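#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
# Environment variables honoured by this script:
#   OPENSSL        openssl binary to run (default: openssl)
#   SSLEAY_CONFIG  extra arguments appended to 'req' and 'ca' invocations,
#                  e.g. "-config /path/to/openssl.cnf"
#   DAYS           validity argument for requests/certificates
#                  (default: "-days 365")
#   CATOP          CA directory (default: ./demoCA)
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored

#######################################
# Copy the first PEM block whose BEGIN/END markers contain a given word
# out of a file into another file (markers included).
# Arguments:
#   $1 - input file
#   $2 - output file; overwritten when a matching BEGIN line is seen
#   $3 - word the markers must contain, e.g. PRIVATE or CERTIFICATE
# Outputs: diagnostics on stderr
# Returns: 0 if a block was copied, 1 if the input cannot be read or no
#          matching BEGIN line was found (the output file is then untouched)
#######################################
cp_pem() {
  cp_in=$1
  cp_out=$2
  cp_bound=$3
  cp_found=0

  if [ ! -r "$cp_in" ]; then
    printf '%s: cannot read %s\n' "$0" "$cp_in" >&2
    return 1
  fi

  # The input is redirected into the loop only; the original used
  # 'exec <file', which left the whole script's stdin pointing at the input.
  # '|| [ -n ... ]' keeps a final line that lacks a trailing newline.
  while IFS= read -r cp_line || [ -n "$cp_line" ]; do
    if [ "$cp_found" -eq 1 ]; then
      printf '%s\n' "$cp_line" >>"$cp_out"
      case $cp_line in
        -----END*"$cp_bound"*) break ;;
      esac
      continue
    fi
    # The first matching BEGIN line starts (and truncates) the output file.
    case $cp_line in
      -----BEGIN*"$cp_bound"*)
        printf '%s\n' "$cp_line" >"$cp_out"
        cp_found=1
        ;;
    esac
  done <"$cp_in"

  if [ "$cp_found" -eq 0 ]; then
    printf '%s: no %s block found in %s\n' "$0" "$cp_bound" "$cp_in" >&2
    return 1
  fi
  return 0
}

#######################################
# Print the command synopsis to stderr.
#######################################
usage() {
  printf 'usage: %s -newcert|-newreq|-newreq-nodes|-newca|-xsign|-sign|-signCA|-signcert|-pkcs12 [name]|-verify [cert...]\n' "$0" >&2
}

if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

if [ -z "$DAYS" ]; then DAYS="-days 365"; fi # 1 year
CADAYS="-days 1095"                          # 3 years
# The following hold a command plus its arguments and are deliberately
# expanded unquoted below so the shell splits them into separate words.
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
# Honour $OPENSSL here as well instead of a hard-coded 'openssl'.
PKCS12="$OPENSSL pkcs12"

if [ -z "$CATOP" ]; then CATOP=./demoCA; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem

# Exit status of the script; updated by each sub-command.
RET=0

while [ -n "${1:-}" ]; do
  case $1 in
    -\?|-h|-help)
      usage
      exit 0
      ;;
    -newcert)
      # create a self-signed certificate and a fresh private key
      $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
      RET=$?
      echo "Certificate is in newcert.pem, private key is in newkey.pem"
      ;;
    -newreq)
      # create a certificate request and a fresh (encrypted) private key
      $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
      RET=$?
      echo "Request is in newreq.pem, private key is in newkey.pem"
      ;;
    -newreq-nodes)
      # create a certificate request with an unencrypted key; both end up
      # in newreq.pem, which is the layout -pkcs12 below expects
      $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
      RET=$?
      echo "Request (and private key) is in newreq.pem"
      ;;
    -newca)
      # Set up the directory structure that Eric likes to manage things.
      # mkdir -p is idempotent, so this is safe on an existing ${CATOP};
      # the original's "only if new" guard was a constant-true test anyway.
      mkdir -p "${CATOP}"
      mkdir -p "${CATOP}/certs"
      mkdir -p "${CATOP}/crl"
      mkdir -p "${CATOP}/newcerts"
      mkdir -p "${CATOP}/private"
      # The CA private key lives here; keep the directory owner-only.
      chmod 700 "${CATOP}/private"
      touch "${CATOP}/index.txt"
      if [ ! -f "${CATOP}/private/$CAKEY" ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for existing CA certificate
        if [ -n "$FILE" ]; then
          cp_pem "$FILE" "${CATOP}/private/$CAKEY" PRIVATE
          cp_pem "$FILE" "${CATOP}/$CACERT" CERTIFICATE
          RET=$?
          if [ ! -f "${CATOP}/serial" ]; then
            $X509 -in "${CATOP}/$CACERT" -noout -next_serial \
              -out "${CATOP}/serial"
          fi
        else
          echo "Making CA certificate ..."
          $REQ -new -keyout "${CATOP}/private/$CAKEY" \
            -out "${CATOP}/$CAREQ"
          $CA -create_serial -out "${CATOP}/$CACERT" $CADAYS -batch \
            -keyfile "${CATOP}/private/$CAKEY" -selfsign \
            -extensions v3_ca \
            -infiles "${CATOP}/$CAREQ"
          RET=$?
        fi
      fi
      ;;
    -xsign)
      # sign newreq.pem and let ca write the result to its default output
      $CA -policy policy_anything -infiles newreq.pem
      RET=$?
      ;;
    -pkcs12)
      # optional second argument is the friendly name stored in the bundle
      if [ -z "${2:-}" ]; then
        CNAME="My Certificate"
      else
        CNAME="$2"
      fi
      # expects the private key in newreq.pem (as produced by -newreq-nodes)
      $PKCS12 -in newcert.pem -inkey newreq.pem -certfile "${CATOP}/$CACERT" \
        -out newcert.p12 -export -name "$CNAME"
      RET=$?
      exit $RET
      ;;
    -sign|-signreq)
      $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
      RET=$?
      cat newcert.pem
      echo "Signed certificate is in newcert.pem"
      ;;
    -signCA)
      # like -sign, but with the CA extensions so the result can itself sign
      $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
      RET=$?
      echo "Signed CA certificate is in newcert.pem"
      ;;
    -signcert)
      # convert an existing certificate back into a request, then sign it
      echo "Cert passphrase will be requested twice - bug?"
      $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
      $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
      RET=$?
      cat newcert.pem
      echo "Signed certificate is in newcert.pem"
      ;;
    -verify)
      shift
      if [ -z "${1:-}" ]; then
        $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
        RET=$?
      else
        # Verify every remaining argument; RET ends up as the status of the
        # last failing verification (the original tested $? twice and so
        # always stored 0).
        for j; do
          $VERIFY -CAfile "$CATOP/$CACERT" "$j" || RET=$?
        done
      fi
      exit $RET
      ;;
    *)
      # report the offending argument ($1; the original printed an unset $i)
      printf 'Unknown arg %s\n' "$1" >&2
      usage
      exit 1
      ;;
  esac
  shift
done
exit $RET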