diff options
Diffstat (limited to 'openssl/apps/CA.sh')
| -rw-r--r-- | openssl/apps/CA.sh | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/openssl/apps/CA.sh b/openssl/apps/CA.sh new file mode 100644 index 000000000..a0b20d85a --- /dev/null +++ b/openssl/apps/CA.sh @@ -0,0 +1,139 @@ +#!/bin/sh +# +# CA - wrapper around ca to make it easier to use ... basically ca requires +# some setup stuff to be done before you can use it and this makes +# things easier between now and when Eric is convinced to fix it :-) +# +# CA -newca ... will setup the right stuff +# CA -newreq ... will generate a certificate request +# CA -sign ... will sign the generated request and output +# +# At the end of that grab newreq.pem and newcert.pem (one has the key +# and the other the certificate) and cat them together and that is what +# you want/need ... I'll make even this a little cleaner later. +# +# +# 12-Jan-96 tjh Added more things ... including CA -signcert which +# converts a certificate to a request and then signs it. +# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG +# environment variable so this can be driven from +# a script. +# 25-Jul-96 eay Cleaned up filenames some more. +# 11-Jun-96 eay Fixed a few filename missmatches. +# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. +# 18-Apr-96 tjh Original hacking +# +# Tim Hudson +# tjh@cryptsoft.com +# + +# default openssl.cnf file has setup as per the following +# demoCA ... where everything is stored + +if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi + +DAYS="-days 365" # 1 year +CADAYS="-days 1095" # 3 years +REQ="$OPENSSL req $SSLEAY_CONFIG" +CA="$OPENSSL ca $SSLEAY_CONFIG" +VERIFY="$OPENSSL verify" +X509="$OPENSSL x509" + +CATOP=./demoCA +CAKEY=./cakey.pem +CAREQ=./careq.pem +CACERT=./cacert.pem + +for i +do +case $i in +-\?|-h|-help) + echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2 + exit 0 + ;; +-newcert) + # create a certificate + $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS + RET=$? + echo "Certificate is in newcert.pem, private key is in newkey.pem" + ;; +-newreq) + # create a certificate request + $REQ -new -keyout newkey.pem -out newreq.pem $DAYS + RET=$? + echo "Request is in newreq.pem, private key is in newkey.pem" + ;; +-newca) + # if explicitly asked for or it doesn't exist then setup the directory + # structure that Eric likes to manage things + NEW="1" + if [ "$NEW" -o ! -f ${CATOP}/serial ]; then + # create the directory hierarchy + mkdir ${CATOP} + mkdir ${CATOP}/certs + mkdir ${CATOP}/crl + mkdir ${CATOP}/newcerts + mkdir ${CATOP}/private + echo "00" > ${CATOP}/serial + touch ${CATOP}/index.txt + fi + if [ ! -f ${CATOP}/private/$CAKEY ]; then + echo "CA certificate filename (or enter to create)" + read FILE + + # ask user for existing CA certificate + if [ "$FILE" ]; then + cp $FILE ${CATOP}/private/$CAKEY + RET=$? + else + echo "Making CA certificate ..." + $REQ -new -keyout ${CATOP}/private/$CAKEY \ + -out ${CATOP}/$CAREQ + $CA -out ${CATOP}/$CACERT $CADAYS -batch \ + -keyfile ${CATOP}/private/$CAKEY -selfsign \ + -infiles ${CATOP}/$CAREQ + RET=$? + fi + fi + ;; +-xsign) + $CA -policy policy_anything -infiles newreq.pem + RET=$? + ;; +-sign|-signreq) + $CA -policy policy_anything -out newcert.pem -infiles newreq.pem + RET=$? + cat newcert.pem + echo "Signed certificate is in newcert.pem" + ;; +-signcert) + echo "Cert passphrase will be requested twice - bug?" + $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem + $CA -policy policy_anything -out newcert.pem -infiles tmp.pem + cat newcert.pem + echo "Signed certificate is in newcert.pem" + ;; +-verify) + shift + if [ -z "$1" ]; then + $VERIFY -CAfile $CATOP/$CACERT newcert.pem + RET=$? + else + for j + do + $VERIFY -CAfile $CATOP/$CACERT $j + if [ $? != 0 ]; then + RET=$? + fi + done + fi + exit 0 + ;; +*) + echo "Unknown arg $i"; + exit 1 + ;; +esac +done +exit $RET + |