1241675Suqs#!/bin/sh 2241675Suqs# 3241675Suqs# CA - wrapper around ca to make it easier to use ... basically ca requires 4241675Suqs# some setup stuff to be done before you can use it and this makes 5241675Suqs# things easier between now and when Eric is convinced to fix it :-) 6241675Suqs# 7241675Suqs# CA -newca ... will setup the right stuff 8241675Suqs# CA -newreq ... will generate a certificate request 9241675Suqs# CA -sign ... will sign the generated request and output 10241675Suqs# 11241675Suqs# At the end of that grab newreq.pem and newcert.pem (one has the key 12241675Suqs# and the other the certificate) and cat them together and that is what 13241675Suqs# you want/need ... I'll make even this a little cleaner later. 14241675Suqs# 15241675Suqs# 16241675Suqs# 12-Jan-96 tjh Added more things ... including CA -signcert which 17241675Suqs# converts a certificate to a request and then signs it. 18241675Suqs# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG 19241675Suqs# environment variable so this can be driven from 20241675Suqs# a script. 21241675Suqs# 25-Jul-96 eay Cleaned up filenames some more. 22241675Suqs# 11-Jun-96 eay Fixed a few filename missmatches. 23241675Suqs# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. 24241675Suqs# 18-Apr-96 tjh Original hacking 25241675Suqs# 26241675Suqs# Tim Hudson 27241675Suqs# tjh@cryptsoft.com 28241675Suqs# 29241675Suqs 30241675Suqs# default openssl.cnf file has setup as per the following 31241675Suqs# demoCA ... where everything is stored 32241675Suqscp_pem() { 33241675Suqs infile=$1 34241675Suqs outfile=$2 35241675Suqs bound=$3 36241675Suqs flag=0 37241675Suqs exec <$infile; 38241675Suqs while read line; do 39241675Suqs if [ $flag -eq 1 ]; then 40241675Suqs echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null 41241675Suqs if [ $? -eq 0 ] ; then 42241675Suqs echo $line >>$outfile 43241675Suqs break 44241675Suqs else 45241675Suqs echo $line >>$outfile 46241675Suqs fi 47241675Suqs fi 48241675Suqs 49241675Suqs echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null 50241675Suqs if [ $? -eq 0 ]; then 51241675Suqs echo $line >$outfile 52241675Suqs flag=1 53241675Suqs fi 54241675Suqs done 55241675Suqs} 56241675Suqs 57241675Suqsusage() { 58241675Suqs echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 59241675Suqs} 60241675Suqs 61241675Suqsif [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi 62241675Suqs 63241675Suqsif [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year 64CADAYS="-days 1095" # 3 years 65REQ="$OPENSSL req $SSLEAY_CONFIG" 66CA="$OPENSSL ca $SSLEAY_CONFIG" 67VERIFY="$OPENSSL verify" 68X509="$OPENSSL x509" 69PKCS12="openssl pkcs12" 70 71if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi 72CAKEY=./cakey.pem 73CAREQ=./careq.pem 74CACERT=./cacert.pem 75 76RET=0 77 78while [ "$1" != "" ] ; do 79case $1 in 80-\?|-h|-help) 81 usage 82 exit 0 83 ;; 84-newcert) 85 # create a certificate 86 $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS 87 RET=$? 88 echo "Certificate is in newcert.pem, private key is in newkey.pem" 89 ;; 90-newreq) 91 # create a certificate request 92 $REQ -new -keyout newkey.pem -out newreq.pem $DAYS 93 RET=$? 94 echo "Request is in newreq.pem, private key is in newkey.pem" 95 ;; 96-newreq-nodes) 97 # create a certificate request 98 $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS 99 RET=$? 100 echo "Request (and private key) is in newreq.pem" 101 ;; 102-newca) 103 # if explicitly asked for or it doesn't exist then setup the directory 104 # structure that Eric likes to manage things 105 NEW="1" 106 if [ "$NEW" -o ! -f ${CATOP}/serial ]; then 107 # create the directory hierarchy 108 mkdir -p ${CATOP} 109 mkdir -p ${CATOP}/certs 110 mkdir -p ${CATOP}/crl 111 mkdir -p ${CATOP}/newcerts 112 mkdir -p ${CATOP}/private 113 touch ${CATOP}/index.txt 114 fi 115 if [ ! -f ${CATOP}/private/$CAKEY ]; then 116 echo "CA certificate filename (or enter to create)" 117 read FILE 118 119 # ask user for existing CA certificate 120 if [ "$FILE" ]; then 121 cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE 122 cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE 123 RET=$? 124 if [ ! -f "${CATOP}/serial" ]; then 125 $X509 -in ${CATOP}/$CACERT -noout -next_serial \ 126 -out ${CATOP}/serial 127 fi 128 else 129 echo "Making CA certificate ..." 130 $REQ -new -keyout ${CATOP}/private/$CAKEY \ 131 -out ${CATOP}/$CAREQ 132 $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ 133 -keyfile ${CATOP}/private/$CAKEY -selfsign \ 134 -extensions v3_ca \ 135 -infiles ${CATOP}/$CAREQ 136 RET=$? 137 fi 138 fi 139 ;; 140-xsign) 141 $CA -policy policy_anything -infiles newreq.pem 142 RET=$? 143 ;; 144-pkcs12) 145 if [ -z "$2" ] ; then 146 CNAME="My Certificate" 147 else 148 CNAME="$2" 149 fi 150 $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ 151 -out newcert.p12 -export -name "$CNAME" 152 RET=$? 153 exit $RET 154 ;; 155-sign|-signreq) 156 $CA -policy policy_anything -out newcert.pem -infiles newreq.pem 157 RET=$? 158 cat newcert.pem 159 echo "Signed certificate is in newcert.pem" 160 ;; 161-signCA) 162 $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem 163 RET=$? 164 echo "Signed CA certificate is in newcert.pem" 165 ;; 166-signcert) 167 echo "Cert passphrase will be requested twice - bug?" 168 $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem 169 $CA -policy policy_anything -out newcert.pem -infiles tmp.pem 170 RET=$? 171 cat newcert.pem 172 echo "Signed certificate is in newcert.pem" 173 ;; 174-verify) 175 shift 176 if [ -z "$1" ]; then 177 $VERIFY -CAfile $CATOP/$CACERT newcert.pem 178 RET=$? 179 else 180 for j 181 do 182 $VERIFY -CAfile $CATOP/$CACERT $j 183 if [ $? != 0 ]; then 184 RET=$? 185 fi 186 done 187 fi 188 exit $RET 189 ;; 190*) 191 echo "Unknown arg $i" >&2 192 usage 193 exit 1 194 ;; 195esac 196shift 197done 198exit $RET 199