#!/bin/bash # SPDX-License-Identifier: Apache-2.0 set -e KOJI_USER="$1" CERT_SUBJECT="$2" DEBUG= SILENT="-s" QUIET="-q" for param in $3 ; do if [ $param ] ; then case $param in debug ) DEBUG="debug" ;; esac else break fi done if [ $DEBUG ] ; then set -xe SILENT= QUIET="-v" fi openssl genrsa -out private/"$KOJI_USER".key 2048 if [ -z "$CERT_SUBJECT" ]; then openssl req -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key else openssl req -subj "$CERT_SUBJECT" -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key fi openssl ca -batch -config ssl.cnf -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt -out certs/"$KOJI_USER".crt -outdir certs -infiles certs/"$KOJI_USER".csr cat certs/"$KOJI_USER".crt private/"$KOJI_USER".key > "$KOJI_USER".pem # Browser certificate is not password-protected, ask users to change their password openssl pkcs12 -export -inkey private/"$KOJI_USER".key -in certs/"$KOJI_USER".crt -CAfile koji_ca_cert.crt -out certs/"$KOJI_USER"_browser_cert.p12 -passout pass: