--- /dev/null
+#! /bin/sh
+
+set -e
+. lib/func.sh
+
+## The key types are adorned with bit lengths. Work out the raw key type
+## names.
+rawkeytypes=""
+for kt in $keytypes; do
+ rawkeytypes="$rawkeytypes ${kt%:*}"
+done
+
+## Start a new output directory.
+rm -rf publish.new
+mkdir publish.new
+mkdir publish.new/ssh-ca
+for kt in $rawkeytypes; do
+ cp ca/ca-$kt.pub publish.new/ssh-ca/
+ read pub <ca/ca-$kt.pub
+ echo "$@cert-authority $scope $pub" >publish.new/ssh-ca/ca-$kt.entry
+done
+
+## Sign the various host keys.
+exec 3<etc/hosts 4>publish.new/ssh-ca/hosts.list
+last=%%%
+while read line <&3; do
+
+ ## Ignore comments and empty lines.
+ case "$line" in
+ "#"* | "") continue ;;
+ ##*[! ]*) ;;
+ ##*) continue ;;
+ esac
+
+ ## Read the host line.
+ set -- $line
+ host=$1
+ names=""
+
+ ## If this is a different host, then start a new section of the list.
+ case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac
+ last=$host
+
+ ## Build a list of names for the host.
+ for n in "$@"; do
+ names=${names:+$names,}$n
+ case "$n" in
+ *.* | *:*) ;;
+ *) names=${names:+$names,}$n.$domain ;;
+ esac
+ done
+
+ ## Sign certificates.
+ for kt in $rawkeytypes; do
+ if [ ! -f host/$host-$kt.pub ]; then continue; fi
+ cp host/$host-$kt.pub publish.new/ssh-ca/
+ ssh-keygen -q -sca/ca-$kt \
+ -h -I"$cacomment:$host.$domain" -n$names \
+ -V$validity \
+ publish.new/ssh-ca/$host-$kt.pub
+ mv publish.new/ssh-ca/$host-$kt-cert.pub \
+ publish.new/ssh-ca/$host-$kt.cert
+ ssh-keygen -lv -fpublish.new/ssh-ca/$host-$kt.pub | sed 's,^,| ,' >&4
+ done
+done
+exec 3>&- 4>&-
+
+## Sign the list.
+run_gpg --armor -o publish.new/ssh-ca/hosts.asc \
+ --clearsign publish.new/ssh-ca/hosts.list
+rm publish.new/ssh-ca/hosts.list
+
+## Include a copy of the public key.
+run_gpg --export --armor -o publish.new/ssh-ca/ca-gnupg.asc
+
+## Include a copy of the complete archive.
+(cd publish.new; tar czf ssh-ca.tar.gz ssh-ca/)
+mv publish.new/ssh-ca.tar.gz publish.new/ssh-ca/
+
+## Done.
+rm -rf publish
+mv publish.new publish