Commit | Line | Data |
---|---|---|
b294f6b5 MW |
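#! /bin/sh
###
### Sign a certificate request with the local CA and archive the result.
###
### Usage: $0 TAG PROFILE FILE
###   TAG      name under which the request and certificate are filed
###            (certs/TAG.req and certs/TAG.cert)
###   PROFILE  selects the `PROFILE-extensions' section passed to
###            `openssl ca -extensions'
###   FILE     the certificate request to sign
###
### The finished certificate is written to standard output.

set -e
## Quote the path so that an installation directory containing whitespace
## or glob characters still resolves, and chain with `&&' so that a failed
## `cd' aborts the script rather than reporting the caller's directory.
certroot=$(cd "${0%/*}/.." && pwd)
. "$certroot"/lib/func.sh
## NOTE(review): `runas_ca' is defined in lib/func.sh, which isn't visible
## here; presumably it re-runs this script under the CA's account.  If so,
## the arguments below cross a privilege boundary -- confirm.
runas_ca "$@"

## Parse the command line.
case "$#" in
  3) ;;
  *) echo >&2 "Usage: $0 TAG PROFILE FILE"; exit 1 ;;
esac
tag=$1 profile=$2 file=$3

## The tag is used as a filename under tmp/ and certs/.  Refuse an empty
## tag or one containing a `/', so that it can't name a file outside those
## directories.
case "$tag" in
  "" | */*) echo >&2 "$0: invalid tag '$tag'"; exit 1 ;;
esac

## Make sure we're not overwriting anything.  Put sequence numbers
## into labels to prevent bad things from happening.
## NOTE(review): this check and the `mv' below aren't atomic, so two
## concurrent runs with the same tag could both get past it.
if [ -f "$certroot"/certs/"$tag".cert ]; then
  echo >&2 "$0: certificate $tag already exists"
  exit 1
fi

## Make a temporary copy of the certificate request.  This prevents a
## race, and more importantly lets us change directory.  The `--' stops a
## FILE beginning with `-' from being read as an option to `cp'.
cp -- "$file" "$certroot"/tmp/"$tag".req
cd "$certroot"

## Make the certificate.  The profile is quoted so that it always reaches
## OpenSSL as a single section name; unquoted, whitespace in it would be
## split into further `openssl ca' arguments.
openssl ca -config openssl.conf -extensions "$profile-extensions" \
  -in tmp/"$tag".req -out tmp/"$tag".cert

## Install a hash link for the benefit of OpenSSL's `verify' command and
## similar, and install the completed request and certificate in the
## archive.
mv tmp/"$tag".req tmp/"$tag".cert certs/
linkserial certs/"$tag".cert
linkhash certs/"$tag".cert
## NOTE(review): presumably these are the per-serial copies that
## `openssl ca' leaves behind; that depends on openssl.conf -- confirm.
## This removes every `.pem' in tmp/, not just the one from this run.
rm tmp/*.pem

## Output the certificate.
openssl x509 -in certs/"$tag".cert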