There are a couple of scripts in /afs/hcoop.net/common/etc/scripts that facilitate signing and installing of certificates.
We should investigate CACert's scripts for generating CSRs.
Signing
ca-sign is the script that given a certificate request, produces a signed certificate. It stores a copy of the certificate request in /var/local/lib/ca/requests, and stores a copy of the certificate in /var/local/lib/ca/newcerts. It also updates the certificate revocation list, which is a publicly-accessible list of certificates that have been revoked.
Here is an example of how to invoke it:
ca-sign days request.csr out-cert-file.pem
days is the number of days that the certificate should be valid. Users get to choose this value.
request.csr is the certificate request.
out-cert-file.pem is where you want the generated certificate to be placed.
Installing
ca-install is the script which installs a certificate (including the RSA private key) to the user web nodes. It does sanity-checking on the certificate before allowing it to be installed, so as not to bring down Apache.
Usage:
ca-install member domain cert-file.pem [key-file.pem]