1 #!/bin/sh 2 # 3 # CA - wrapper around ca to make it easier to use ... basically ca requires 4 # some setup stuff to be done before you can use it and this makes 5 # things easier between now and when Eric is convinced to fix it :-) 6 # 7 # CA -newca ... will setup the right stuff 8 # CA -newreq ... will generate a certificate request 9 # CA -sign ... will sign the generated request and output 10 # 11 # At the end of that grab newreq.pem and newcert.pem (one has the key 12 # and the other the certificate) and cat them together and that is what 13 # you want/need ... I'll make even this a little cleaner later. 14 # 15 # 16 # 12-Jan-96 tjh Added more things ... including CA -signcert which 17 # converts a certificate to a request and then signs it. 18 # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG 19 # environment variable so this can be driven from 20 # a script. 21 # 25-Jul-96 eay Cleaned up filenames some more. 22 # 11-Jun-96 eay Fixed a few filename missmatches. 23 # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. 24 # 18-Apr-96 tjh Original hacking 25 # 26 # Tim Hudson 27 # tjh (at] cryptsoft.com 28 # 29 30 # default openssl.cnf file has setup as per the following 31 # demoCA ... where everything is stored 32 cp_pem() { 33 infile=$1 34 outfile=$2 35 bound=$3 36 flag=0 37 exec <$infile; 38 while read line; do 39 if [ $flag -eq 1 ]; then 40 echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null 41 if [ $? -eq 0 ] ; then 42 echo $line >>$outfile 43 break 44 else 45 echo $line >>$outfile 46 fi 47 fi 48 49 echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null 50 if [ $? -eq 0 ]; then 51 echo $line >$outfile 52 flag=1 53 fi 54 done 55 } 56 57 usage() { 58 echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 59 } 60 61 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi 62 63 if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year 64 CADAYS="-days 1095" # 3 years 65 REQ="$OPENSSL req $SSLEAY_CONFIG" 66 CA="$OPENSSL ca $SSLEAY_CONFIG" 67 VERIFY="$OPENSSL verify" 68 X509="$OPENSSL x509" 69 PKCS12="openssl pkcs12" 70 71 if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi 72 CAKEY=./cakey.pem 73 CAREQ=./careq.pem 74 CACERT=./cacert.pem 75 76 RET=0 77 78 while [ "$1" != "" ] ; do 79 case $1 in 80 -\?|-h|-help) 81 usage 82 exit 0 83 ;; 84 -newcert) 85 # create a certificate 86 $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS 87 RET=$? 88 echo "Certificate is in newcert.pem, private key is in newkey.pem" 89 ;; 90 -newreq) 91 # create a certificate request 92 $REQ -new -keyout newkey.pem -out newreq.pem $DAYS 93 RET=$? 94 echo "Request is in newreq.pem, private key is in newkey.pem" 95 ;; 96 -newreq-nodes) 97 # create a certificate request 98 $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS 99 RET=$? 100 echo "Request (and private key) is in newreq.pem" 101 ;; 102 -newca) 103 # if explicitly asked for or it doesn't exist then setup the directory 104 # structure that Eric likes to manage things 105 NEW="1" 106 if [ "$NEW" -o ! -f ${CATOP}/serial ]; then 107 # create the directory hierarchy 108 mkdir -p ${CATOP} 109 mkdir -p ${CATOP}/certs 110 mkdir -p ${CATOP}/crl 111 mkdir -p ${CATOP}/newcerts 112 mkdir -p ${CATOP}/private 113 touch ${CATOP}/index.txt 114 fi 115 if [ ! -f ${CATOP}/private/$CAKEY ]; then 116 echo "CA certificate filename (or enter to create)" 117 read FILE 118 119 # ask user for existing CA certificate 120 if [ "$FILE" ]; then 121 cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE 122 cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE 123 RET=$? 124 if [ ! -f "${CATOP}/serial" ]; then 125 $X509 -in ${CATOP}/$CACERT -noout -next_serial \ 126 -out ${CATOP}/serial 127 fi 128 else 129 echo "Making CA certificate ..." 130 $REQ -new -keyout ${CATOP}/private/$CAKEY \ 131 -out ${CATOP}/$CAREQ 132 $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ 133 -keyfile ${CATOP}/private/$CAKEY -selfsign \ 134 -extensions v3_ca \ 135 -infiles ${CATOP}/$CAREQ 136 RET=$? 137 fi 138 fi 139 ;; 140 -xsign) 141 $CA -policy policy_anything -infiles newreq.pem 142 RET=$? 143 ;; 144 -pkcs12) 145 if [ -z "$2" ] ; then 146 CNAME="My Certificate" 147 else 148 CNAME="$2" 149 fi 150 $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ 151 -out newcert.p12 -export -name "$CNAME" 152 RET=$? 153 exit $RET 154 ;; 155 -sign|-signreq) 156 $CA -policy policy_anything -out newcert.pem -infiles newreq.pem 157 RET=$? 158 cat newcert.pem 159 echo "Signed certificate is in newcert.pem" 160 ;; 161 -signCA) 162 $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem 163 RET=$? 164 echo "Signed CA certificate is in newcert.pem" 165 ;; 166 -signcert) 167 echo "Cert passphrase will be requested twice - bug?" 168 $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem 169 $CA -policy policy_anything -out newcert.pem -infiles tmp.pem 170 RET=$? 171 cat newcert.pem 172 echo "Signed certificate is in newcert.pem" 173 ;; 174 -verify) 175 shift 176 if [ -z "$1" ]; then 177 $VERIFY -CAfile $CATOP/$CACERT newcert.pem 178 RET=$? 179 else 180 for j 181 do 182 $VERIFY -CAfile $CATOP/$CACERT $j 183 if [ $? != 0 ]; then 184 RET=$? 185 fi 186 done 187 fi 188 exit $RET 189 ;; 190 *) 191 echo "Unknown arg $i" >&2 192 usage 193 exit 1 194 ;; 195 esac 196 shift 197 done 198 exit $RET 199
