summaryrefslogtreecommitdiff
path: root/signcsr.sh
blob: 0536411599f3b385e945fd2c092eb449cdf4aead (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/bin/bash
# requires bash 3.0 regexes

SUPPLEMENTARY_CONFIG="$2"

. ./configure.sh

if ! [ -e "$1" ]; then
  echo "Please provide a csr file as an argument."
  echo "$0 [csrfile] (configfile)"
  exit 2
fi

# bash doesn't like the (stuff|) construction, so we use (stuff|())
if [[ "$1" =~ (.+/|())(.+) ]]; then # strip leading directories, if they exist
  NAME="${BASH_REMATCH[3]}"
  if [[ "$NAME" =~ (.+)\..* ]]; then # strip trailing suffix, if it exists
    NAME="${BASH_REMATCH[1]}"
  fi
  echo Using "$NAME" as cert name.
fi

if [ -e "$CA"/signed/"$NAME".crt ]; then
  echo "$CA/signed/$NAME.crt" already exists!
  exit 3
fi

# Gen signed key
mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
SERIAL=$(cat "$CA"/ca/"$CA".serial)

if grep ^SPKAC "$1"; then # SPKAC HTML5 <keygen> standard
  [ -n $EKU ] || EKU="clientAuth" # I don't think servers do SPKACs
  openssl spkac -in "$1" # print key size
  openssl ca -config $OPENSSL_CONFIG -spkac "$1" -notext
else # x509 CSR
  if ! [ -n "$EKU" ]; then
    [[ "$( openssl req -in $1 -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]
    CN=${BASH_REMATCH[1]}
    if openssl req -in "$1" -text | grep -EA1 '^ +X509v3 Subject Alternative Name:' | tail -n 1 | grep -qE '^ +DNS:'; then
      EKU="serverAuth"
    elif [[ "$CN" =~ \. ]] && ! [[ "$CN" =~ ' ' ]]; then
      EKU="serverAuth"
    elif [[ "$CN" =~ ' ' ]]; then
      EKU="clientAuth"
    else
      echo Unable to determine if client or server for EKU.
    fi
  fi
  openssl req -in "$1" -text # print key size
  openssl ca -config "$OPENSSL_CONFIG" -in "$1" -notext
fi

if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
  mv -i "$1" "$CA"/signed/$NAME.csr
  ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$NAME".crt # so we can find the certificate by name as well as serial
  openssl x509 -in "$CA"/certs/"$SERIAL".pem -outform DER -out "$CA"/signed/"$NAME".der # Chrome compatible
  if [ -x ./post-sign ]; then
    ./post-sign "$CA"/signed/"$NAME".der $SUPPLEMENTARY_CONFIG
  else
    echo "* Web: $CA/signed/$NAME.der with Content-type: application/x-x509-user-cert is suggested."
    echo "* Email: use ./mailcert.sh $NAME [emailaddress] to use sendmail to deliver the CA and user certificate as PEM MIME attachments."
  fi
fi