Make -t optional and configurable from config file (1/2).

bin/ca-create-cert

@@ -15,15 +15,13 @@ MAKE_P12=0
 usage() {
     cat <<__EOT__
 Usage:
-  $PROGNAME -t server [options] <hostname>
+  $PROGNAME [options] <common name>
-  $PROGNAME -t client [options] <hostname>
-  $PROGNAME -t user   [options] <username>
 
 Options:
   -h, --help            Print this helpful message!
   -c, --encrypt         Encrypt certificate private key with Triple-DES
   -f, --config FILE     Use config file instead of $CONFFILE
-  -t, --type TYPE       Certificate type: "server", "client" or "user"
+  -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
   -d, --days DAYS       Certificate valid for DAYS days instead of CA_CRT_DAYS
   -b, --bits BITS       Generate a BITS bit certificate instead of CA_CRT_BITS
   -n, --alt-name NAME   Alternative host name (can be provided multiple times)

bin/ca-renew-cert

@@ -4,12 +4,12 @@
 
 usage() {
     cat <<__EOT__
-Usage: $PROGNAME -t <type> [options] <hostname|username|certpath>
+Usage: $PROGNAME [options] <common name>|<path to certificate>
 
 Options:
   -h, --help            Print this helpful message!
   -f, --config FILE     Use config file instead of $CONFFILE
-  -t, --type            Certificate type: "server", "client" or "user"
+  -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
   -d, --days DAYS       Renew certificate for DAYS days instead of CA_CRT_DAYS
 
 __EOT__

bin/ca-revoke-cert

@@ -4,12 +4,12 @@
 
 usage() {
     cat <<__EOT__
-Usage: $PROGNAME -t <type> [options] <hostname|username|certpath>
+Usage: $PROGNAME [options] <common name>|<path to certificate>
 
 Options:
   -h, --help            Print this helpful message!
   -f, --config FILE     Use config file instead of $CONFFILE
-  -t, --type            Certificate type: "server", "client" or "user"
+  -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
   -i, --template FILE   Use alternative index.html template
   -o, --output FILE     Generate CA index.html in FILE
 

ca-scripts.conf

@@ -42,9 +42,9 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # Default value:
 # CA_CRT_BITS=2048
 
-# OPTIONAL: CA_CRT_DAYS sets the default validity period for certificates.
+# OPTIONAL: CA_CRT_TYPE sets the default type of generated certificate.
 # Default value:
-# CA_CRT_DAYS=365
+# CA_CRT_TYPE="server"
 
 # OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
 #           that can be in the chain of authority between the root CA and the 

doc/ca-create-cert.pod

@@ -19,8 +19,8 @@ ca-create-cert - generate a signed X.509 SSL certificate
 
 =head1 SYNOPSIS
 
-B<ca-create-cert> -t I<type> [B<-cprsx>] [B<-f> I<config>] [B<-d> I<days>]
+B<ca-create-cert> [B<-cpqrsx>] [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
-[B<-n> I<name>] [I<options>] <host or user name>
+[B<-b> I<bits>] [B<-n> I<name>] [I<options>] <common name>
 
 B<ca-create-cert> [B<-h>] | [B<--help>]
 
@@ -56,13 +56,14 @@ Prints out a short synopsis of the options to B<ca-create-cert>.
 
 =item B<-t> I<TYPE>, B<--type> I<TYPE>
 
-This argument is mandatory. B<ca-create-cert> can create three types of
+B<ca-create-cert> can create three types of X.509 certificate: I<server>,
-X.509 certificate: I<server>, I<client>, and I<user>. These differ
+I<client>, and I<user>. The type can also be set using the config variable
-in the X.509v3 extensions present in the signed certificate, and in the uses
+B<CA_CRT_TYPE>; it defaults to I<server> in the absence of either the command
-the certificate is trusted for. See x509(1ssl) and x509v3_config(5ssl)
+line or config variable being present. Certificate types differ in the X.509v3
-for more details about X.509 extensions, and the B<CERTIFICATE TYPES>
+extensions present in the signed certificate, and in the uses the certificate
-section of this manual for more details on the exact differences between the
+is trusted for. See x509(1ssl) and x509v3_config(5ssl) for more details about
-certificate types.
+X.509 extensions, and the B<CERTIFICATE TYPES> section of this manual for more
+details on the exact differences between the certificate types.
 
 =item B<-c>, B<--encrypt>
 

doc/ca-renew-cert.pod

@@ -19,8 +19,8 @@ ca-renew-cert - renew a previously generated X.509 certificate
 
 =head1 SYNOPSIS
 
-B<ca-renew-cert> -t I<type> [B<-f> I<config>] [B<-d> I<days>]
+B<ca-renew-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
-I<hostname, username, or path to certificate>
+I<common name>|<path to certificate>
 
 B<ca-renew-cert> [B<-h>] | [B<--help>]
 
@@ -41,8 +41,9 @@ type.
 
 =item B<-t> I<TYPE>, B<--type> I<TYPE>
 
-This argument is mandatory and tells B<ca-renew-cert> what type of certificate
+This argument overrides the type detection if multiple certificate types share
-it is renewing, either I<server>, I<client>, or I<user>.
+the same common name, telling B<ca-renew-cert> what type of certificate it is
+renewing, either I<server>, I<client>, or I<user>.
 
 =item B<-f> I<FILE>, B<--config> I<FILE>
 

doc/ca-revoke-cert.pod

@@ -19,8 +19,8 @@ ca-revoke-cert - revoke a certificate and re-generate CRL
 
 =head1 SYNOPSIS
 
-B<ca-revoke-cert> -t I<type> [B<-f> I<config>] [B<-i> I<template>]
+B<ca-revoke-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-l> I<days>]
-[B<-o> I<file>] I<hostname, username, or path to certificate>
+[B<-i> I<template>] [B<-o> I<file>] I<common name>|I<path to certificate>
 
 B<ca-revoke-cert> [B<-h>] | [B<--help>]
 
@@ -42,8 +42,9 @@ type.
 
 =item B<-t> I<TYPE>, B<--type> I<TYPE>
 
-This argument is mandatory and tells B<ca-revoke-cert> what type of certificate
+This argument overrides the type detection if multiple certificate types share
-it is revoking, either I<server>, I<client>, or I<user>.
+the same common name, telling B<ca-revoke-cert> what type of certificate it is
+revoking, either I<server>, I<client>, or I<user>.
 
 =item B<-f> I<FILE>, B<--config> I<FILE>
 

lib/ca-functions

@@ -73,9 +73,8 @@ __TESTS__
     fi
     
     case "$CA_CRT_TYPE" in
-        server|client|user|ca) :;;
+        server|client|user) :;;
-        '') error "The type option is mandatory!";;
+        *) error "Unrecognised certificate type '$CA_CRT_TYPE'!";;
-        *) error "Unrecognised type '$CA_CRT_TYPE'!";;
     esac
 
     # we need to do these first to use them in other default defs
@@ -92,6 +91,7 @@ CA_CRL_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
 CA_PATHLEN      0
 CA_CRT_DAYS     365
 CA_CRT_BITS     2048
+CA_CRT_TYPE     server
 CA_CRT_C        $CA_DN_C
 CA_CRT_ST       $CA_DN_ST
 CA_CRT_L        $CA_DN_L
@@ -163,19 +163,33 @@ ca_cnf_name() {
       # tr(1) regex didn't work in the gsub() call above.
 }
 
+ca_cnf_type() {
+    local crt
+    # XXX: dirty hack -- derive type from filename being *.TYPE.crt
+    crt="${1%.crt}"
+    crt="${crt##*.}"
+    case "$crt" in
+        server|client|user) echo "$crt";;
+        *) echo $CA_CRT_TYPE;;
+    esac
+}
+
 ca_find_cnf() {
-    local name _name
+    local name _name _type
     name="$1"
 
     if [ -f "$name" ]; then
-        if ! grep -q "$CA_CRT_TYPE" <<<"$name"; then
+        _name="$(ca_cnf_name $name)"
-            error "Certificate '$name' does not appear to be of type '$CA_CRT_TYPE'"
+        _type="$(ca_cnf_type $name)"
-        else
+        if [ $(basename "$name" .crt) = "${_name}.${_type}" ]; then
-            echo "$(ca_cnf_name $name).$CA_CRT_TYPE"
+            echo "${_name}.${_type}"
-        fi
             return
+        else
+            error "Unable to derive config details from certificate '$name'."
+        fi
     fi
     
+    # XXX: this stil doesn't handle default types. FIXME when it's not 1am.
     _name=$( echo -n "$name" | tr -c '[:alnum:]@-' _ )
     if [ "$CA_CRT_TYPE" = "user" ]; then 
         # user names may have dots etc. in, so use munged version in match