finish off docs from train journey

2009-10-17 14:18:35 +01:00 · 2009-10-17 14:18:35 +01:00 · 21147b6b9a
parent 07f8c26d5d
commit 21147b6b9a
3 changed files with 21 additions and 18 deletions
--- a/bin/ca-init
+++ b/bin/ca-init
@ -19,7 +19,7 @@ __EOT__
 }
 short='hcf:i:o:sx'
-long='help,encrypt,config:,template:,output:,crt-only,tpl-only'
+long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@ -52,9 +52,6 @@ if [ 1 -ne "$CRT_ONLY" ]; then
    echo "01" > $CA_HOME/db/crlnumber
    touch $CA_HOME/db/index.txt
    touch $CA_HOME/db/.rand
    chmod -R 640 $CA_HOME
    chmod 600 $CA_HOME/db/.rand
    chmod 700 $CA_HOME/key
    # generate an openssl configuration for this CA
    ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
@ -65,15 +62,16 @@ if [ 1 -ne "$CNF_ONLY" ]; then
    #  ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt
    #  ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf
    openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-    -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
+      -keyout "$CA_HOME/key/$CA_NAME.ca.key" \
-    -out    "$CA_HOME/csr/$CA_NAME.ca.csr"
+      -out    "$CA_HOME/csr/$CA_NAME.ca.csr"
    chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"
    openssl ca -create_serial -selfsign -days 3652 -batch \
-    -name ca_scripts -extensions ca_x509_extensions \
+      -name ca_scripts -extensions ca_x509_extensions \
-    -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
+      -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-    -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \
+      -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \
-    -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
+      -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
-    -out     "$CA_HOME/crt/$CA_NAME.ca.crt"
+      -out     "$CA_HOME/crt/$CA_NAME.ca.crt"
    # generate an initial CRL too (yes it will be empty, but we should serve it)
    ca_gen_crl
--- a/doc/README
+++ b/doc/README
@ -43,7 +43,7 @@ templates provided with the scripts.
  ca-create-cert(1) takes a number of options to customise the generated 
 certificate. The --type option is mandatory, and for server certs it is very
-likely that the --alt-name option will be useful to set x509v3 SubjectAltName
+likely that the --alt-name option will be useful to set x509v3 subjectAltName
 DNS records for other hostnames for the server. Both the server hostname and
 any alternative names will be fully-qualified to CA_DOMAIN if they do not
 contain any dots, but if unqualified names are passed in they are also
@ -87,9 +87,9 @@ information required for certificate renewal.
 4. Revoking a certificate.
-  Revoking a certificate is done by giving the hostname, username or path to
+  To revoke a certificate and re-generate the CA certficate revocation list in
-the certificat to revoke-cert.sh. This script also regenerates a new CRL in
+both PEM and DER encodings, invoke ca-revoke-cert(1), again providing the
-both PEM and DER encodings (firefox prefers the latter while IE and other
+--type option and either the hostname, username or the path to the certificate
-browsers work better with the former), and re-generates the html file with the
+to be revoked. Along with ca_init(1) this script can optionally generate a
-new fingerprints.
+basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
-
+SHA1 checksums.
--- a/lib/ca-functions
+++ b/lib/ca-functions
@ -9,6 +9,11 @@ CRYPTKEY="-nodes"
 INDEXTPL="index-html"
 INDEXOUT=""
 # ideally, run these scripts as an unprivileged "ssl" user/group
 # and place users that need access to ssl certs into that group
 # no world-readable stuff here
 umask 027
 error() {
    usage >&2
    echo -e "ERROR: $1\n" >&2