summaryrefslogtreecommitdiff
path: root/signcsr.sh
blob: 88691482a79076ef376f355a7a02440d8d3e1614 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#!/bin/bash
# requires bash regexes

SUPPLEMENTARY_CONFIG="$2"

. ./configure.sh

if ! [ -e "$1" ]; then
  echo "Please provide a csr file as an argument."
  echo "$0 [csrfile] (configfile)"
  exit 2
fi

# bash doesn't like the (stuff|) construction, so we use (stuff|())
if [[ "$1" =~ (.+/|())(.+) ]]; then # strip leading directories, if they exist
  NAME="${BASH_REMATCH[3]}"
  if [[ "$NAME" =~ (.+)\..* ]]; then # strip trailing suffix, if it exists
    NAME="${BASH_REMATCH[1]}"
  fi
  echo Using "$NAME" as cert name.
fi

if [ -e "$CA"/signed/"$NAME".crt ]; then
  echo "$CA/signed/$NAME.crt" already exists!
  exit 3
fi

# Gen signed key
mkdir -pv "$CA"/signed "$CA"/temp "$CA"/certs
SERIAL=$(cat "$CA"/ca/"$CA".serial)

if [[ "$1" =~ \.spkac$ ]]; then # SPKAC HTML5 <keygen> standard
  openssl spkac -in "$1" # print key size
  openssl ca -config "$OPENSSL_CONFIG" -spkac "$1" -notext
else # x509 CSR
  openssl req -in "$1" -text # print key size
  openssl ca -config "$OPENSSL_CONFIG" -in "$1"
fi

if [ -e "$CA"/certs/"$SERIAL".pem ]; then # openssl lacks useful exit status codes, so we check to see if it actually did anything instead.
  mv -i "$1" "$CA"/signed/$NAME.csr
  ln "$CA"/certs/"$SERIAL".pem "$CA"/signed/"$NAME".crt # so we can find the certificate by name as well as serial
  openssl x509 -in "$CA"/certs/"$SERIAL".pem -outform DER -out "$CA"/signed/"$NAME".der # Chrome compatible
  if [ -x ./post-sign ]; then
    ./post-sign "$CA"/signed/"$NAME".der
  else
    echo "* Web: $CA/signed/$NAME.der with Content-type: application/x-x509-user-cert is suggested."
    echo "* Email: use ./mailcert.sh $NAME [emailaddress] to use sendmail to deliver the CA and user certificate as PEM MIME attachments."
  fi
fi