "$DOMAIN"; then
    CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \
        sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1')
    if test "${CN%%${DOMAIN}}" = "${CN}"; then
        echo "Error: Domain in cert does not match $DOMAIN."
        exit 1
    fi
fi

# Get new serial number
ID=$(cat -- $DIR/serial)

# Exit on error
set -e

# Sign
echo "Signing certificate request $REQUEST ..."
openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
    -days "$DAYS"
echo

# Make a copy of the request
cp "$REQUEST" $DIR/requests/$ID.csr

# Append key to generated certificate
cat "$KEY" >> "$PEM"

# Update revocation list.
echo "Updating certificate revocation list ..."
openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
    -out $CRL2.pem
openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
cp $CRL1.crl $CRL2.crl $CA_LOC
echo

echo "Don't forget to run ca-install to install the signed certificate!"
Commit	Line	Data
8bc08255	1	#!/bin/bash
4c237a24	2	#
4c237a24	3	# Sign a certificate request as a CA. Run this on deleuze as an
8bc08255	4	# admin. If a domain is provided, then the certificate request must
8bc08255	5	# apply only to that domain.
4c237a24	6	#
35a8912d	7	# Run this on deleuze as an admin.
35a8912d	8	#
73df01d4	9	# Usage: ca-sign days request.csr key.asc outfile.pem [domain]
4c237a24	10
73df01d4	11	if test -n "$6" \|\| test -z "$4"; then
e07d61c2	12	echo "Incorrect arguments."
73df01d4	13	echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]"
8bc08255	14	exit 1
	15	fi
	16
	17	# Make sure we run this from deleuze
	18	if test "$(hostname -s)" != "deleuze"; then
	19	echo "Error: This script must be run from deleuze."
e07d61c2	20	exit 1
e07d61c2	21	fi
4c237a24	22
	23	DIR=/var/local/lib/ca
	24	CONF=$DIR/openssl.cnf
	25	POLICY=policy_anything
	26
	27	# Certificate revocation list
	28	CRL1=$DIR/crl-v1
	29	CRL2=$DIR/crl-v2
	30	CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca
	31
8bc08255	32	# Parameters
4c237a24	33	DAYS=$1
4c237a24	34	REQUEST=$2
73df01d4	35	KEY=$3
	36	PEM=$4
	37	DOMAIN=$5
	38
	39	# Make sure completed certificate does not already exist
	40	if test -e "$PEM"; then
	41	echo "Error: Refusing to overwrite existing certificate at"
	42	echo " $PEM."
	43	exit 1
	44	fi
	45
	46	# Make sure that the key and request do exist
	47	if test ! -f "$REQUEST"; then
	48	echo "Error: The given certificate request file does not exist."
	49	exit 1
	50	fi
	51	if test ! -f "$KEY"; then
	52	echo "Error: The given key file does not exist."
	53	exit 1
	54	fi
8bc08255	55
	56	# Verify request
	57	STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1)
	58	if test "$STATUS" != "verify OK"; then
	59	echo "Error: This is not a valid certificate request."
	60	exit 1
	61	fi
	62	if test -n "$DOMAIN"; then
	63	CN=$(openssl req -text -in "$REQUEST" \| grep "Subject:" \| grep "CN=." \| \
	64	sed -r -e 's/^.CN=([^/=,]+).$/\1/1')
	65	if test "${CN%%${DOMAIN}}" = "${CN}"; then
	66	echo "Error: Domain in cert does not match $DOMAIN."
	67	exit 1
	68	fi
	69	fi
	70
	71	# Get new serial number
4c237a24	72	ID=$(cat -- $DIR/serial)
4c237a24	73
8bc08255	74	# Exit on error
	75	set -e
	76
73df01d4	77	# Sign
4c237a24	78	echo "Signing certificate request $REQUEST ..."
73df01d4	79	openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \
73df01d4	80	-days "$DAYS"
4c237a24	81	echo
	82
	83	# Make a copy of the request
73df01d4	84	cp "$REQUEST" $DIR/requests/$ID.csr
	85
	86	# Append key to generated certificate
	87	cat "$KEY" >> "$PEM"
4c237a24	88
	89	# Update revocation list.
	90	echo "Updating certificate revocation list ..."
87d0fa09	91	openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem
4c237a24	92	openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem
87d0fa09	93	openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \
4c237a24	94	-out $CRL2.pem
	95	openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem
	96	cp $CRL1.crl $CRL2.crl $CA_LOC
	97	echo
	98
	99	echo "Don't forget to run ca-install to install the signed certificate!"