Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 1 | #!/bin/sh |
| 2 | # |
| 3 | # CA - wrapper around ca to make it easier to use ... basically ca requires |
| 4 | # some setup stuff to be done before you can use it and this makes |
| 5 | # things easier between now and when Eric is convinced to fix it :-) |
| 6 | # |
| 7 | # CA -newca ... will setup the right stuff |
| 8 | # CA -newreq ... will generate a certificate request |
| 9 | # CA -sign ... will sign the generated request and output |
| 10 | # |
| 11 | # At the end of that grab newreq.pem and newcert.pem (one has the key |
| 12 | # and the other the certificate) and cat them together and that is what |
| 13 | # you want/need ... I'll make even this a little cleaner later. |
| 14 | # |
| 15 | # |
| 16 | # 12-Jan-96 tjh Added more things ... including CA -signcert which |
| 17 | # converts a certificate to a request and then signs it. |
| 18 | # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG |
| 19 | # environment variable so this can be driven from |
| 20 | # a script. |
| 21 | # 25-Jul-96 eay Cleaned up filenames some more. |
| 22 | # 11-Jun-96 eay Fixed a few filename missmatches. |
| 23 | # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. |
| 24 | # 18-Apr-96 tjh Original hacking |
| 25 | # |
| 26 | # Tim Hudson |
| 27 | # tjh@cryptsoft.com |
| 28 | # |
| 29 | |
| 30 | # default openssl.cnf file has setup as per the following |
| 31 | # demoCA ... where everything is stored |
| 32 | cp_pem() { |
| 33 | infile=$1 |
| 34 | outfile=$2 |
| 35 | bound=$3 |
| 36 | flag=0 |
| 37 | exec <$infile; |
| 38 | while read line; do |
| 39 | if [ $flag -eq 1 ]; then |
| 40 | echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null |
| 41 | if [ $? -eq 0 ] ; then |
| 42 | echo $line >>$outfile |
| 43 | break |
| 44 | else |
| 45 | echo $line >>$outfile |
| 46 | fi |
| 47 | fi |
| 48 | |
| 49 | echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null |
| 50 | if [ $? -eq 0 ]; then |
| 51 | echo $line >$outfile |
| 52 | flag=1 |
| 53 | fi |
| 54 | done |
| 55 | } |
| 56 | |
| 57 | usage() { |
| 58 | echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 |
| 59 | } |
| 60 | |
| 61 | if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi |
| 62 | |
| 63 | if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year |
| 64 | CADAYS="-days 1095" # 3 years |
| 65 | REQ="$OPENSSL req $SSLEAY_CONFIG" |
| 66 | CA="$OPENSSL ca $SSLEAY_CONFIG" |
| 67 | VERIFY="$OPENSSL verify" |
| 68 | X509="$OPENSSL x509" |
| 69 | PKCS12="openssl pkcs12" |
| 70 | |
| 71 | if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi |
| 72 | CAKEY=./cakey.pem |
| 73 | CAREQ=./careq.pem |
| 74 | CACERT=./cacert.pem |
| 75 | |
| 76 | RET=0 |
| 77 | |
| 78 | while [ "$1" != "" ] ; do |
| 79 | case $1 in |
| 80 | -\?|-h|-help) |
| 81 | usage |
| 82 | exit 0 |
| 83 | ;; |
| 84 | -newcert) |
| 85 | # create a certificate |
| 86 | $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS |
| 87 | RET=$? |
| 88 | echo "Certificate is in newcert.pem, private key is in newkey.pem" |
| 89 | ;; |
| 90 | -newreq) |
| 91 | # create a certificate request |
| 92 | $REQ -new -keyout newkey.pem -out newreq.pem $DAYS |
| 93 | RET=$? |
| 94 | echo "Request is in newreq.pem, private key is in newkey.pem" |
| 95 | ;; |
| 96 | -newreq-nodes) |
| 97 | # create a certificate request |
| 98 | $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS |
| 99 | RET=$? |
| 100 | echo "Request (and private key) is in newreq.pem" |
| 101 | ;; |
| 102 | -newca) |
| 103 | # if explicitly asked for or it doesn't exist then setup the directory |
| 104 | # structure that Eric likes to manage things |
| 105 | NEW="1" |
| 106 | if [ "$NEW" -o ! -f ${CATOP}/serial ]; then |
| 107 | # create the directory hierarchy |
| 108 | mkdir -p ${CATOP} |
| 109 | mkdir -p ${CATOP}/certs |
| 110 | mkdir -p ${CATOP}/crl |
| 111 | mkdir -p ${CATOP}/newcerts |
| 112 | mkdir -p ${CATOP}/private |
| 113 | touch ${CATOP}/index.txt |
| 114 | fi |
| 115 | if [ ! -f ${CATOP}/private/$CAKEY ]; then |
| 116 | echo "CA certificate filename (or enter to create)" |
| 117 | read FILE |
| 118 | |
| 119 | # ask user for existing CA certificate |
| 120 | if [ "$FILE" ]; then |
| 121 | cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE |
| 122 | cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE |
| 123 | RET=$? |
| 124 | if [ ! -f "${CATOP}/serial" ]; then |
| 125 | $X509 -in ${CATOP}/$CACERT -noout -next_serial \ |
| 126 | -out ${CATOP}/serial |
| 127 | fi |
| 128 | else |
| 129 | echo "Making CA certificate ..." |
| 130 | $REQ -new -keyout ${CATOP}/private/$CAKEY \ |
| 131 | -out ${CATOP}/$CAREQ |
| 132 | $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ |
| 133 | -keyfile ${CATOP}/private/$CAKEY -selfsign \ |
| 134 | -extensions v3_ca \ |
| 135 | -infiles ${CATOP}/$CAREQ |
| 136 | RET=$? |
| 137 | fi |
| 138 | fi |
| 139 | ;; |
| 140 | -xsign) |
| 141 | $CA -policy policy_anything -infiles newreq.pem |
| 142 | RET=$? |
| 143 | ;; |
| 144 | -pkcs12) |
| 145 | if [ -z "$2" ] ; then |
| 146 | CNAME="My Certificate" |
| 147 | else |
| 148 | CNAME="$2" |
| 149 | fi |
| 150 | $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ |
| 151 | -out newcert.p12 -export -name "$CNAME" |
| 152 | RET=$? |
| 153 | exit $RET |
| 154 | ;; |
| 155 | -sign|-signreq) |
| 156 | $CA -policy policy_anything -out newcert.pem -infiles newreq.pem |
| 157 | RET=$? |
| 158 | cat newcert.pem |
| 159 | echo "Signed certificate is in newcert.pem" |
| 160 | ;; |
| 161 | -signCA) |
| 162 | $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem |
| 163 | RET=$? |
| 164 | echo "Signed CA certificate is in newcert.pem" |
| 165 | ;; |
| 166 | -signcert) |
| 167 | echo "Cert passphrase will be requested twice - bug?" |
| 168 | $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem |
| 169 | $CA -policy policy_anything -out newcert.pem -infiles tmp.pem |
| 170 | RET=$? |
| 171 | cat newcert.pem |
| 172 | echo "Signed certificate is in newcert.pem" |
| 173 | ;; |
| 174 | -verify) |
| 175 | shift |
| 176 | if [ -z "$1" ]; then |
| 177 | $VERIFY -CAfile $CATOP/$CACERT newcert.pem |
| 178 | RET=$? |
| 179 | else |
| 180 | for j |
| 181 | do |
| 182 | $VERIFY -CAfile $CATOP/$CACERT $j |
| 183 | if [ $? != 0 ]; then |
| 184 | RET=$? |
| 185 | fi |
| 186 | done |
| 187 | fi |
| 188 | exit $RET |
| 189 | ;; |
| 190 | *) |
| 191 | echo "Unknown arg $i" >&2 |
| 192 | usage |
| 193 | exit 1 |
| 194 | ;; |
| 195 | esac |
| 196 | shift |
| 197 | done |
| 198 | exit $RET |