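#! /bin/sh
##
## Sign a certificate request with the CA and install the result in the
## archive.
##
## Usage: $0 TAG PROFILE FILE
##   TAG      label for the new certificate; it becomes certs/TAG.cert
##            and certs/TAG.req, so it must not contain `/'
##   PROFILE  selects the `PROFILE-extensions' section of openssl.conf
##   FILE     the request to sign (left untouched)
##
## Needs lib/func.sh for `runas_ca', `linkserial' and `linkhash'.

set -e

## Locate the certificate root relative to this script.  The `&&' makes
## a failed `cd' fail the whole substitution instead of silently
## yielding the caller's working directory.
certroot=$(cd "${0%/*}/.." && pwd) || {
  echo >&2 "$0: cannot locate certificate root"
  exit 1
}
. "$certroot"/lib/func.sh
runas_ca "$@"

## Parse the command line.
case "$#" in
  3) ;;
  *) echo >&2 "Usage: $0 TAG PROFILE FILE"; exit 1 ;;
esac
tag=$1 profile=$2 file=$3

## TAG is spliced into paths below, so a label containing `/' could
## write outside certs/ and tmp/; PROFILE is spliced into an openssl
## option argument and must not be empty.
case $tag in
  '' | */*)
    echo >&2 "$0: invalid tag '$tag'"
    exit 1
    ;;
esac
case $profile in
  '')
    echo >&2 "$0: profile must not be empty"
    exit 1
    ;;
esac

## Make sure we're not overwriting anything. Put sequence numbers
## into labels to prevent bad things from happening.
if [ -f "$certroot"/certs/"$tag".cert ]; then
  echo >&2 "$0: certificate $tag already exists"
  exit 1
fi

## Make a temporary copy of the request. This prevents a race, and
## more importantly lets us change directory.  Whatever the copy and
## the signing step leave in tmp/ is removed on exit, e.g. when
## `openssl ca' refuses the request; after a successful `mv' below the
## cleanup is a no-op.
cp -- "$file" "$certroot"/tmp/"$tag".req
trap 'rm -f "$certroot"/tmp/"$tag".req "$certroot"/tmp/"$tag".cert' EXIT
cd "$certroot"

## Make the certificate.  The extensions section name is quoted so an
## unusual PROFILE value stays a single argument.
openssl ca -config openssl.conf -extensions "$profile-extensions" \
  -in tmp/"$tag".req -out tmp/"$tag".cert

## Install a hash link for the benefit of OpenSSL's `verify' command and
## similar, and install the completed request and certificate in the
## archive.
mv tmp/"$tag".req tmp/"$tag".cert certs/
linkserial certs/"$tag".cert
linkhash certs/"$tag".cert
## -f: an empty tmp/ is not an error, and under `set -e' a bare `rm' on
## an unmatched glob would abort before the certificate is printed.
rm -f tmp/*.pem

## Output the certificate.
openssl x509 -in certs/"$tag".cert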