finish off docs from train journey

bin/ca-init

@@ -19,7 +19,7 @@ __EOT__
 }
 
 short='hcf:i:o:sx'
-long='help,encrypt,config:,template:,output:,crt-only,tpl-only'
+long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@@ -52,9 +52,6 @@ if [ 1 -ne "$CRT_ONLY" ]; then
     echo "01" > $CA_HOME/db/crlnumber
     touch $CA_HOME/db/index.txt
     touch $CA_HOME/db/.rand
-    chmod -R 640 $CA_HOME
-    chmod 600 $CA_HOME/db/.rand
-    chmod 700 $CA_HOME/key
 
     # generate an openssl configuration for this CA
     ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
@@ -65,15 +62,16 @@ if [ 1 -ne "$CNF_ONLY" ]; then
     #  ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt
     #  ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf
     openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-    -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
-    -out    "$CA_HOME/csr/$CA_NAME.ca.csr"
+      -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
+      -out    "$CA_HOME/csr/$CA_NAME.ca.csr"
+    chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"
 
     openssl ca -create_serial -selfsign -days 3652 -batch \
-    -name ca_scripts -extensions ca_x509_extensions \
-    -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-    -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \
-    -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
-    -out     "$CA_HOME/crt/$CA_NAME.ca.crt"
+      -name ca_scripts -extensions ca_x509_extensions \
+      -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
+      -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \
+      -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
+      -out     "$CA_HOME/crt/$CA_NAME.ca.crt"
 
     # generate an initial CRL too (yes it will be empty, but we should serve it)
     ca_gen_crl

doc/README

@@ -43,7 +43,7 @@ templates provided with the scripts.
 
   ca-create-cert(1) takes a number of options to customise the generated 
 certificate. The --type option is mandatory, and for server certs it is very
-likely that the --alt-name option will be useful to set x509v3 SubjectAltName
+likely that the --alt-name option will be useful to set x509v3 subjectAltName
 DNS records for other hostnames for the server. Both the server hostname and
 any alternative names will be fully-qualified to CA_DOMAIN if they do not
 contain any dots, but if unqualified names are passed in they are also
@@ -87,9 +87,9 @@ information required for certificate renewal.
 
 4. Revoking a certificate.
 
-  Revoking a certificate is done by giving the hostname, username or path to
-the certificat to revoke-cert.sh. This script also regenerates a new CRL in
-both PEM and DER encodings (firefox prefers the latter while IE and other
-browsers work better with the former), and re-generates the html file with the
-new fingerprints.
-
+  To revoke a certificate and re-generate the CA certficate revocation list in
+both PEM and DER encodings, invoke ca-revoke-cert(1), again providing the
+--type option and either the hostname, username or the path to the certificate
+to be revoked. Along with ca_init(1) this script can optionally generate a
+basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
+SHA1 checksums.

lib/ca-functions

@@ -9,6 +9,11 @@ CRYPTKEY="-nodes"
 INDEXTPL="index-html"
 INDEXOUT=""
 
+# ideally, run these scripts as an unprivileged "ssl" user/group
+# and place users that need access to ssl certs into that group
+# no world-readable stuff here
+umask 027
+
 error() {
     usage >&2
     echo -e "ERROR: $1\n" >&2