3 # Install a signed certificate, placing a complimentary copy in the
4 # member's homedir. Validation is done on the certificate before
5 # allowing it to be installed. Also grant member domtool permissions
8 # If the certificate comes from the member's home directory, then
9 # don't place an extra copy there.
11 # Run this on deleuze as an admin.
13 # Usage: ca-install member domain cert-file.pem [key-file.pem]
16 echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
22 echo "Error: Too many arguments."
24 elif test -z "$3"; then
25 echo "Error: Not enough arguments."
34 WEBSERVER
=mire.hcoop.net
36 function verify_cert
() {
37 if test -z "$2" ||
test -n "$3"; then
38 echo "Bad programming."
43 local MOD1
=$
(openssl x509
-noout -modulus -in "$CERT" 2>&1)
44 if test $
(echo "$MOD1" |
wc -c) -lt 500; then
45 echo "Error: Bad x509 part in certificate."
48 local MOD2
=$
(openssl rsa
-noout -modulus -in "$KEY" 2>&1)
49 if test $
(echo "$MOD2" |
wc -c) -lt 500; then
50 echo "Error: Bad RSA part in certificate or key."
53 if test "$MOD1" != "$MOD2"; then
54 echo "Error: x509 and RSA parts in certificate do not match."
59 # Make sure we run this from deleuze
60 if test "$(hostname -s)" != "deleuze"; then
61 echo "Error: This script must be run from deleuze."
65 # Sanity-check some paths
66 if test ! -f "$CERT"; then
67 echo "Error: Nonexistent or unreadable cert $CERT."
70 if test -n "$KEY" && test ! -f "$KEY"; then
71 echo "Error: Nonexistent or unreadable key $KEY."
75 # Check for valid username
76 if ! getent passwd
"$MEMBER" > /dev
/null
; then
77 echo "Error: Invalid user \"$MEMBER\"."
81 # Figure out destination for complimentary copy
82 APACHE_DEST
=/etc
/apache
2/ssl
/user
/$DOMAIN.pem
83 MEMBERHOME
=$
(getent passwd
$MEMBER | cut
-d':' -f 6)
84 if test -n "$KEY"; then
85 DEST
="$(dirname $KEY)/$DOMAIN.pem"
90 # Perform complimentary copy
91 if test -z "$DEST"; then
92 echo "No key specified, so skipping complimentary copy."
93 elif echo "$CERT" |
grep "^$MEMBERHOME" > /dev
/null
; then
94 echo "Member already has a cert, skipping the complimentary copy."
95 elif test -f "$DEST"; then
96 echo "Not overwriting existing file $DEST."
98 echo "Copying signed certificate to member's home directory ..."
100 chown
$MEMBER:nogroup
"$DEST"
104 # Determine whether we need to concatenate a private key
105 if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev
/null
; then
108 if test -z "$KEY"; then
109 echo "Error: No RSA private key is included with this certificate."
114 # Verify certificate and key
115 echo "Validating certificate ..."
116 if test -z "$KEY"; then
117 verify_cert
"$CERT" "$CERT"
119 verify_cert
"$CERT" "$KEY"
121 echo "Certificate passed validatation."
124 # Copy complete certificate to webserver
125 if test -z "$KEY"; then
126 echo "Installing certificate to Apache SSL directory ..."
127 < "$CERT" ssh $WEBSERVER sudo
tee "$APACHE_DEST" > /dev
/null
129 echo "Installing certificate and key to Apache SSL directory ..."
130 cat "$CERT" "$KEY" |
ssh $WEBSERVER sudo
tee "$APACHE_DEST" > /dev
/null
134 # Grant Domtool permissions
135 echo "Granting member Domtool permissions for the certificate ..."
136 domtool-admin grant
$MEMBER cert
"$APACHE_DEST"
139 # Tell admin what to do
140 echo "Done. Tell $MEMBER that the certificate is available for use at"