source: trunk/sysadmin/bin/cacert-cert.sh @ 65

#!/bin/sh

# This script will find all the ServerNames and ServerAliases 
# that are in files in the $HTTPD_VHOSTS_DIR directory and 
# it will then generates a Certificate Signing Request for a 
# new CAcert.org certificate.

# PLEASE NOTE:
#
# 1. You need each ServerAlias on a new line, multiple aliases
#    on one line doesn't work with this.
#
# 2. The variables below WILL need editing for each sever you 
#    install this on.
#
# Chris <chrisc@indymedia.org> 
# 29th April 2007

# ===========================
#
# Please check all the variables in this part of the script
# Most will probably need changing for each server you install 
# this on.
#
##HTTPD_VHOSTS_DIR=/etc/httpd/vhosts-ssl.d/
HTTPD_VHOSTS_DIR="/etc/apache-ssl/redcta_hacks/"
DATE=`date "+%Y-%m-%d_%H-%M-%S"`
CERTS_DIR="/root/certs/crypt"
CERTS_DIR_NEW="$CERTS_DIR/.$DATE"
HOST=german
COMMONNAME=ssl.redcta.org.ar
#
#===========================

# be safe about permissions
LASTUMASK=`umask`
umask 077

# OpenSSL for HPUX needs a random file
RANDOMFILE=$HOME/.rnd

# create a config file for openssl
CONFIG=`mktemp -q $CERTS_DIR/openssl-conf.XXXXXXXX`
if [ ! $? -eq 0 ]; then
    echo "Could not create temporary config file. exiting"
    exit 1
fi

echo "Private Key and Certificate Signing Request Generator"
echo "This script was designed to suit the request format needed by"
echo "the CAcert Certificate Authority. www.CAcert.org"
echo

  # if the certs directory doesn't exist then create it
  if [[ ! -d $CERTS_DIR_NEW ]]; then
    mkdir -p $CERTS_DIR_NEW
  fi

  # get the ServerNames
  SERVER_NAMES=`grep -h ServerName $HTTPD_VHOSTS_DIR/* | sed  s/ServerName//g `
  for name in $SERVER_NAMES
    do
      if [ "$SANAMES" = "" ]; then
          SANAMES="DNS:$name"
      else
          SANAMES="$SANAMES, DNS:$name"
      fi
  done

  # get the ServerAliases 
  SERVER_ALIASES=`grep -h ServerAlias $HTTPD_VHOSTS_DIR/* | sed  s/ServerAlias//g `
  for name in $SERVER_ALIASES
    do
      if [ "$SANAMES" = "" ]; then
          SANAMES="DNS:$name"
      else
          SANAMES="$SANAMES, DNS:$name"
      fi
  done

  MAILMAN_DOMAINS=`cat /etc/mailman/domains_list.txt `
  for name in $MAILMAN_DOMAINS
    do
      if [ "$SANAMES" = "" ]; then
          SANAMES="DNS:$name"
      else
          SANAMES="$SANAMES, DNS:$name"
      fi
  done


# Config File Generation
cat <<EOF > $CONFIG
# -------------- BEGIN custom openssl.cnf -----
 HOME                    = $CERTS_DIR_NEW
 oid_section             = new_oids
 [ new_oids ]
 [ req ]
 default_days            = 730
 default_keyfile         = $CERTS_DIR_NEW/${HOST}-privatekey.pem
 distinguished_name      = req_distinguished_name
 encrypt_key             = no
 string_mask             = nombstr
 req_extensions          = v3_req 
 [ req_distinguished_name ]
 commonName              = Common Name (eg, YOUR name)
 commonName_default      = $COMMONNAME
 commonName_max          = 64
 [ v3_req ]
EOF

if [ ! "$SANAMES" = "" ]; then
    echo "subjectAltName=$SANAMES" >> $CONFIG
fi

echo "# -------------- END custom openssl.cnf -----" >> $CONFIG

echo "Running OpenSSL..."
  echo "Running OpenSSL..."
  openssl req -batch -config $CONFIG -newkey rsa:2048 -out ${CERTS_DIR_NEW}/${HOST}-csr.pem



  echo "Copy the following Certificate Request and paste into CAcert website to obtain a Certificate."
  echo "When you receive your certificate, you save it to"
  echo "${CERTS_DIR_NEW}/${HOST}-cert.pem"
  echo
  cat ${CERTS_DIR_NEW}/${HOST}-csr.pem
  echo
  echo The Certificate request is also available in ${CERTS_DIR_NEW}/${HOST}-csr.pem
  echo The Private Key is stored in ${CERTS_DIR_NEW}/${HOST}-privatekey.pem
  echo These will all need moving to ${CERTS_DIR}, like this:
  echo mv ${CERTS_DIR_NEW}/\* ${CERTS_DIR}/ 
  echo


#rm $CONFIG

#restore umask
umask $LASTUMASK