#!/bin/bash
set -e
ACMEUSER="$1"
CERTS_DIR="$2"
SUBJ="$3"
EXT="$4"
if [ -z "$ACMEUSER" ] || [ -z "$CERTS_DIR" ] || [ -z "$SUBJ" ]; then
echo "Usage:"
echo "$0 \\"
echo " acmeuser \\"
echo " /mysite/certs/dir/ \\"
echo " /CN=mysite.com \\"
echo " subjectAltName=DNS:mysite.com,DNS:www.mysite.com"
exit 0
fi
BASE_DIR=$(cd `dirname "$0"`; pwd)
NAME=`date +%Y-%m-%d--%H-%M-%S--%N`
PREFIX="$CERTS_DIR/$NAME"
echo " -------------------------------------------- "
echo " begin $PREFIX "
echo " -------------------------------------------- "
mkdir -p "$CERTS_DIR"
openssl req -newkey rsa:4096 -sha512 -nodes \
-keyout "$PREFIX.key" \
-out "$PREFIX.csr" \
-subj "$SUBJ" \
-reqexts san \
-config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo $EXT)
sudo -u "$ACMEUSER" "$BASE_DIR/sign-cert.py" "$PREFIX.csr" "$PREFIX.crt"
echo "compare modulus"
MUDULUS_CRT=`openssl x509 -noout -modulus -in "$PREFIX.csr"`
MUDULUS_KEY=`openssl rsa -noout -modulus -in "$PREFIX.key"`
if [ "$MODULUS_CRT" != "$MUDULUS_KEY" ]; then
echo "ERROR: modulus of certificate do not matches modulus of key"
exit 1
fi
echo "ok"
cd "$CERTS_DIR"
ln -fs "$PREFIX.key" "private.key"
ln -fs "$PREFIX.key" "public.crt"
echo " -------------------------------------------- "
echo " done $PREFIX "
echo " -------------------------------------------- "