diff --git a/warden3/contrib/warden_ra/README b/warden3/contrib/warden_ra/README
index 9f6789f575960bd9bdc4661abc3c8039dd9c227c..51932cd76133f916179df940677ea29dc737e047 100644
--- a/warden3/contrib/warden_ra/README
+++ b/warden3/contrib/warden_ra/README
@@ -57,7 +57,7 @@ to the new client administrator along with other setup information.
 The client administrator runs the application script with application password:
- warden_apply.sh org.example.warden.client P4SSW0RD
+ warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client P4SSW0RD
 The script creates new X509 key, CSR certificate request and makes call to the Warden RA web service, where it obtains the new complete certificate.
@@ -69,7 +69,7 @@ Prolonging existing client credentials
 The client administrator runs the application script with his existing valid Warden credentials, which he needs to prolong:
- warden_apply.sh org.example.warden.client cert.pem key.pem
+ warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client cert.pem key.pem
 The script creates new X509 key, CSR certificate request and makes call to the Warden RA web service, where it obtains the new complete certificate.
diff --git a/warden3/contrib/warden_ra/warden_apply.sh b/warden3/contrib/warden_ra/warden_apply.sh
index 5d5f9716b2d0dca675fd8f9c8e2f528c81a59320..18024c6711c654c8676f6bac45705527364084a8 100644
--- a/warden3/contrib/warden_ra/warden_apply.sh
+++ b/warden3/contrib/warden_ra/warden_apply.sh
@@ -1,21 +1,28 @@
 #!/bin/bash
-url='https://warden-hub.cesnet.cz/warden-ra/getCert'
 key=key.pem
 csr=csr.pem
 cert=cert.pem
 result=${TMPDIR:-${TMP:-/tmp}}/cert.$$.$RANDOM
 config=${TMPDIR:-${TMP:-/tmp}}/conf.$$.$RANDOM
-client="$1"
-password="$2"
-incert="$2"
-inkey="$3"
+if [ "$1" == "--cacert" ]; then
+ cacert="--cacert $2"
+ shift
+ shift
+fi
+url="$1"
+client="$2"
+password="$3"
+incert="$4"
+inkey="$5"
 trap 'rm -f "$config $result"' INT TERM HUP EXIT
 function flee { echo -e "$1"; exit $2; }
-[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} client.name password\n ${0%.*} client.name cert_file key_file" 255
+[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} [--cacert CERT] url client.name password\n ${0%.*} [--cacert CERT] url client.name cert_file key_file" 255
+
+url="${url%/}/getCert"
 for n in openssl curl; do
 command -v "$n" 2>&1 >/dev/null || flee "Haven't found $n binary." 251
@@ -32,9 +39,9 @@ echo -e "default_bits=2048\ndistinguished_name=rdn\nprompt=no\n[rdn]\ncommonName
 openssl req -new -nodes -batch -keyout "$key" -out "$csr" -config "$config" || flee "Error generating key/certificate request." 252
 if [ -z "$inkey" ]; then
- curl --progress-bar --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
+ curl --progress-bar $cacert --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
 else
- curl --progress-bar --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
+ curl --progress-bar $cacert --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
 fi
 case $(<$result) in
 '-----BEGIN CERTIFICATE-----'*)
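Review bot: `url="$1"` replaces the hard-coded https URL with whatever the caller types, but nothing after the usage check verifies the scheme, so an `http://` address (or a bare hostname, which curl treats as http) sends the CSR and, in the password branch of the second hunk, the application password in the query string in cleartext; the old constant guaranteed TLS. A one-line guard next to the `url="${url%/}/getCert"` assignment closes this: `[[ "$url" == https://* ]] || flee "URL must start with https://" 254`. The `--cacert` branch also stores option and path in one string, `cacert="--cacert $2"`, which only works because it is later word-split; `cacert=(--cacert "$2")`, expanded as `"${cacert[@]}"` at the call sites, is the robust form. The `for` loop at the end of the hunk closes outside it.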
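Review bot: `$cacert` is expanded unquoted in both curl calls so that the option and the path split into two words, which means a CA file path containing whitespace is split further and, when `--cacert` was given with an empty path, a bare `--cacert` consumes `--request` as its CA file. Declaring it as an array in the option block at the top of the script, `cacert=(--cacert "$2")`, and expanding it here as `"${cacert[@]}"` passes the path as one word and expands to nothing when the option was not given. curl's exit status is still not inspected, so a TLS or CA-validation failure presumably leaves `$result` empty and is reported only by the `case` that starts at the end of the hunk and continues outside it; appending `|| flee "Request to $url failed." 253` to each curl line would make the cause visible.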