CA.sh revision 55714
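#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
# Environment:
#   SSLEAY_CONFIG  optional extra arguments (typically a -config option)
#                  appended, word-split, to every "openssl req" and
#                  "openssl ca" invocation.
#
# Exit status: the status of the last openssl command that ran, or 0 when
# no argument caused one to run. -verify exits directly with its result.
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored

DAYS="-days 365"
# Command-plus-arguments strings. They are deliberately expanded UNQUOTED
# below so that they word-split into the command and its options.
REQ="openssl req $SSLEAY_CONFIG"
CA="openssl ca $SSLEAY_CONFIG"
VERIFY="openssl verify"
X509="openssl x509"

CATOP=./demoCA
CAKEY=./cakey.pem
CACERT=./cacert.pem

# Status of the last openssl command. Initialised so that 'exit $RET' at the
# bottom is well-defined even when no argument set it (e.g. no arguments).
RET=0

for i
do
case "$i" in
-\?|-h|-help)
  echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
  exit 0
  ;;
-newcert)
  # create a self-signed certificate; the private key and the certificate
  # are both written to newreq.pem
  $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
  RET=$?
  echo "Certificate (and private key) is in newreq.pem"
  ;;
-newreq)
  # create a certificate request; the private key and the request are
  # both written to newreq.pem
  $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
  RET=$?
  echo "Request (and private key) is in newreq.pem"
  ;;
-newca)
  # if explictly asked for or it doesn't exist then setup the directory
  # structure that Eric likes to manage things
  NEW="1"
  if [ "$NEW" ] || [ ! -f "${CATOP}/serial" ]; then
    # create the directory hierarchy.
    # NOTE: private/ is where the CA key ends up; it is created with the
    # caller's umask, so run this with a restrictive umask.
    mkdir "${CATOP}"
    mkdir "${CATOP}/certs"
    mkdir "${CATOP}/crl"
    mkdir "${CATOP}/newcerts"
    mkdir "${CATOP}/private"
    echo "01" > "${CATOP}/serial"
    touch "${CATOP}/index.txt"
  fi
  if [ ! -f "${CATOP}/private/$CAKEY" ]; then
    echo "CA certificate filename (or enter to create)"
    # -r: keep backslashes in the typed path literal
    read -r FILE

    # ask user for existing CA certificate
    # NOTE: despite the prompt wording, the named file is copied to the
    # CA *key* location (private/$CAKEY), not to the certificate location.
    if [ "$FILE" ]; then
      cp "$FILE" "${CATOP}/private/$CAKEY"
      RET=$?
    else
      echo "Making CA certificate ..."
      $REQ -new -x509 -keyout "${CATOP}/private/$CAKEY" \
        -out "${CATOP}/$CACERT" $DAYS
      RET=$?
    fi
  fi
  ;;
-xsign)
  # sign newreq.pem with the ca policy section 'policy_anything'; the
  # signed certificate goes to stdout
  $CA -policy policy_anything -infiles newreq.pem
  RET=$?
  ;;
-sign|-signreq)
  $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
  RET=$?
  cat newcert.pem
  echo "Signed certificate is in newcert.pem"
  ;;
-signcert)
  echo "Cert passphrase will be requested twice - bug?"
  # turn the certificate in newreq.pem back into a request, signed with the
  # key also held in newreq.pem, then have the CA sign that request
  $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
  $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
  RET=$?
  cat newcert.pem
  echo "Signed certificate is in newcert.pem"
  ;;
-verify)
  # assumes -verify was the first argument: shift drops $1 and whatever
  # names follow are the certificates to verify
  shift
  if [ -z "$1" ]; then
    $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
    RET=$?
  else
    for j
    do
      # '|| RET=$?' records the verify status itself; testing $? after a
      # '[ ... ]' would only ever see the status of the test command
      $VERIFY -CAfile "$CATOP/$CACERT" "$j" || RET=$?
    done
  fi
  # propagate a verification failure to the caller rather than exiting 0
  exit $RET
  ;;
*)
  echo "Unknown arg $i";
  exit 1
  ;;
esac
done
exit $RET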