client|server|clientserver|fclient|none)
echo "Generating a $flags certificate"
echo $CA_DIR
- CMD="openssl ca -in $filebase.req -out $filebase.cert -outdir tmp \
+ CMD="openssl ca -in $filebase.req -out $filebase.cert -outdir $tmpdir \
-md md5 -config $CA_CONF -batch -extensions ca_$flags -days $validity"
echo $CMD; $CMD
;;
# Get the serial number of the certificate that will eventually sign the proxy.
# Put it into a temporary file to be read by the ca command later.
- SERIAL="`openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//'`"
+ SERIAL=$(openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//')
echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
# cat ${CA_DIR}/serial_proxy.txt
export PROXYNAME=$4
validity=$5
+
# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1
# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1
echo " in files named $filebase.(cert|priv)"
echo " with $validity days validity time"
+ if [ -r "${X509_PROX_CERT}" ]; then
+ echo "There already exists a file named ${X509_PROX_CERT}"
+ echo "file. Proxy certificate is not generated for '$CN'"
+ return
+ fi
+
+
# Have to 'edit' the ca database to remove the entry for the signing certificate.
# maybe no need... make a dummy database, touch and then delete afterwards...
touch ${CA_DIR}/index_proxy.txt
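Review bot: The new guard in create_cert_proxy tests `-r`, so an existing but unreadable ${X509_PROX_CERT} passes the check and the script falls through to the `openssl ca ... -out ${X509_PROX_CERT}` call below, which then fails instead of being skipped; `if [ -e "${X509_PROX_CERT}" ]; then` matches the intent of "a file already exists". The identical guard added for the proxy-proxy case further down has the same issue. The two echo lines also read as one broken sentence ("...named X" / "file. Proxy certificate..."); a single `echo "File ${X509_PROX_CERT} already exists; proxy certificate not generated for '$CN'" >&2` is clearer and sends the diagnostic to stderr. `$CN` is not assigned anywhere visible in this hunk, and the function's start lies outside it, so confirm it is set before this point.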
-cert ${X509_SIGNING_CERT} \
-keyfile ${X509_SIGNING_KEY} \
-out ${X509_PROX_CERT} \
- -outdir . \
+ -outdir $tmpdir \
-config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
-passin pass:${PASSWORD} -notext \
-extensions proxy_none "
X509_PROX_REQ=${filebase}.${ident}.proxy.req
X509_PROX_GRID=${filebase}.${ident}.${ending}
+ if [ -r "${X509_PROX_CERT}" ]; then
+ echo "There already exists a file named ${X509_PROX_CERT}"
+ echo "file. Proxy-proxy certificate is not generated for '$CN'"
+ return
+ fi
+
# Get the serial number of the certificate that will eventually sign the proxy.
# Put it into a temporary file to be read by the ca command later.
# SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`"
-cert ${X509_SIGNING_CERT} \
-keyfile ${X509_SIGNING_KEY} \
-out ${X509_PROX_CERT} \
- -outdir . \
+ -outdir $tmpdir \
-config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
-passin pass:${PASSWORD} -notext \
-extensions proxy_none "
function create_some {
# generating client certificate
- create_cert $CERT_DIR/${catype}_client "$LOGNAME client" client $DAYS
+ create_cert $CERT_DIR/${catype}_client "$LOGNAME" client $DAYS
# generate extra client certificates
if [ -n "$EXTRACERTS" ]; then
fi
# generating host certificate
- create_cert $CERT_DIR/${catype}_server "$HOSTNAME server" server $DAYS
+ create_cert $CERT_DIR/${catype}_server "$HOSTNAME" server $DAYS
# generating CRL
openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
if [ ! -d 'home' ]; then
mkdir 'home'
fi
- cp $CERT_DIR/${catype}_client.cert home/usercert.pem
- cp $CERT_DIR/${catype}_client.priv home/userkey.pem
+ cp -f $CERT_DIR/${catype}_client.cert home/usercert.pem
+ cp -f $CERT_DIR/${catype}_client.priv home/userkey.pem
# set the correct permissions for globus...
chmod 400 home/userkey.pem
if [ -n "$EXTRACERTS" ]; then
echo "Copying '$EXTRACERTS' extra certs"
for i in $(seq -f '%02g' 1 $EXTRACERTS); do
- cp $CERT_DIR/${catype}_client$i.cert home/usercert$i.pem
- cp $CERT_DIR/${catype}_client$i.priv home/userkey$i.pem
+ cp -f $CERT_DIR/${catype}_client$i.cert home/usercert$i.pem
+ cp -f $CERT_DIR/${catype}_client$i.priv home/userkey$i.pem
# set the correct permissions for globus...
chmod 400 home/userkey$i.pem
done
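Review bot: `cp -f` onto the existing mode-400 `home/userkey.pem` (and `home/userkey$i.pem` in the loop) unlinks and recreates the file with the source mode filtered by the umask, so the private key sits with umask permissions until the following `chmod 400` runs. `install -m 400 -- "$CERT_DIR/${catype}_client.priv" home/userkey.pem` (likewise for the numbered keys) creates the file with its final mode in one step and makes the separate chmod unnecessary; `cp -f` can stay for the public `.cert` files. The unquoted `$CERT_DIR` and `$i` expansions predate this change but will break on a path containing whitespace. create_some's body continues outside the hunk.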
echo "Certificate directory set to $X509_CERT_DIR";
cd $TARGETDIR
-echo "Current directory now: `pwd`"
+echo "Current directory now: $PWD"
echo "Config directory now: ${CONFIGDIR}"
-mkdir -p tmp
-ABSTARGETDIR=$(pwd)
+tmpdir=$PWD/tmp
+mkdir -p $tmpdir
+trap "rm -rf $tmpdir" EXIT
+ABSTARGETDIR=$PWD
for catype in $CATYPES; do
echo "+-----------------------"
subject_name=`openssl x509 -in $CA_DIR/${catype}.cert -subject -noout`; ## echo "Subject name = ${subject_name:9}";
# pick off the first 9 characters of the string... this will give our raw subject. see above.
# Now have to construct the signing policy file....
- echo "access_id_CA X509 '${subject_name:9}'" > /tmp/temporary_signing_policy.file
- echo "pos_rights globus CA:sign" >> /tmp/temporary_signing_policy.file
+ echo "access_id_CA X509 '${subject_name:9}'" > $tmpdir/temporary_signing_policy.file
+ echo "pos_rights globus CA:sign" >> $tmpdir/temporary_signing_policy.file
# we now have a request to copy the CA certificates to a globus-friendly location.
# eg. /etc/grid-security/certificates
hash_number=`openssl x509 -in $CA_DIR/${catype}.cert -hash -noout`
echo "The copying of ${CA_DIR}/${catype}.cert to \
$X509_CERT_DIR/${hash_number}.0 failed with error code $result";
fi
- cp /tmp/temporary_signing_policy.file $X509_CERT_DIR/${hash_number}.signing_policy
+ cp $tmpdir/temporary_signing_policy.file $X509_CERT_DIR/${hash_number}.signing_policy
result=$?
if [ $result -ne 0 ];then
- echo "The copying of /tmp/temporary_signing_policy.file to \
+ echo "The copying of $tmpdir/temporary_signing_policy.file to \
$X509_CERT_DIR/${hash_number}.signing_policy failed with error code $result";
fi
- rm /tmp/temporary_signing_policy.file
+ rm $tmpdir/temporary_signing_policy.file
else
echo "The standard globus directory $X509_CERT_DIR does not exist!";
echo "Therefore I cannot copy the CA certificates etc to this directory. Continuing anyway...";
fi
done
-
-# cleaning up temp
-rm tmp/*.pem
-rmdir tmp
-
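Review bot: `tmpdir=$PWD/tmp` followed by `mkdir -p $tmpdir` and `trap "rm -rf $tmpdir" EXIT` removes the whole of `$TARGETDIR/tmp` on exit, including anything that was already there, because `mkdir -p` succeeds on a pre-existing directory; the deleted cleanup at the end of the file only removed `tmp/*.pem` and then `rmdir`. `tmpdir=$(mktemp -d "$PWD/tmp.XXXXXX") || exit 1` yields a fresh, unpredictable directory that the trap can safely delete, and `trap 'rm -rf -- "$tmpdir"' EXIT` keeps a path with whitespace intact at removal time (assuming nothing outside the diff still refers to the literal `tmp` directory). The same `$tmpdir` is also spliced unquoted into the string-built `CMD` in create_cert (`echo $CMD; $CMD`) and into `-outdir $tmpdir` in the proxy commands, so a target directory containing spaces now breaks those invocations where the earlier relative `tmp` could not; building `CMD` as an array and running `"${CMD[@]}"` avoids the word-splitting.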