blob: 88691482a79076ef376f355a7a02440d8d3e1614 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
#!/bin/bash
# requires bash regexes
SUPPLEMENTARY_CONFIG="$2"
. ./configure.sh
if ! [ -e "$1" ]; then
echo "Please provide a csr file as an argument."
echo "$0 [csrfile] (configfile)"
exit 2
fi
# bash doesn't like the (stuff|) construction, so we use (stuff|())
if [[ "$1" =~ (.+/|())(.+) ]]; then # strip leading directories, if they exist
NAME="${BASH_REMATCH[3]}"
if [[ "$NAME" =~ (.+)\..* ]]; then # strip trailing suffix, if it exists
NAME="${BASH_REMATCH[1]}"
fi
echo Using "$NAME" as cert name.
fi
if [ -e "$CA"/signed/"$NAME".crt ]; then
echo "$CA/signed/$NAME.crt" already exists!
exit 3
fi
# Gen signed key
mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
SERIAL=$(cat "$CA"/ca/"$CA".serial)
if [[ "$1" =~ \.spkac$ ]]; then # SPKAC HTML5 <keygen> standard
openssl spkac -in "$1" # print key size
openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext
else # x509 CSR
openssl req -in "$1" -text # print key size
openssl ca -config "$OPENSSL_CONFIG" -in "$1"
fi
if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
mv -i "$1" "$CA"/signed/$NAME.csr
ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$NAME".crt # so we can find the certificate by name as well as serial
openssl x509 -in "$CA"/certs/"$SERIAL".pem -outform DER -out "$CA"/signed/"$NAME".der # Chrome compatible
if [ -x ./post-sign ]; then
./post-sign "$CA"/signed/"$NAME".der
else
echo "* Web: $CA/signed/$NAME.der with Content-type: application/x-x509-user-cert is suggested."
echo "* Email: use ./mailcert.sh $NAME [emailaddress] to use sendmail to deliver the CA and user certificate as PEM MIME attachments."
fi
fi
|