8bc08255 |
1 | #!/bin/bash |
4c237a24 |
2 | # |
3 | # Sign a certificate request as a CA. Run this on deleuze as an |
8bc08255 |
4 | # admin. If a domain is provided, then the certificate request must |
5 | # apply only to that domain. |
4c237a24 |
6 | # |
35a8912d |
7 | # Run this on deleuze as an admin. |
8 | # |
73df01d4 |
9 | # Usage: ca-sign days request.csr key.asc outfile.pem [domain] |
2f52b40a |
10 | # |
11 | # If we need to generate a new CA private key and cert, do: |
12 | # |
13 | # $ openssl genrsa -out private/ca.key 2048 -nodes |
14 | # $ openssl req -config openssl.cnf -x509 -sha1 -days 3650 \ |
15 | # -key private/ca.key -new -out ca.crt |
4c237a24 |
16 | |
73df01d4 |
17 | if test -n "$6" || test -z "$4"; then |
e07d61c2 |
18 | echo "Incorrect arguments." |
73df01d4 |
19 | echo "Usage: ca-sign days request.csr key.asc outfile.pem [domain]" |
8bc08255 |
20 | exit 1 |
21 | fi |
22 | |
23 | # Make sure we run this from deleuze |
24 | if test "$(hostname -s)" != "deleuze"; then |
25 | echo "Error: This script must be run from deleuze." |
e07d61c2 |
26 | exit 1 |
27 | fi |
4c237a24 |
28 | |
29 | DIR=/var/local/lib/ca |
30 | CONF=$DIR/openssl.cnf |
31 | POLICY=policy_anything |
32 | |
33 | # Certificate revocation list |
34 | CRL1=$DIR/crl-v1 |
35 | CRL2=$DIR/crl-v2 |
36 | CA_LOC=/afs/hcoop.net/user/h/hc/hcoop/public_html/ca |
37 | |
8bc08255 |
38 | # Parameters |
4c237a24 |
39 | DAYS=$1 |
40 | REQUEST=$2 |
73df01d4 |
41 | KEY=$3 |
42 | PEM=$4 |
43 | DOMAIN=$5 |
44 | |
45 | # Make sure completed certificate does not already exist |
46 | if test -e "$PEM"; then |
47 | echo "Error: Refusing to overwrite existing certificate at" |
48 | echo " $PEM." |
49 | exit 1 |
50 | fi |
51 | |
52 | # Make sure that the key and request do exist |
53 | if test ! -f "$REQUEST"; then |
54 | echo "Error: The given certificate request file does not exist." |
55 | exit 1 |
56 | fi |
57 | if test ! -f "$KEY"; then |
58 | echo "Error: The given key file does not exist." |
59 | exit 1 |
60 | fi |
8bc08255 |
61 | |
62 | # Verify request |
63 | STATUS=$(openssl req -noout -in "$REQUEST" -verify 2>&1) |
64 | if test "$STATUS" != "verify OK"; then |
65 | echo "Error: This is not a valid certificate request." |
66 | exit 1 |
67 | fi |
68 | if test -n "$DOMAIN"; then |
69 | CN=$(openssl req -text -in "$REQUEST" | grep "Subject:" | grep "CN=." | \ |
70 | sed -r -e 's/^.*CN=([^/=,]+).*$/\1/1') |
71 | if test "${CN%%${DOMAIN}}" = "${CN}"; then |
72 | echo "Error: Domain in cert does not match $DOMAIN." |
73 | exit 1 |
74 | fi |
75 | fi |
76 | |
77 | # Get new serial number |
4c237a24 |
78 | ID=$(cat -- $DIR/serial) |
79 | |
8bc08255 |
80 | # Exit on error |
81 | set -e |
82 | |
73df01d4 |
83 | # Sign |
4c237a24 |
84 | echo "Signing certificate request $REQUEST ..." |
73df01d4 |
85 | openssl ca -config $CONF -policy $POLICY -out "$PEM" -in "$REQUEST" \ |
86 | -days "$DAYS" |
4c237a24 |
87 | echo |
88 | |
89 | # Make a copy of the request |
73df01d4 |
90 | cp "$REQUEST" $DIR/requests/$ID.csr |
91 | |
92 | # Append key to generated certificate |
93 | cat "$KEY" >> "$PEM" |
4c237a24 |
94 | |
95 | # Update revocation list. |
96 | echo "Updating certificate revocation list ..." |
87d0fa09 |
97 | openssl ca -config $CONF -batch -gencrl -crldays 30 -out $CRL1.pem |
4c237a24 |
98 | openssl crl -outform DER -out $CRL1.crl -in $CRL1.pem |
87d0fa09 |
99 | openssl ca -config $CONF -batch -gencrl -crldays 30 -crlexts crl_ext \ |
4c237a24 |
100 | -out $CRL2.pem |
101 | openssl crl -outform DER -out $CRL2.crl -in $CRL2.pem |
102 | cp $CRL1.crl $CRL2.crl $CA_LOC |
103 | echo |
104 | |
105 | echo "Don't forget to run ca-install to install the signed certificate!" |