source: lab.git/TipAndDoc/openssl/CA.sh @ 23aa5e1

trunk
Last change on this file since 23aa5e1 was 8333ea0, checked in by mitty <mitty@…>, 14 years ago

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@92 7d2118f6-f56c-43e7-95a2-4bb3031d96e7

  • Property mode set to 100755
File size: 3.7 KB
Line 
1#!/bin/sh
2#
3# CA - wrapper around ca to make it easier to use ... basically ca requires
4#      some setup stuff to be done before you can use it and this makes
5#      things easier between now and when Eric is convinced to fix it :-)
6#
7# CA -newca ... will setup the right stuff
8# CA -newreq ... will generate a certificate request
9# CA -sign ... will sign the generated request and output
10#
11# At the end of that grab newreq.pem and newcert.pem (one has the key
12# and the other the certificate) and cat them together and that is what
13# you want/need ... I'll make even this a little cleaner later.
14#
15#
16# 12-Jan-96 tjh    Added more things ... including CA -signcert which
17#                  converts a certificate to a request and then signs it.
18# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
19#          environment variable so this can be driven from
20#          a script.
21# 25-Jul-96 eay    Cleaned up filenames some more.
22# 11-Jun-96 eay    Fixed a few filename missmatches.
23# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
24# 18-Apr-96 tjh    Original hacking
25#
26# Tim Hudson
27# tjh@cryptsoft.com
28#
29
30# default openssl.cnf file has setup as per the following
31# demoCA ... where everything is stored
32
33if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
34
35DAYS="-days 3650"   # 10 years
36CADAYS="-days 3650" # 10 years
37REQ="$OPENSSL req $SSLEAY_CONFIG"
38CA="$OPENSSL ca $SSLEAY_CONFIG"
39VERIFY="$OPENSSL verify"
40X509="$OPENSSL x509"
41
42CATOP=./demoCA
43CAKEY=./cakey.pem
44CAREQ=./careq.pem
45CACERT=./cacert.pem
46
47for i
48do
49case $i in
50-\?|-h|-help)
51    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
52    exit 0
53    ;;
54-newcert) 
55    # create a certificate
56    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
57    RET=$?
58    echo "Certificate is in newcert.pem, private key is in newkey.pem"
59    ;;
60-newreq) 
61    # create a certificate request
62    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
63    RET=$?
64    echo "Request is in newreq.pem, private key is in newkey.pem"
65    ;;
66-newca)     
67    # if explicitly asked for or it doesn't exist then setup the directory
68    # structure that Eric likes to manage things
69    NEW="1"
70    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
71    # create the directory hierarchy
72    mkdir ${CATOP} 
73    mkdir ${CATOP}/certs
74    mkdir ${CATOP}/crl
75    mkdir ${CATOP}/newcerts
76    mkdir ${CATOP}/private
77    echo "00" > ${CATOP}/serial
78    touch ${CATOP}/index.txt
79    fi
80    if [ ! -f ${CATOP}/private/$CAKEY ]; then
81    echo "CA certificate filename (or enter to create)"
82    read FILE
83
84    # ask user for existing CA certificate
85    if [ "$FILE" ]; then
86        cp $FILE ${CATOP}/private/$CAKEY
87        RET=$?
88    else
89        echo "Making CA certificate ..."
90        $REQ -new -keyout ${CATOP}/private/$CAKEY \
91               -out ${CATOP}/$CAREQ
92        $CA -out ${CATOP}/$CACERT $CADAYS -batch \
93               -keyfile ${CATOP}/private/$CAKEY -selfsign \
94               -extensions v3_ca \
95               -infiles ${CATOP}/$CAREQ 
96        RET=$?
97    fi
98    fi
99    ;;
100-xsign)
101    $CA -policy policy_anything -infiles newreq.pem
102    RET=$?
103    ;;
104-sign|-signreq) 
105    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
106    RET=$?
107    cat newcert.pem
108    echo "Signed certificate is in newcert.pem"
109    ;;
110-signcert) 
111    echo "Cert passphrase will be requested twice - bug?"
112    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
113    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
114    cat newcert.pem
115    echo "Signed certificate is in newcert.pem"
116    ;;
117-verify) 
118    shift
119    if [ -z "$1" ]; then
120        $VERIFY -CAfile $CATOP/$CACERT newcert.pem
121        RET=$?
122    else
123    for j
124    do
125        $VERIFY -CAfile $CATOP/$CACERT $j
126        if [ $? != 0 ]; then
127            RET=$?
128        fi
129    done
130    fi
131    exit 0
132    ;;
133*)
134    echo "Unknown arg $i";
135    exit 1
136    ;;
137esac
138done
139exit $RET
140
Note: See TracBrowser for help on using the repository browser.