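#!/bin/sh
# sign.command
# By Chris Pepper, 2006-2007
# Usage: sign.command CSR | sign.command
# Example: sign.command www.tidbits.com.20071108.csr
# Note: CSR to sign must be in external-certs/
#
# Signs a certificate signing request with "openssl ca", appends the CA
# certificate to the signed certificate, and tightens permissions on any
# private keys stored in the certificate repository.
#
# With no argument the CSR filename is read from stdin and looked up in
# $CERTDIR. With an argument, the CSR is taken from the path given.
#
# Exit status: non-zero if the CSR or CA certificate is unreadable, if
# openssl fails, or if no certificate was produced.

# Options are set here rather than on the shebang line so they still apply
# when the script is started as "sh sign.command".
set -eu

# CA host (if network accessible -- not necessarily a good idea)
# Only referenced by the commented-out download hint at the end of the file.
CAHOST=ca.tidbits.com

# CA path
CAPATH=~/CA/tidbits

# CA certificate
CACERT=$CAPATH/ca.tidbits.com.20070401.crt

# Cert repository:
CERTDIR=$CAPATH/external-certs

#cd $CERTDIR

if [ "$#" -eq 0 ]; then
  echo "Please enter the CSR's filename."
  printf '%s' "The CSR must be in $CERTDIR and its filename must end in '.csr': "
  IFS= read -r CSR
  if [ -z "$CSR" ]; then
    echo "$0: ERROR: no CSR filename given" >&2
    exit 1
  fi
  # The prompt promises a file inside $CERTDIR, so resolve the name there.
  # (There is no $1 in this branch to take a directory from.) Any directory
  # part typed by the operator is dropped, which keeps interactive signing
  # confined to the repository.
  BASENAME=$CERTDIR/$(basename -- "$CSR" .csr)
else
  BASENAME=$(dirname -- "$1")/$(basename -- "$1" .csr)
fi

if [ ! -r "$BASENAME.csr" ]; then
  echo "$0: ERROR: ${BASENAME}.csr not readable" >&2
  exit 1
fi

# Check the CA certificate before signing: once "openssl ca" has issued a
# certificate the CA database is updated, so failing afterwards would leave
# an issued certificate without the bundle this script is meant to produce.
if [ ! -r "$CACERT" ]; then
  echo "$0: ERROR: $CACERT not readable" >&2
  exit 1
fi

# Build the result under a scratch name next to the final file (inside the
# CA tree, not a shared temp directory) and move it into place only once it
# is complete. This keeps a previous $BASENAME.crt intact if signing is
# abandoned, and avoids appending the CA certificate to a stale file.
NEWCRT=$BASENAME.crt.new.$$
trap 'rm -f -- "$NEWCRT"' EXIT

# Sign it!
# What ends up in the certificate is governed by the policy and extension
# sections of the openssl configuration (particularly if it enables
# copy_extensions), so review the request details that "openssl ca" displays
# before confirming.
openssl ca -in "$BASENAME.csr" -out "$NEWCRT"

# "openssl ca" may finish without writing a certificate (for example when the
# operator declines at the confirmation prompt); do not hand out a file that
# would contain only the CA certificate.
if [ ! -s "$NEWCRT" ]; then
  echo "$0: ERROR: no certificate was issued for ${BASENAME}.csr" >&2
  exit 1
fi

# Append CA cert to the new signed cert, to facilitate installation of the CA cert.
cat -- "$CACERT" >> "$NEWCRT"
mv -f -- "$NEWCRT" "$BASENAME.crt"

# Protect new key
# Loop instead of passing the glob straight to chmod: with no *.key files the
# pattern stays literal, chmod fails, and "set -e" would abort the script
# after the certificate has already been issued.
# NOTE(review): this only repairs permissions after the fact; keys should be
# created with a restrictive umask in the first place.
for KEY in "$CERTDIR"/*.key; do
  [ -e "$KEY" ] || continue
  chmod go-rwx -- "$KEY"
done

echo "Your signed certificate is:"
# List the certificate itself rather than the newest entry in its directory,
# which is not guaranteed to be the file just written.
ls -l -- "$BASENAME.crt"

# # Facilitate extraction of certs from $CAHOST, if accessible:
# NOTE(review): EXTCERTDIR is not defined anywhere in this script, and
# BASENAME already carries a directory part; fix both before enabling this.
# echo
# echo "To download the cert, first cd to a safe place on your workstation. Then fetch the signed certificate from $CAHOST:"
# echo "scp root@$CAHOST:$EXTCERTDIR/$BASENAME.crt ./"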