├── .gitignore
├── vims
├── tpl
    ├── server-ext.tpl
    ├── client-ext.tpl
    ├── user-ext.tpl
    ├── index-html.tpl
    ├── req-config.tpl
    └── ca-config.tpl
├── ca-scripts.spec
├── Makefile
├── bin
    ├── ca-list-certs
    ├── ca-revoke-cert
    ├── ca-renew-cert
    ├── ca-init
    └── ca-create-cert
├── ca-scripts.conf
├── doc
    ├── ca-renew-cert.pod
    ├── ca-revoke-cert.pod
    ├── ca-init.pod
    ├── ca-scripts.conf.pod
    └── ca-create-cert.pod
├── README.md
└── lib
    └── ca-functions


/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | 


--------------------------------------------------------------------------------
/vims:
--------------------------------------------------------------------------------
1 | gvim -p Makefile bin/* lib/*
2 | gvim -p ca-scripts.conf tpl/*
3 | gvim -p README.md doc/*
4 | 


--------------------------------------------------------------------------------
/tpl/server-ext.tpl:
--------------------------------------------------------------------------------
 1 | basicConstraints        = critical, CA:FALSE
 2 | nsCertType              = server
 3 | nsRevocationUrl         = %CA_CRL_URI%
 4 | %CA_CRT_COMMENT%
 5 | keyUsage                = critical, keyEncipherment, keyAgreement
 6 | extendedKeyUsage        = serverAuth
 7 | 
 8 | issuerAltName           = issuer:copy
 9 | subjectAltName          = @server_altname
10 | subjectKeyIdentifier    = hash
11 | authorityKeyIdentifier  = keyid,issuer:always
12 | authorityInfoAccess     = caIssuers;URI:%CA_CRT_URI%
13 | crlDistributionPoints   = URI:%CA_CRL_URI%
14 | 
15 | [ server_altname ]
16 | URI=%CA_CRT_URI%
17 | email=move
18 | %CA_CRT_ALT_NAMES%
19 | 
20 | 


--------------------------------------------------------------------------------
/tpl/client-ext.tpl:
--------------------------------------------------------------------------------
 1 | basicConstraints        = critical, CA:FALSE
 2 | nsCertType              = client
 3 | nsRevocationUrl         = %CA_CRL_URI%
 4 | %CA_CRT_COMMENT%
 5 | keyUsage                = critical, keyEncipherment, keyAgreement, digitalSignature
 6 | extendedKeyUsage        = clientAuth, timeStamping
 7 | 
 8 | issuerAltName           = issuer:copy
 9 | subjectAltName          = @client_altname
10 | subjectKeyIdentifier    = hash
11 | authorityKeyIdentifier  = keyid,issuer:always
12 | authorityInfoAccess     = caIssuers;URI:%CA_CRT_URI%
13 | crlDistributionPoints   = URI:%CA_CRL_URI%
14 | 
15 | [ client_altname ]
16 | URI=%CA_CRT_URI%
17 | email=move
18 | %CA_CRT_ALT_NAMES%
19 | 


--------------------------------------------------------------------------------
/tpl/user-ext.tpl:
--------------------------------------------------------------------------------
 1 | basicConstraints        = critical, CA:FALSE
 2 | nsCertType              = client, objsign, email
 3 | nsRevocationUrl         = %CA_CRL_URI%
 4 | %CA_CRT_COMMENT%
 5 | keyUsage                = critical, keyEncipherment, keyAgreement, digitalSignature, nonRepudiation, dataEncipherment
 6 | extendedKeyUsage        = clientAuth, codeSigning, emailProtection
 7 | 
 8 | issuerAltName           = issuer:copy
 9 | subjectAltName          = @user_altname
10 | subjectKeyIdentifier    = hash
11 | authorityKeyIdentifier  = keyid,issuer:always
12 | authorityInfoAccess     = caIssuers;URI:%CA_CRT_URI%
13 | crlDistributionPoints   = URI:%CA_CRL_URI%
14 | 
15 | [ user_altname ]
16 | URI=%CA_CRT_URI%
17 | email=move
18 | 
19 | 


--------------------------------------------------------------------------------
/ca-scripts.spec:
--------------------------------------------------------------------------------
 1 | Summary:	SSL Certificate Authority Management Scripts
 2 | Name:		ca-scripts
 3 | Version:	0.9.0
 4 | Release:	1
 5 | URL:		https://github.com/erenfro/ca-scripts
 6 | License:	GPL
 7 | Group:		Applications/Internet
 8 | BuildRoot:	${_tmppath}/${name}-root
 9 | Requires:	bash
10 | BuildArch:	noarch
11 | 
12 | %description
13 | SS Certificate Authority Management Scripts
14 | 
15 | %prep
16 | %setup
17 | %build
18 | 
19 | %install
20 | rm -rf ${RPM_BUILD_ROOT}
21 | mkdir -p ${RPM_BUILD_ROOT}/opt/ca-scripts
22 | make install
23 | 
24 | %clean
25 | rm -rf ${RPM_BUILD_ROOT}
26 | 
27 | %fils
28 | %defattr(-,root,root)
29 | %attr(755,root,root) ${RPM_BUILD_ROOT}/opt/${RPM_PACKAGE_NAME}/bin
30 | 
31 | %changelog
32 | * Thu Feb 19 2015 Eric Renfro <psi-jack@linux-help.org>
33 | - Initial release.
34 | 
35 | 


--------------------------------------------------------------------------------
/tpl/index-html.tpl:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 2 | <HTML>
 3 | <HEAD><TITLE>%CA_DESC%</TITLE>
 4 | <STYLE>
 5 | BODY { font-family: arial,sans-serif; }
 6 | H1 { font-size: xx-large; margin-left: 50px; }
 7 | H3 { font-size: large; margin-top: 50px; margin-left: 50px; }
 8 | IMG { border: 0; }
 9 | P { width: 700px; margin-left: 100px; }
10 | </STYLE>
11 | </HEAD>
12 | 
13 | <BODY>
14 | <H1>%CA_DESC%</H1>
15 | <H3>CA Certificate</H3>
16 | <P>The CA certificate can be found
17 | <A href="%CA_CRT_URI%">here</A></P>
18 | <P>MD5 Fingerprint: %CA_CRT_MD5_FP%</P>
19 | <P>SHA1 Fingerprint: %CA_CRT_SHA_FP%</P>
20 | <H3>Certificate Revocation List</H3>
21 | <P>The certificate revocation list can be found
22 | <A href="%CA_CRL_URI%.der">here</A> (DER encoded)
23 | or <A href="%CA_CRL_URI%">here</A> (PEM encoded)</P>
24 | <P>MD5 Fingerprint: %CA_CRL_MD5_FP%</P>
25 | <P>SHA1 Fingerprint: %CA_CRL_SHA_FP%</P>
26 | </BODY>
27 | </HTML>
28 | 


--------------------------------------------------------------------------------
/tpl/req-config.tpl:
--------------------------------------------------------------------------------
 1 | [ req ]
 2 | default_bits            = %CA_CRT_BITS%
 3 | default_md              = sha1
 4 | distinguished_name      = req_dn
 5 | req_extensions          = req_%CA_CRT_TYPE%_extensions
 6 | string_mask             = nombstr
 7 | prompt                  = no
 8 | 
 9 | [ req_dn ]
10 | C                       = %CA_CRT_C%
11 | ST                      = %CA_CRT_ST%
12 | L                       = %CA_CRT_L%
13 | O                       = %CA_CRT_O%
14 | OU                      = %CA_CRT_OU%
15 | CN                      = %CA_CRT_CN%
16 | emailAddress            = %CA_CRT_E%
17 | 
18 | [ req_server_extensions ]
19 | basicConstraints        = critical, CA:FALSE
20 | keyUsage                = critical, keyEncipherment, keyAgreement
21 | extendedKeyUsage        = serverAuth
22 | 
23 | [ req_client_extensions ]
24 | basicConstraints        = critical, CA:FALSE
25 | keyUsage                = critical, keyEncipherment, keyAgreement, digitalSignature
26 | extendedKeyUsage        = clientAuth, timeStamping
27 | 
28 | [ req_user_extensions ]
29 | basicConstraints        = critical, CA:FALSE
30 | keyUsage                = critical, keyEncipherment, keyAgreement, digitalSignature, nonRepudiation, dataEncipherment
31 | extendedKeyUsage        = clientAuth, codeSigning, emailProtection
32 | 
33 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | NAME=ca-scripts
 2 | VERSION=0.9.0
 3 | 
 4 | DIRS=bin lib tpl
 5 | INSTALL_DIRS=`find $(DIRS) -type d 2>/dev/null`
 6 | INSTALL_FILES=`find $(DIRS) -type f 2>/dev/null`
 7 | DOC_FILES=*.conf *.md doc/*.pod
 8 | SCRIPTS=ca-create-cert ca-init ca-list-certs ca-renew-cert ca-revoke-cert
 9 | 
10 | PKG_DIR=ca-scripts
11 | PKG_NAME=$(NAME)_$(VERSION)
12 | PKG=$(PKG_DIR)/$(PKG_NAME).tar.gz
13 | SIG=$(PKG_DIR)/$(PKG_NAME).asc
14 | 
15 | PREFIX?=/opt/$(NAME)
16 | DOC_DIR=$(PREFIX)/doc
17 | #DOC_DIR=$(PREFIX)/share/doc/$(PKG_NAME)
18 | 
19 | pkg:
20 | 	mkdir -p $(PKG_DIR)
21 | 
22 | $(PKG): pkg
23 | 	git archive --output=$(PKG) --prefix=$(PKG_NAME)/ HEAD
24 | 
25 | build: $(PKG)
26 | 
27 | $(SIG): $(PKG)
28 | 	gpg --sign --detach-sign --armor $(PKG)
29 | 
30 | sign: $(SIG)
31 | 
32 | clean:
33 | 	rm -f $(PKG) $(SIG)
34 | 
35 | all: $(PKG) $(SIG)
36 | 
37 | test:
38 | 
39 | tag:
40 | 	git tag v$(VERSION)
41 | 	git push --tags
42 | 
43 | release: $(PKG) $(SIG) tag
44 | 
45 | install:
46 | 	for dir in $(INSTALL_DIRS); do mkdir -p $(PREFIX)/$$dir; done
47 | 	for file in $(INSTALL_FILES); do cp $$file $(PREFIX)/$$file; done
48 | 	mkdir -p $(DOC_DIR)
49 | 	cp -r $(DOC_FILES) $(DOC_DIR)/
50 | 
51 | symlinks:
52 | 	for link in $(SCRIPTS); do ln -s $(PREFIX)/bin/$$link /usr/local/bin/$$link
53 | 
54 | uninstall:
55 | 	for file in $(INSTALL_FILES); do rm -f $(PREFIX)/$$file; done
56 | 	rm -rf $(DOC_DIR)
57 | 
58 | rmsymlinks:
59 | 	for link in $(SCRIPTS); do rm -f /usr/local/bin/$$link
60 | 
61 | 
62 | .PHONY: build sign clean test tag release install uninstall all
63 | 
64 | 


--------------------------------------------------------------------------------
/bin/ca-list-certs:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | source $(dirname $(readlink -f $0))/../lib/ca-functions
 4 | 
 5 | usage() {
 6 |     cat <<__EOT__
 7 | Usage: $PROGNAME [options] <common name>|<path to certificate>
 8 | 
 9 | Options:
10 |   -h, --help            Print this helpful message!
11 |   -f, --config FILE     Use config file instead of $CONFFILE
12 |   -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
13 |   -e, --expiring        Show certificates that are expiring within 90 days
14 | 
15 | __EOT__
16 | }
17 | 
18 | short="hf:e"
19 | long="help,config:,expiring"
20 | opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
21 | if [ 0 -ne $? ]; then echo; usage; exit 1; fi
22 | eval set -- "$opts";
23 | 
24 | while :; do
25 |     case "$1" in
26 |         -h|--help) usage; exit 0;;
27 |         -f|--config) shift; CONFFILE="$1"; CONFFILECLI=1; shift;;
28 |         -e|--expiring) shift; USER_EXPIRE="1"; shift;;
29 |         --) shift; break;;
30 |         *) echo "Unknown value '$1'"; exit 1;;
31 |     esac
32 | done
33 | 
34 | # load up the configuration file
35 | ca_load_conf
36 | 
37 | for group in ca server client user; do
38 |     case $group in
39 |         ca)	echo "Certificate Authorities:";;
40 |         server)	echo; echo "Server Certificates:";;
41 |         client) echo; echo "Client Certificates:";;
42 |         user)	echo; echo "User Certificates:";;
43 |     esac
44 |       
45 |     while read certFile; do
46 |         #echo "File: $certFile"
47 |         cert_info "$certFile"
48 |     done < <(find "$CA_HOME/crt/" -type f -name "*.${group}.crt")
49 | done
50 | 
51 | 


--------------------------------------------------------------------------------
/bin/ca-revoke-cert:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | source $(dirname $(readlink -f $0))/../lib/ca-functions
 4 | 
 5 | usage() {
 6 |     cat <<__EOT__
 7 | Usage: $PROGNAME [options] <common name>|<path to certificate>
 8 | 
 9 | Options:
10 |   -h, --help            Print this helpful message!
11 |   -f, --config FILE     Use config file instead of $CONFFILE
12 |   -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
13 |   -l, --crl-days DAYS   Make CRL valid for DAYS days instead of CA_CRL_DAYS
14 |   -i, --template FILE   Use alternative index.html template
15 |   -o, --output FILE     Generate CA index.html in FILE
16 | 
17 | __EOT__
18 | }
19 | 
20 | short="hf:t:l:i:o:"
21 | long="help,config:,type:,crl-days:,template:,output:"
22 | opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
23 | if [ 0 -ne $? ]; then echo; usage; exit 1; fi
24 | eval set -- "$opts";
25 | 
26 | while :; do
27 |     case "$1" in
28 |         -h|--help) usage; exit 0;;
29 |         -f|--config) shift; CONFFILE="$1"; CONFFILECLI=1; shift;;
30 |         -t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
31 |         -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
32 |         -i|--template) shift; INDEXTPL="$1"; shift;;
33 |         -o|--output) shift; INDEXOUT="$1"; shift;;
34 |         --) shift; break;;
35 |         *) echo "Unknown value '$1'"; exit 1;;
36 |     esac
37 | done
38 | 
39 | ca_load_conf
40 | 
41 | CNF_NAME=$( ca_find_cnf "$1" )
42 | CRT="$CA_HOME/crt/$CNF_NAME.crt"
43 | 
44 | openssl ca -config $CA_HOME/cnf/$CA_NAME.ca.cnf \
45 |   -revoke $CRT -crl_reason superseded
46 | 
47 | ca_gen_crl
48 | if [ -n "$INDEXOUT" ]; then
49 |     ca_checksum
50 |     ca_template $INDEXTPL $INDEXOUT
51 | fi
52 | 
53 | 


--------------------------------------------------------------------------------
/ca-scripts.conf:
--------------------------------------------------------------------------------
 1 | # example ca-scripts configuration file
 2 | # see ca-scripts.conf(5) for details
 3 | 
 4 | # REQUIRED: CA_HOME provides the path to the root of the CA directory tree
 5 | #           this directory must exist and be writeable
 6 | #CA_HOME="/etc/ssl/ca-scripts"
 7 | CA_HOME="/tmp/ca"
 8 | 
 9 | # REQUIRED: CA_DOMAIN provides a template for other optional variables and
10 | #           the filenames that are generated within the directory tree
11 | CA_DOMAIN="example.com"
12 | 
13 | # REQUIRED: CA_DN_* configures the Distinguished Name fields present in the
14 | #           CA certificate generated by ca-init
15 | CA_DN_C="GB"
16 | CA_DN_ST="London"
17 | CA_DN_L="Example House, Mayfair"
18 | CA_DN_O="Example Security Services Ltd."
19 | CA_DN_OU="Example Internet Encryption Division"
20 | CA_DN_CN="Example Security Services Root Certificate Authority"
21 | 
22 | # OPTIONAL: CA_DESC configures a single-line description for your CA
23 | #           using the CN= or O= line from your DN is recommended
24 | # Default value:
25 | # CA_DESC="$CA_DN_CN"
26 | 
27 | # OPTIONAL: CA_EMAIL provides an e-mail address that is embedded into all
28 | #           generated certificates as a point-of-contact
29 | # Default value:
30 | # CA_EMAIL="ca@$CA_DOMAIN"
31 | 
32 | # OPTIONAL: CA_CRT_URI and CA_CRL_URI provide locations where the CA
33 | #           certificate and revocation lists can be found
34 | # Default value:
35 | # CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
36 | # CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
37 | 
38 | # OPTIONAL: CA_DAYS, CA_CRT_DAYS and CA_CRL_DAYS set the default validity
39 | #           period for the CA cert, certificates and revocation lists.
40 | # Default value:
41 | # CA_DAYS=3652
42 | # CA_CRT_DAYS=365
43 | # CA_CRL_DAYS=365
44 | 
45 | # OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
46 | # Default value:
47 | # CA_CRT_BITS=2048
48 | 
49 | # OPTIONAL: CA_DEFAULT_MD sets the default message digest of generated
50 | # certificates.
51 | # Default value:
52 | CA_DEFAULT_MD="sha256"
53 | 
54 | # OPTIONAL: CA_CRT_TYPE sets the default type of generated certificate.
55 | # Default value:
56 | # CA_CRT_TYPE="server"
57 | 
58 | # OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
59 | #           that can be in the chain of authority between the root CA and the
60 | #           final certificate.
61 | # Default value:
62 | # CA_PATHLEN=0
63 | 


--------------------------------------------------------------------------------
/bin/ca-renew-cert:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | source $(dirname $(readlink -f $0))/../lib/ca-functions
 4 | 
 5 | usage() {
 6 |     cat <<__EOT__
 7 | Usage: $PROGNAME [options] <common name>|<path to certificate>
 8 | 
 9 | Options:
10 |   -h, --help            Print this helpful message!
11 |   -f, --config FILE     Use config file instead of $CONFFILE
12 |   -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
13 |   -d, --days DAYS       Renew certificate for DAYS days instead of CA_CRT_DAYS
14 | 
15 | __EOT__
16 | }
17 | 
18 | short="hf:t:d:"
19 | long="help,config:,type:,days:"
20 | opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
21 | if [ 0 -ne $? ]; then echo; usage; exit 1; fi
22 | eval set -- "$opts";
23 | 
24 | while :; do
25 |     case "$1" in
26 |         -h|--help) usage; exit 0;;
27 |         -f|--config) shift; CONFFILE="$1"; CONFFILECLI=1; shift;;
28 |         -t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
29 |         -d|--days) shift; USER_CA_CRT_DAYS="$1"; shift;;
30 |         --) shift; break;;
31 |         *) echo "Unknown value '$1'"; exit 1;;
32 |     esac
33 | done
34 | 
35 | ca_load_conf
36 | 
37 | CNF_NAME=$( ca_find_cnf "$1" )
38 | CRT="$CA_HOME/crt/$CNF_NAME.crt"
39 | 
40 | # make sure that configuration files are present as expected
41 | if [ ! -f "$CA_HOME/cnf/$CNF_NAME.ext.cnf" ]; then
42 |     error "Couldn't find extensions in $CA_HOME/cnf/$CNF_NAME-ext.cnf"
43 | fi
44 | 
45 | # according to the below URL we should create the new CRT using the old CSR
46 | # and with the same serial as the previous certificate.
47 | #   http://blog.fupps.com/2007/11/30/x509ssl-certificate-prolongation/
48 | # After some fun googling, I found the following URL which tells us how...
49 | #   http://ca.dutchgrid.nl/info/CA_gymnastics.html
50 | # XXX: this is only *really* relevant for certs that have been used for code
51 | #      or e-mail encryption. should we regenerate client/server certs entirely?
52 | #      ... for the moment there's always the revoke/recreate route for people.
53 | 
54 | # acquire required info from old certificate
55 | ENDDATE=$( openssl x509 -in "$CRT" -noout -enddate | cut -d= -f2 )
56 | SERIAL=$( openssl x509 -in "$CRT" -noout -serial | cut -d= -f2 )
57 | # work out new expiry date based on expiry date of current cert
58 | # these dates are "<year> <day of year>"
59 | export TZ=UTC
60 | NOWYEAR=$( date +%Y )
61 | NOWDAYS=$( date +%j )
62 | # XXX: this only works with GNU date, BSD portability fail.
63 | ENDYEAR=$( date +%Y -d "$ENDDATE + $CA_CRT_DAYS days" )
64 | ENDDAYS=$( date +%j -d "$ENDDATE + $CA_CRT_DAYS days" )
65 | CERTDATE=$( date +%Y-%m-%d -d "$ENDDATE" )
66 | 
67 | # and this does the maths to work out how many days there are from now
68 | # (when we're creating the new cert) to the new expiry date
69 | DAYS=$(( ($ENDYEAR-$NOWYEAR)*365 + ($ENDDAYS-$NOWDAYS) ))
70 | 
71 | # Now perform required CA gymnastics ;p
72 | openssl x509 -req -set_serial "0x$SERIAL" -days "$DAYS" \
73 |   -CA      "$CA_HOME/crt/$CA_NAME.ca.crt" \
74 |   -CAkey   "$CA_HOME/key/$CA_NAME.ca.key" \
75 |   -extfile "$CA_HOME/cnf/$CNF_NAME.ext.cnf" \
76 |   -out     "$CA_HOME/crt/$CNF_NAME.crt" \
77 |   -in      "$CA_HOME/csr/$CNF_NAME.csr"
78 | 
79 | # This doesn't update the original certificate in the index, so let's do that
80 | mv "$CA_HOME/idx/$SERIAL.pem" "$CA_HOME/idx/$SERIAL.$CERTDATE.pem"
81 | cp "$CA_HOME/crt/$CNF_NAME.crt" "$CA_HOME/idx/$SERIAL.pem"
82 | 


--------------------------------------------------------------------------------
/doc/ca-renew-cert.pod:
--------------------------------------------------------------------------------
 1 | #! /bin/sh
 2 | 
 3 | if [ -z "$1" -o "$1" == "man" ]; then
 4 |   exec /usr/bin/pod2man -n CA-RENEW-CERT -s 1 -d "12 February 2010" \
 5 |     -r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
 6 | elif [ "$1" == "html" ]; then
 7 |   exec /usr/bin/pod2html --title "ca-renew-cert(1)" < $0
 8 | elif [ "$1" == "text" ]; then
 9 |   exec /usr/bin/pod2text -o $0
10 | fi
11 | echo "Unrecognised output format '$1', try man, html, or text."
12 | exit 1
13 | 
14 | =pod
15 | 
16 | =head1 NAME
17 | 
18 | ca-renew-cert - renew a previously generated X.509 certificate
19 | 
20 | =head1 SYNOPSIS
21 | 
22 | B<ca-renew-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
23 | I<common name>|<path to certificate>
24 | 
25 | B<ca-renew-cert> [B<-h>] | [B<--help>]
26 | 
27 | =head1 DESCRIPTION
28 | 
29 | B<ca-renew-cert> renews certificates generated with ca-create-cert(1),
30 | extending their validity for a configurable number of days, defaulting to
31 | B<CA_CRT_DAYS>.
32 | 
33 | =head1 OPTIONS
34 | 
35 | B<ca-renew-cert> can infer the correct cached configurations to use for
36 | certificate renewal from the hostname of a I<server> or I<client>, the
37 | username of a I<user>, or the path to a previously generated certificate of any
38 | type.
39 | 
40 | =over
41 | 
42 | =item B<-t> I<TYPE>, B<--type> I<TYPE>
43 | 
44 | This argument overrides the type detection if multiple certificate types share
45 | the same common name, telling B<ca-renew-cert> what type of certificate it is
46 | renewing, either I<server>, I<client>, or I<user>.
47 | 
48 | =item B<-f> I<FILE>, B<--config> I<FILE>
49 | 
50 | Load the ca-scripts configuration from I<FILE> instead of
51 | I</etc/ca-scripts.conf>.
52 | 
53 | =item B<-d> I<DAYS>, B<--days> I<DAYS>
54 | 
55 | Renew the certificate to be valid for I<DAYS> days instead of the default
56 | B<CA_CRT_DAYS> set in the configuration file.
57 | 
58 | =back
59 | 
60 | =head1 BUGS
61 | 
62 | B<ca-renew-cert> is currently very careful to re-use the original key and
63 | certificate serial when it renews a certificate. This is not strictly necessary
64 | for most renewals, and may in fact reduce the long-term security of your SSL
65 | certificates.
66 | 
67 | The usual renewal process is to re-generate a new CSR and private
68 | key with the same DN and sign it as valid for the required time period.
69 | This has the unfortunate side-effect of rendering unreadable all S/MIME e-mail
70 | and data encrypted with the previous certificate and private key. It will also
71 | invalidate any old digital signatures created with the previous certificate.
72 | Instead, B<ca-renew-cert> re-signs the old CSR with the same serial and a new
73 | validity period, which ensures that no data is lost.
74 | 
75 | Arguably, it would be better to support both modes of renewal, and re-generate
76 | a new CSR and key for I<server> and I<client> certificates while re-signing old
77 | CSRs for I<user> certificates. This may be implemented in future releases.
78 | 
79 | =head1 AVAILABILITY
80 | 
81 | New releases of the ca-scripts utilities can be found at
82 | L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
83 | A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
84 | for development versions also exists.
85 | 
86 | =head1 AUTHORS
87 | 
88 | Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
89 | 
90 | =head1 SEE ALSO
91 | 
92 | ca-create-cert(1), ca-scripts.conf(5), openssl(1ssl), ca(1ssl), req(1ssl),
93 | x509(1ssl), config(5ssl), and x509v3_config(5ssl).
94 | 
95 | =cut
96 | 


--------------------------------------------------------------------------------
/doc/ca-revoke-cert.pod:
--------------------------------------------------------------------------------
  1 | #! /bin/sh
  2 | 
  3 | if [ -z "$1" -o "$1" == "man" ]; then
  4 |   exec /usr/bin/pod2man -n CA-REVOKE-CERT -s 1 -d "12 February 2010" \
  5 |     -r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
  6 | elif [ "$1" == "html" ]; then
  7 |   exec /usr/bin/pod2html --title "ca-revoke-cert(1)" < $0
  8 | elif [ "$1" == "text" ]; then
  9 |   exec /usr/bin/pod2text -o $0
 10 | fi
 11 | echo "Unrecognised output format '$1', try man, html, or text."
 12 | exit 1
 13 | 
 14 | =pod
 15 | 
 16 | =head1 NAME
 17 | 
 18 | ca-revoke-cert - revoke a certificate and re-generate CRL
 19 | 
 20 | =head1 SYNOPSIS
 21 | 
 22 | B<ca-revoke-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-l> I<days>]
 23 | [B<-i> I<template>] [B<-o> I<file>] I<common name>|I<path to certificate>
 24 | 
 25 | B<ca-revoke-cert> [B<-h>] | [B<--help>]
 26 | 
 27 | =head1 DESCRIPTION
 28 | 
 29 | B<ca-revoke-cert> revokes certificates generated with ca-create-cert(1) and
 30 | updates the CA's certificate revocation lists in both PEM and DER-encoded
 31 | formats. It can also optionally generate an HTML file with MD5 and SHA1
 32 | fingerprints suitable for publishing the CA certificate and the CRL.
 33 | 
 34 | =head1 OPTIONS
 35 | 
 36 | B<ca-revoke-cert> can infer the correct cached configurations to use for
 37 | certificate revocation from the hostname of a I<server> or I<client>, the
 38 | username of a I<user>, or the path to a previously generated certificate of any
 39 | type.
 40 | 
 41 | =over
 42 | 
 43 | =item B<-t> I<TYPE>, B<--type> I<TYPE>
 44 | 
 45 | This argument overrides the type detection if multiple certificate types share
 46 | the same common name, telling B<ca-revoke-cert> what type of certificate it is
 47 | revoking, either I<server>, I<client>, or I<user>.
 48 | 
 49 | =item B<-f> I<FILE>, B<--config> I<FILE>
 50 | 
 51 | Load the ca-scripts configuration from I<FILE> instead of
 52 | I</etc/ca-scripts.conf>.
 53 | 
 54 | =item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
 55 | 
 56 | Generate a CRL that is valid for I<DAYS> days instead of the default
 57 | B<CA_CRL_DAYS> set in the configuration file.
 58 | 
 59 | =item B<-i> I<FILE>, B<--template> I<FILE>
 60 | 
 61 | Use the index.html template in I<FILE> rather than the standard one provided
 62 | with ca-scripts. See the B<TEMPLATING> section of ca-scripts.conf(5) for more
 63 | details of the templating system. Hint: it's sed(1) based...
 64 | 
 65 | =item B<-o> I<FILE>, B<--output> I<FILE>
 66 | 
 67 | Generate a HTML page in I<FILE> suitable for serving your CA certificate and
 68 | revocation lists via HTTP. The default template is basic but provides MD5 and
 69 | SHA1 fingerprints of both files for verification purposes.
 70 | 
 71 | =back
 72 | 
 73 | =head1 BUGS
 74 | 
 75 | Probably. At the moment the revocation reason is hardcoded to "superseded";
 76 | this may change in future releases along with code to deal with key compromise.
 77 | Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
 78 | generated CRLs due to requiring a very recent version of openssl(1).
 79 | 
 80 | These scripts will not handle configuring an OCSP server for you. OCSP is an
 81 | alternative method of checking the validity of X.509 certificates, and is
 82 | Worth Investigating. See ocsp(1ssl) and the
 83 | L<wikipedia entry|http://en.wikipedia.org/wiki/OCSP> for details.
 84 | 
 85 | =head1 AVAILABILITY
 86 | 
 87 | New releases of the ca-scripts utilities can be found at
 88 | L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
 89 | A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
 90 | for development versions also exists.
 91 | 
 92 | =head1 AUTHORS
 93 | 
 94 | Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
 95 | 
 96 | =head1 SEE ALSO
 97 | 
 98 | ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
 99 | openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
100 | 
101 | =cut
102 | 
103 | 


--------------------------------------------------------------------------------
/bin/ca-init:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -e
  3 | source $(dirname $(readlink -f $0))/../lib/ca-functions
  4 | 
  5 | # XXX: Add an interactive mode to this script to obviate the need for a
  6 | # pre-existing config file? e.g.
  7 | #    $ cd /empty/directory or /dir/containing/partial/conf
  8 | #    $ ca-init -i
  9 | # or maybe:
 10 | #    $ ca-init -i /path/to/CA_HOME
 11 | # + modify config file loading to check current directory too?
 12 | 
 13 | # XXX: corollary to above: provide --long-options for all config file
 14 | # variables also, reducing or eliminating *requirement* for config file?
 15 | 
 16 | usage() {
 17 |     cat <<__EOT__
 18 | Usage: $PROGNAME [options]
 19 | 
 20 | Options:
 21 |   -h, --help            Print this helpful message!
 22 |   -c, --encrypt         Encrypt CA private key with Triple-DES
 23 |   -f, --config FILE     Use config file instead of $CONFFILE
 24 |   -d, --days DAYS       CA Certificate valid for DAYS days instead of CA_DAYS
 25 |   -l, --crl-days DAYS   Make CRL valid for DAYS days instead of CA_CRL_DAYS
 26 |   -b, --bits BITS       Generate a BITS bit certificate instead of CA_CRT_BITS
 27 |   -i, --template FILE   Use alternative index.html template
 28 |   -o, --output FILE     Generate CA index.html in FILE
 29 |   -s, --sign-only       Only generate CA cert/key, use pre-created config
 30 |   -x, --cnf-only        Only generate CA config file, don't create CA cert/key
 31 | 
 32 | __EOT__
 33 | }
 34 | 
 35 | short="hcf:d:l:b:i:o:sx"
 36 | long="help,encrypt,config:,days:,crl-days:,bits:"
 37 | long="$long,template:,output:,sign-only,cnf-only"
 38 | opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 39 | if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 40 | eval set -- "$opts";
 41 | 
 42 | CRT_ONLY=0
 43 | CNF_ONLY=0
 44 | 
 45 | while :; do
 46 |     case "$1" in
 47 |         -h|--help) usage; exit 0;;
 48 |         -c|--encrypt) CRYPTKEY=""; shift;;
 49 |         -f|--config) shift; CONFFILE="$1"; CONFFILECLI=1; shift;;
 50 |         -d|--days) shift; USER_CA_DAYS="$1"; shift;;
 51 |         -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
 52 |         -b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
 53 |         -i|--template) shift; INDEXTPL="$1"; shift;;
 54 |         -o|--output) shift; INDEXOUT="$1"; shift;;
 55 |         -s|--sign-only) CRT_ONLY=1; shift;;
 56 |         -x|--cnf-only) CNF_ONLY=1; shift;;
 57 |         --) shift; break;;
 58 |         *) echo "Unknown value '$1'"; exit 1;;
 59 |     esac
 60 | done
 61 | 
 62 | # load up the configuration file
 63 | ca_load_conf
 64 | 
 65 | if [ 1 -eq "$CRT_ONLY" -a 1 -eq "$CNF_ONLY" ]; then
 66 |     error "The --crt-only and --cnf-only options are mutually exclusive."
 67 | fi
 68 | if [ 1 -eq "$CNF_ONLY" -a -n "$INDEXOUT" ]; then
 69 |     error "Cannot generate index.html when not creating certificates."
 70 | fi
 71 | 
 72 | if [ 1 -ne "$CRT_ONLY" ]; then
 73 |     # create the directory structure that'll be populated by the scripts
 74 |     mkdir -p $CA_HOME/{cnf,crl,crt,csr,db,idx,key,p12}
 75 |     echo "01" > $CA_HOME/db/crlnumber
 76 |     touch $CA_HOME/db/index.txt
 77 |     touch $CA_HOME/db/.rand
 78 | 
 79 |     # generate an openssl configuration for this CA
 80 |     ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
 81 | fi
 82 | if [ 1 -ne "$CNF_ONLY" ]; then
 83 |     if [ ! -f "$CA_HOME/cnf/$CA_NAME.ca.cnf" ]; then
 84 |         # looks like someone's running ca-init with -s without using -x first
 85 |         error "Could not find CA config. Please run ca-init -x before using ca-init -s."
 86 |     fi
 87 |     # generate a self-signed cert that is valid for 10 years, with
 88 |     #  ... the private key in $CA_HOME/key/$CA_NAME.ca.key
 89 |     #  ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt
 90 |     #  ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf
 91 |     openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
 92 |       -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
 93 |       -out    "$CA_HOME/csr/$CA_NAME.ca.csr"
 94 |     chmod 400 "$CA_HOME/key/$CA_NAME.ca.key"
 95 | 
 96 |     openssl ca -create_serial -selfsign -days "$CA_DAYS" -batch \
 97 |       -name ca_scripts -extensions ca_x509_extensions \
 98 |       -md      "$CA_DEFAULT_MD" \
 99 |       -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
100 |       -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \
101 |       -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
102 |       -out     "$CA_HOME/crt/$CA_NAME.ca.crt"
103 | 
104 |     # generate an initial CRL too (yes it will be empty, but we should serve it)
105 |     ca_gen_crl
106 |     if [ -n "$INDEXOUT" ]; then
107 |         ca_checksum
108 |         ca_template $INDEXTPL $INDEXOUT
109 |     fi
110 | fi
111 | 


--------------------------------------------------------------------------------
/doc/ca-init.pod:
--------------------------------------------------------------------------------
  1 | #! /bin/sh
  2 | 
  3 | if [ -z "$1" -o "$1" == "man" ]; then
  4 |   exec /usr/bin/pod2man -n CA-INIT -s 1 -d "12 February 2010" \
  5 |     -r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
  6 | elif [ "$1" == "html" ]; then
  7 |   exec /usr/bin/pod2html --title "ca-init(1)" < $0
  8 | elif [ "$1" == "text" ]; then
  9 |   exec /usr/bin/pod2text -o $0
 10 | fi
 11 | echo "Unrecognised output format '$1', try man, html, or text."
 12 | exit 1
 13 | 
 14 | =pod
 15 | 
 16 | =head1 NAME
 17 | 
 18 | ca-init - initialise an X.509 SSL CA and generate CA certificate
 19 | 
 20 | =head1 SYNOPSIS
 21 | 
 22 | B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-d> I<days>] [B<-l> I<days>]
 23 | [B<-b> I<bits>] [B<-i> I<template>] [B<-o> I<output>]
 24 | 
 25 | B<ca-init> [B<-h>] | [B<--help>]
 26 | 
 27 | =head1 DESCRIPTION
 28 | 
 29 | B<ca-init> reads the ca-scripts configuration file and generates an openssl(1)
 30 | configuration file and an X.509 certificate and key suitable for use as an
 31 | x509(1) certificate authority. It can also optionally generate an HTML file
 32 | with MD5 and SHA1 fingerprints suitable for publishing the CA certificate and
 33 | the CRL. The format of the ca-scripts configuration file is documented in
 34 | ca-scripts.conf(5).
 35 | 
 36 | =head1 OPTIONS
 37 | 
 38 | =over
 39 | 
 40 | =item B<-h>, B<--help>
 41 | 
 42 | Prints out a short synopsis of the options to B<ca-init>.
 43 | 
 44 | =item B<-c>, B<--encrypt>
 45 | 
 46 | Encrypt the private key generated for the certificate authority with 3DES.
 47 | 
 48 | =item B<-f> I<FILE>, B<--config> I<FILE>
 49 | 
 50 | Load the ca-scripts configuration from I<FILE> instead of
 51 | I</etc/ca-scripts.conf>.
 52 | 
 53 | =item B<-d> I<DAYS>, B<--days> I<DAYS>
 54 | 
 55 | Sign the CA certificate to be valid for I<DAYS> days instead of the default
 56 | B<CA_DAYS> set in the configuration file.
 57 | 
 58 | =item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
 59 | 
 60 | Generate a CRL that is valid for I<DAYS> days instead of the default
 61 | B<CA_CRL_DAYS> set in the configuration file.
 62 | 
 63 | =item B<-b> I<BITS>, B<--bits> I<BITS>
 64 | 
 65 | Generate a I<BITS>-bit CA certificate instead of the default B<CA_CRT_BITS> set
 66 | in the config file. Traditionally this is a power of two, e.g. 1024 or 2048.
 67 | 
 68 | =item B<-i> I<FILE>, B<--template> I<FILE>
 69 | 
 70 | Use the index.html template in I<FILE> rather than the standard one provided
 71 | with ca-scripts. See the B<TEMPLATING> section of ca-scripts.conf(5) for more
 72 | details of the templating system. Hint: it's sed(1) based...
 73 | 
 74 | =item B<-o> I<FILE>, B<--output> I<FILE>
 75 | 
 76 | Generate a HTML page in I<FILE> suitable for serving your CA certificate and
 77 | revocation lists via HTTP. The default template is basic but provides MD5 and
 78 | SHA1 fingerprints of both files for verification purposes.
 79 | 
 80 | =item B<-s>, B<--sign-only>
 81 | 
 82 | Generate the CA certificate and private key from a previously-created openssl
 83 | configuration. May only be used after having run B<ca-init> with the
 84 | B<--cnf-only> option, and mutually exclusive to that option.
 85 | 
 86 | =item B<-x>, B<--cnf-only>
 87 | 
 88 | Create initial CA directory structure and openssl configuration, but do not
 89 | generate CA certificate and private key. Using this option in conjunction with
 90 | B<--sign-only> allows the user to manually customise the openssl config
 91 | before generating the certificates. Mutually exclusive to B<--sign-only>.
 92 | 
 93 | =back
 94 | 
 95 | =head1 THE CA DIRECTORY STRUCTURE
 96 | 
 97 | B<ca-init> creates a number of subdirectories under the path specified in
 98 | the mandatory configuration variable B<CA_HOME>. This path must exist before
 99 | B<ca-init> will run correctly. All files and directories under this path
100 | will be created with a restrictive umask of 0027, and in particular the CA
101 | private key will be created with permissions of 0400.
102 | 
103 | It is recommended but not required that a non-privileged system "ssl" user and
104 | group are created for running the ca-scripts suite of utilities, and that any
105 | local services needing access to a certificate are added to the "ssl" group.
106 | Access to generate certificates can be bestowed to individuals on a multi-user
107 | system by adding them to the same group and allowing them to run ca-scripts
108 | utilities via sudo(8).
109 | 
110 | The directories B<ca-init> creates are as follows:
111 | 
112 | =over
113 | 
114 | =item I<cnf/>
115 | 
116 | Contains a cache of openssl configuration files created by the various
117 | ca-scripts utilities from templates.
118 | 
119 | =item I<crl/>
120 | 
121 | Contains the certificate revocation list for the CA in both PEM and DER forms.
122 | 
123 | =item I<crt/>
124 | 
125 | Contains the signed certificates generated by ca-create-cert(1).
126 | 
127 | =item I<csr/>
128 | 
129 | Contains the unsigned certificate signing requests generated by
130 | ca-create-cert(1).
131 | 
132 | =item I<db/>
133 | 
134 | Contains internal openssl(1ssl) database files required for certificate
135 | authority management.
136 | 
137 | =item I<idx/>
138 | 
139 | Contains signed certificates indexed by serial number to make certificate
140 | revocation simpler.
141 | 
142 | =item I<key/>
143 | 
144 | Contains the private keys associated with the certificates in I<crt/>.
145 | 
146 | =item I<p12/>
147 | 
148 | Contains any PKCS#12 certificate archives created by ca-create-cert(1).
149 | 
150 | =back
151 | 
152 | =head1 BUGS
153 | 
154 | Probably. Of particular note is that the default openssl configuration file
155 | requires the C (country) and O (organisation) fields of all generated
156 | certificates to match those in the CA certificate, but ca-create-cert(1)
157 | allows these fields to be changed.
158 | 
159 | =head1 AVAILABILITY
160 | 
161 | New releases of the ca-scripts utilities can be found at
162 | L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
163 | A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
164 | for development versions also exists.
165 | 
166 | =head1 AUTHORS
167 | 
168 | Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
169 | 
170 | =head1 SEE ALSO
171 | 
172 | ca-create-cert(1), ca-scripts.conf(5), openssl(1ssl), ca(1ssl), req(1ssl),
173 | x509(1ssl), config(5ssl), and x509v3_config(5ssl).
174 | 
175 | =cut
176 | 


--------------------------------------------------------------------------------
/tpl/ca-config.tpl:
--------------------------------------------------------------------------------
  1 | # CA configuration file template
  2 | 
  3 | # ---------------------------------------------------------------------------- #
  4 | # This defines the CA configuration to use
  5 | [ ca ]
  6 | default_ca = ca_scripts
  7 | 
  8 | # ---------------------------------------------------------------------------- #
  9 | # This defines our CA configuration
 10 | [ ca_scripts ]
 11 | # interpolation variables defining the directories to use
 12 | dir             = %CA_HOME%                     # root data directory of CA
 13 | db_dir          = $dir/db                       # database files are kept here
 14 | csr_dir         = $dir/csr                      # generated CSRs are kept here
 15 | crt_dir         = $dir/crt                      # signed CRTs are kept here
 16 | key_dir         = $dir/key                      # generated KEYs are kept here
 17 | crl_dir         = $dir/crl                      # generated CRL is kept here
 18 | new_certs_dir   = $dir/idx                      # default place for new CRTs
 19 | 
 20 | # required settings
 21 | database        = $db_dir/index.txt             # database index file
 22 | serial          = $db_dir/serial                # serial number index file
 23 | certificate     = $crt_dir/%CA_NAME%.ca.crt     # CA certificate
 24 | private_key     = $key_dir/%CA_NAME%.ca.key     # CA private key
 25 | crl             = $crl_dir/%CA_NAME%.ca.crl     # current CRL
 26 | RANDFILE        = $db_dir/.rand                 # private random number file
 27 | 
 28 | # these two CA directives can be commented out so that v1 CRLs are created
 29 | crlnumber       = $db_dir/crlnumber             # crlnumber index file
 30 | crl_extensions  = ca_crl_extensions             # extensions in v2 CRL
 31 | 
 32 | # x509v3 certificate extensions and certificate signing policy
 33 | x509_extensions = ca_x509_default_extensions
 34 | copy_extensions = copy                          # copy extensions from CSR to CRT
 35 | policy          = ca_extension_policy           # policy on required CSR attributes
 36 | 
 37 | # leave these defaults
 38 | name_opt        = oneline               # Subject Name options - x509(1)
 39 | cert_opt        = ca_default            # Certificate field options - x509(1)
 40 | default_days    = %CA_CRT_DAYS%         # how long to certify for
 41 | default_crl_days= %CA_CRL_DAYS%         # how long before next CRL
 42 | default_md      = sha1                  # which md to use.
 43 | preserve        = no                    # keep passed DN ordering
 44 | unique_subject  = no                    # recommended
 45 | email_in_dn     = no                    # remove email from CSR DN when signing
 46 | 
 47 | # ---------------------------------------------------------------------------- #
 48 | # This defines the CA's policy on required CSR attributes.
 49 | # It requires:
 50 | #   the country [C] to be supplied in the CSR and match the CA
 51 | #   the state or province [ST] to be supplied in the CSR
 52 | #   the locality [L] to be supplied in the CSR
 53 | #   the organisation name [O] to be supplied in the CSR and match the CA
 54 | #   the organisational unit [OU] to be supplied in the CSR
 55 | #   the server common name [CN] to be supplied in the CSR
 56 | # ... and an [emailAddress] may optionally be supplied in the CSR
 57 | # XXX: is this too restrictive or not restrictive enough?
 58 | #      should options for ca-create-cert to change "match" values even exist?
 59 | [ ca_extension_policy ]
 60 | countryName             = match
 61 | stateOrProvinceName     = supplied
 62 | localityName            = supplied
 63 | organizationName        = match
 64 | organizationalUnitName  = supplied
 65 | commonName              = supplied
 66 | emailAddress            = optional
 67 | 
 68 | # ---------------------------------------------------------------------------- #
 69 | # This defines the default x509 extensions present in a cert signed by the CA.
 70 | # These should be replaced by a specific set of extensions per certificate.
 71 | [ ca_x509_default_extensions ]
 72 | 
 73 | # certificates signed by this CA by default are not CA certificates themselves
 74 | basicConstraints        = CA:FALSE
 75 | 
 76 | # old netscape certificate attributes
 77 | nsCertType              = server
 78 | nsComment               = "%CA_DESC% Certificate"
 79 | nsRevocationUrl         = %CA_CRL_URI%
 80 | 
 81 | # key usage restrictions
 82 | keyUsage                = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
 83 | extendedKeyUsage        = serverAuth
 84 | 
 85 | issuerAltName           = issuer:copy
 86 | subjectAltName          = URI:%CA_CRT_URI%
 87 | subjectKeyIdentifier    = hash
 88 | authorityKeyIdentifier  = keyid,issuer:always
 89 | authorityInfoAccess     = caIssuers;URI:%CA_CRT_URI%
 90 | crlDistributionPoints   = URI:%CA_CRL_URI%
 91 | 
 92 | # ---------------------------------------------------------------------------- #
 93 | # This defines the x509 extensions present in the generated CA certificate.
 94 | [ ca_x509_extensions ]
 95 | 
 96 | # this certificate is authoritative and allowed to sign other certificates
 97 | # pathlen=1 implies there may be up to one intermediate CA in the chain
 98 | # that leads to this root CA certificate.
 99 | basicConstraints        = critical,CA:TRUE,pathlen:%CA_PATHLEN%
100 | 
101 | # old netscape certificate attributes
102 | nsCertType              = objsign, sslCA, emailCA, objCA
103 | nsComment               = "%CA_DESC%"
104 | nsRevocationUrl         = %CA_CRL_URI%
105 | nsCaRevocationUrl       = %CA_CRL_URI%
106 | 
107 | # key usage restrictions
108 | keyUsage                = critical, cRLSign, keyCertSign
109 | extendedKeyUsage        = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
110 | 
111 | issuerAltName           = @ca_altname
112 | subjectAltName          = @ca_altname
113 | subjectKeyIdentifier    = hash
114 | authorityKeyIdentifier  = keyid,issuer:always
115 | authorityInfoAccess     = caIssuers;URI:%CA_CRT_URI%
116 | crlDistributionPoints   = URI:%CA_CRL_URI%
117 | 
118 | # ---------------------------------------------------------------------------- #
119 | # This is a separate section defining the attributes in the CA's subjectAltName.
120 | [ ca_altname ]
121 | URI=%CA_CRT_URI%
122 | DNS.1=%CA_DOMAIN%
123 | DNS.2=*.%CA_DOMAIN%
124 | email=%CA_EMAIL%
125 | 
126 | # ---------------------------------------------------------------------------- #
127 | # This defines the extensions present in the CRLs generated by this CA.
128 | [ ca_crl_extensions ]
129 | issuerAltName           = issuer:copy
130 | authorityKeyIdentifier  = keyid:always, issuer:always
131 | # the below is only supported in the very latest releases of openssl
132 | # issuingDistributionPoint= URI:%CA_CRL_URI%
133 | 
134 | # ---------------------------------------------------------------------------- #
135 | # This defines the extensions present in the CSRs created by this CA.
136 | [ ca_req_extensions ]
137 | basicConstraints        = critical, CA:FALSE
138 | keyUsage                = critical, nonRepudiation, keyEncipherment, keyAgreement
139 | extendedKeyUsage        = serverAuth
140 | 
141 | # ---------------------------------------------------------------------------- #
142 | # This defines default settings for certificate requests and CA cert creation.
143 | [ req ]
144 | default_bits            = %CA_CRT_BITS%
145 | default_md              = sha1
146 | distinguished_name      = ca_req_dn
147 | x509_extensions         = ca_x509_extensions
148 | req_extensions          = ca_req_extensions
149 | string_mask             = nombstr
150 | prompt                  = no
151 | 
152 | # ---------------------------------------------------------------------------- #
153 | # This defines the DN of the CA certificate.
154 | [ ca_req_dn ]
155 | C                       = %CA_DN_C%
156 | ST                      = %CA_DN_ST%
157 | L                       = %CA_DN_L%
158 | O                       = %CA_DN_O%
159 | OU                      = %CA_DN_OU%
160 | CN                      = %CA_DN_CN%
161 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ca-scripts
  2 | ==========
  3 | 
  4 | A set of **bash**(1) scripts for working with SSL Certificate Authorities.
  5 | 
  6 | These scripts are designed to provide a configurable wrapping layer around
  7 | [**openssl**(1)](http://www.openssl.org/), similar to CA.pl. They're potentially
  8 | a little heavyweight if you just need a single self-signed certificate to secure
  9 | an HTTPs webserver, but they may come in handy if you want to:
 10 | 
 11 |   * Generate multiple service certificates signed by a single authority
 12 |   * Provide signed client certificates to end users for authentication purposes
 13 |   * Provide client certificates for S/MIME encrypted e-mail or code signing
 14 |   * Easily set extensions such as x509v3 subjectAltName in your certificates
 15 | 
 16 | Portability
 17 | -----------
 18 | 
 19 | Currently, these scripts are limited to systems with a recent install of
 20 | **openssl**(1), GNU **date**(1) -- sorry BSD folks; patches welcome -- and
 21 | version 3 or greater of **bash**(1).
 22 | 
 23 | Installation
 24 | ------------
 25 | 
 26 | There aren't any tarballs as yet. Nor will the `make` command below work until
 27 | I've written a Makefile. It's coming, sometime. Sorry ;-)
 28 | 
 29 |     $ git clone git://github.com/fluffle/ca-scripts
 30 |     $ cd ca-scripts
 31 |     $ make; sudo make install
 32 | 
 33 | This will by default install to `/usr/local`, either `export PREFIX=/path` or
 34 | `make PREFIX=/path; sudo make PREFIX=/path install` to change this to an
 35 | alternative location.
 36 | 
 37 | Creating a Certificate Authority
 38 | --------------------------------
 39 | 
 40 |   Before running **ca-init**(1), a configuration file for the CA scripts must be
 41 | created. This configuration file sets up some templating variables that will
 42 | be present in certificates created for this CA, such as the domain, CA name,
 43 | and the root directory which will be populated with the generated certificates.
 44 | An example configuration file is provided with the scripts, and the comments
 45 | should be self-explanatory.
 46 | 
 47 |   By default the CA scripts will read `/etc/ca-scripts.conf`. This is fine for
 48 | creating a single CA serving a single domain with no intermediary certificates,
 49 | but for a more complex setup a directory of configuration files will probably
 50 | be needed. Some settings are required, namely the **CA\_HOME**, **CA\_DOMAIN**,
 51 | and **CA\_DN\_\*** variables, while others can be inferred from these or have
 52 | sensible defaults set. See **ca-scripts.conf**(5) for more detail on these.
 53 | 
 54 |   Once the configuration has been created the initial CA setup can be performed
 55 | with **ca-init(1)**, but please note that the path set in **CA\_HOME** must exist
 56 | and be writeable before it will run correctly. It is recommended (but not in an
 57 | way required) to create an unprivileged "ssl" user to run all the scripts as, so
 58 | the permissions are correctly set. A number of subdirectories will be set
 59 | up underneath this root, and an openssl configuration file, certificate and
 60 | private key will be generated. This key can be 3DES encrypted for security.
 61 | 
 62 |   Optionally, it is possible to split the initial setup process so that the
 63 | directory structure and openssl configuration generation can be done in a
 64 | seperate step to the generation of the CA certificates, so that the config can
 65 | be manually edited. To fully understand it's contents you're unfortunately
 66 | going to need to read the following:
 67 | 
 68 |   * [**ca**(1ssl)](http://www.openssl.org/docs/apps/ca.html)
 69 |   * [**req**(1ssl)](http://www.openssl.org/docs/apps/req.html)
 70 |   * [**x509**(1ssl)](http://www.openssl.org/docs/apps/x509.html)
 71 |   * [**config**(5ssl)](http://www.openssl.org/docs/apps/config.html)
 72 |   * [**x509v3\_config**(5ssl)](http://www.openssl.org/docs/apps/x509v3_config.html)
 73 | 
 74 | Particularly important are the x509v3 extensions present in the certificate,
 75 | which are defined in the "ca\_x509\_extensions" section of the config file.
 76 | 
 77 | Creating a certificate
 78 | ----------------------
 79 | 
 80 |   The **ca-create-cert**(1) script can generate three "types" of certificate:
 81 | *server* certificates for securing a service with SSL/TLS; *client* certificates
 82 | for authenticating a client to these services; and *user* certificates for
 83 | authentication, S/MIME e-mail signing or encryption, and code signing. There
 84 | are minor but important differences in the key usage extensions present in
 85 | these different certificate types, details can be found in the documentation
 86 | for **ca-create-cert**(1). In each case, a Common Name must be provided to give
 87 | a unique name for the certificate.
 88 | 
 89 |   **ca-create-cert**(1) takes a number of options to customise the generated
 90 | certificate. The **--type** option defaults to creating *server* certs. It is
 91 | likely that the **--alt-name** option (which sets X.509v3 subjectAltName DNS
 92 | records for other hostnames for the server) will be useful; it may also be used
 93 | when creating *client* certs.  Both the server hostname and any alternative
 94 | names will be fully-qualified to **CA\_DOMAIN** if they do not contain any dots
 95 | unless the **--no-qualify** option is used. If unqualified names are passed in
 96 | they are preserved as alternative DNS names in the certificate. The private key
 97 | may be encrypted with 3DES using the **--encrypt** option, and the certificate,
 98 | key, and CA certificate can be bundled together into a PKCS#12 format
 99 | certificate archive by passing **--pkcs12**. By default certificates are valid
100 | for 365 days from signing, but this may be changed with the **--days** option.
101 | 
102 |   The certificate's DN can be completely changed from the defaults provided by
103 | **ca-scripts.conf**(5), but be wary as by default the generated openssl config
104 | file requires that the country (C) and organisation (O) fields match those of
105 | the CA certificate. A comment may also be set that will show up in user browsers
106 | when they click on their padlock icons to examine the certificate's properties.
107 | As  with the CA setup, the steps to generate the certificate can be split up so
108 | that configurations that are created from templates can be edited beforehand.
109 | 
110 | Renewing a certificate
111 | ----------------------
112 | 
113 |   Certificates are renewed using **ca-renew-cert**(1). This script currently
114 | does some painful certificate manipulation that is not strictly necessary in
115 | most cases, and may in fact decrease SSL security slightly. This is done because
116 | the normal renewal process re-generates the certificate signing request and
117 | thus creates a new public/private keypair. If the certificates are used for
118 | S/MIME encryption or code signing, this renders all the encrypted e-mail
119 | unreadable and requires you to re-sign the code with your new private key.
120 | 
121 |   To avoid this, **ca-renew-cert**(1) re-signs the old certificate request with
122 | a new expiry date using the extensions generated when the old certificate was
123 | signed. In the future it is possible (even likely) that this renewal method
124 | will only be used on *user* type certificates, and the *server* and *client*
125 | types will be renewed normally. If the current renewal method doesn't provide
126 | sufficient security, the current certificate should be revoked and a new one
127 | generated that is valid for the correct period of time using the **--days**
128 | option to **ca-create-cert**(1).
129 | 
130 |   As with the certificate creation script a Common Name can be passed to
131 | identify the certificate to renew; alternatively the path to a previously
132 | created certificate can be given. Internally these will be both be resolved to
133 | the correct information required for certificate renewal.
134 | 
135 | Revoking a certificate
136 | ----------------------
137 | 
138 |   To revoke a certificate and re-generate the CA certficate revocation list in
139 | both PEM and DER encodings, invoke **ca-revoke-cert**(1), again providing a
140 | Common Name or the path to the certificate to be revoked. Along with
141 | **ca-init**(1) this script can optionally generate a basic HTML template to
142 | serve the CA certificate and CRL with verifiable MD5 and SHA1 checksums.
143 | 


--------------------------------------------------------------------------------
/doc/ca-scripts.conf.pod:
--------------------------------------------------------------------------------
  1 | #! /bin/sh
  2 | 
  3 | if [ -z "$1" -o "$1" == "man" ]; then
  4 |   exec /usr/bin/pod2man -n CA-SCRIPTS.CONF -s 5 -d "12 February 2010" \
  5 |     -r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
  6 | elif [ "$1" == "html" ]; then
  7 |   exec /usr/bin/pod2html --title "ca-scripts.conf(5)" < $0
  8 | elif [ "$1" == "text" ]; then
  9 |   exec /usr/bin/pod2text -o $0
 10 | fi
 11 | echo "Unrecognised output format '$1', try man, html, or text."
 12 | exit 1
 13 | 
 14 | =pod
 15 | 
 16 | =head1 NAME
 17 | 
 18 | ca-scripts.conf - configuration file for ca management scripts
 19 | 
 20 | =head1 SYNOPSIS
 21 | 
 22 | B</etc/ca-scripts.conf>
 23 | 
 24 | =head1 DESCRIPTION
 25 | 
 26 | The B<ca-scripts.conf> configuration file is used to set various parameters for
 27 | the creation of certificate authorities and signed certificates. It is sourced
 28 | directly and must be valid bash(1) syntax.
 29 | 
 30 | =head1 OPTIONS
 31 | 
 32 | =head2 Required Configuration Settings
 33 | 
 34 | The following settings MUST be present in the configuration file for the ca
 35 | management scripts to work. The values given in this manpage are the ones from
 36 | the example configuration file.
 37 | 
 38 | =over
 39 | 
 40 | =item B<CA_HOME>="/etc/ssl/ca-scripts"
 41 | 
 42 | CA_HOME provides the path to the root of the CA directory tree. This directory
 43 | must exist and be writeable by the user running the scripts.
 44 | 
 45 | =item B<CA_DOMAIN>="example.com"
 46 | 
 47 | CA_DOMAIN provides a template for other optional variables and the filenames
 48 | that are generated within the directory tree. It should be set to the domain
 49 | that you are generating SSL certificates for.
 50 | 
 51 | =back
 52 | 
 53 | =head2 CA Distinguished Name Configuration
 54 | 
 55 | These settings configure the Distinguished Name fields present in the CA
 56 | certificate generated by ca-init(1) and provide default values for the DN
 57 | fields in other certificates generated by ca-create-cert(1). They should be
 58 | set to sensible defaults for the organisation you are generating SSL
 59 | certificates for, and MUST be present in the configuration file.
 60 | 
 61 | =over
 62 | 
 63 | =item B<CA_DN_C>="GB"
 64 | 
 65 | CA_DN_C sets the I<Country> (C) field of the DN. It should be the two-letter
 66 | country code for the country your organisation resides in.
 67 | 
 68 | =item B<CA_DN_ST>="London"
 69 | 
 70 | CA_DN_ST sets the I<State> (ST) field of the DN.
 71 | 
 72 | =item B<CA_DN_L>="Example House, Mayfair"
 73 | 
 74 | CA_DN_L sets the I<Locality> (L) field of the DN.
 75 | 
 76 | =item B<CA_DN_O>="Example Security Services Ltd."
 77 | 
 78 | CA_DN_O sets the I<Organisation> (O) field of the DN.
 79 | 
 80 | =item B<CA_DN_OU>="Example Internet Encryption Division"
 81 | 
 82 | CA_DN_OU sets the I<Organisational Unit> (OU) field of the DN.
 83 | 
 84 | =item B<CA_DN_CN>="Example Security Services Root Certificate Authority"
 85 | 
 86 | CA_DN_CN sets the I<Common Name> (CN) field of the DN. This is what users will
 87 | see listed in their browser when they look at the certificate properties.
 88 | 
 89 | =back
 90 | 
 91 | =head2 Optional Configuration Settings
 92 | 
 93 | These settings can be derived programmatically from the above, or have sensible
 94 | defaults that may be overridden in the configuration file.
 95 | 
 96 | =over
 97 | 
 98 | =item B<CA_DESC>="$CA_DN_CN"
 99 | 
100 | CA_DESC configures a single-line description for your CA. Using the CN= or O=
101 | line from your DN is recommended. This is used as the I<nsComment> extension in
102 | the generated CA certificate, and as a header in the default HTML template.
103 | 
104 | =item B<CA_EMAIL>="ca@$CA_DOMAIN"
105 | 
106 | CA_EMAIL provides an e-mail address that is embedded into all generated
107 | certificates as a point-of-contact for the issuing certificate authority. It's
108 | probably a good idea to ensure that this address is valid and checked
109 | regularly.
110 | 
111 | =item B<CA_CRT_URI>="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
112 | 
113 | =item B<CA_CRL_URI>="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
114 | 
115 | CA_CRT_URI and CA_CRL_URI provide globally accessible locations where the CA
116 | certificate and revocation lists can be found. These are embedded into every
117 | generated certificate, so they should point to valid URIs.
118 | 
119 | =item B<CA_DAYS>=3650
120 | 
121 | =item B<CA_CRT_DAYS>=365
122 | 
123 | =item B<CA_CRL_DAYS>=365
124 | 
125 | CA_CRT_DAYS and CA_CRL_DAYS sets the default validity period for certificates
126 | respectively. If your CA generates and revokes a lot of certificates, it is
127 | probably a good idea to reduce the latter value considerably or use OCSP
128 | instead.
129 | 
130 | =item B<CA_CRT_BITS>=2048
131 | 
132 | CA_CRT_BITS sets the default key length for generated private keys.
133 | 
134 | =item B<CA_CRT_TYPE>="server"
135 | 
136 | CA_CRT_TYPE sets the default type of certificate created by ca-create-cert(1).
137 | This can be set to I<server>, I<client>, or I<user>.
138 | 
139 | =item B<CA_PATHLEN>=0
140 | 
141 | CA_PATHLEN sets the maximum number of intermediate CA certificates that can be
142 | in the chain of authority between the root CA and the final certificate.
143 | 
144 | =back
145 | 
146 | =head2 Certificate Distinguished Name Configuration
147 | 
148 | The DN of a certificate generated with ca-create-cert(1) defaults to copying
149 | that of the CA, but alternative defaults can be set instead using the following
150 | options. These values are more usually set with command-line arguments, but
151 | there may be useful reasons to do otherwise. Note that there is no way to set a
152 | default CN, as this should be unique to the certificate being generated.
153 | 
154 | =over
155 | 
156 | =item B<CA_CRT_C>="$CA_DN_C"
157 | 
158 | CA_CRT_C sets the I<Country> (C) field of the DN. It should be the two-letter
159 | country code for the country your organisation resides in. WARNING: changing
160 | this from the value in your CA certificate may break certificate validation,
161 | due to the extension policy defined in the openssl configuration for the CA.
162 | Equivalent to the B<--country> argument to ca-create-cert(1).
163 | 
164 | =item B<CA_CRT_ST>="$CA_DN_ST"
165 | 
166 | CA_CRT_ST sets the I<State> (ST) field of the DN. Equivalent to B<--state>.
167 | 
168 | =item B<CA_CRT_L>="$CA_DN_L"
169 | 
170 | CA_CRT_L sets the I<Locality> (L) field of the DN. Equivalent to B<--loc>.
171 | 
172 | =item B<CA_CRT_O>="$CA_DN_O"
173 | 
174 | CA_CRT_O sets the I<Organisation> (O) field of the DN. WARNING: changing
175 | this from the value in your CA certificate may break certificate validation,
176 | due to the extension policy defined in the openssl configuration for the CA.
177 | Equivalent to B<--org>.
178 | 
179 | =item B<CA_CRT_OU>="$CA_DN_OU"
180 | 
181 | CA_CRT_OU sets the I<Organisational Unit> (OU) field of the DN. Equivalent to
182 | B<--ounit>.
183 | 
184 | =item B<CA_CRT_E>="$CA_EMAIL"
185 | 
186 | CA_CRT_E sets the I<E-Mail Address> (E) field of the DN. This will be moved
187 | into the X.509v3 I<subhectAltName> extension when the certificate is signed as
188 | per the X.509 spec. Equivalent to B<--email>.
189 | 
190 | =back
191 | 
192 | =head1 TEMPLATING
193 | 
194 | Under the hood, the ca management scripts work by substituting values from the
195 | configuration file and command line arguments into a set of config(5)
196 | templates, then calling the openssl(1) binary to Do The Right Thing. The HTML
197 | for the CA index page is generated in the same manner.
198 | 
199 | =head1 CAVEATS
200 | 
201 | The templating system is really just a couple of bash(1) functions that build
202 | up a sed(1) script to substitute environment variables into the template files.
203 | It works, but could potentially be considered as a bug just for existing. Using
204 | ascii 1 ("\001", ctrl-a) in your templating variables will break Everything.
205 | Don't do it!
206 | 
207 | =head1 AVAILABILITY
208 | 
209 | New releases of the ca-scripts utilities can be found at
210 | L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
211 | A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
212 | for development versions also exists.
213 | 
214 | =head1 AUTHORS
215 | 
216 | Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
217 | 
218 | =head1 SEE ALSO
219 | 
220 | ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-revoke-cert(1),
221 | openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
222 | 
223 | =cut
224 | 


--------------------------------------------------------------------------------
/bin/ca-create-cert:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -e
  3 | source $(dirname $(readlink -f $0))/../lib/ca-functions
  4 | 
  5 | ALT_NAMES=()
  6 | QUALIFY=1
  7 | CNF_ONLY=0
  8 | CSR_ONLY=0
  9 | CRT_ONLY=0
 10 | MAKE_P12=0
 11 | 
 12 | # XXX: in the ca_extension_policy section of ca-config.tpl it states that the
 13 | #      C= and O= DN values in a CSR have to match those of the CA
 14 | #      should we have options here to change them when it will cause breakage?
 15 | usage() {
 16 |     cat <<__EOT__
 17 | Usage:
 18 |   $PROGNAME [options] <common name>
 19 | 
 20 | Options:
 21 |   -h, --help            Print this helpful message!
 22 |   -c, --encrypt         Encrypt certificate private key with Triple-DES
 23 |   -f, --config FILE     Use config file instead of $CONFFILE
 24 |   -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
 25 |   -d, --days DAYS       Certificate valid for DAYS days instead of CA_CRT_DAYS
 26 |   -b, --bits BITS       Generate a BITS bit certificate instead of CA_CRT_BITS
 27 |   -n, --alt-name NAME   Alternative host name (can be provided multiple times)
 28 |   -i, --ip IP ADDRESS   IP addresses to include in the certificate
 29 |   -p, --pkcs12          Create PKCS#12 certificate archive from generated cert
 30 |   -q, --no-qualify      Don't qualify short (dotless) names with CA_DOMAIN
 31 |   -r, --req-only        Only generate CSR, don't sign it
 32 |   -s, --sign-only       Only sign certificate, requires CSR in place
 33 |   -x, --cnf-only        Only generate templates, do not create CSR or sign CRT
 34 |   --country             Certificate DN -- C
 35 |   --state               Certificate DN -- ST
 36 |   --loc                 Certificate DN -- L
 37 |   --org                 Certificate DN -- O
 38 |   --ounit               Certificate DN -- OU
 39 |   --email               Certificate DN -- E
 40 |   --comment             Certificate nsComment field
 41 | 
 42 | __EOT__
 43 | }
 44 | 
 45 | short="hcf:t:d:b:n:i:pqrsx"
 46 | long="help,encrypt,config:,type:,days:,bits:,alt-name:,ip:"
 47 | long="$long,pkcs12,no-qualify,req-only,sign-only,cnf-only"
 48 | long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
 49 | opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 50 | if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 51 | eval set -- "$opts";
 52 | 
 53 | while :; do
 54 |     case "$1" in
 55 |         -h|--help) usage; exit 0;;
 56 |         -c|--encrypt) CRYPTKEY=""; shift;;
 57 |         -f|--config) shift; CONFFILE="$1"; CONFFILECLI=1; shift;;
 58 |         -t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
 59 |         -d|--days) shift; USER_CA_CRT_DAYS="$1"; shift;;
 60 |         -b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
 61 |         -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
 62 |         -i|--ip) shift; ALT_IPS+=("$1"); shift;;
 63 |         -p|--pkcs12) MAKE_P12=1; shift;;
 64 |         -q|--no-qualify) QUALIFY=0; shift;;
 65 |         -r|--req-only) CSR_ONLY=1; shift;;
 66 |         -s|--sign-only) CRT_ONLY=1; shift;;
 67 |         -x|--cnf-only) CNF_ONLY=1; shift;;
 68 |         --country) shift; USER_CA_CRT_C="$1"; shift;;
 69 |         --state) shift; USER_CA_CRT_ST="$1"; shift;;
 70 |         --location) shift; USER_CA_CRT_L="$1"; shift;;
 71 |         --org) shift; USER_CA_CRT_O="$1"; shift;;
 72 |         --ounit) shift; USER_CA_CRT_OU="$1"; shift;;
 73 |         --email) shift; USER_CA_CRT_E="$1"; shift;;
 74 |         --comment) shift; USER_CA_CRT_COMMENT="$1"; shift;;
 75 |         --) shift; break;;
 76 |         *) echo "Unknown value '$1'"; exit 1;;
 77 |     esac
 78 | done
 79 | 
 80 | # load up the configuration file
 81 | ca_load_conf
 82 | 
 83 | # This must be provided on the command line. There's no point setting a
 84 | # "default" certificate CN in the config, it should be different every time.
 85 | CA_CRT_CN="$1"
 86 | 
 87 | # parameter checking fun -- we need a type and a cn (either user or host name)
 88 | if [ -z "$CA_CRT_CN" ]; then
 89 |     error "The host or username parameter is mandatory!"
 90 | fi
 91 | 
 92 | if [ 1 -eq "$CSR_ONLY" -a 1 -eq "$CRT_ONLY" ]; then
 93 |     error "Options --csr-only and --crt-only are mutually exclusive."
 94 | fi
 95 | 
 96 | if [ "$CA_CRT_TYPE" = "user" ]; then
 97 |     # append @$CA_DOMAIN to user CN if it's not already there and -q not set
 98 |     if [ 1 -eq "$QUALIFY" -a "${CA_CRT_CN%%@*}" = "$CA_CRT_CN" ]; then
 99 |         CA_CRT_CN="$CA_CRT_CN@$CA_DOMAIN";
100 |     fi
101 | else
102 |     # fully qualify server or client CN with $CA_DOMAIN if it's not already
103 |     if [ 1 -eq "$QUALIFY" -a "${CA_CRT_CN%%.*}" = "$CA_CRT_CN" ]; then
104 |         # however we may also want the unqualified one as an alt-name
105 |         ALT_NAMES+=("$CA_CRT_CN")
106 |         CA_CRT_CN="$CA_CRT_CN.$CA_DOMAIN"
107 |     fi
108 | fi
109 | CNF_NAME=$( echo -n "$CA_CRT_CN" | tr -c '[:alnum:]@-' _ )".$CA_CRT_TYPE";
110 | 
111 | # if they've provided a comment, reformat it correctly
112 | if [ -n "$CA_CRT_COMMENT" ]; then
113 |     CA_CRT_COMMENT="$( tr -d\" <<< $CA_CRT_COMMENT )"
114 |     CA_CRT_COMMENT="nsComment               = \"$CA_CRT_COMMENT\"\n"
115 | else
116 |     CA_CRT_COMMENT=""
117 | fi
118 | 
119 | CA_CRT_ALT_NAMES=""
120 | # generate a list of alternative DNS names for server or client certificates
121 | if [ "$CA_CRT_TYPE" != "user" ]; then
122 |     i=1
123 |     for ALT_NAME in "$CA_CRT_CN" "${ALT_NAMES[@]}"; do
124 |         # also fully-qualify unqualified alt-names too (see below)
125 |         # NOTE: except when it's the previously-fully-qualified CN...
126 |         # XXX: maybe we should uniq the alt-names? hmm.
127 |         if [ 1 -eq "$QUALIFY" -a "${ALT_NAME%%.*}" = "$ALT_NAME" \
128 |           -a "${CA_CRT_CN%%.*}" != "$ALT_NAME" ]; then
129 |             CA_CRT_ALT_NAMES="${CA_CRT_ALT_NAMES}DNS.$i=$ALT_NAME.$CA_DOMAIN\n"
130 |             i=$(( $i+1 ))
131 |         fi
132 |         CA_CRT_ALT_NAMES="${CA_CRT_ALT_NAMES}DNS.$i=$ALT_NAME\n"
133 |         i=$(( $i+1 ))
134 |     done
135 |     p=1
136 |     for ALT_IP in "${ALT_IPS[@]}"; do
137 |         # add ips as IP.x
138 |             CA_CRT_ALT_NAMES="${CA_CRT_ALT_NAMES}IP.$p=$ALT_IP\n"
139 |             p=$(( $p+1 ))
140 |     done
141 | fi
142 | 
143 | if [ 1 -ne "$CRT_ONLY" ]; then
144 |     if [ 1 -eq "$CNF_ONLY" -o "$CSR_ONLY" -eq "$CNF_ONLY" ]; then
145 |         # dirty logic here that probably needs commenting!
146 |         # generate a *new* certificate request configuration if...
147 |         #   a) --cnf-only is set, i.e. we only want to generate a config
148 |         #   b) both --cnf-only and --csr-only are unset, i.e.
149 |         #      we're just generating a csr/crt as per usual
150 |         #   c) both --cnf-only and --csr-only are set, i.e.
151 |         #      we're just generating the config and not the csr itself
152 |         ca_template "req-config" "$CA_HOME/cnf/$CNF_NAME.req.cnf"
153 |     fi
154 |     if [ 1 -ne "$CNF_ONLY" ]; then
155 |         if [ ! -f "$CA_HOME/cnf/$CNF_NAME.req.cnf" ]; then
156 |             error "Couldn't find CSR config $CA_HOME/cnf/$CNF_NAME.req.cnf!"
157 |         fi
158 |         # the above logic means that if you pass --csr-only but not
159 |         # --cnf-only, you can re-use a pre-existing config to generate
160 |         # a new csr, should you wish to do so...
161 |         openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CNF_NAME.req.cnf" \
162 |           -keyout "$CA_HOME/key/$CNF_NAME.key" \
163 |           -out    "$CA_HOME/csr/$CNF_NAME.csr"
164 |     fi
165 | fi
166 | if [ 1 -ne "$CSR_ONLY" ]; then
167 |     if [ 1 -eq "$CNF_ONLY" -o "$CRT_ONLY" -eq "$CNF_ONLY" ]; then
168 |         # same logic above applies here, but for generating the extensions
169 |         # configuration file and signed certificate instead
170 |         ca_template "$CA_CRT_TYPE-ext" "$CA_HOME/cnf/$CNF_NAME.ext.cnf"
171 |     fi
172 |     if [ 1 -ne "$CNF_ONLY" ]; then
173 |         # ensure relevant files are in place before continuing...
174 |         if [ ! -f "$CA_HOME/csr/$CNF_NAME.csr" ]; then
175 |             error "CSR not present in $CA_HOME/csr/$CNF_NAME.csr"
176 |         fi
177 |         if [ ! -f "$CA_HOME/cnf/$CNF_NAME.ext.cnf" ]; then
178 |             error "Couldn't find extensions in $CA_HOME/cnf/$CNF_NAME.ext.cnf"
179 |         fi
180 |         openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
181 |           -days    "$CA_CRT_DAYS" \
182 |           -md      "$CA_DEFAULT_MD" \
183 |           -extfile "$CA_HOME/cnf/$CNF_NAME.ext.cnf" -batch \
184 |           -out     "$CA_HOME/crt/$CNF_NAME.crt" \
185 |           -in      "$CA_HOME/csr/$CNF_NAME.csr"
186 |     fi
187 | fi
188 | 
189 | if [ 1 -eq "$MAKE_P12" ]; then
190 |     ca_gen_p12 "$CNF_NAME"
191 | fi
192 | 


--------------------------------------------------------------------------------
/lib/ca-functions:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # Common functions for ca-scripts.
  3 | 
  4 | PROGNAME=$( basename $0 )
  5 | CONFFILE="/etc/ca-scripts.conf"
  6 | OVERRIDE_FILE=/tmp/$$ca_overrides.conf
  7 | SHAREDIR=$(dirname $(readlink -f $0))/../tpl
  8 | CRYPTKEY="-nodes"
  9 | INDEXTPL="index-html"
 10 | INDEXOUT=""
 11 | 
 12 | # ideally, run these scripts as an unprivileged "ssl" user/group
 13 | # and place users that need access to ssl certs into that group
 14 | # no world-readable stuff here
 15 | umask 027
 16 | 
 17 | error() {
 18 |     usage >&2
 19 |     echo -e "ERROR: $1\n" >&2
 20 |     exit 1
 21 | }
 22 | 
 23 | ca_check_var() {
 24 |     local varname vartest
 25 | 
 26 |     varname="$1"
 27 |     vartest="$2"
 28 |     eval "if [ ! $vartest \"\$$varname\" ]; then
 29 |               echo '$varname value \"\$$varname\" failed \"$vartest\" test'
 30 |           fi"
 31 | }
 32 | 
 33 | ca_override_conf() {
 34 |     local varname
 35 | 
 36 | 
 37 |     varname="${1#USER_}"
 38 |     #eval "$varname=\"\$USER_$varname\""
 39 |     # fix for user overrides scope issue
 40 |     # push variables to a file to source them later
 41 |     echo "$varname=\"\$USER_$varname\"" >> $OVERRIDE_FILE
 42 | 
 43 | }
 44 | 
 45 | ca_set_default() {
 46 |     local varname vardef
 47 | 
 48 |     varname="$1"
 49 |     vardef="$2"
 50 |     eval "if [ -z \"\$$varname\" ]; then
 51 |               $varname=\"$vardef\"
 52 |           fi"
 53 | }
 54 | 
 55 | ca_load_conf() {
 56 |     local varname vartest varerr vardef error ca_name
 57 |     if [ -r "$HOME/.ca-scripts.conf" ]; then
 58 |         # Does a system-wide config exist? If so load it first.
 59 |         if [ -r "$CONFFILE" ]; then
 60 |             source "$CONFFILE"
 61 |         fi
 62 |         # Override system configuration with local values.
 63 | 	# If manually set on command-line, don't load.
 64 |         if [ -z "$CONFFILECLI" ]; then
 65 |             source "$HOME/.ca-scripts.conf"
 66 |         fi
 67 |     elif [ -r "$CONFFILE" ]; then
 68 |         source "$CONFFILE"
 69 |     else
 70 |         if [ -n "$CONFFILECLI" ]; then
 71 |             error "Unable to load $HOME/.ca-scripts.conf or $CONFFILE"
 72 |         else
 73 |             error "Unable to load $CONFFILE"
 74 |         fi
 75 |     fi
 76 | 
 77 |     # TODO: Refactored config loader with error fallback, allowing local overrides.
 78 |     #if [ ! -r "$CONFFILE" ]; then
 79 |     #    error "Unable to find $CONFFILE."
 80 |     #fi
 81 |     ## XXX: seems like . <file> doesn't work if it's not relative to a directory
 82 |     ##      look this up on the internet sometime to work out why...
 83 |     #if [ "$CONFFILE" = "$( basename $CONFFILE )" ]; then
 84 |     #    CONFFILE="./$CONFFILE"
 85 |     #fi
 86 |     #. "$CONFFILE"
 87 | 
 88 |     error=""
 89 |     while read vartest varname; do
 90 |         varerr=$( ca_check_var "$varname" "$vartest" )
 91 |         if [ -n "$varerr" ]; then
 92 |             error="$error\n  $varerr"
 93 |         fi
 94 |     done <<__TESTS__
 95 | -d CA_HOME
 96 | -n CA_DOMAIN
 97 | -n CA_DN_C
 98 | -n CA_DN_ST
 99 | -n CA_DN_L
100 | -n CA_DN_O
101 | -n CA_DN_OU
102 | -n CA_DN_CN
103 | __TESTS__
104 |     if [ -n "$error" ]; then
105 |         error "Parsing config file $CONFFILE failed:\n$error"
106 |     fi
107 | 
108 |     # check user-provided variables and copy them to CA_ namespace to override
109 |     # any defaults that have potentially been set in configuration file
110 |     # XXX: this is getting really dirty now, perhaps find an alternative?
111 |     set | awk -F\= '/^USER_CA_[A-Z_]*=/{print $1}' | while read user_var; do
112 |         ca_override_conf "$user_var"
113 |     done
114 |     #Check if fike containing user overrides exist
115 |     # the file is created if any USER_CA.* variables are set
116 |      [ -f $OVERRIDE_FILE ] && source $OVERRIDE_FILE
117 |     # remove file after sourcing it
118 |      [ -f $OVERRIDE_FILE ] && rm -rf $OVERRIDE_FILE
119 |     # XXX: and this alternative should probably have better validation ;-)
120 |     case "$CA_CRT_TYPE" in
121 |         server|client|user) :;;
122 |         *) error "Unrecognised certificate type '$CA_CRT_TYPE'!";;
123 |     esac
124 | 
125 |     # we need to do these first to use them in other default defs
126 |     # NOTE: bash's here-string syntax appends \n which tr turns to _ :(
127 |     # CA_NAME is NOT configurable, due to the breakage this could cause.
128 |     CA_NAME="$( echo -n "$CA_DOMAIN" | tr -c '[:alnum:]@-' _ )"
129 |     ca_set_default CA_EMAIL "ca@$CA_DOMAIN"
130 | 
131 |     while read varname vardef; do
132 |         ca_set_default "$varname" "$vardef"
133 |     done <<__DEFAULTS__
134 | CA_DESC         $CA_DN_CN
135 | CA_DAYS         3652
136 | CA_PATHLEN      0
137 | CA_CRT_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
138 | CA_CRL_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
139 | CA_CRT_DAYS     365
140 | CA_CRL_DAYS     365
141 | CA_CRT_BITS     2048
142 | CA_CRT_TYPE     server
143 | CA_CRT_C        $CA_DN_C
144 | CA_CRT_ST       $CA_DN_ST
145 | CA_CRT_L        $CA_DN_L
146 | CA_CRT_O        $CA_DN_O
147 | CA_CRT_OU       $CA_DN_OU
148 | CA_CRT_E        $CA_EMAIL
149 | CA_DEFAULT_MD   sha256
150 | __DEFAULTS__
151 | }
152 | 
153 | # TODO: Remove this, as it's no longer used.
154 | ca_sed_cmd() {
155 |     # MD5 in CA_CR[TL]_MD5_FP has a non alphabetic character :(
156 |     # XXX: pretty sure this is a dirty and wrong way of templating vars
157 |     #      but we can hope that there's no ascii 001 in the values...
158 |     set | awk -F\= '/^CA_[A-Z5_]*=/{print $1}' | while read ca_var; do
159 |         echo -e "s\001%$ca_var%\001${!ca_var}\001g;"
160 |     done
161 | }
162 | 
163 | ca_template() {
164 |     local template dest sedstr
165 | 
166 |     if [ -r "$1" ]; then
167 |         template="$1"
168 |     elif [ -r "$SHAREDIR/$1.tpl" ]; then
169 |         template="$SHAREDIR/$1.tpl"
170 |     else
171 |         error "Could not read from template $1"
172 |     fi
173 |     dest="$2"
174 | 
175 |     while read ca_var; do
176 |         sedstr="${sedstr}s"$'\1'"%$ca_var%"$'\1'"${!ca_var}"$'\1'"g; "
177 |         #sedstr="${sedstr}s
%$ca_var%
${!ca_var}
g; "
178 |     done < <(set | awk -F\= '/^CA_[A-Z5_]*=/{print $1}')
179 | 
180 |     #echo "DEBUG: setstr=$sedstr"
181 |     sed -e "$sedstr" <"$template" >"$dest"
182 | }
183 | 
184 | ca_gen_crl() {
185 |     openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" -gencrl -md sha1 \
186 |       -crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl"
187 |     openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \
188 |       -out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER
189 | }
190 | 
191 | ca_gen_p12() {
192 |     local cnf_name
193 |     cnf_name="$1"
194 |     openssl pkcs12 -export -descert -out $CA_HOME/p12/$cnf_name.p12 \
195 |       -in       $CA_HOME/crt/$cnf_name.crt \
196 |       -inkey    $CA_HOME/key/$cnf_name.key \
197 |       -certfile $CA_HOME/crt/$CA_NAME.ca.crt
198 | }
199 | 
200 | ca_checksum() {
201 |     CA_CRT_MD5_FP="$( openssl x509 -in $CA_HOME/crt/$CA_NAME.ca.crt \
202 |       -noout -md5 -fingerprint | cut -d= -f2 )"
203 |     CA_CRT_SHA_FP="$( openssl x509 -in $CA_HOME/crt/$CA_NAME.ca.crt \
204 |       -noout -sha1 -fingerprint | cut -d= -f2 )"
205 |     CA_CRL_MD5_FP="$( openssl crl -in $CA_HOME/crl/$CA_NAME.ca.crl \
206 |       -noout -md5 -fingerprint | cut -d= -f2 )"
207 |     CA_CRL_SHA_FP="$( openssl crl -in $CA_HOME/crl/$CA_NAME.ca.crl \
208 |       -noout -sha1 -fingerprint | cut -d= -f2 )"
209 | }
210 | 
211 | ca_cnf_name() {
212 |     local crt
213 |     crt="$1"
214 |     # work out what configuration files we should be using from the cert's CN
215 |     echo $( openssl x509 -in "$crt" -noout -nameopt sep_multiline,use_quote \
216 |       -subject | awk -F= '/CN=/{ gsub("[^A-Za-z0-9@-]", "_", $2); print $2}' )
217 |       #          grep "CN=" | cut -d= -f2 | tr -c '[:alnum:]@-' _ )
218 |       # originally did this like the above but tried awk instead. awk(1) seems
219 |       # to lie about it's egrep(1) support though as no matter what I tried the
220 |       # tr(1) regex didn't work in the gsub() call above.
221 | }
222 | 
223 | ca_cnf_type() {
224 |     local crt
225 |     # XXX: dirty hack -- derive type from filename being *.TYPE.crt
226 |     crt="${1%.crt}"
227 |     crt="${crt##*.}"
228 |     case "$crt" in
229 |         server|client|user) echo "$crt";;
230 |         *) echo $CA_CRT_TYPE;;
231 |     esac
232 | }
233 | 
234 | ca_find_cnf() {
235 |     local name _name _type
236 |     name="$1"
237 | 
238 |     if [ -f "$name" ]; then
239 |         _name="$(ca_cnf_name $name)"
240 |         _type="$(ca_cnf_type $name)"
241 |         if [ $(basename "$name" .crt) = "${_name}.${_type}" ]; then
242 |             echo "${_name}.${_type}"
243 |             return
244 |         else
245 |             error "Unable to derive config details from certificate '$name'."
246 |         fi
247 |     fi
248 | 
249 |     # XXX: this stil doesn't handle default types. FIXME when it's not 1am.
250 |     _name=$( echo -n "$name" | tr -c '[:alnum:]@-' _ )
251 |     if [ "$CA_CRT_TYPE" = "user" ]; then
252 |         # user names may have dots etc. in, so use munged version in match
253 |         # check if name is "user@domain", append $CA_DOMAIN if not
254 |         if [ "${_name%%@*}" = "$_name" \
255 |              -a -f "$CA_HOME/crt/${_name}@$CA_NAME.$CA_CRT_TYPE.crt" ];
256 |         then
257 |             # name is not fully-qualified, but a cert exists for it
258 |             echo "${_name}@$CA_NAME.$CA_CRT_TYPE"
259 |         elif [ -f "$CA_HOME/crt/$_name.$CA_CRT_TYPE.crt" ]; then
260 |             # name was fully-qualified and a cert exists
261 |             echo "$_name.$CA_CRT_TYPE"
262 |         else
263 |             error "Could not find $CA_CRT_TYPE certificate configuration matching '$name'"
264 |         fi
265 |     else
266 |         # check if name is fully-qualified -- contains more than 1 dot
267 |         # NOTE: we have to do this test with the unmunged name ...
268 |         if [ "${name%%.*}" = "$name" \
269 |              -a -f "$CA_HOME/crt/${_name}_$CA_NAME.$CA_CRT_TYPE.crt" ];
270 |         then
271 |             # name is not fully-qualified, but a cert exists for it
272 |             echo "${_name}_$CA_NAME.$CA_CRT_TYPE"
273 |         elif [ -f "$CA_HOME/crt/$_name.$CA_CRT_TYPE.crt" ]; then
274 |             # name was fully-qualified and a cert exists
275 |             echo "$_name.$CA_CRT_TYPE"
276 |         else
277 |             error "Could not find $CA_CRT_TYPE certificate configuration matching '$name'"
278 |         fi
279 |     fi
280 | }
281 | 
282 | cert_info() {
283 |     local certFile="$1"
284 |     local certCN certIssuer certValid certExpire certCA certFilename
285 | 
286 |     if [ -r "$certFile" ]; then
287 | 	certFilename=$(basename "$certFile")
288 |         certCN="$(openssl x509 -in "$certFile" -noout -subject | sed -r 's|.*CN=(.*)|\1|; s|/[^/]*=.*$||')"
289 |         certIssuer="$(openssl x509 -in "$certFile" -noout -issuer | sed -r 's|.*CN=(.*)|\1|; s|/[^/]*=.*$||')"
290 |         certValid="$(openssl x509 -in "$certFile" -noout -startdate | sed -r 's|.*notBefore=(.*)|\1|;')"
291 |         certExpire="$(openssl x509 -in "$certFile" -noout -enddate | sed -r 's|.*notAfter=(.*)$|\1|;')"
292 | 	if [ "$certCN" = "$certIssuer" ]; then
293 |             echo "$certFilename: $certCN expires on $certExpire"
294 |         else
295 |             echo "$certFilename: $certCN issued by $certIssuer expires on $certExpire"
296 |         fi
297 |     else
298 |         echo "ERROR: $certFile does not exist or cannot be read"
299 |     fi
300 | }
301 | 
302 | 


--------------------------------------------------------------------------------
/doc/ca-create-cert.pod:
--------------------------------------------------------------------------------
  1 | #! /bin/sh
  2 | 
  3 | if [ -z "$1" -o "$1" == "man" ]; then
  4 |   exec /usr/bin/pod2man -n CA-CREATE-CERT -s 1 -d "12 February 2010" \
  5 |     -r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
  6 | elif [ "$1" == "html" ]; then
  7 |   exec /usr/bin/pod2html --title "ca-create-cert(1)" < $0
  8 | elif [ "$1" == "text" ]; then
  9 |   exec /usr/bin/pod2text -o $0
 10 | fi
 11 | echo "Unrecognised output format '$1', try man, html, or text."
 12 | exit 1
 13 | 
 14 | =pod
 15 | 
 16 | =head1 NAME
 17 | 
 18 | ca-create-cert - generate a signed X.509 SSL certificate
 19 | 
 20 | =head1 SYNOPSIS
 21 | 
 22 | B<ca-create-cert> [B<-cpqrsx>] [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
 23 | [B<-b> I<bits>] [B<-n> I<name>] [I<options>] <common name>
 24 | 
 25 | B<ca-create-cert> [B<-h>] | [B<--help>]
 26 | 
 27 | =head1 DESCRIPTION
 28 | 
 29 | B<ca-create-cert> creates an openssl configuration necessary for generating a
 30 | signed X.509 SSL certificate, generates a certificate signing request using
 31 | these configuration files, and signs that request using the CA private key so
 32 | that it may be considered as trusted by anything that has imported the CA
 33 | certificate.
 34 | 
 35 | =head1 OPTIONS
 36 | 
 37 | =head2 The Common Name
 38 | 
 39 | This argument to B<ca-create-cert> is mandatory, and specifies the common name
 40 | of the certificate. Depending on the type of certificate being created, it is
 41 | interpreted as either a host name or a user name.
 42 | 
 43 | =head2 General options
 44 | 
 45 | =over
 46 | 
 47 | =item B<-h>, B<--help>
 48 | 
 49 | Prints out a short synopsis of the options to B<ca-create-cert>.
 50 | 
 51 | =item B<-t> I<TYPE>, B<--type> I<TYPE>
 52 | 
 53 | B<ca-create-cert> can create three types of X.509 certificate: I<server>,
 54 | I<client>, and I<user>. The type can also be set using the config variable
 55 | B<CA_CRT_TYPE>; it defaults to I<server> in the absence of either the command
 56 | line or config variable being present. Certificate types differ in the X.509v3
 57 | extensions present in the signed certificate, and in the uses the certificate
 58 | is trusted for. See x509(1ssl) and x509v3_config(5ssl) for more details about
 59 | X.509 extensions, and the B<CERTIFICATE TYPES> section of this manual for more
 60 | details on the exact differences between the certificate types.
 61 | 
 62 | =item B<-c>, B<--encrypt>
 63 | 
 64 | Encrypt the generated private key with 3DES. This is not recommended for
 65 | I<server> or I<client> type certificates, but is probably a good idea for
 66 | I<user> certs.
 67 | 
 68 | =item B<-f> I<FILE>, B<--config> I<FILE>
 69 | 
 70 | Load the ca-scripts configuration from I<FILE> instead of
 71 | I</etc/ca-scripts.conf>.
 72 | 
 73 | =item B<-d> I<DAYS>, B<--days> I<DAYS>
 74 | 
 75 | Sign the certificate to be valid for I<DAYS> days instead of the default
 76 | B<CA_CRT_DAYS> set in the configuration file.
 77 | 
 78 | =item B<-b> I<BITS>, B<--bits> I<BITS>
 79 | 
 80 | Generate a I<BITS>-bit certificate instead of the default B<CA_CRT_BITS> set in
 81 | the configuration file. Traditionally this is a power of two, e.g. 1024 or 2048.
 82 | 
 83 | =item B<-n> I<NAME>, B<--alt-name> I<NAME>
 84 | 
 85 | Only valid for I<server> type certificates. Specifies an alternative host
 86 | name to add to the X.509v3 I<subjectAltName> extension field, which will
 87 | also be recognised as a valid host name for the certificate. May be provided
 88 | multiple times to add multiple host names.
 89 | 
 90 | =item B<-p>, B<--pkcs12>
 91 | 
 92 | Generate a PKCS#12 format certificate archive containing the new certificate
 93 | and private key along with the CA certificate. See pkcs12(1ssl) for more
 94 | details about PKCS#12 archives.
 95 | 
 96 | =item B<-q>, B<--no-qualify>
 97 | 
 98 | Disable qualifying of the certificate's common name (and alternative names) with
 99 | B<CA_DOMAIN>.
100 | 
101 | Host names for I<server> and I<client> certificates are treated as unqualified
102 | if they do not contain any dots and qualified to I<common name>.B<CA_DOMAIN>.
103 | The unqualified name is preserved as an additional DNS name in the X.509v3
104 | I<subjectAltName> extension in this case. User names are treated as unqualified
105 | if they do not contain an "@" symbol and are qualified to I<common
106 | name>@B<CA_DOMAIN>.
107 | 
108 | =item B<-r>, B<--req-only>
109 | 
110 | Causes B<ca-create-cert> to generate just the X.509 certificate signing
111 | request (CSR) from a pre-existing openssl request configuration, without
112 | signing it to create a valid certificate. When used in conjunction with
113 | B<--cnf-only>, B<ca-create-cert> only generates the openssl request
114 | configuration, allowing the user to modify it before creating the CSR.
115 | Mutually exclusive to B<--sign-only>.
116 | 
117 | =item B<-s>, B<--sign-only>
118 | 
119 | Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing
120 | X.509 extensions configuration, creating a valid certificate. When used in
121 | conjunction with B<--cnf-only>, B<ca-create-cert> only generates the
122 | X.509 extensions configuration, allowing the user to modify it before signing
123 | the certificate. Mutually exclusive to B<--req-only>.
124 | 
125 | =item B<-x>, B<--cnf-only>
126 | 
127 | Causes B<ca-create-cert> to generate the openssl request and X.509
128 | extensions configurations, without creating a CSR or signing it. When used in
129 | conjunction with either of the previous two options, causes only one of the two
130 | configuration files to be generated.
131 | 
132 | =back
133 | 
134 | =head2 Distinguished Name (DN) options
135 | 
136 | These options allow the user to change the value of various DN fields. Be careful
137 | about changing the C and O fields, as by default the CA configuration requires
138 | these to match the fields in the CA certificate when the CSR is signed. By
139 | default these values are taken from the ca-scripts configuration file, and will
140 | match those of the CA certificate. The certificate's common name (CN) is set by
141 | the mandatory host or user name parameter.
142 | 
143 | =over
144 | 
145 | =item B<--country> I<"STRING">
146 | 
147 | Sets the country (C) field of the DN.
148 | 
149 | =item B<--state> I<"STRING">
150 | 
151 | Sets the state (ST) field of the DN.
152 | 
153 | =item B<--loc> I<"STRING">
154 | 
155 | Sets the locality (L) field of the DN.
156 | 
157 | =item B<--org> I<"STRING">
158 | 
159 | Sets the organization (O) field of the DN.
160 | 
161 | =item B<--ounit> I<"STRING">
162 | 
163 | Sets the organizational unit (OU) field of the DN.
164 | 
165 | =item B<--email> I<"STRING">
166 | 
167 | Sets the e-mail address (E) field of the DN. As per the X.509 spec, this field
168 | is removed from the DN and placed in the X.509v3 I<subjectAltName> extension
169 | when the certificate is signed.
170 | 
171 | =item B<--comment> I<"STRING">
172 | 
173 | Sets the nsComment X.509 extension.
174 | 
175 | =back
176 | 
177 | =head1 CERTIFICATE TYPES
178 | 
179 | B<ca-create-cert> generates three types of certificates, differentiated by the
180 | SSL extensions present in the signed cert. It will always generate X.509v3
181 | certificates; creating a v1 certificate is not supported. All certificate types
182 | have the following extensions present:
183 | 
184 | =over
185 | 
186 | =item basicConstraints = critical, CA:FALSE
187 | 
188 | Prevents the certificate from being used as a CA.
189 | 
190 | =item nsRevocationUrl = B<CA_CRL_URI>
191 | 
192 | Points to the world-accessible CRL distribution point for the CA.
193 | 
194 | =item issuerAltName = issuer:copy
195 | 
196 | Records the issuing CA certificate's I<subjectAltName> extension as
197 | I<issuerAltName>.
198 | 
199 | =item subjectKeyIdentifier = hash
200 | 
201 | Records the certificate's fingerprint as the information used to uniquely
202 | identify the certificate.
203 | 
204 | =item authorityKeyIdentifier = keyid;issuer:always
205 | 
206 | Records the issuing CA certificate's fingerprint, DN, and serial for
207 | verification purposes.
208 | 
209 | =item authorityInfoAccess = caIssuers;URI:B<CA_CRT_URI>
210 | 
211 | Points to the world-accessible CA certificate distribution point.
212 | 
213 | =item crlDistributionPoints = URI:B<CA_CRL_URI>
214 | 
215 | Points to the world-accessible CRL distribution point for the CA.
216 | 
217 | =back
218 | 
219 | =head2 Server certificates
220 | 
221 | I<Server> certificates are used for securing SSL/TLS services, such as
222 | TLS-encrypted LDAP connections or HTTPS. In this case the I<hostname> argument
223 | is used for the Common Name in the certificate, and any additional alternative
224 | names supplied by B<-n> are added to the X.509v3 I<subjectAltName> extension
225 | field.
226 | 
227 | I<Server> certificates contain the following extensions:
228 | 
229 | =over
230 | 
231 | =item nsCertType = server
232 | 
233 | Marks the certificate as valid for server authentication. This is the old
234 | Netscape SSL extension, but many things still rely on it.
235 | 
236 | =item keyUsage = critical, keyEncipherment, keyAgreement
237 | 
238 | Allows the certificate to be used for key negotiation and encryption.
239 | 
240 | =item extendedKeyUsage = serverAuth
241 | 
242 | Marks the certificate as valid for server authentication. This is the newer
243 | X.509v3 extension.
244 | 
245 | =item subjectAltName = @server_altname
246 | 
247 | Includes the templated [server_altname] extensions section as the X.509v3
248 | I<subjectAltName>. This extension contains alternate DNS entries for the server as
249 | provided to the B<--alt-name> option, as well as the CA certificate URI and the
250 | e-mail address provided to the B<--email> option.
251 | 
252 | =back
253 | 
254 | =head2 Client certificates
255 | 
256 | I<Client> certificates are used for authenticating to SSL/TLS services.
257 | For the most part they are intended to be used by automated systems to identify
258 | and authenticate themselves to services they interact with.
259 | 
260 | I<Client> certificates contain the following extensions:
261 | 
262 | =over
263 | 
264 | =item nsCertType = client
265 | 
266 | Marks the certificate as valid for client authentication. This is the old
267 | Netscape SSL extension, but many things still rely on it.
268 | 
269 | =item keyUsage = critical, keyEncipherment, keyAgreement, digitalSignature
270 | 
271 | Allows the certificate to be used for key negotiation, encryption and creating
272 | digital signatures. The latter option is useful for e.g. automatically creating
273 | signed tarballs for distribution.
274 | 
275 | =item extendedKeyUsage = clientAuth, timeStamping
276 | 
277 | Marks the certificate as valid for client authentication and digital time
278 | stamping. This is the newer X.509v3 extension.
279 | 
280 | =item subjectAltName = @client_altname
281 | 
282 | Includes the templated [client_altname] extensions section as the X.509v3
283 | I<subjectAltName>. This extension contains the CA certificate URI and the e-mail
284 | address provided to the B<--email> option.
285 | 
286 | =back
287 | 
288 | =head2 User certificates
289 | 
290 | I<User> certificates are for individuals to authenticate themselves to
291 | SSL/TLS services in the same manner as client certificates, but they may also
292 | be used for S/MIME e-mail encryption, data encryption and code signing.
293 | 
294 | I<User> certificates contain the following extensions:
295 | 
296 | =over
297 | 
298 | =item nsCertType = client
299 | 
300 | Marks the certificate as valid for client authentication. This is the old
301 | Netscape SSL extension, but many things still rely on it.
302 | 
303 | =item keyUsage = critical, keyEncipherment, keyAgreement, digitalSignature, nonRepudiation, dataEncipherment
304 | 
305 | Allows the certificate to be used for key negotiation and encryption; creating
306 | digital signatures; validating the source of signed data; and encrypting data.
307 | 
308 | =item extendedKeyUsage = clientAuth, codeSigning, emailProtection
309 | 
310 | Marks the certificate as valid for client authentication, code signing, and
311 | S/MIME e-mail encryption. This is the newer X.509v3 extension.
312 | 
313 | =item subjectAltName = @user_altname
314 | 
315 | Includes the templated [user_altname] extensions section as the X.509v3
316 | I<subjectAltName>. This extension contains the CA certificate URI and the e-mail
317 | address provided to the B<--email> option.
318 | 
319 | =back
320 | 
321 | =head1 BUGS
322 | 
323 | Probably. Of particular note is that the default openssl configuration file
324 | requires the C (country) and O (organisation) fields of all generated
325 | certificates to match those in the CA certificate, but B<ca-create-cert>
326 | allows these fields to be changed.
327 | 
328 | =head1 AVAILABILITY
329 | 
330 | New releases of the ca-scripts utilities can be found at
331 | L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
332 | A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
333 | for development versions also exists.
334 | 
335 | =head1 AUTHORS
336 | 
337 | Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
338 | 
339 | =head1 SEE ALSO
340 | 
341 | ca-init(1), ca-renew-cert(1), ca-revoke-cert(1), ca-scripts.conf(5),
342 | openssl(1ssl), ca(1ssl), req(1ssl), x509(1ssl), config(5ssl), and
343 | x509v3_config(5ssl).
344 | 
345 | =cut
346 | 


--------------------------------------------------------------------------------