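#!/bin/bash
# Sign a certificate request with the local CA and file the result by serial
# and by name.
#
# Usage: $0 [csrfile] (configfile)
#   $1  an x509 CSR (PEM) or an SPKAC file (HTML5 <keygen> output)
#   $2  optional supplementary config, handed through to ./post-sign
#
# Requires bash 3.0 regexes and process substitution.
# Sourcing ./configure.sh is expected to set CA and OPENSSL_CONFIG; it may
# also preset EKU, otherwise EKU is derived from the request below.
#
# Exit status: 2 no request file, 3 name already signed, 4 serial unreadable,
#   5 EKU undeterminable, 6 openssl ca produced no certificate.
SUPPLEMENTARY_CONFIG="$2"
. ./configure.sh

if ! [ -f "$1" ]; then
  echo "Please provide a csr file as an argument." >&2
  echo "$0 [csrfile] (configfile)" >&2
  exit 2
fi

# Cert name = request filename minus leading directories and its last suffix.
# Parameter expansion replaces the original regexes; a bare dotfile such as
# ".csr" keeps its full name instead of collapsing to an empty string.
NAME="${1##*/}"
STEM="${NAME%.*}"
[ -n "$STEM" ] && NAME="$STEM"
echo "Using $NAME as cert name."

if [ -e "$CA/signed/$NAME.crt" ]; then
  echo "$CA/signed/$NAME.crt already exists!" >&2
  exit 3
fi

# Gen signed key
mkdir -pv "$CA/signed" "$CA/temp" "$CA/certs"

# The CA's next serial; the certificate openssl ca writes is certs/<serial>.pem,
# which is how success is detected below.
SERIAL=$(cat "$CA/ca/$CA.serial")
if [ -z "$SERIAL" ]; then
  echo "Cannot read the next serial from $CA/ca/$CA.serial" >&2
  exit 4
fi

if grep -q '^SPKAC' "$1"; then # SPKAC, as produced by the HTML5 <keygen> tag
  # Browser-generated SPKACs are user certificates, so default to clientAuth.
  # $EKU must be quoted here: with an empty EKU the unquoted form becomes
  # "[ -n ]", which is always true, and the default was never applied.
  [ -n "$EKU" ] || EKU="clientAuth"
  openssl spkac -in "$1" # prints the key size for the operator to check
  openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -spkac "$1" -notext
else # x509 CSR
  if [ -z "$EKU" ]; then
    # Derive the EKU from the request: a DNS SAN or a dotted, space-free CN
    # means a server certificate; a CN containing spaces (a person's name)
    # means a client certificate.
    # CN is reset first so a non-matching subject cannot reuse a stale
    # BASH_REMATCH from an earlier match.
    CN=""
    if [[ "$( openssl req -in "$1" -subject -nameopt multiline | grep -E '^ +commonName += ' | head -n 1 )" =~ ^\ +commonName\ +=\ (.+)$ ]]; then
      CN="${BASH_REMATCH[1]}"
    fi
    if openssl req -in "$1" -text | grep -EA1 '^ +X509v3 Subject Alternative Name:' | tail -n 1 | grep -qE '^ +DNS:'; then
      EKU="serverAuth"
    elif [[ "$CN" =~ \. ]] && ! [[ "$CN" =~ ' ' ]]; then
      EKU="serverAuth"
    elif [[ "$CN" =~ ' ' ]]; then
      EKU="clientAuth"
    else
      # Refuse to sign with an undetermined purpose instead of handing an
      # empty EKU to ekusub.sh; set EKU in configure.sh to override.
      echo "Unable to determine if client or server for EKU; set EKU explicitly." >&2
      exit 5
    fi
  fi
  openssl req -in "$1" -text # prints the key size for the operator to check
  openssl ca -config <( ./ekusub.sh "$EKU" < "$OPENSSL_CONFIG" ) -in "$1" -notext
fi

# openssl ca lacks useful exit status codes, so success is "the certificate
# file for this serial now exists".
if [ -e "$CA/certs/$SERIAL.pem" ]; then
  mv -i "$1" "$CA/signed/$NAME.csr"
  ln "$CA/certs/$SERIAL.pem" "$CA/signed/$NAME.crt" # find the cert by name as well as by serial
  openssl x509 -in "$CA/certs/$SERIAL.pem" -outform DER -out "$CA/signed/$NAME.der" # Chrome wants DER
  if [ -x ./post-sign ]; then
    # Pass the supplementary config only when one was given (the original
    # unquoted expansion also dropped an empty second argument).
    ./post-sign "$CA/signed/$NAME.der" ${SUPPLEMENTARY_CONFIG:+"$SUPPLEMENTARY_CONFIG"}
  else
    echo "* Web: $CA/signed/$NAME.der with Content-type: application/x-x509-user-cert is suggested."
    echo "* Email: use ./mailcert.sh $NAME [emailaddress] to use sendmail to deliver the CA and user certificate as PEM MIME attachments."
  fi
else
  echo "openssl ca did not produce $CA/certs/$SERIAL.pem; request not signed." >&2
  exit 6
fi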