2
0

CA.sh 3.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139
  1. #!/bin/sh
  2. #
  3. # CA - wrapper around ca to make it easier to use ... basically ca requires
  4. # some setup stuff to be done before you can use it and this makes
  5. # things easier between now and when Eric is convinced to fix it :-)
  6. #
  7. # CA -newca ... will setup the right stuff
  8. # CA -newreq ... will generate a certificate request
  9. # CA -sign ... will sign the generated request and output
  10. #
  11. # At the end of that grab newreq.pem and newcert.pem (one has the key
  12. # and the other the certificate) and cat them together and that is what
  13. # you want/need ... I'll make even this a little cleaner later.
  14. #
  15. #
  16. # 12-Jan-96 tjh Added more things ... including CA -signcert which
  17. # converts a certificate to a request and then signs it.
  18. # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
  19. # environment variable so this can be driven from
  20. # a script.
  21. # 25-Jul-96 eay Cleaned up filenames some more.
  22. # 11-Jun-96 eay Fixed a few filename missmatches.
  23. # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
  24. # 18-Apr-96 tjh Original hacking
  25. #
  26. # Tim Hudson
  27. # tjh@cryptsoft.com
  28. #
  29. # default openssl.cnf file has setup as per the following
  30. # demoCA ... where everything is stored
  31. if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
  32. DAYS="-days 365" # 1 year
  33. CADAYS="-days 1095" # 3 years
  34. REQ="$OPENSSL req $SSLEAY_CONFIG"
  35. CA="$OPENSSL ca $SSLEAY_CONFIG"
  36. VERIFY="$OPENSSL verify"
  37. X509="$OPENSSL x509"
  38. CATOP=./demoCA
  39. CAKEY=./cakey.pem
  40. CAREQ=./careq.pem
  41. CACERT=./cacert.pem
  42. for i
  43. do
  44. case $i in
  45. -\?|-h|-help)
  46. echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
  47. exit 0
  48. ;;
  49. -newcert)
  50. # create a certificate
  51. $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
  52. RET=$?
  53. echo "Certificate is in newcert.pem, private key is in newkey.pem"
  54. ;;
  55. -newreq)
  56. # create a certificate request
  57. $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
  58. RET=$?
  59. echo "Request is in newreq.pem, private key is in newkey.pem"
  60. ;;
  61. -newca)
  62. # if explicitly asked for or it doesn't exist then setup the directory
  63. # structure that Eric likes to manage things
  64. NEW="1"
  65. if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
  66. # create the directory hierarchy
  67. mkdir ${CATOP}
  68. mkdir ${CATOP}/certs
  69. mkdir ${CATOP}/crl
  70. mkdir ${CATOP}/newcerts
  71. mkdir ${CATOP}/private
  72. echo "00" > ${CATOP}/serial
  73. touch ${CATOP}/index.txt
  74. fi
  75. if [ ! -f ${CATOP}/private/$CAKEY ]; then
  76. echo "CA certificate filename (or enter to create)"
  77. read FILE
  78. # ask user for existing CA certificate
  79. if [ "$FILE" ]; then
  80. cp $FILE ${CATOP}/private/$CAKEY
  81. RET=$?
  82. else
  83. echo "Making CA certificate ..."
  84. $REQ -new -keyout ${CATOP}/private/$CAKEY \
  85. -out ${CATOP}/$CAREQ
  86. $CA -out ${CATOP}/$CACERT $CADAYS -batch \
  87. -keyfile ${CATOP}/private/$CAKEY -selfsign \
  88. -infiles ${CATOP}/$CAREQ
  89. RET=$?
  90. fi
  91. fi
  92. ;;
  93. -xsign)
  94. $CA -policy policy_anything -infiles newreq.pem
  95. RET=$?
  96. ;;
  97. -sign|-signreq)
  98. $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
  99. RET=$?
  100. cat newcert.pem
  101. echo "Signed certificate is in newcert.pem"
  102. ;;
  103. -signcert)
  104. echo "Cert passphrase will be requested twice - bug?"
  105. $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
  106. $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
  107. cat newcert.pem
  108. echo "Signed certificate is in newcert.pem"
  109. ;;
  110. -verify)
  111. shift
  112. if [ -z "$1" ]; then
  113. $VERIFY -CAfile $CATOP/$CACERT newcert.pem
  114. RET=$?
  115. else
  116. for j
  117. do
  118. $VERIFY -CAfile $CATOP/$CACERT $j
  119. if [ $? != 0 ]; then
  120. RET=$?
  121. fi
  122. done
  123. fi
  124. exit 0
  125. ;;
  126. *)
  127. echo "Unknown arg $i";
  128. exit 1
  129. ;;
  130. esac
  131. done
  132. exit $RET