-rwxr-xr-xscripts/mkreq86
1 files changed, 80 insertions, 6 deletions
diff --git a/scripts/mkreq b/scripts/mkreq
index c73d598..4493867 100755
--- a/scripts/mkreq
+++ b/scripts/mkreq
@@ -1,7 +1,68 @@
#!/bin/sh
-mkdir -p $1
-cat>/tmp/mkreq-$$.cf<<EOC
+host="$1"; shift
+ca_host="ca.sunet.se"
+ca_name="infra"
+type=""
+
+usage ()
+{
+ echo "\
+Usage: mkreq [-v] [-s*] [-c] [-C <ca host>] [-N <ca name>] [--] <fqdn>
+
+
+ -h, --help show this help text and exit
+ -s request server cert (default if <fqdn> exists in cosmos repo)
+ -c request client cert
+ -C ca host (ca.sunet.se)
+ -N ca name (infra)
+
+ <fqdn> fully qualified name of host
+
+" 1>&2
+}
+
+{
+ while test $# -gt 0; do
+ case "$1" in
+ -s)
+ type="server"
+ ;;
+ -c)
+ type="client"
+ ;;
+ -C)
+ ca_host="$2"
+ shift
+ ;;
+ -N)
+ ca_name="$2"
+ shift
+ ;;
+ -h)
+ usage
+ exit 0
+ ;;
+ --)
+ break
+ ;;
+ esac
+ shift
+ done
+}
+
+if [ -d $host -a -z $type ]; then
+ type="server"
+fi
+
+
+cfg=`mktemp`
+key="/tmp/$host.key"
+csr="/tmp/$host.csr"
+
+trap 'rm -f $cfg' EXIT
+
+cat>$cfg<<EOC
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
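Review bot: The private key is generated unencrypted (`-nodes`, in the next hunk) into the predictable path `/tmp/$host.key`, and the CSR into `/tmp/$host.csr`, while only the config file gets a `mktemp` name; a predictable name in a shared `/tmp` can be pre-created or symlinked by another local user before the script runs. Let `mktemp` create both files, e.g. `key=$(mktemp "/tmp/$host.key.XXXXXX")` and `csr=$(mktemp "/tmp/$host.csr.XXXXXX")`; the 0600 mode mktemp sets is kept when openssl truncates and rewrites the file, and the rest of the script keeps working unchanged. The test `[ -d $host -a -z $type ]` leaves both variables unquoted, so with an empty `$type` it collapses to `[ -d host -a -z ]` and only passes by accident; write `[ -d "$host" -a -z "$type" ]`. The usage text shows the options before `<fqdn>`, but `host="$1"; shift` runs before the option loop, so `mkreq -s foo.example.org` would take `-s` as the host; either document the fqdn-first order or move the assignment after the loop, and a `*)` arm reporting unknown options would keep typos from being silently ignored.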
@@ -11,11 +72,24 @@ prompt = no
[ req_distinguished_name ]
C = SE
O = SUNET
-CN = $1
+CN = $host
[ req_extensions ]
-subjectAltName = DNS:$1
+subjectAltName = DNS:$host
EOC
-openssl req -config /tmp/mkreq-$$.cf -new -newkey rsa:4096 -sha1 -keyout $1/$1.key -nodes -out $1/$1.csr
-rm /tmp/mkreq-$$.cf
+reqs="$ca_host/overlay/var/lib/ca/$ca_name/requests/$type"
+if [ ! -d $reqs ]; then
+ echo "*** ERROR - missing request directory $reqs"
+ exit 1
+fi
+
+openssl req -config $cfg -new -newkey rsa:4096 -sha256 -keyout $key -nodes -out $csr
+mv $csr "$reqs/$host.csr"
+git add "$reqs/$host.csr" && git commit -m "certification request for $host from $ca_host:$ca_name"
+
+if [ -d $host ]; then
+ ssh root@$host mkdir -p /etc/ssl/private && scp "$key" "root@$host:/etc/ssl/private/${host}_${ca_name}.key" && rm -f "$key" && echo "** private key given to $host" || echo "** private key left in $key - should be in root@$host:/etc/ssl/private/${host}_${ca_name}.key"
+fi
+
+echo "** successfully generated key and certification request for $host from $ca_host:$ca_name"
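Review bot: No exit status is checked after `openssl req`, `mv` or `git commit`, and the file runs under `#!/bin/sh` without `set -e`, so a failed key generation still goes on to `ssh`/`scp` a non-existent key and prints the closing "successfully generated" line. Add `|| exit 1` to the two critical steps, `openssl req -config "$cfg" ... -keyout "$key" -nodes -out "$csr" || exit 1` and `mv "$csr" "$reqs/$host.csr" || exit 1`, or put `set -e` near the top of the script. `$host`, `$key`, `$csr`, `$cfg` and `$reqs` are unquoted in the `test`, `openssl`, `mv` and `ssh` invocations of this hunk; quoting them matches the already-quoted `scp` and `git` arguments. In the transfer chain, the `|| echo` fallback also fires when `rm -f "$key"` or the success `echo` fails after a successful `scp`, so it would report the key as left behind after it was already copied; an `if ssh ... && scp ...; then ... else ... fi` makes the fallback depend on the transfer alone.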