From 21147b6b9a62065a8b18b0a616be8ab574d8d07c Mon Sep 17 00:00:00 2001
From: Alex Bramley
Date: Sat, 17 Oct 2009 14:18:35 +0100
Subject: [PATCH] finish off docs from train journey
---
 bin/ca-init | 20 +++++++++-----------
 doc/README | 14 +++++++-------
 lib/ca-functions | 5 +++++
 3 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/bin/ca-init b/bin/ca-init
index 910b55a..27d634c 100755
--- a/bin/ca-init
+++ b/bin/ca-init
@@ -19,7 +19,7 @@ __EOT__
 }
 short='hcf:i:o:sx'
-long='help,encrypt,config:,template:,output:,crt-only,tpl-only'
+long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@@ -52,9 +52,6 @@ if [ 1 -ne "$CRT_ONLY" ]; then
 echo "01" > $CA_HOME/db/crlnumber
 touch $CA_HOME/db/index.txt
 touch $CA_HOME/db/.rand
-chmod -R 640 $CA_HOME
-chmod 600 $CA_HOME/db/.rand
-chmod 700 $CA_HOME/key
 # generate an openssl configuration for this CA
 ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
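Review bot: Renaming `tpl-only` to `cnf-only` on the `long=` line is only part of the change: the `case` arm that consumes `--tpl-only` and the usage heredoc that ends at `__EOT__` just above the hunk both sit outside this hunk and, as far as can be seen here, must be updated to `--cnf-only` too, otherwise getopt accepts the new spelling and the option then falls through to whatever the default arm does. Worth checking that `$CNF_ONLY`, which the later `if [ 1 -ne "$CNF_ONLY" ]` test reads, is actually set by that arm. A small style nit on the context line: `eval set -- "$opts";` carries a stray trailing semicolon.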
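Review bot: Dropping `chmod 600 $CA_HOME/db/.rand` and `chmod 700 $CA_HOME/key` leaves both at whatever the umask yields, and the `umask 027` this commit adds in lib/ca-functions still permits group read, so the `.rand` file (presumably openssl's seed file) becomes 640 and the key directory 750; any member of the shared "ssl" group the new comment recommends can then list `key/` and read any key left at the 640 default. Removing the recursive `chmod -R 640 $CA_HOME` is right, since 640 on directories makes them untraversable, but the two targeted lines are worth keeping, with the expansion quoted: `chmod 600 "$CA_HOME/db/.rand"` and `chmod 700 "$CA_HOME/key"`. The enclosing `if [ 1 -ne "$CRT_ONLY" ]` block starts before the hunk.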
@@ -65,15 +62,16 @@ if [ 1 -ne "$CNF_ONLY" ]; then
 # ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt
 # ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf
 openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
- -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
- -out "$CA_HOME/csr/$CA_NAME.ca.csr"
+ -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
+ -out "$CA_HOME/csr/$CA_NAME.ca.csr"
+ chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"
 openssl ca -create_serial -selfsign -days 3652 -batch \
- -name ca_scripts -extensions ca_x509_extensions \
- -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
- -in "$CA_HOME/csr/$CA_NAME.ca.csr" \
- -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
- -out "$CA_HOME/crt/$CA_NAME.ca.crt"
+ -name ca_scripts -extensions ca_x509_extensions \
+ -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
+ -in "$CA_HOME/csr/$CA_NAME.ca.csr" \
+ -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
+ -out "$CA_HOME/crt/$CA_NAME.ca.crt"
 # generate an initial CRL too (yes it will be empty, but we should serve it)
 ca_gen_crl
diff --git a/doc/README b/doc/README
index 6b24f47..2fd750b 100644
--- a/doc/README
+++ b/doc/README
@@ -43,7 +43,7 @@ templates provided with the scripts.
 ca-create-cert(1) takes a number of options to customise the generated
 certificate. The --type option is mandatory, and for server certs it is very
-likely that the --alt-name option will be useful to set x509v3 SubjectAltName
+likely that the --alt-name option will be useful to set x509v3 subjectAltName
 DNS records for other hostnames for the server. Both the server hostname and
 any alternative names will be fully-qualified to CA_DOMAIN if they do not
 contain any dots, but if unqualified names are passed in they are also
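Review bot: The new `chmod 600` on the CA key runs unconditionally after `openssl req`, and neither that command nor the following `openssl ca -selfsign` has its exit status checked, so a failed key generation still chmods a missing file and then tries to self-sign with it. The library's `error()` helper (its definition is partly visible in the lib/ca-functions hunk; confirm it exits) could terminate the script at the first failure, e.g. `... -out "$CA_HOME/csr/$CA_NAME.ca.csr" || error "CA key/CSR generation failed"` and the same on the `openssl ca` command. Separately, with the library's umask of 027 the key file is created 640 and only narrowed to 600 afterwards; a `umask 077` at the top of this block would avoid creating it group-readable at all. The enclosing `if [ 1 -ne "$CNF_ONLY" ]` block starts before the hunk.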
@@ -87,9 +87,9 @@ information required for certificate renewal.
 4. Revoking a certificate.
- Revoking a certificate is done by giving the hostname, username or path to
-the certificat to revoke-cert.sh. This script also regenerates a new CRL in
-both PEM and DER encodings (firefox prefers the latter while IE and other
-browsers work better with the former), and re-generates the html file with the
-new fingerprints.
-
+ To revoke a certificate and re-generate the CA certficate revocation list in
+both PEM and DER encodings, invoke ca-revoke-cert(1), again providing the
+--type option and either the hostname, username or the path to the certificate
+to be revoked. Along with ca_init(1) this script can optionally generate a
+basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
+SHA1 checksums.
diff --git a/lib/ca-functions b/lib/ca-functions
index 12f6bc1..ac36ef8 100644
--- a/lib/ca-functions
+++ b/lib/ca-functions
@@ -9,6 +9,11 @@ CRYPTKEY="-nodes"
 INDEXTPL="index-html"
 INDEXOUT=""
+# ideally, run these scripts as an unprivileged "ssl" user/group
+# and place users that need access to ssl certs into that group
+# no world-readable stuff here
+umask 027
+
 error() {
 usage >&2
 echo -e "ERROR: $1\n" >&2
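Review bot: `umask 027` at file scope of a sourced library silently changes the umask of every script that sources it, and the new comment does not say so, nor that 027 still leaves every created file group-readable; a reader of bin/ca-init will not see where its file modes come from. Suggest extending the comment above `umask 027` to: `# NOTE: this applies to every script that sources this file; 027 leaves files group-readable (640), so private keys still need an explicit chmod 600 (ca-init does this for the CA key only)`. Given the comment recommends placing users who need the certs into the same group, any key not explicitly narrowed is readable by those users, so the wording should make that trade-off visible.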