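#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
#               converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
#               environment variable so this can be driven from
#               a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename mismatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
#
# Environment:
#   OPENSSL        binary to run (default: openssl)
#   SSLEAY_CONFIG  extra arguments handed to 'req' and 'ca' (e.g. a -config)
#
# Options are processed left to right; -verify consumes every argument
# that follows it.  The exit status is that of the last openssl command
# that was run (0 if none was run).

if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

DAYS="-days 365"        # 1 year
CADAYS="-days 1095"     # 3 years
# These variables hold whole command lines and are deliberately expanded
# unquoted below so the shell splits them into words (POSIX sh, no arrays).
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"

CATOP=./demoCA
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem

# Exit status of the last openssl command; reported by the final 'exit'.
# Initialised so that 'exit $RET' is well-defined when no option ran one.
RET=0

# A while/shift loop (rather than 'for i') so that -verify can consume the
# arguments after it; a 'shift' inside 'for i' would not affect the list
# that loop is already iterating over.
while [ $# -gt 0 ]
do
i=$1
shift
case $i in
-\?|-h|-help)
    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
    exit 0
    ;;
-newcert)
    # create a self-signed certificate
    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
-newreq)
    # create a certificate request
    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
-newca)
    # set up the directory structure that Eric likes to manage things
    # if it is not there yet.  serial and index.txt are only created when
    # missing: resetting the serial of a CA that has already issued
    # certificates would make it hand out duplicate serial numbers.
    mkdir -p "${CATOP}" "${CATOP}/certs" "${CATOP}/crl" \
        "${CATOP}/newcerts" "${CATOP}/private"
    # the CA private key lives here; keep it readable by the owner only
    chmod 700 "${CATOP}/private"
    if [ ! -f "${CATOP}/serial" ]; then
        echo "00" > "${CATOP}/serial"
    fi
    if [ ! -f "${CATOP}/index.txt" ]; then
        touch "${CATOP}/index.txt"
    fi
    if [ ! -f "${CATOP}/private/$CAKEY" ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for existing CA certificate
        # NOTE(review): the prompt asks for a certificate but the file is
        # stored as the CA key ($CAKEY) - confirm which file is expected.
        if [ "$FILE" ]; then
            cp -- "$FILE" "${CATOP}/private/$CAKEY"
            RET=$?
        else
            echo "Making CA certificate ..."
            $REQ -new -keyout "${CATOP}/private/$CAKEY" \
                -out "${CATOP}/$CAREQ"
            RET=$?
            # do not try to self-sign a request that was never written
            if [ "$RET" = 0 ]; then
                $CA -out "${CATOP}/$CACERT" $CADAYS -batch \
                    -keyfile "${CATOP}/private/$CAKEY" -selfsign \
                    -infiles "${CATOP}/$CAREQ"
                RET=$?
            fi
        fi
    fi
    ;;
-xsign)
    # sign newreq.pem and write the certificate to stdout
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
-sign|-signreq)
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    # only show newcert.pem when this run actually produced it; a stale
    # file from an earlier run would otherwise be reported as signed
    if [ "$RET" = 0 ]; then
        cat newcert.pem
        echo "Signed certificate is in newcert.pem"
    else
        echo "Signing newreq.pem failed" >&2
    fi
    ;;
-signcert)
    # convert the certificate in newreq.pem back into a request, then sign it
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    RET=$?
    if [ "$RET" = 0 ]; then
        $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
        RET=$?
    fi
    if [ "$RET" = 0 ]; then
        cat newcert.pem
        echo "Signed certificate is in newcert.pem"
    else
        echo "Signing newreq.pem failed" >&2
    fi
    ;;
-verify)
    # everything after -verify is a file to check against the CA cert
    if [ $# = 0 ]; then
        $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
        RET=$?
    else
        for j
        do
            $VERIFY -CAfile "$CATOP/$CACERT" "$j"
            # capture the status before any test clobbers $?
            j_rc=$?
            if [ "$j_rc" != 0 ]; then
                RET=$j_rc
            fi
        done
    fi
    # report the verification result rather than an unconditional 0 so a
    # driving script can tell a failed verification apart from success
    exit $RET
    ;;
*)
    echo "Unknown arg $i" >&2
    exit 1
    ;;
esac
done
exit $RET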