#!/bin/bash # requires bash regexes SUPPLEMENTARY_CONFIG="$2" . ./configure.sh if ! [ -e "$1" ]; then echo "Please provide a csr file as an argument." echo "$0 [csrfile] (configfile)" exit 2 fi # bash doesn't like the (stuff|) construction, so we use (stuff|()) if [[ "$1" =~ (.+/|())(.+) ]]; then # strip leading directories, if they exist NAME="${BASH_REMATCH[3]}" if [[ "$NAME" =~ (.+)\..* ]]; then # strip trailing suffix, if it exists NAME="${BASH_REMATCH[1]}" fi echo Using "$NAME" as cert name. fi if [ -e "$CA"/signed/"$NAME".crt ]; then echo "$CA/signed/$NAME.crt" already exists! exit 3 fi # Gen signed key mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs SERIAL=$(cat "$CA"/ca/"$CA".serial) if [[ "$1" =~ \.spkac$ ]]; then # SPKAC HTML5 standard openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext else # x509 CSR openssl ca -config "$OPENSSL_CONFIG" -in "$1" fi if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead. mv -i "$1" "$CA"/signed/$NAME.csr ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$NAME".crt # so we can find the certificate by name as well as serial openssl x509 -in "$CA"/certs/"$SERIAL".pem -outform DER -out "$CA"/signed/"$NAME".der # Chrome compatible echo "* Web: $CA/signed/$NAME.der with Content-type: application/x-x509-user-cert is suggested." echo "* Email: use ./mailcert.sh $NAME [emailaddress] to use sendmail to deliver the CA and user certificate as PEM MIME attachments." fi