~mdw / ca / blame
| Commit | Line | Data |
|---|---|---|
| b294f6b5 MW |
1 | #! /bin/sh |
| 2 | ||
| 3 | set -e | |
| 4 | certroot=$(cd ${0%/*}/..; pwd) | |
| 5 | . "$certroot"/lib/func.sh | |
| 6 | runas_ca "$@" | |
| 7 | ||
| 8 | ## Parse the command line. | |
| 9 | case "$#" in | |
| 10 | 3) ;; | |
| 11 | *) echo >&2 "Usage: $0 TAG PROFILE FILE"; exit 1 ;; | |
| 12 | esac | |
| 13 | tag=$1 profile=$2 file=$3 | |
| 14 | ||
| 15 | ## Make sure we're not overwriting anything. Put sequence numbers | |
| 16 | ## into labels to prevent bad things from happening. | |
| 17 | if [ -f "$certroot"/certs/"$tag".cert ]; then | |
| 18 | echo >&2 "$0: certificate $tag already exists" | |
| 19 | exit 1 | |
| 20 | fi | |
| 21 | ||
| 22 | ## Make a temporary copy of the certificate. This prevents a race, and | |
| 23 | ## more importantly lets us change directory. | |
| 24 | cp "$file" "$certroot"/tmp/"$tag".req | |
| 25 | cd "$certroot" | |
| 26 | ||
| 27 | ## Make the certificate. | |
| 28 | openssl ca -config openssl.conf -extensions $profile-extensions \ | |
| 29 | -in tmp/"$tag".req -out tmp/"$tag".cert | |
| 30 | ||
| 31 | ## Install a hash link the benefit of OpenSSL's `verify' command and | |
| 32 | ## similar, and install the completed request and certificate in the | |
| 33 | ## archive. | |
| 34 | mv tmp/"$tag".req tmp/"$tag".cert certs/ | |
| 35 | linkserial certs/"$tag".cert | |
| 36 | linkhash certs/"$tag".cert | |
| 37 | rm tmp/*.pem | |
| 38 | ||
| 39 | ## Output the certificate. | |
| 40 | openssl x509 -in certs/"$tag".cert |