finish off docs from train journey

Alex Bramley 2009-10-17 14:18:35 +01:00
parent 07f8c26d5d
commit 21147b6b9a
3 changed files with 21 additions and 18 deletions


@ -19,7 +19,7 @@ __EOT__
} }
short='hcf:i:o:sx' short='hcf:i:o:sx'
long='help,encrypt,config:,template:,output:,crt-only,tpl-only' long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" ) opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi if [ 0 -ne $? ]; then echo; usage; exit 1; fi
eval set -- "$opts"; eval set -- "$opts";
@ -52,9 +52,6 @@ if [ 1 -ne "$CRT_ONLY" ]; then
echo "01" > $CA_HOME/db/crlnumber echo "01" > $CA_HOME/db/crlnumber
touch $CA_HOME/db/index.txt touch $CA_HOME/db/index.txt
touch $CA_HOME/db/.rand touch $CA_HOME/db/.rand
chmod -R 640 $CA_HOME
chmod 600 $CA_HOME/db/.rand
chmod 700 $CA_HOME/key
# generate an openssl configuration for this CA # generate an openssl configuration for this CA
ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf" ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
@ -65,15 +62,16 @@ if [ 1 -ne "$CNF_ONLY" ]; then
# ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt # ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt
# ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf # ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf
openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \ openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-keyout "$CA_HOME/key/$CA_NAME.ca.key" \ -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
-out "$CA_HOME/csr/$CA_NAME.ca.csr" -out "$CA_HOME/csr/$CA_NAME.ca.csr"
chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"
openssl ca -create_serial -selfsign -days 3652 -batch \ openssl ca -create_serial -selfsign -days 3652 -batch \
-name ca_scripts -extensions ca_x509_extensions \ -name ca_scripts -extensions ca_x509_extensions \
-config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \ -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-in "$CA_HOME/csr/$CA_NAME.ca.csr" \ -in "$CA_HOME/csr/$CA_NAME.ca.csr" \
-keyfile "$CA_HOME/key/$CA_NAME.ca.key" \ -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
-out "$CA_HOME/crt/$CA_NAME.ca.crt" -out "$CA_HOME/crt/$CA_NAME.ca.crt"
# generate an initial CRL too (yes it will be empty, but we should serve it) # generate an initial CRL too (yes it will be empty, but we should serve it)
ca_gen_crl ca_gen_crl
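Review bot: Removing `chmod 600 $CA_HOME/db/.rand` and `chmod 700 $CA_HOME/key` in the second hunk relaxes what the "ssl" group can reach: under the `umask 027` this commit adds in the third file, `touch $CA_HOME/db/.rand` now leaves the RNG seed file group-readable, and if the key directory is created under that same umask (its mkdir is outside this hunk) it ends up 0750 rather than the 0700 the removed line enforced. In the third hunk the new `chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"` runs only after `openssl req -keyout` has written the file, so the private key exists with the umask-derived mode until the chmod completes; running the request under a stricter mask, e.g. `( umask 077; openssl req -new $CRYPTKEY ... -keyout "$CA_HOME/key/$CA_NAME.ca.key" ... )`, or keeping `chmod 700 "$CA_HOME/key"` before key generation, closes that window. With the default `CRYPTKEY="-nodes"` the CA key is written unencrypted, so the mode bits are its only protection. The commit title ("finish off docs") does not mention the permission change; a one-line rationale next to the chmod, such as `# umask 027 alone leaves key material group-readable; tighten explicitly`, would document the intent for the next maintainer. The surrounding `if [ 1 -ne "$CNF_ONLY" ]` block continues past the end of the hunk.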


@ -43,7 +43,7 @@ templates provided with the scripts.
ca-create-cert(1) takes a number of options to customise the generated ca-create-cert(1) takes a number of options to customise the generated
certificate. The --type option is mandatory, and for server certs it is very certificate. The --type option is mandatory, and for server certs it is very
likely that the --alt-name option will be useful to set x509v3 SubjectAltName likely that the --alt-name option will be useful to set x509v3 subjectAltName
DNS records for other hostnames for the server. Both the server hostname and DNS records for other hostnames for the server. Both the server hostname and
any alternative names will be fully-qualified to CA_DOMAIN if they do not any alternative names will be fully-qualified to CA_DOMAIN if they do not
contain any dots, but if unqualified names are passed in they are also contain any dots, but if unqualified names are passed in they are also
@ -87,9 +87,9 @@ information required for certificate renewal.
4. Revoking a certificate. 4. Revoking a certificate.
Revoking a certificate is done by giving the hostname, username or path to To revoke a certificate and re-generate the CA certficate revocation list in
the certificat to revoke-cert.sh. This script also regenerates a new CRL in both PEM and DER encodings, invoke ca-revoke-cert(1), again providing the
both PEM and DER encodings (firefox prefers the latter while IE and other --type option and either the hostname, username or the path to the certificate
browsers work better with the former), and re-generates the html file with the to be revoked. Along with ca_init(1) this script can optionally generate a
new fingerprints. basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
SHA1 checksums.


@ -9,6 +9,11 @@ CRYPTKEY="-nodes"
INDEXTPL="index-html" INDEXTPL="index-html"
INDEXOUT="" INDEXOUT=""
# ideally, run these scripts as an unprivileged "ssl" user/group
# and place users that need access to ssl certs into that group
# no world-readable stuff here
umask 027
error() { error() {
usage >&2 usage >&2
echo -e "ERROR: $1\n" >&2 echo -e "ERROR: $1\n" >&2