1 | #!/bin/sh |
---|
2 | # |
---|
3 | # CA - wrapper around ca to make it easier to use ... basically ca requires |
---|
4 | # some setup stuff to be done before you can use it and this makes |
---|
5 | # things easier between now and when Eric is convinced to fix it :-) |
---|
6 | # |
---|
7 | # CA -newca ... will setup the right stuff |
---|
8 | # CA -newreq ... will generate a certificate request |
---|
9 | # CA -sign ... will sign the generated request and output |
---|
10 | # |
---|
11 | # At the end of that grab newreq.pem and newcert.pem (one has the key |
---|
12 | # and the other the certificate) and cat them together and that is what |
---|
13 | # you want/need ... I'll make even this a little cleaner later. |
---|
14 | # |
---|
15 | # |
---|
16 | # 12-Jan-96 tjh Added more things ... including CA -signcert which |
---|
17 | # converts a certificate to a request and then signs it. |
---|
18 | # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG |
---|
19 | # environment variable so this can be driven from |
---|
20 | # a script. |
---|
21 | # 25-Jul-96 eay Cleaned up filenames some more. |
---|
22 | # 11-Jun-96 eay Fixed a few filename missmatches. |
---|
23 | # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. |
---|
24 | # 18-Apr-96 tjh Original hacking |
---|
25 | # |
---|
26 | # Tim Hudson |
---|
27 | # tjh@cryptsoft.com |
---|
28 | # |
---|
29 | |
---|
30 | # default openssl.cnf file has setup as per the following |
---|
31 | # demoCA ... where everything is stored |
---|
32 | |
---|
33 | if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi |
---|
34 | |
---|
35 | DAYS="-days 365" # 1 year |
---|
36 | CADAYS="-days 1095" # 3 years |
---|
37 | REQ="$OPENSSL req $SSLEAY_CONFIG" |
---|
38 | CA="$OPENSSL ca $SSLEAY_CONFIG" |
---|
39 | VERIFY="$OPENSSL verify" |
---|
40 | X509="$OPENSSL x509" |
---|
41 | |
---|
42 | CATOP=./demoCA |
---|
43 | CAKEY=./cakey.pem |
---|
44 | CAREQ=./careq.pem |
---|
45 | CACERT=./cacert.pem |
---|
46 | |
---|
47 | for i |
---|
48 | do |
---|
49 | case $i in |
---|
50 | -\?|-h|-help) |
---|
51 | echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 |
---|
52 | exit 0 |
---|
53 | ;; |
---|
54 | -newcert) |
---|
55 | # create a certificate |
---|
56 | $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS |
---|
57 | RET=$? |
---|
58 | echo "Certificate is in newcert.pem, private key is in newkey.pem" |
---|
59 | ;; |
---|
60 | -newreq) |
---|
61 | # create a certificate request |
---|
62 | $REQ -new -keyout newkey.pem -out newreq.pem $DAYS |
---|
63 | RET=$? |
---|
64 | echo "Request is in newreq.pem, private key is in newkey.pem" |
---|
65 | ;; |
---|
66 | -newca) |
---|
67 | # if explicitly asked for or it doesn't exist then setup the directory |
---|
68 | # structure that Eric likes to manage things |
---|
69 | NEW="1" |
---|
70 | if [ "$NEW" -o ! -f ${CATOP}/serial ]; then |
---|
71 | # create the directory hierarchy |
---|
72 | mkdir ${CATOP} |
---|
73 | mkdir ${CATOP}/certs |
---|
74 | mkdir ${CATOP}/crl |
---|
75 | mkdir ${CATOP}/newcerts |
---|
76 | mkdir ${CATOP}/private |
---|
77 | echo "00" > ${CATOP}/serial |
---|
78 | touch ${CATOP}/index.txt |
---|
79 | fi |
---|
80 | if [ ! -f ${CATOP}/private/$CAKEY ]; then |
---|
81 | echo "CA certificate filename (or enter to create)" |
---|
82 | read FILE |
---|
83 | |
---|
84 | # ask user for existing CA certificate |
---|
85 | if [ "$FILE" ]; then |
---|
86 | cp $FILE ${CATOP}/private/$CAKEY |
---|
87 | RET=$? |
---|
88 | else |
---|
89 | echo "Making CA certificate ..." |
---|
90 | $REQ -new -keyout ${CATOP}/private/$CAKEY \ |
---|
91 | -out ${CATOP}/$CAREQ |
---|
92 | $CA -out ${CATOP}/$CACERT $CADAYS -batch \ |
---|
93 | -keyfile ${CATOP}/private/$CAKEY -selfsign \ |
---|
94 | -extensions v3_ca \ |
---|
95 | -infiles ${CATOP}/$CAREQ |
---|
96 | RET=$? |
---|
97 | fi |
---|
98 | fi |
---|
99 | ;; |
---|
100 | -xsign) |
---|
101 | $CA -policy policy_anything -infiles newreq.pem |
---|
102 | RET=$? |
---|
103 | ;; |
---|
104 | -sign|-signreq) |
---|
105 | $CA -policy policy_anything -out newcert.pem -infiles newreq.pem |
---|
106 | RET=$? |
---|
107 | cat newcert.pem |
---|
108 | echo "Signed certificate is in newcert.pem" |
---|
109 | ;; |
---|
110 | -signcert) |
---|
111 | echo "Cert passphrase will be requested twice - bug?" |
---|
112 | $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem |
---|
113 | $CA -policy policy_anything -out newcert.pem -infiles tmp.pem |
---|
114 | cat newcert.pem |
---|
115 | echo "Signed certificate is in newcert.pem" |
---|
116 | ;; |
---|
117 | -verify) |
---|
118 | shift |
---|
119 | if [ -z "$1" ]; then |
---|
120 | $VERIFY -CAfile $CATOP/$CACERT newcert.pem |
---|
121 | RET=$? |
---|
122 | else |
---|
123 | for j |
---|
124 | do |
---|
125 | $VERIFY -CAfile $CATOP/$CACERT $j |
---|
126 | if [ $? != 0 ]; then |
---|
127 | RET=$? |
---|
128 | fi |
---|
129 | done |
---|
130 | fi |
---|
131 | exit 0 |
---|
132 | ;; |
---|
133 | *) |
---|
134 | echo "Unknown arg $i"; |
---|
135 | exit 1 |
---|
136 | ;; |
---|
137 | esac |
---|
138 | done |
---|
139 | exit $RET |
---|
140 | |
---|