Make -t optional and configurable from config file (1/2).
This commit is contained in:
parent
1f5f0517f4
commit
34b55f4fec
8 changed files with 50 additions and 35 deletions
|
@ -15,15 +15,13 @@ MAKE_P12=0
|
|||
usage() {
|
||||
cat <<__EOT__
|
||||
Usage:
|
||||
$PROGNAME -t server [options] <hostname>
|
||||
$PROGNAME -t client [options] <hostname>
|
||||
$PROGNAME -t user [options] <username>
|
||||
$PROGNAME [options] <common name>
|
||||
|
||||
Options:
|
||||
-h, --help Print this helpful message!
|
||||
-c, --encrypt Encrypt certificate private key with Triple-DES
|
||||
-f, --config FILE Use config file instead of $CONFFILE
|
||||
-t, --type TYPE Certificate type: "server", "client" or "user"
|
||||
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
|
||||
-d, --days DAYS Certificate valid for DAYS days instead of CA_CRT_DAYS
|
||||
-b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
|
||||
-n, --alt-name NAME Alternative host name (can be provided multiple times)
|
||||
|
|
|
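Review bot: The new `-t` help line hard-codes `"server" (default)`, but with this commit the default actually comes from `CA_CRT_TYPE` in the config file, so the help is wrong whenever the config sets another type. The neighbouring `-d`/`-b` lines already follow the convention of naming the config variable rather than a fixed value; suggest `-t, --type TYPE Certificate type: "server", "client" or "user" (default: CA_CRT_TYPE)`. The same hard-coded wording is added in the two following usage() hunks.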
@ -4,12 +4,12 @@
|
|||
|
||||
usage() {
|
||||
cat <<__EOT__
|
||||
Usage: $PROGNAME -t <type> [options] <hostname|username|certpath>
|
||||
Usage: $PROGNAME [options] <common name>|<path to certificate>
|
||||
|
||||
Options:
|
||||
-h, --help Print this helpful message!
|
||||
-f, --config FILE Use config file instead of $CONFFILE
|
||||
-t, --type Certificate type: "server", "client" or "user"
|
||||
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
|
||||
-d, --days DAYS Renew certificate for DAYS days instead of CA_CRT_DAYS
|
||||
|
||||
__EOT__
|
||||
|
|
|
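Review bot: For this tool the `(default)` claim on the new `-t` line does not match the man-page change in the same commit, which describes `-t` as overriding the type detected from the certificate (see the new `ca_cnf_type` helper) rather than defaulting to server; a reader of `"server" (default)` would expect a bare invocation to act on a server certificate even when a `*.user.crt` with that common name is found. Suggest `-t, --type TYPE Certificate type: "server", "client" or "user" (overrides the type detected from the certificate)`. The next usage() hunk (the revoke tool, with `-i`/`-o`) adds the same wording and has the same mismatch.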
@ -4,12 +4,12 @@
|
|||
|
||||
usage() {
|
||||
cat <<__EOT__
|
||||
Usage: $PROGNAME -t <type> [options] <hostname|username|certpath>
|
||||
Usage: $PROGNAME [options] <common name>|<path to certificate>
|
||||
|
||||
Options:
|
||||
-h, --help Print this helpful message!
|
||||
-f, --config FILE Use config file instead of $CONFFILE
|
||||
-t, --type Certificate type: "server", "client" or "user"
|
||||
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
|
||||
-i, --template FILE Use alternative index.html template
|
||||
-o, --output FILE Generate CA index.html in FILE
|
||||
|
||||
|
|
|
@ -42,9 +42,9 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
|
|||
# Default value:
|
||||
# CA_CRT_BITS=2048
|
||||
|
||||
# OPTIONAL: CA_CRT_DAYS sets the default validity period for certificates.
|
||||
# OPTIONAL: CA_CRT_TYPE sets the default type of generated certificate.
|
||||
# Default value:
|
||||
# CA_CRT_DAYS=365
|
||||
# CA_CRT_TYPE="server"
|
||||
|
||||
# OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
|
||||
# that can be in the chain of authority between the root CA and the
|
||||
|
|
|
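Review bot: The hunk's line counts (9 old, 9 new) indicate the two `CA_CRT_DAYS` comment lines are replaced by the `CA_CRT_TYPE` ones rather than a new block being added, so the config file no longer documents `CA_CRT_DAYS` even though the `-d` option and the defaults table in this commit still use it (assuming it is not documented elsewhere in the file). Suggest keeping `# OPTIONAL: CA_CRT_DAYS sets the default validity period for certificates.` / `# Default value:` / `# CA_CRT_DAYS=365` and inserting the `CA_CRT_TYPE` block after them. Since the value is validated against a fixed list later in this commit, the comment could also name the accepted values: `# OPTIONAL: CA_CRT_TYPE sets the default type of generated certificate ("server", "client" or "user").`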
@ -19,8 +19,8 @@ ca-create-cert - generate a signed X.509 SSL certificate
|
|||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<ca-create-cert> -t I<type> [B<-cprsx>] [B<-f> I<config>] [B<-d> I<days>]
|
||||
[B<-n> I<name>] [I<options>] <host or user name>
|
||||
B<ca-create-cert> [B<-cpqrsx>] [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
|
||||
[B<-b> I<bits>] [B<-n> I<name>] [I<options>] <common name>
|
||||
|
||||
B<ca-create-cert> [B<-h>] | [B<--help>]
|
||||
|
||||
|
@ -56,13 +56,14 @@ Prints out a short synopsis of the options to B<ca-create-cert>.
|
|||
|
||||
=item B<-t> I<TYPE>, B<--type> I<TYPE>
|
||||
|
||||
This argument is mandatory. B<ca-create-cert> can create three types of
|
||||
X.509 certificate: I<server>, I<client>, and I<user>. These differ
|
||||
in the X.509v3 extensions present in the signed certificate, and in the uses
|
||||
the certificate is trusted for. See x509(1ssl) and x509v3_config(5ssl)
|
||||
for more details about X.509 extensions, and the B<CERTIFICATE TYPES>
|
||||
section of this manual for more details on the exact differences between the
|
||||
certificate types.
|
||||
B<ca-create-cert> can create three types of X.509 certificate: I<server>,
|
||||
I<client>, and I<user>. The type can also be set using the config variable
|
||||
B<CA_CRT_TYPE>; it defaults to I<server> in the absence of either the command
|
||||
line or config variable being present. Certificate types differ in the X.509v3
|
||||
extensions present in the signed certificate, and in the uses the certificate
|
||||
is trusted for. See x509(1ssl) and x509v3_config(5ssl) for more details about
|
||||
X.509 extensions, and the B<CERTIFICATE TYPES> section of this manual for more
|
||||
details on the exact differences between the certificate types.
|
||||
|
||||
=item B<-c>, B<--encrypt>
|
||||
|
||||
|
|
|
@ -19,8 +19,8 @@ ca-renew-cert - renew a previously generated X.509 certificate
|
|||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<ca-renew-cert> -t I<type> [B<-f> I<config>] [B<-d> I<days>]
|
||||
I<hostname, username, or path to certificate>
|
||||
B<ca-renew-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
|
||||
I<common name>|<path to certificate>
|
||||
|
||||
B<ca-renew-cert> [B<-h>] | [B<--help>]
|
||||
|
||||
|
@ -41,8 +41,9 @@ type.
|
|||
|
||||
=item B<-t> I<TYPE>, B<--type> I<TYPE>
|
||||
|
||||
This argument is mandatory and tells B<ca-renew-cert> what type of certificate
|
||||
it is renewing, either I<server>, I<client>, or I<user>.
|
||||
This argument overrides the type detection if multiple certificate types share
|
||||
the same common name, telling B<ca-renew-cert> what type of certificate it is
|
||||
renewing, either I<server>, I<client>, or I<user>.
|
||||
|
||||
=item B<-f> I<FILE>, B<--config> I<FILE>
|
||||
|
||||
|
|
|
@ -19,8 +19,8 @@ ca-revoke-cert - revoke a certificate and re-generate CRL
|
|||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<ca-revoke-cert> -t I<type> [B<-f> I<config>] [B<-i> I<template>]
|
||||
[B<-o> I<file>] I<hostname, username, or path to certificate>
|
||||
B<ca-revoke-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-l> I<days>]
|
||||
[B<-i> I<template>] [B<-o> I<file>] I<common name>|I<path to certificate>
|
||||
|
||||
B<ca-revoke-cert> [B<-h>] | [B<--help>]
|
||||
|
||||
|
@ -42,8 +42,9 @@ type.
|
|||
|
||||
=item B<-t> I<TYPE>, B<--type> I<TYPE>
|
||||
|
||||
This argument is mandatory and tells B<ca-revoke-cert> what type of certificate
|
||||
it is revoking, either I<server>, I<client>, or I<user>.
|
||||
This argument overrides the type detection if multiple certificate types share
|
||||
the same common name, telling B<ca-revoke-cert> what type of certificate it is
|
||||
revoking, either I<server>, I<client>, or I<user>.
|
||||
|
||||
=item B<-f> I<FILE>, B<--config> I<FILE>
|
||||
|
||||
|
|
|
@ -73,9 +73,8 @@ __TESTS__
|
|||
fi
|
||||
|
||||
case "$CA_CRT_TYPE" in
|
||||
server|client|user|ca) :;;
|
||||
'') error "The type option is mandatory!";;
|
||||
*) error "Unrecognised type '$CA_CRT_TYPE'!";;
|
||||
server|client|user) :;;
|
||||
*) error "Unrecognised certificate type '$CA_CRT_TYPE'!";;
|
||||
esac
|
||||
|
||||
# we need to do these first to use them in other default defs
|
||||
|
@ -92,6 +91,7 @@ CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
|
|||
CA_PATHLEN 0
|
||||
CA_CRT_DAYS 365
|
||||
CA_CRT_BITS 2048
|
||||
CA_CRT_TYPE server
|
||||
CA_CRT_C $CA_DN_C
|
||||
CA_CRT_ST $CA_DN_ST
|
||||
CA_CRT_L $CA_DN_L
|
||||
|
@ -163,19 +163,33 @@ ca_cnf_name() {
|
|||
# tr(1) regex didn't work in the gsub() call above.
|
||||
}
|
||||
|
||||
ca_cnf_type() {
|
||||
local crt
|
||||
# XXX: dirty hack -- derive type from filename being *.TYPE.crt
|
||||
crt="${1%.crt}"
|
||||
crt="${crt##*.}"
|
||||
case "$crt" in
|
||||
server|client|user) echo "$crt";;
|
||||
*) echo $CA_CRT_TYPE;;
|
||||
esac
|
||||
}
|
||||
|
||||
ca_find_cnf() {
|
||||
local name _name
|
||||
local name _name _type
|
||||
name="$1"
|
||||
|
||||
if [ -f "$name" ]; then
|
||||
if ! grep -q "$CA_CRT_TYPE" <<<"$name"; then
|
||||
error "Certificate '$name' does not appear to be of type '$CA_CRT_TYPE'"
|
||||
else
|
||||
echo "$(ca_cnf_name $name).$CA_CRT_TYPE"
|
||||
fi
|
||||
_name="$(ca_cnf_name $name)"
|
||||
_type="$(ca_cnf_type $name)"
|
||||
if [ $(basename "$name" .crt) = "${_name}.${_type}" ]; then
|
||||
echo "${_name}.${_type}"
|
||||
return
|
||||
else
|
||||
error "Unable to derive config details from certificate '$name'."
|
||||
fi
|
||||
fi
|
||||
|
||||
# XXX: this stil doesn't handle default types. FIXME when it's not 1am.
|
||||
_name=$( echo -n "$name" | tr -c '[:alnum:]@-' _ )
|
||||
if [ "$CA_CRT_TYPE" = "user" ]; then
|
||||
# user names may have dots etc. in, so use munged version in match
|
||||
|
|
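Review bot: In `ca_find_cnf`, the new test `if [ $(basename "$name" .crt) = "${_name}.${_type}" ]` leaves the command substitution unquoted, so a certificate path whose basename contains whitespace makes `[` see extra operands and fail with a syntax error instead of the intended "Unable to derive config details" message; `$(ca_cnf_name $name)` and `$(ca_cnf_type $name)` have the same problem, and `ca_cnf_type` echoes `$CA_CRT_TYPE` unquoted. Suggest `if [ "$(basename "$name" .crt)" = "${_name}.${_type}" ]; then`, `*) echo "$CA_CRT_TYPE";;`, and `"$name"` in the two helper calls. Because `ca_cnf_type` silently falls back to `$CA_CRT_TYPE` for any suffix outside `server|client|user`, a plain `foo.crt` is only rejected by the later mismatch check; a comment on the fallback arm such as `# no .TYPE suffix: use the configured default; ca_find_cnf rejects a mismatch` would make that intent visible. The earlier hunk in this file also drops `ca` from the accepted `CA_CRT_TYPE` values, which is presumably intended but worth confirming nothing still sets it. `ca_find_cnf` continues past the end of the hunk.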