/usr/bin/icinga2-sign-key is in icinga2-common 2.1.1-1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/bin/sh
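# Sign a certificate signing request (CSR) with the local Icinga 2 CA and
# pack the resulting certificate together with ca.crt into an agent bundle.
#
# Usage: icinga2-sign-key <csr-file>
#   <csr-file> is resolved relative to $ICINGA_CA.
#
# Outputs (under $ICINGA_CA):
#   <commonName>.crt     the signed certificate, renamed after its CN
#   <commonName>.bundle  base64 of a gzip'd tar holding that cert and ca.crt
#
# Security notes:
#   - The commonName comes from the CSR, so it is chosen by whoever generated
#     the request. It ends up in file names, so it is validated and every
#     expansion is quoted.
#   - The request is signed as submitted; nothing here shows the subject to
#     the operator first. Verify where the CSR came from before running this.
#   - The CN checks run after signing, so a rejected CN still leaves the
#     signed <csr-name>.crt in $ICINGA_CA and a consumed serial number.
#
# NOTE(review): ICINGA_CA, REQ_DAYS and check_pki_dir are not defined in this
# file; presumably pkifuncs and/or $ICINGA_CA/vars provide them -- confirm.

ICINGA2PKIDIR=/usr/share/icinga2/pki
. "$ICINGA2PKIDIR/pkifuncs"

if [ -z "$1" ]; then
  echo "Syntax: $0 <csr-file>" >&2
  exit 1
fi

check_pki_dir

csrfile=$1

if [ ! -e "$ICINGA_CA/$csrfile" ]; then
  echo "The specified CSR file does not exist." >&2
  exit 1
fi

# Certificate name before the rename: the CSR name minus its last extension.
pubkfile=${csrfile%.*}

if [ ! -f "$ICINGA_CA/ca.crt" ] || [ ! -f "$ICINGA_CA/ca.key" ]; then
  echo "Please build a CA certificate first." >&2
  exit 1
fi

if [ -f "$ICINGA_CA/vars" ]; then
  . "$ICINGA_CA/vars"
fi

if ! openssl x509 -days "$REQ_DAYS" \
    -CA "$ICINGA_CA/ca.crt" -CAkey "$ICINGA_CA/ca.key" \
    -req -in "$ICINGA_CA/$csrfile" \
    -outform PEM -out "$ICINGA_CA/$pubkfile.crt" \
    -CAserial "$ICINGA_CA/serial"; then
  echo "Signing the CSR failed." >&2
  exit 1
fi

# Read the CN back from the certificate that was just written. The path is
# given explicitly so this does not depend on the current directory, and
# -noout keeps the PEM body out of the text that grep scans.
# The pattern expects the one-line "/CN=value" subject form; newer OpenSSL
# releases may print the subject differently, in which case cn stays empty
# and the check below stops the script.
cn=$(openssl x509 -in "$ICINGA_CA/$pubkfile.crt" -noout -subject \
  | grep -Eo '/CN=[^ ]+' | cut -f2- -d=)

# A literal newline for the pattern match below (POSIX sh has no $'\n').
nl=$(printf '\nx')
nl=${nl%x}

if [ -z "$cn" ]; then
  echo "Could not determine the commonName of the signed certificate." >&2
  exit 1
fi

case "$cn" in
  */*)
    echo "commonName contains invalid character (/)." >&2
    exit 1
    ;;
  -*)
    # A leading dash would be parsed as an option by tar below.
    echo "commonName must not start with '-'." >&2
    exit 1
    ;;
  *"$nl"*)
    # More than one /CN= match in the subject; refuse to guess.
    echo "Subject contains more than one commonName." >&2
    exit 1
    ;;
esac

# Skip the rename when the CSR was already named after the CN; mv would only
# complain that source and destination are the same file.
if [ "$pubkfile" != "$cn" ]; then
  if ! mv -- "$ICINGA_CA/$pubkfile.crt" "$ICINGA_CA/$cn.crt"; then
    echo "Renaming the certificate failed." >&2
    exit 1
  fi
fi
pubkfile=$cn

# Make an agent bundle file
tar cz -C "$ICINGA_CA" "$pubkfile.crt" ca.crt | base64 > "$ICINGA_CA/$pubkfile.bundle"

echo "Done. $pubkfile.crt and $pubkfile.bundle files were written."

exit 0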