CA.sh revision 55714 
1#!/bin/sh
2#
3# CA - wrapper around ca to make it easier to use ... basically ca requires
4#      some setup stuff to be done before you can use it and this makes
5#      things easier between now and when Eric is convinced to fix it :-)
6#
7# CA -newca ... will setup the right stuff
8# CA -newreq ... will generate a certificate request 
9# CA -sign ... will sign the generated request and output 
10#
11# At the end of that grab newreq.pem and newcert.pem (one has the key 
12# and the other the certificate) and cat them together and that is what
13# you want/need ... I'll make even this a little cleaner later.
14#
15#
16# 12-Jan-96 tjh    Added more things ... including CA -signcert which
17#                  converts a certificate to a request and then signs it.
18# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
19#		   environment variable so this can be driven from
20#		   a script.
21# 25-Jul-96 eay    Cleaned up filenames some more.
22# 11-Jun-96 eay    Fixed a few filename missmatches.
23# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
24# 18-Apr-96 tjh    Original hacking
25#
26# Tim Hudson
27# tjh@cryptsoft.com
28#
29
30# default openssl.cnf file has setup as per the following
31# demoCA ... where everything is stored
32
33DAYS="-days 365"
34REQ="openssl req $SSLEAY_CONFIG"
35CA="openssl ca $SSLEAY_CONFIG"
36VERIFY="openssl verify"
37X509="openssl x509"
38
39CATOP=./demoCA
40CAKEY=./cakey.pem
41CACERT=./cacert.pem
42
43for i
44do
45case $i in
46-\?|-h|-help)
47    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
48    exit 0
49    ;;
50-newcert) 
51    # create a certificate
52    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
53    RET=$?
54    echo "Certificate (and private key) is in newreq.pem"
55    ;;
56-newreq) 
57    # create a certificate request
58    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
59    RET=$?
60    echo "Request (and private key) is in newreq.pem"
61    ;;
62-newca)     
63    # if explictly asked for or it doesn't exist then setup the directory
64    # structure that Eric likes to manage things 
65    NEW="1"
66    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
67	# create the directory hierarchy
68	mkdir ${CATOP} 
69	mkdir ${CATOP}/certs 
70	mkdir ${CATOP}/crl 
71	mkdir ${CATOP}/newcerts
72	mkdir ${CATOP}/private
73	echo "01" > ${CATOP}/serial
74	touch ${CATOP}/index.txt
75    fi
76    if [ ! -f ${CATOP}/private/$CAKEY ]; then
77	echo "CA certificate filename (or enter to create)"
78	read FILE
79
80	# ask user for existing CA certificate
81	if [ "$FILE" ]; then
82	    cp $FILE ${CATOP}/private/$CAKEY
83	    RET=$?
84	else
85	    echo "Making CA certificate ..."
86	    $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \
87			   -out ${CATOP}/$CACERT $DAYS
88	    RET=$?
89	fi
90    fi
91    ;;
92-xsign)
93    $CA -policy policy_anything -infiles newreq.pem 
94    RET=$?
95    ;;
96-sign|-signreq) 
97    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
98    RET=$?
99    cat newcert.pem
100    echo "Signed certificate is in newcert.pem"
101    ;;
102-signcert) 
103    echo "Cert passphrase will be requested twice - bug?"
104    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
105    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
106    cat newcert.pem
107    echo "Signed certificate is in newcert.pem"
108    ;;
109-verify) 
110    shift
111    if [ -z "$1" ]; then
112	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
113	    RET=$?
114    else
115	for j
116	do
117	    $VERIFY -CAfile $CATOP/$CACERT $j
118	    if [ $? != 0 ]; then
119		    RET=$?
120	    fi
121	done
122    fi
123    exit 0
124    ;;
125*)
126    echo "Unknown arg $i";
127    exit 1
128    ;;
129esac
130done
131exit $RET
132
133