CA.sh revision 55714
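#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename mismatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# Usage: CA -newcert|-newreq|-newca|-xsign|-sign|-signreq|-signcert|-verify [file ...]
#
# Environment:
#   SSLEAY_CONFIG  extra arguments appended to 'openssl req' and 'openssl ca'
#                  (typically "-config <file>"). It is deliberately left
#                  unquoted below so that it word-splits into arguments;
#                  the same applies to $REQ, $CA, $VERIFY, $X509 and $DAYS.
#
# Exit status: the status of the last openssl command that was run
# (0 when no command ran, e.g. no arguments).

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored

DAYS="-days 365"
REQ="openssl req $SSLEAY_CONFIG"
CA="openssl ca $SSLEAY_CONFIG"
VERIFY="openssl verify"
X509="openssl x509"

CATOP=./demoCA
CAKEY=./cakey.pem
CACERT=./cacert.pem

# Status of the last openssl command. Initialised so that a run with no
# arguments does 'exit 0' rather than 'exit' with an empty operand.
RET=0

for i
do
case $i in
-\?|-h|-help)
    echo "usage: CA -newcert|-newreq|-newca|-xsign|-sign|-signreq|-signcert|-verify" >&2
    exit 0
    ;;
-newcert)
    # create a self-signed certificate; key and cert both land in newreq.pem
    # shellcheck disable=SC2086
    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Certificate (and private key) is in newreq.pem"
    ;;
-newreq)
    # create a certificate request; key and request both land in newreq.pem
    # shellcheck disable=SC2086
    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
-newca)
    # set up the directory structure that 'openssl ca' expects. mkdir -p
    # makes this safe to re-run on an existing ${CATOP}; serial and
    # index.txt are created only when missing, because rewriting serial
    # on an existing CA would restart the counter and lead to duplicate
    # certificate serial numbers.
    mkdir -p "${CATOP}" "${CATOP}/certs" "${CATOP}/crl" \
        "${CATOP}/newcerts" "${CATOP}/private"
    # the CA private key is written under private/; keep that directory
    # readable by the owner only
    chmod 700 "${CATOP}/private"
    [ -f "${CATOP}/serial" ] || echo "01" > "${CATOP}/serial"
    [ -f "${CATOP}/index.txt" ] || touch "${CATOP}/index.txt"
    if [ ! -f "${CATOP}/private/$CAKEY" ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for existing CA certificate
        if [ -n "$FILE" ]; then
            # NOTE: the prompt asks for a certificate, but the file is
            # copied to the CA *key* path; kept as in the original
            cp -- "$FILE" "${CATOP}/private/$CAKEY"
            RET=$?
        else
            echo "Making CA certificate ..."
            # shellcheck disable=SC2086
            $REQ -new -x509 -keyout "${CATOP}/private/$CAKEY" \
                -out "${CATOP}/$CACERT" $DAYS
            RET=$?
        fi
    fi
    ;;
-xsign)
    # sign newreq.pem, certificate written to stdout
    # shellcheck disable=SC2086
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
-sign|-signreq)
    # sign newreq.pem, certificate written to newcert.pem and echoed
    # shellcheck disable=SC2086
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-signcert)
    # convert an existing certificate (newreq.pem) back into a request,
    # then sign that request with the CA
    echo "Cert passphrase will be requested twice - bug?"
    # shellcheck disable=SC2086
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    # shellcheck disable=SC2086
    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    # record the signing status; the original left RET untouched here
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-verify)
    # 'shift' discards $1, not the -verify option itself, so as in the
    # original this only behaves as intended when -verify is the first
    # argument on the command line
    shift
    if [ -z "$1" ]; then
        # shellcheck disable=SC2086
        $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
        RET=$?
    else
        for j
        do
            # shellcheck disable=SC2086
            $VERIFY -CAfile "$CATOP/$CACERT" "$j"
            # capture the status before testing it: after '[ $? != 0 ]'
            # $? is the status of the test, not of openssl verify
            ST=$?
            if [ "$ST" != 0 ]; then
                RET=$ST
            fi
        done
    fi
    # report the verification result rather than an unconditional 0
    exit $RET
    ;;
*)
    echo "Unknown arg $i" >&2
    exit 1
    ;;
esac
done
exit $RET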