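#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
# Environment:
#   OPENSSL        the openssl binary to run (default: openssl)
#   SSLEAY_CONFIG  extra arguments handed to 'req' and 'ca', e.g. a
#                  -config option, so the script can be driven non-interactively
#
# Exit status: the status of the last openssl command that ran (0 when
# none ran); -verify exits with the status of the verification.
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored

if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

DAYS="-days 365"
# These command strings are deliberately expanded unquoted at the call
# sites: SSLEAY_CONFIG and DAYS must word-split into separate arguments.
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"

CATOP=./demoCA
CAKEY=./cakey.pem
CACERT=./cacert.pem

# Status of the last openssl command, reported through 'exit' at the end.
# Initialised so that an option which runs no openssl command (or no
# option at all) exits 0 instead of handing 'exit' an empty argument.
RET=0

for i
do
case "$i" in
-\?|-h|-help)
    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
    exit 0
    ;;
-newcert)
    # create a self-signed certificate; key and certificate both go to newreq.pem
    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Certificate (and private key) is in newreq.pem"
    ;;
-newreq)
    # create a certificate request; key and request both go to newreq.pem
    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
-newca)
    # if explicitly asked for or it doesn't exist then setup the directory
    # structure that Eric likes to manage things
    # NEW is always set here, so the hierarchy is (re)created on every
    # -newca and the serial file is reset to 01 (unchanged from the original).
    NEW="1"
    if [ -n "$NEW" ] || [ ! -f "$CATOP/serial" ]; then
        # create the directory hierarchy
        mkdir "$CATOP"
        mkdir "$CATOP/certs"
        mkdir "$CATOP/crl"
        mkdir "$CATOP/newcerts"
        mkdir "$CATOP/private"
        # the CA private key is written here; keep it owner-only
        chmod 700 "$CATOP/private"
        echo "01" > "$CATOP/serial"
        touch "$CATOP/index.txt"
    fi
    if [ ! -f "$CATOP/private/$CAKEY" ]; then
        # NOTE: the prompt says "certificate", but the file named is copied
        # to the CA *key* path, so an existing CA key is what is used here.
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for existing CA certificate
        if [ -n "$FILE" ]; then
            cp -- "$FILE" "$CATOP/private/$CAKEY"
            RET=$?
        else
            echo "Making CA certificate ..."
            $REQ -new -x509 -keyout "$CATOP/private/$CAKEY" \
                -out "$CATOP/$CACERT" $DAYS
            RET=$?
        fi
    fi
    ;;
-xsign)
    # sign newreq.pem and write the certificate to stdout
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
-sign|-signreq)
    # sign newreq.pem into newcert.pem and show the result
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-signcert)
    # turn the certificate in newreq.pem back into a request (tmp.pem),
    # then sign that request with the CA
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    RET=$?
    # only sign when the conversion actually produced tmp.pem;
    # the original ignored this status and never set RET at all here
    if [ "$RET" -eq 0 ]; then
        $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
        RET=$?
        cat newcert.pem
        echo "Signed certificate is in newcert.pem"
    fi
    ;;
-verify)
    shift
    if [ -z "$1" ]; then
        $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
        RET=$?
    else
        for j
        do
            $VERIFY -CAfile "$CATOP/$CACERT" "$j"
            # capture the status before testing it: '$?' inside the 'if'
            # body is the status of the test itself, not of verify
            STATUS=$?
            if [ "$STATUS" -ne 0 ]; then
                RET=$STATUS
            fi
        done
    fi
    # propagate the verification result instead of always exiting 0,
    # so a driving script can tell a failed verification from success
    exit "$RET"
    ;;
*)
    echo "Unknown arg $i"
    exit 1
    ;;
esac
done
exit "$RET"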