finish off docs from train journey

This commit is contained in:
Alex Bramley 2009-10-17 14:18:35 +01:00
parent 07f8c26d5d
commit 21147b6b9a
3 changed files with 21 additions and 18 deletions


@ -19,7 +19,7 @@ __EOT__
}
short='hcf:i:o:sx'
long='help,encrypt,config:,template:,output:,crt-only,tpl-only'
long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
eval set -- "$opts";
@ -52,9 +52,6 @@ if [ 1 -ne "$CRT_ONLY" ]; then
echo "01" > $CA_HOME/db/crlnumber
touch $CA_HOME/db/index.txt
touch $CA_HOME/db/.rand
chmod -R 640 $CA_HOME
chmod 600 $CA_HOME/db/.rand
chmod 700 $CA_HOME/key
# generate an openssl configuration for this CA
ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
@ -65,15 +62,16 @@ if [ 1 -ne "$CNF_ONLY" ]; then
# ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt
# ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf
openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-keyout "$CA_HOME/key/$CA_NAME.ca.key" \
-out "$CA_HOME/csr/$CA_NAME.ca.csr"
-keyout "$CA_HOME/key/$CA_NAME.ca.key" \
-out "$CA_HOME/csr/$CA_NAME.ca.csr"
chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"
openssl ca -create_serial -selfsign -days 3652 -batch \
-name ca_scripts -extensions ca_x509_extensions \
-config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-in "$CA_HOME/csr/$CA_NAME.ca.csr" \
-keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
-out "$CA_HOME/crt/$CA_NAME.ca.crt"
-name ca_scripts -extensions ca_x509_extensions \
-config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-in "$CA_HOME/csr/$CA_NAME.ca.csr" \
-keyfile "$CA_HOME/key/$CA_NAME.ca.key" \
-out "$CA_HOME/crt/$CA_NAME.ca.crt"
# generate an initial CRL too (yes it will be empty, but we should serve it)
ca_gen_crl
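Review bot: The new `chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"` runs only after `openssl req` has already written the key, so between the two commands the key carries whatever the process umask allows — with the `umask 027` this commit introduces elsewhere that is group-readable. Generating the key under a tighter umask closes that window and keeps the chmod as a belt-and-braces step: `( umask 077; openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" -keyout "$CA_HOME/key/$CA_NAME.ca.key" -out "$CA_HOME/csr/$CA_NAME.ca.csr" )`. The earlier hunk also drops `chmod 700 $CA_HOME/key`, which presumably leaves the key directory at its umask-derived mode; if that is intended, a one-line comment near the `chmod 600` saying that per-file 600 is now the only protection on private keys would help the next reader. The enclosing `if [ 1 -ne "$CNF_ONLY" ]` block starts and ends outside this hunk.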


@ -43,7 +43,7 @@ templates provided with the scripts.
ca-create-cert(1) takes a number of options to customise the generated
certificate. The --type option is mandatory, and for server certs it is very
likely that the --alt-name option will be useful to set x509v3 SubjectAltName
likely that the --alt-name option will be useful to set x509v3 subjectAltName
DNS records for other hostnames for the server. Both the server hostname and
any alternative names will be fully-qualified to CA_DOMAIN if they do not
contain any dots, but if unqualified names are passed in they are also
@ -87,9 +87,9 @@ information required for certificate renewal.
4. Revoking a certificate.
Revoking a certificate is done by giving the hostname, username or path to
the certificat to revoke-cert.sh. This script also regenerates a new CRL in
both PEM and DER encodings (firefox prefers the latter while IE and other
browsers work better with the former), and re-generates the html file with the
new fingerprints.
To revoke a certificate and re-generate the CA certficate revocation list in
both PEM and DER encodings, invoke ca-revoke-cert(1), again providing the
--type option and either the hostname, username or the path to the certificate
to be revoked. Along with ca_init(1) this script can optionally generate a
basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
SHA1 checksums.


@ -9,6 +9,11 @@ CRYPTKEY="-nodes"
INDEXTPL="index-html"
INDEXOUT=""
# ideally, run these scripts as an unprivileged "ssl" user/group
# and place users that need access to ssl certs into that group
# no world-readable stuff here
umask 027
error() {
usage >&2
echo -e "ERROR: $1\n" >&2
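Review bot: The new `umask 027` applies to every file the sourcing scripts create, including the artifacts the documentation says are meant to be served (the CA certificate, the CRL and the `INDEXTPL`/`INDEXOUT` HTML page), which will then be created without world-read permission; unless the web server runs in the same group, those files need an explicit `chmod 644` after they are written. The comment block above it should state both sides of that: keys still need an explicit `chmod 600` (group members can otherwise read anything created under 027), and public outputs need an explicit `chmod 644`; e.g. append `# NB: private keys must still be chmod 600 explicitly; files meant to be served (crt, crl, html) must be chmod 644`. Whether the CRL and HTML writers already do this cannot be seen from this hunk. The `error()` function that begins on the last lines continues outside the hunk.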