Showing 1 changed files with 28 additions and 1 deletions
+28 -1
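--- a/scripts/ca_manager.sh
+++ b/scripts/ca_manager.sh
@@ -18,10 +18,11 @@ Usage:
   $0 status-json
   $0 list-json
   $0 export-ca
+  $0 issue name dns-name [dns-name...]
   $0 sign-csr name csr-file dns-name [dns-name...]
 
 Notes:
-  - Run init/sign-csr as root.
+  - Run init/issue/sign-csr as root or as the CA directory owner.
   - CA private key is stored outside git in \$HOST_MANAGER_CA_DIR/private.
   - The web app only reads status, issued cert metadata, and the public CA cert.
 EOF
@@ -220,12 +221,38 @@ sign_csr() {
     printf '%s\n' "$cert"
 }
 
+issue_cert() {
+    need_openssl
+    [[ -f "$ca_key" && -f "$ca_cert" ]] || die "CA is not initialized"
+    local name key csr primary
+    name="$(safe_name "${1:-}")"
+    shift || true
+    [[ "$#" -ge 1 ]] || die "at least one DNS SAN is required"
+    primary="${1:-}"
+    [[ "$primary" =~ ^[A-Za-z0-9_.-]+$ ]] || die "unsafe DNS SAN: $primary"
+
+    key="$CA_DIR/issued/$name.key.pem"
+    csr="$CA_DIR/requests/$name.csr.pem"
+    [[ ! -e "$key" ]] || die "private key already exists: $key"
+    [[ ! -e "$CA_DIR/issued/$name.cert.pem" ]] || die "certificate already exists: $CA_DIR/issued/$name.cert.pem"
+    install -d -m 0755 "$CA_DIR/issued" "$CA_DIR/requests" "$CA_DIR/csr"
+
+    "$OPENSSL" genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key"
+    chmod 0640 "$key"
+    "$OPENSSL" req -new -sha256 -key "$key" -out "$csr" -subj "/CN=$primary"
+    chmod 0644 "$csr"
+    chown root:host-manager "$key" "$csr" 2>/dev/null || true
+
+    sign_csr "$name" "$csr" "$@"
+}
+
 cmd="${1:-}"
 case "$cmd" in
     init) shift; init_ca "$@" ;;
     status-json) status_json ;;
     list-json) list_json ;;
     export-ca) export_ca ;;
+    issue) shift; issue_cert "$@" ;;
     sign-csr) shift; sign_csr "$@" ;;
     -h|--help|help|'') usage ;;
     *) die "unknown command: $cmd" ;;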
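Review bot: In issue_cert the leaf private key is written by `genpkey` under the caller's umask and only tightened by the following `chmod 0640`, so with a typical 022 umask the file is world-readable for a moment inside a 0755 directory; create it restricted from the start, e.g. `( umask 077 && "$OPENSSL" genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key" )` and keep the chmod after it. Only the first SAN is checked against the `^[A-Za-z0-9_.-]+$` pattern here; unless sign_csr (which starts outside this hunk) validates the remaining arguments itself, the other DNS names reach the signing step unchecked. If sign_csr fails after the key and CSR are written, both files are left behind and a retry dies on "private key already exists", so a `trap`/cleanup around the signing step, or an explicit note in the usage text that the leftover files must be removed by hand, would help. The `chown root:host-manager ... || true` is silently best-effort, which matters now that the Notes allow running as a non-root CA directory owner; a one-line comment such as `# best effort: chown only succeeds when run as root` would make that intent visible.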