]>
Commit | Line | Data |
---|---|---|
6d50f87a MG |
1 | #!/bin/bash -e |
2 | # | |
3 | # Generate a root CA cert for signing, and then a subject cert. | |
4 | # Usage: make-certs.sh hostname [user[@domain]] [more ...] | |
5 | # For testing only, probably still has some bugs in it. | |
6 | # | |
7 | ||
8 | DOMAIN=xn--u4h.net | |
9 | DAYS=365 | |
10 | KEYTYPE=RSA | |
11 | KEYSIZE=2048 | |
12 | DIGEST=SHA256 | |
13 | CRLHOURS=24 | |
14 | CRLDAYS= | |
15 | ||
16 | # Cleanup temporary files at exit. | |
17 | touch openssl.cnf | |
18 | newcertdir=`mktemp -d` | |
19 | cleanup() { | |
20 | test -f openssl.cnf && rm -f openssl.cnf | |
21 | test -f ca.txt && rm -f ca.txt | |
22 | test -f ocsp.txt && rm -f ocsp.txt | |
23 | test -n "$newcertdir" && rm -fr "$newcertdir" | |
24 | } | |
25 | trap cleanup EXIT | |
26 | ||
27 | # The first argument is either a common name value or a flag indicating that | |
28 | # we're doing something other than issuing a cert. | |
29 | commonname="$1" | |
30 | refresh_crl=false | |
31 | revoke_cert=false | |
32 | ocsp_serve=false | |
33 | if test "x$commonname" = "x-refresh-crl" ; then | |
34 | refresh_crl=true | |
35 | commonname="$1" | |
36 | fi | |
37 | if test "x$commonname" = "x-refresh_crl" ; then | |
38 | refresh_crl=true | |
39 | commonname="$1" | |
40 | fi | |
41 | if test "x$commonname" = "x-revoke" ; then | |
42 | revoke_cert=true | |
43 | shift | |
44 | commonname="$1" | |
45 | fi | |
46 | if test "x$commonname" = "x-ocsp" ; then | |
47 | ocsp_serve=true | |
48 | commonname="$1" | |
49 | fi | |
50 | if test "x$commonname" = x ; then | |
51 | echo Usage: `basename $0` 'commonname' user'[@domain]' '[more [...]]' | |
52 | echo Usage: `basename $0` -revoke 'commonname' | |
53 | echo Usage: `basename $0` -ocsp | |
54 | echo Usage: `basename $0` -refresh-crl | |
55 | echo More: | |
56 | echo -e \\tKey usage: "[sign|signing|encrypt|encryption|all]" | |
57 | echo -e \\tAuthority Access Info OCSP responder: "ocsp:URI" | |
58 | echo -e \\tCRL distribution point: "crl:URI" | |
59 | echo -e \\tSubject Alternative Name: | |
60 | echo -e \\t\\tHostname: "*" | |
61 | echo -e \\t\\tIP address: w.x.y.z | |
62 | echo -e \\t\\tEmail address: "*@*.com/edu/net/org/local" | |
63 | echo -e \\t\\tKerberos principal name: "*@*.COM/EDU/NET/ORG/LOCAL" | |
64 | echo -e \\tExtended key usage: | |
65 | echo -e \\t\\t1.... | |
66 | echo -e \\t\\t2.... | |
67 | echo -e \\t\\tid-kp-server-auth \| tls-server | |
68 | echo -e \\t\\tid-kp-client-auth \| tls-client | |
69 | echo -e \\t\\tid-kp-email-protection \| email | |
70 | echo -e \\t\\tid-ms-kp-sc-logon \| id-ms-sc-logon | |
71 | echo -e \\t\\tid-pkinit-kp-client-auth \| id-pkinit-client | |
72 | echo -e \\t\\tid-pkinit-kp-kdc \| id-pkinit-kdc | |
73 | echo -e \\t\\tca \| CA | |
74 | exit 1 | |
75 | fi | |
76 | ||
77 | # Choose a user name part for email attributes. | |
78 | GIVENUSER=$2 | |
79 | test x"$GIVENUSER" = x && GIVENUSER=$USER | |
80 | echo "$GIVENUSER" | grep -q @ || GIVENUSER="$GIVENUSER"@$DOMAIN | |
81 | DOMAIN=`echo "$GIVENUSER" | cut -f2- -d@` | |
82 | ||
83 | shift || true | |
84 | shift || true | |
85 | ||
86 | # Done already? | |
87 | done=: | |
88 | ||
89 | keygen() { | |
90 | case "$KEYTYPE" in | |
91 | DSA) | |
92 | openssl dsaparam -out "$1".param $KEYSIZE | |
93 | openssl gendsa "$1".param | |
94 | ;; | |
95 | RSA|*) | |
96 | #openssl genrsa $KEYSIZE -passout pass:qweqwe | |
97 | openssl genrsa $KEYSIZE | |
98 | #openssl genrsa $KEYSIZE -nodes | |
99 | ;; | |
100 | esac | |
101 | } | |
102 | ||
103 | # Set some defaults. | |
104 | CA=FALSE | |
105 | if test -s ca.crldp.uri.txt ; then | |
106 | crlval="`cat ca.crldp.uri.txt`" | |
107 | crl="URI:$crlval" | |
108 | fi | |
109 | if test -s ca.ocsp.uri.txt ; then | |
110 | aiaval="`cat ca.ocsp.uri.txt`" | |
111 | aia="OCSP;URI:$aiaval" | |
112 | fi | |
113 | if test -s ca.domain.txt ; then | |
114 | domval="`cat ca.domain.txt`" | |
115 | if test -n "$domval" ; then | |
116 | DOMAIN="$domval" | |
117 | fi | |
118 | fi | |
119 | ||
120 | # Parse the arguments which indicate what sort of information we want. | |
121 | while test $# -gt 0 ; do | |
122 | type= | |
123 | value="$1" | |
124 | case "$value" in | |
125 | RSA|rsa) | |
126 | KEYTYPE=RSA | |
127 | ;; | |
128 | DSA|dsa) | |
129 | KEYTYPE=DSA | |
130 | ;; | |
131 | OCSP:*|ocsp:*) | |
132 | aiaval=`echo "$value" | cut -f2- -d:` | |
133 | aia="OCSP;URI:$aiaval" | |
134 | ;; | |
135 | CRL:*|crl:*) | |
136 | crlval=`echo "$value" | cut -f2- -d:` | |
137 | crl="URI:$crlval" | |
138 | ;; | |
139 | signing|sign) | |
140 | keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature" | |
141 | ;; | |
142 | encryption|encrypt) | |
143 | keyusage="${keyusage:+${keyusage},}keyEncipherment,dataEncipherment" | |
144 | ;; | |
145 | all) | |
146 | keyusage="digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly" | |
147 | ;; | |
148 | ca|CA) | |
149 | CA=TRUE | |
150 | keyusage="${keyusage:+${keyusage},}nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign" | |
151 | ;; | |
152 | 1.*|2.*|id-*|tls-*|email|mail|codesign) | |
153 | ekuval=`echo "$value" | tr '[A-Z]' '[a-z]' | sed 's,\-,,g'` | |
154 | case "$ekuval" in | |
155 | idkpserverauth|tlsserver) ekuval=1.3.6.1.5.5.7.3.1;; | |
156 | idkpclientauth|tlsclient) ekuval=1.3.6.1.5.5.7.3.2;; | |
157 | idkpemailprotection|email|mail) ekuval=1.3.6.1.5.5.7.3.4;; | |
158 | idkpcodesign|codesign) ekuval=1.3.6.1.5.5.7.3.3;; | |
159 | idmskpsclogon|idmssclogon) ekuval=1.3.6.1.4.1.311.20.2.2;; | |
160 | idpkinitkpclientauth|idpkinitclient) ekuval=1.3.6.1.5.2.3.4;; | |
161 | idpkinitkpkdc|idpkinitkdc) ekuval=1.3.6.1.5.2.3.5;; | |
162 | esac | |
163 | if test -z "$eku" ; then | |
164 | eku="$ekuval" | |
165 | else | |
166 | eku="$eku,$ekuval" | |
167 | fi | |
168 | ;; | |
169 | *@*.COM|*@*.EDU|*@*.NET|*@*.ORG|*@*.LOCAL) | |
170 | luser=`echo "$value" | tr '[A-Z]' '[a-z]'` | |
171 | if test "$luser" = "$value" ; then | |
172 | luser= | |
173 | fi | |
174 | type="otherName:1.3.6.1.5.2.2;SEQUENCE:$value,${luser:+otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${luser},}otherName:1.3.6.1.4.1.311.20.2.3;UTF8" | |
175 | unset luser | |
176 | principals="$principals $value" | |
177 | ;; | |
178 | *@*.com|*@*.edu|*@*.net|*@*.org|*@*.local) type=email;; | |
179 | [0-9]*.[0-9]*.[0-9]*.[0-9]*) type=IP;; | |
180 | *) type=DNS;; | |
181 | esac | |
182 | if test -n "$type" ; then | |
183 | newvalue="${type}:$value" | |
184 | if test -z "$altnames" ; then | |
185 | altnames="${newvalue}" | |
186 | else | |
187 | altnames="${altnames},${newvalue}" | |
188 | fi | |
189 | fi | |
190 | shift | |
191 | done | |
192 | ||
193 | # Build the configuration file, including bits on how to construct the CA | |
194 | # certificate, an OCSP responder certificate, and the issued certificate. | |
195 | cat > openssl.cnf <<- EOF | |
196 | [ca] | |
197 | default_ca = issuer | |
198 | ||
199 | [issuer] | |
200 | private_key = `pwd`/ca.key | |
201 | certificate = `pwd`/ca.crt | |
202 | database = `pwd`/ca.db | |
203 | serial = `pwd`/ca.srl | |
204 | default_md = $DIGEST | |
205 | new_certs_dir = $newcertdir | |
206 | policy = no_policy | |
207 | ||
208 | [no_policy] | |
209 | ||
210 | [req_oids] | |
211 | domainComponent = 0.9.2342.19200300.100.1.25 | |
212 | ||
213 | [req_ca] | |
214 | prompt = no | |
215 | oid_section = req_oids | |
216 | distinguished_name = req_ca_name | |
217 | default_md = $DIGEST | |
218 | subjectKeyIdentifier=hash | |
219 | ||
220 | [req_ca_name] | |
221 | C=US | |
222 | #stateOrProvinceName=SomeState | |
223 | localityName=SomeCity | |
224 | O=SomeOrg | |
225 | EOF | |
226 | #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf | |
227 | cat >> openssl.cnf <<- EOF | |
228 | #commonName = Test Certifying CA | |
229 | ||
230 | [v3_ca] | |
231 | subjectKeyIdentifier=hash | |
232 | authorityKeyIdentifier=keyid:always | |
233 | #authorityKeyIdentifier=keyid:always,issuer:always | |
234 | keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign | |
235 | basicConstraints=critical,CA:TRUE | |
236 | nsComment="Testing CA Certificate" | |
237 | EOF | |
238 | if test -n "$aia" ; then | |
239 | echo "authorityInfoAccess = ${aia}" >> openssl.cnf | |
240 | echo -n "$aiaval" > ca.ocsp.uri.txt | |
241 | fi | |
242 | if test -n "$crl" ; then | |
243 | echo "crlDistributionPoints = ${crl}" >> openssl.cnf | |
244 | echo -n "$crlval" > ca.crldp.uri.txt | |
245 | fi | |
246 | echo "$DOMAIN" > ca.domain.txt | |
247 | cat >> openssl.cnf <<- EOF | |
248 | ||
249 | [req_ocsp] | |
250 | prompt = no | |
251 | oid_section = req_oids | |
252 | distinguished_name = req_ocsp_name | |
253 | default_md = $DIGEST | |
254 | ||
255 | [req_ocsp_name] | |
256 | C=US | |
257 | #stateOrProvinceName=SomeState | |
258 | localityName=SomeOrg | |
259 | O=SomeOrg | |
260 | EOF | |
261 | #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf | |
262 | cat >> openssl.cnf <<- EOF | |
263 | #commonName = OCSP Signer for Test Certifying CA | |
264 | ||
265 | [v3_ocsp] | |
266 | subjectKeyIdentifier=hash | |
267 | #authorityKeyIdentifier=keyid:always,issuer:always | |
268 | authorityKeyIdentifier=keyid:always | |
269 | keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign | |
270 | extendedKeyUsage=1.3.6.1.5.5.7.3.9 | |
271 | #basicConstraints=CA:FALSE | |
272 | basicConstraints=CA:TRUE | |
273 | nsComment="Testing OCSP Certificate" | |
274 | 1.3.6.1.5.5.7.48.1.5=ASN1:NULL | |
275 | EOF | |
276 | if test -n "$aia" ; then | |
277 | echo "authorityInfoAccess = ${aia}" >> openssl.cnf | |
278 | fi | |
279 | if test -n "$crl" ; then | |
280 | echo "crlDistributionPoints = ${crl}" >> openssl.cnf | |
281 | fi | |
282 | cat >> openssl.cnf <<- EOF | |
283 | ||
284 | [req_issued] | |
285 | prompt = no | |
286 | oid_section = req_oids | |
287 | distinguished_name = req_issued_name | |
288 | default_md = $DIGEST | |
289 | ||
290 | [req_issued_name] | |
291 | C=US | |
292 | #stateOrProvinceName=SomeState | |
293 | localityName=SomeCity | |
294 | O=SomeOrg | |
295 | EOF | |
296 | #echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf | |
297 | #mail = $GIVENUSER | |
298 | cat >> openssl.cnf <<- EOF | |
299 | commonName = $commonname | |
300 | ||
301 | [v3_issued] | |
302 | #certificatePolicies=2.5.29.32.0${eku:+,${eku}} | |
303 | subjectKeyIdentifier=hash | |
304 | authorityKeyIdentifier=keyid:always | |
305 | #authorityKeyIdentifier=keyid:always,issuer:always | |
306 | EOF | |
307 | if test -n "$aia" ; then | |
308 | echo "authorityInfoAccess = ${aia}" >> openssl.cnf | |
309 | fi | |
310 | if test -n "$crl" ; then | |
311 | echo "crlDistributionPoints = ${crl}" >> openssl.cnf | |
312 | fi | |
313 | if test -n "$keyusage" ; then | |
314 | echo "keyUsage = critical,${keyusage}" >> openssl.cnf | |
315 | fi | |
316 | if test -n "$altnames" ; then | |
317 | echo "subjectAltName = ${altnames}" >> openssl.cnf | |
318 | fi | |
319 | if test -n "$eku" ; then | |
320 | echo "extendedKeyUsage = ${eku}" >> openssl.cnf | |
321 | : | |
322 | fi | |
323 | if test "x$CA" = xTRUE ; then | |
324 | echo "basicConstraints=critical,CA:TRUE" >> openssl.cnf | |
325 | echo 'nsComment="Testing CA Certificate for '"$commonname"'"' >> openssl.cnf | |
326 | else | |
327 | echo "basicConstraints=CA:FALSE" >> openssl.cnf | |
328 | echo 'nsComment="Testing Certificate for '"$commonname"'"' >> openssl.cnf | |
329 | fi | |
330 | for value in $principals; do | |
331 | user=`echo "$value" | cut -f1 -d@` | |
332 | realm=`echo "$value" | cut -f2- -d@` | |
333 | echo "" >> openssl.cnf | |
334 | echo "[$value]" >> openssl.cnf | |
335 | echo "realm=EXPLICIT:0,GeneralString:$realm" >> openssl.cnf | |
336 | echo "kerberosname=EXPLICIT:1,SEQUENCE:krb5$user" >> openssl.cnf | |
337 | ||
338 | echo "" >> openssl.cnf | |
339 | echo "[krb5$user]" >> openssl.cnf | |
340 | echo "nametype=EXPLICIT:0,INTEGER:1" >> openssl.cnf | |
341 | echo "namelist=EXPLICIT:1,SEQUENCE:krb5basic$user" >> openssl.cnf | |
342 | ||
343 | echo "[krb5basic$user]" >> openssl.cnf | |
344 | count=0 | |
345 | for part in `echo "$user" | sed 's,/, ,g'` ; do | |
346 | echo "$count.part=GeneralString:$part" >> openssl.cnf | |
347 | count=`expr "$count" + 1` | |
348 | done | |
349 | done | |
350 | ||
351 | # Create the data files for a new CA. | |
352 | if ! test -s ca.srl ; then | |
353 | (dd if=/dev/urandom bs=8 count=1 2> /dev/null) | od -t x1c | head -n 1 | awk '{$1="00";OFS="";print}' > ca.srl | |
354 | else | |
355 | echo "You already have a ca.srl file; not replacing." | |
356 | fi | |
357 | if ! test -s ca.db ; then | |
358 | touch ca.db | |
359 | else | |
360 | echo "You already have a ca.db file; not replacing." | |
361 | fi | |
362 | if ! test -s ca.db.attr ; then | |
363 | touch ca.db.attr | |
364 | else | |
365 | echo "You already have a ca.db.attr file; not replacing." | |
366 | fi | |
367 | ||
368 | # If we need a CA key, generate one. | |
369 | if ! test -s ca.key ; then | |
370 | umask=`umask -p` | |
371 | umask 077 | |
372 | keygen ca > ca.key 2> /dev/null | |
373 | $umask | |
374 | else | |
375 | echo "You already have a ca.key file; not replacing." | |
376 | done=echo | |
377 | fi | |
378 | ||
379 | # If we need a CA certificate, generate one. | |
380 | if ! test -s ca.crt ; then | |
381 | sed -i -e 's,^\[req_ca\]$,\[req\],g' `pwd`/openssl.cnf | |
382 | openssl req -config `pwd`/openssl.cnf -new -key ca.key > ca.csr 2> /dev/null -passin pass:shim | |
383 | sed -i -e 's,^\[req\]$,\[req_ca\],g' `pwd`/openssl.cnf | |
384 | openssl x509 -extfile `pwd`/openssl.cnf -CAserial ca.srl -signkey ca.key -extensions v3_ca -req -in ca.csr -days $DAYS -out ca.crt ; : 2> /dev/null | |
385 | openssl x509 -noout -text -in ca.crt > ca.txt | |
386 | cat ca.crt >> ca.txt | |
387 | cat ca.txt > ca.crt | |
388 | rm ca.txt | |
389 | cat ca.crt > ca.chain.crt | |
390 | else | |
391 | echo "You already have a ca.crt file; not replacing." | |
392 | done=echo | |
393 | fi | |
394 | ||
395 | # If we need an OCSP key, generate one. | |
396 | if ! test -s ocsp.key ; then | |
397 | umask=`umask -p` | |
398 | umask 077 | |
399 | keygen ocsp > ocsp.key 2> /dev/null | |
400 | $umask | |
401 | else | |
402 | echo "You already have an ocsp.key file; not replacing." | |
403 | done=echo | |
404 | fi | |
405 | ||
406 | # Generate the OCSP signing cert. Set the X.509v3 basic constraints and EKU. | |
407 | if ! test -s ocsp.crt ; then | |
408 | sed -i -e 's,^\[req_ocsp\]$,\[req\],g' `pwd`/openssl.cnf | |
409 | openssl req -config `pwd`/openssl.cnf -new -key ocsp.key > ocsp.csr 2> /dev/null | |
410 | sed -i -e 's,^\[req\]$,\[req_ocsp\],g' `pwd`/openssl.cnf | |
411 | openssl ca -batch -config `pwd`/openssl.cnf -extensions v3_ocsp -preserveDN -in ocsp.csr -days $DAYS -out ocsp.crt 2> /dev/null | |
412 | openssl x509 -noout -text -in ocsp.crt > ocsp.txt | |
413 | cat ocsp.crt >> ocsp.txt | |
414 | cat ocsp.txt > ocsp.crt | |
415 | rm ocsp.txt | |
416 | else | |
417 | echo "You already have an ocsp.crt file; not replacing." | |
418 | done=echo | |
419 | fi | |
420 | ||
421 | # If we were told to revoke the certificate with the specified common name, | |
422 | # do so. | |
423 | if $revoke_cert ; then | |
424 | openssl ca -config `pwd`/openssl.cnf -revoke "$commonname".crt | |
425 | fi | |
426 | ||
427 | # Always refresh the CRL. | |
428 | openssl ca -config `pwd`/openssl.cnf -gencrl ${CRLHOURS:+-crlhours ${CRLHOURS}} ${CRLDAYS:+-crldays ${CRLDAYS}} -out ca.crl.pem | |
429 | openssl crl -in ca.crl.pem -outform der -out ca.crl | |
430 | openssl crl -in ca.crl -inform der -noout -text > ca.crl.pem | |
431 | openssl crl -in ca.crl -inform der >> ca.crl.pem | |
432 | ||
433 | # If we were told to start up the mini OCSP server, do so. | |
434 | if $ocsp_serve ; then | |
435 | openssl ocsp -text -index `pwd`/ca.db -CA `pwd`/ca.crt -rsigner `pwd`/ocsp.crt -rkey `pwd`/ocsp.key -rother `pwd`/ocsp.crt -port "`cut -f3 -d/ ca.ocsp.uri.txt | sed -r 's,(^[^:]*),0.0.0.0,g'`" | |
436 | exit 0 | |
437 | fi | |
438 | ||
439 | # If we're just here to do a revocation or refresh the CRL, we're done. | |
440 | if $revoke_cert || $refresh_crl ; then | |
441 | exit 0 | |
442 | fi | |
443 | ||
444 | # Create a new serial number and whatnot if this is a new sub-CA. | |
445 | if test "x$CA" = xTRUE ; then | |
446 | if ! test -d "$commonname" ; then | |
447 | mkdir "$commonname" | |
448 | fi | |
449 | if ! test -s "$commonname/ca.srl" ; then | |
450 | (dd if=/dev/urandom bs=8 count=1 2> /dev/null) | od -t x1c | head -n 1 | awk '{$1="00";OFS="";print}' > "$commonname/ca.srl" | |
451 | else | |
452 | echo "You already have a $commonname/ca.srl file; not replacing." | |
453 | fi | |
454 | if test -n "$aia" ; then | |
455 | echo -n "$aiaval" > "$commonname/ca.ocsp.uri.txt" | |
456 | fi | |
457 | if test -n "$crl" ; then | |
458 | echo -n "$crlval" > "$commonname/ca.crldp.uri.txt" | |
459 | fi | |
460 | echo "$DOMAIN" > "$commonname/ca.domain.txt" | |
461 | touch "$commonname/ca.db" "$commonname/ca.db.attr" | |
462 | cert="$commonname/ca.crt" | |
463 | csr="$commonname/ca.csr" | |
464 | key="$commonname/ca.key" | |
465 | pem="$commonname/ca.pem" | |
466 | pfx="$commonname/ca.p12" | |
467 | ln -s ../`basename $0` "$commonname"/ | |
468 | else | |
469 | cert="$commonname.crt" | |
470 | csr="$commonname.csr" | |
471 | key="$commonname.key" | |
472 | pem="$commonname.pem" | |
473 | pfx="$commonname.p12" | |
474 | fi | |
475 | ||
476 | # Generate the subject's certificate. Set the X.509v3 basic constraints. | |
477 | if ! test -s "$cert" ; then | |
478 | # Generate another key, unless we have a key or CSR. | |
479 | if ! test -s "$key" && ! test -s "$csr" ; then | |
480 | umask=`umask -p` | |
481 | umask 077 | |
482 | keygen "$commonname" > "$key" 2> /dev/null | |
483 | $umask | |
484 | else | |
485 | echo "You already have a $key or $csr file; not replacing." | |
486 | done=echo | |
487 | fi | |
488 | ||
489 | if ! test -s "$csr" ; then | |
490 | sed -i -e 's,^\[req_issued\]$,\[req\],g' `pwd`/openssl.cnf | |
491 | openssl req -config `pwd`/openssl.cnf -new -key "$key" > "$csr" 2> /dev/null | |
492 | sed -i -e 's,^\[req\]$,\[req_issued\],g' `pwd`/openssl.cnf | |
493 | fi | |
494 | openssl ca -batch -config `pwd`/openssl.cnf -extensions v3_issued -preserveDN -in "$csr" -days $DAYS -out "$cert" 2> /dev/null | |
495 | openssl x509 -noout -text -in "$cert" > "$cert.txt" | |
496 | cat "$cert" >> "$cert.txt" | |
497 | cat "$cert.txt" > "$cert" | |
498 | rm -f "$cert.txt" | |
499 | else | |
500 | echo "You already have a $cert file; not replacing." | |
501 | done=echo | |
502 | fi | |
503 | ||
504 | if test -s ca.chain.crt ; then | |
505 | chain=ca.chain.crt | |
506 | else | |
507 | chain=ca.crt | |
508 | fi | |
509 | if test "x$CA" = xTRUE ; then | |
510 | cat "$chain" "$cert" > "$commonname/ca.chain.crt" | |
511 | fi | |
512 | ||
513 | # Create ca.pem and the subject's name.pem for the benefit of applications | |
514 | # which expect both the private key and the certificate in one file. | |
515 | umask=`umask -p` | |
516 | umask 077 | |
517 | if ! test -s ca.pem ; then | |
518 | cat ca.key ca.crt > ca.pem | |
519 | else | |
520 | echo "You already have a ca.pem file; not replacing." | |
521 | done=echo | |
522 | fi | |
523 | if ! test -s "$pem" ; then | |
524 | cat "$key" "$cert" > "$pem" | |
525 | else | |
526 | echo "You already have a $pem file; not replacing." | |
527 | done=echo | |
528 | fi | |
529 | if ! test -s "$pfx" ; then | |
530 | #openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$commonname" -out "$pfx" -nodes -passout pass:qweqwe | |
531 | openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$commonname" -out "$pfx" -nodes -passout pass: | |
532 | else | |
533 | echo "You already have a $pfx file; not replacing." | |
534 | done=echo | |
535 | fi | |
536 | $umask | |
537 | $done | |
538 | ||
539 | echo CA certificate: | |
540 | openssl x509 -noout -issuer -in ca.crt | sed s,=\ ,\ ,g | |
541 | openssl x509 -noout -subject -in ca.crt | sed s,=\ ,\ ,g | |
542 | echo | |
543 | echo End entity certificate: | |
544 | openssl x509 -noout -issuer -in "$cert" | sed s,=\ ,\ ,g | |
545 | openssl x509 -noout -subject -in "$cert" | sed s,=\ ,\ ,g | |
546 | openssl x509 -noout -serial -in "$cert" | sed s,=,\ ,g | |
547 | echo | |
548 | echo PKCS12 bag: | |
549 | openssl pkcs12 -in "$pfx" -nodes -nokeys -nocerts -info -passin pass: | |
550 | #openssl pkcs12 -in "$pfx" -nodes -nokeys -nocerts -info -passin pass:qweqwe | |
551 | echo | |
552 | echo Verifying: | |
553 | echo + openssl verify -CAfile "$chain" "$cert" | |
554 | openssl verify -CAfile "$chain" "$cert" |