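#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
# Environment:
#   OPENSSL        openssl binary to run (default: openssl)
#   SSLEAY_CONFIG  extra arguments appended to the req and ca commands
#                  (e.g. "-config FILE"); empty by default
#   DAYS           validity argument for issued certs (default: -days 365)
#   CATOP          CA directory (default: ./demoCA)
#
# Layout under $CATOP: private/cakey.pem (CA private key), cacert.pem,
# careq.pem, serial, index.txt, certs/, crl/, newcerts/.  The CA key is
# the one secret here; keep private/ and the key file readable by the CA
# operator only.
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename mismatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored

#######################################
# Copy the first PEM block whose armour mentions $3 from $1 to $2.
# Arguments: $1 - input PEM file (may contain several blocks)
#            $2 - output file; truncated when a BEGIN line is found,
#                 left untouched otherwise
#            $3 - word that must appear on the BEGIN/END line, e.g.
#                 PRIVATE or CERTIFICATE
# Returns:   0 when a complete BEGIN..END block was copied, 1 when the
#            input is unreadable, no block matched, or the END line is
#            missing (the partial copy is left in $2 in that last case)
#######################################
cp_pem() {
  cp_in=$1
  cp_out=$2
  cp_bound=$3
  cp_state=0   # 0: looking for BEGIN, 1: copying, 2: END copied
  [ -r "$cp_in" ] || return 1
  # Redirect only the loop.  The old "exec <$infile" replaced the
  # script's stdin for the rest of the run, so later prompts (passphrase,
  # "read FILE") were answered from the PEM file instead of the terminal.
  while IFS= read -r cp_line || [ -n "$cp_line" ]; do
    case $cp_state in
      0)
        case $cp_line in
          -----BEGIN*"$cp_bound"*)
            printf '%s\n' "$cp_line" >"$cp_out" || return 1
            cp_state=1
            ;;
        esac
        ;;
      1)
        printf '%s\n' "$cp_line" >>"$cp_out" || return 1
        case $cp_line in
          -----END*"$cp_bound"*)
            cp_state=2
            break
            ;;
        esac
        ;;
    esac
  done <"$cp_in"
  [ "$cp_state" -eq 2 ]
}

#######################################
# Print the command synopsis on stderr (lists every option the dispatch
# loop below understands).
#######################################
usage() {
  printf '%s\n' "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-xsign|-sign|-signCA|-signcert|-pkcs12 [name]|-verify [cert ...]" >&2
}

# ${VAR:=default} assigns when VAR is unset or empty, same as the old
# "if [ -z ... ]" guards.
: "${OPENSSL:=openssl}"

: "${DAYS:=-days 365}"   # 1 year
CADAYS="-days 1095"      # 3 years
# These hold a command plus its arguments and are expanded unquoted
# (word-split) wherever they are used.
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
# Was a hard-coded "openssl pkcs12": now honours $OPENSSL like the rest,
# so -pkcs12 cannot silently run a different binary than -newca/-sign.
PKCS12="$OPENSSL pkcs12"

: "${CATOP:=./demoCA}"
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
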
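RET=0

# $REQ, $CA, $VERIFY, $X509, $PKCS12, $DAYS and $CADAYS each hold a command
# or option plus its arguments and are expanded unquoted on purpose.
# shellcheck disable=SC2086
while [ "$1" != "" ]; do
  case $1 in
    -\?|-h|-help)
      usage
      exit 0
      ;;
    -newcert)
      # self-signed certificate plus a new private key
      $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
      RET=$?
      echo "Certificate is in newcert.pem, private key is in newkey.pem"
      ;;
    -newreq)
      # certificate request plus a new private key in its own file
      $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
      RET=$?
      echo "Request is in newreq.pem, private key is in newkey.pem"
      ;;
    -newreq-nodes)
      # -nodes: the key is written unencrypted, into the same file as the
      # request, so newreq.pem must be handled as a secret
      $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
      RET=$?
      echo "Request (and private key) is in newreq.pem"
      ;;
    -newca)
      # create the directory layout "openssl ca" expects (the old NEW="1"
      # guard was always true, so this has always run unconditionally)
      mkdir -p "${CATOP}" "${CATOP}/certs" "${CATOP}/crl" \
        "${CATOP}/newcerts" "${CATOP}/private"
      # private/ holds the CA key: keep it out of reach of other users
      chmod 700 "${CATOP}/private"
      touch "${CATOP}/index.txt"
      if [ ! -f "${CATOP}/private/$CAKEY" ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for existing CA certificate
        if [ "$FILE" ]; then
          # split the key and the certificate out of the supplied file
          cp_pem "$FILE" "${CATOP}/private/$CAKEY" PRIVATE
          cp_pem "$FILE" "${CATOP}/$CACERT" CERTIFICATE
          RET=$?
          [ -f "${CATOP}/private/$CAKEY" ] && chmod 600 "${CATOP}/private/$CAKEY"
          if [ ! -f "${CATOP}/serial" ]; then
            # a failure here used to be silently dropped
            $X509 -in "${CATOP}/$CACERT" -noout -next_serial \
              -out "${CATOP}/serial" || RET=$?
          fi
        else
          echo "Making CA certificate ..."
          $REQ -new -keyout "${CATOP}/private/$CAKEY" -out "${CATOP}/$CAREQ"
          RET=$?
          if [ "$RET" -eq 0 ]; then
            chmod 600 "${CATOP}/private/$CAKEY"
            # self-signed root with v3_ca extensions; -batch: no prompts
            $CA -create_serial -out "${CATOP}/$CACERT" $CADAYS -batch \
              -keyfile "${CATOP}/private/$CAKEY" -selfsign \
              -extensions v3_ca \
              -infiles "${CATOP}/$CAREQ"
            RET=$?
          fi
        fi
      fi
      ;;
    -xsign)
      # sign newreq.pem and write the certificate to stdout
      $CA -policy policy_anything -infiles newreq.pem
      RET=$?
      ;;
    -pkcs12)
      # bundle certificate, key and CA certificate; note the key is read
      # from newreq.pem (the -newreq-nodes layout), not from newkey.pem
      CNAME=${2:-"My Certificate"}
      $PKCS12 -in newcert.pem -inkey newreq.pem -certfile "${CATOP}/$CACERT" \
        -out newcert.p12 -export -name "$CNAME"
      RET=$?
      exit $RET
      ;;
    -sign|-signreq)
      # policy_anything (from the stock openssl.cnf) leaves every subject
      # field optional, so the CA does not constrain the requested DN;
      # review newreq.pem before signing
      $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
      RET=$?
      cat newcert.pem
      echo "Signed certificate is in newcert.pem"
      ;;
    -signCA)
      # like -sign but with v3_ca extensions: issues a subordinate CA
      $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
      RET=$?
      echo "Signed CA certificate is in newcert.pem"
      ;;
    -signcert)
      # convert the certificate in newreq.pem back into a request and
      # sign that; chained with && so a stale tmp.pem is never signed
      # when the conversion fails
      echo "Cert passphrase will be requested twice - bug?"
      $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem &&
        $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
      RET=$?
      cat newcert.pem
      echo "Signed certificate is in newcert.pem"
      ;;
    -verify)
      shift
      if [ -z "$1" ]; then
        $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
        RET=$?
      else
        # keep the status of the last failing verify; the old code read
        # $? after "[ $? != 0 ]" had already reset it, so RET stayed 0
        for j; do
          $VERIFY -CAfile "$CATOP/$CACERT" "$j" || RET=$?
        done
      fi
      exit $RET
      ;;
    *)
      # was "$i", a variable this script never sets
      echo "Unknown arg $1" >&2
      usage
      exit 1
      ;;
  esac
  shift
done
exit $RET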