Make -t optional and configurable from config file (1/2).

This commit is contained in:
Alex Bramley 2010-03-13 14:47:57 +00:00
parent 1f5f0517f4
commit 34b55f4fec
8 changed files with 50 additions and 35 deletions


@ -15,15 +15,13 @@ MAKE_P12=0
usage() {
cat <<__EOT__
Usage:
$PROGNAME -t server [options] <hostname>
$PROGNAME -t client [options] <hostname>
$PROGNAME -t user [options] <username>
$PROGNAME [options] <common name>
Options:
-h, --help Print this helpful message!
-c, --encrypt Encrypt certificate private key with Triple-DES
-f, --config FILE Use config file instead of $CONFFILE
-t, --type TYPE Certificate type: "server", "client" or "user"
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
-d, --days DAYS Certificate valid for DAYS days instead of CA_CRT_DAYS
-b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
-n, --alt-name NAME Alternative host name (can be provided multiple times)
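Review bot: The new `-t` help line in this hunk gives the default as a literal "server", but after this commit the effective default is whatever `CA_CRT_TYPE` resolves to (the config hunk in this same commit makes it configurable), and the neighbouring `-d`/`-b` lines already phrase their defaults as "instead of CA_CRT_DAYS" / "instead of CA_CRT_BITS". For consistency and accuracy the line could read `-t, --type TYPE Certificate type: "server", "client" or "user" instead of CA_CRT_TYPE`. The same help line appears to be changed identically in the two following usage() hunks, so the same wording would apply there. The usage() heredoc is closed outside this hunk.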


@ -4,12 +4,12 @@
usage() {
cat <<__EOT__
Usage: $PROGNAME -t <type> [options] <hostname|username|certpath>
Usage: $PROGNAME [options] <common name>|<path to certificate>
Options:
-h, --help Print this helpful message!
-f, --config FILE Use config file instead of $CONFFILE
-t, --type Certificate type: "server", "client" or "user"
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
-d, --days DAYS Renew certificate for DAYS days instead of CA_CRT_DAYS
__EOT__


@ -4,12 +4,12 @@
usage() {
cat <<__EOT__
Usage: $PROGNAME -t <type> [options] <hostname|username|certpath>
Usage: $PROGNAME [options] <common name>|<path to certificate>
Options:
-h, --help Print this helpful message!
-f, --config FILE Use config file instead of $CONFFILE
-t, --type Certificate type: "server", "client" or "user"
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
-i, --template FILE Use alternative index.html template
-o, --output FILE Generate CA index.html in FILE


@ -42,9 +42,9 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
# Default value:
# CA_CRT_BITS=2048
# OPTIONAL: CA_CRT_DAYS sets the default validity period for certificates.
# OPTIONAL: CA_CRT_TYPE sets the default type of generated certificate.
# Default value:
# CA_CRT_DAYS=365
# CA_CRT_TYPE="server"
# OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
# that can be in the chain of authority between the root CA and the
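Review bot: The new `CA_CRT_TYPE` comment in this hunk does not say which values are accepted, although the validation added elsewhere in this commit rejects anything other than three fixed names with an "Unrecognised certificate type" error. Since a misconfigured value now fails every invocation rather than only those that pass `-t`, the comment should spell the choices out, e.g. `# OPTIONAL: CA_CRT_TYPE sets the default type of generated certificate ("server", "client" or "user").` The example default line below it can stay as is.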


@ -19,8 +19,8 @@ ca-create-cert - generate a signed X.509 SSL certificate
=head1 SYNOPSIS
B<ca-create-cert> -t I<type> [B<-cprsx>] [B<-f> I<config>] [B<-d> I<days>]
[B<-n> I<name>] [I<options>] <host or user name>
B<ca-create-cert> [B<-cpqrsx>] [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
[B<-b> I<bits>] [B<-n> I<name>] [I<options>] <common name>
B<ca-create-cert> [B<-h>] | [B<--help>]
@ -56,13 +56,14 @@ Prints out a short synopsis of the options to B<ca-create-cert>.
=item B<-t> I<TYPE>, B<--type> I<TYPE>
This argument is mandatory. B<ca-create-cert> can create three types of
X.509 certificate: I<server>, I<client>, and I<user>. These differ
in the X.509v3 extensions present in the signed certificate, and in the uses
the certificate is trusted for. See x509(1ssl) and x509v3_config(5ssl)
for more details about X.509 extensions, and the B<CERTIFICATE TYPES>
section of this manual for more details on the exact differences between the
certificate types.
B<ca-create-cert> can create three types of X.509 certificate: I<server>,
I<client>, and I<user>. The type can also be set using the config variable
B<CA_CRT_TYPE>; it defaults to I<server> in the absence of either the command
line or config variable being present. Certificate types differ in the X.509v3
extensions present in the signed certificate, and in the uses the certificate
is trusted for. See x509(1ssl) and x509v3_config(5ssl) for more details about
X.509 extensions, and the B<CERTIFICATE TYPES> section of this manual for more
details on the exact differences between the certificate types.
=item B<-c>, B<--encrypt>


@ -19,8 +19,8 @@ ca-renew-cert - renew a previously generated X.509 certificate
=head1 SYNOPSIS
B<ca-renew-cert> -t I<type> [B<-f> I<config>] [B<-d> I<days>]
I<hostname, username, or path to certificate>
B<ca-renew-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-d> I<days>]
I<common name>|<path to certificate>
B<ca-renew-cert> [B<-h>] | [B<--help>]
@ -41,8 +41,9 @@ type.
=item B<-t> I<TYPE>, B<--type> I<TYPE>
This argument is mandatory and tells B<ca-renew-cert> what type of certificate
it is renewing, either I<server>, I<client>, or I<user>.
This argument overrides the type detection if multiple certificate types share
the same common name, telling B<ca-renew-cert> what type of certificate it is
renewing, either I<server>, I<client>, or I<user>.
=item B<-f> I<FILE>, B<--config> I<FILE>


@ -19,8 +19,8 @@ ca-revoke-cert - revoke a certificate and re-generate CRL
=head1 SYNOPSIS
B<ca-revoke-cert> -t I<type> [B<-f> I<config>] [B<-i> I<template>]
[B<-o> I<file>] I<hostname, username, or path to certificate>
B<ca-revoke-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-l> I<days>]
[B<-i> I<template>] [B<-o> I<file>] I<common name>|I<path to certificate>
B<ca-revoke-cert> [B<-h>] | [B<--help>]
@ -42,8 +42,9 @@ type.
=item B<-t> I<TYPE>, B<--type> I<TYPE>
This argument is mandatory and tells B<ca-revoke-cert> what type of certificate
it is revoking, either I<server>, I<client>, or I<user>.
This argument overrides the type detection if multiple certificate types share
the same common name, telling B<ca-revoke-cert> what type of certificate it is
revoking, either I<server>, I<client>, or I<user>.
=item B<-f> I<FILE>, B<--config> I<FILE>


@ -73,9 +73,8 @@ __TESTS__
fi
case "$CA_CRT_TYPE" in
server|client|user|ca) :;;
'') error "The type option is mandatory!";;
*) error "Unrecognised type '$CA_CRT_TYPE'!";;
server|client|user) :;;
*) error "Unrecognised certificate type '$CA_CRT_TYPE'!";;
esac
# we need to do these first to use them in other default defs
@ -92,6 +91,7 @@ CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
CA_PATHLEN 0
CA_CRT_DAYS 365
CA_CRT_BITS 2048
CA_CRT_TYPE server
CA_CRT_C $CA_DN_C
CA_CRT_ST $CA_DN_ST
CA_CRT_L $CA_DN_L
@ -163,19 +163,33 @@ ca_cnf_name() {
# tr(1) regex didn't work in the gsub() call above.
}
ca_cnf_type() {
local crt
# XXX: dirty hack -- derive type from filename being *.TYPE.crt
crt="${1%.crt}"
crt="${crt##*.}"
case "$crt" in
server|client|user) echo "$crt";;
*) echo $CA_CRT_TYPE;;
esac
}
ca_find_cnf() {
local name _name
local name _name _type
name="$1"
if [ -f "$name" ]; then
if ! grep -q "$CA_CRT_TYPE" <<<"$name"; then
error "Certificate '$name' does not appear to be of type '$CA_CRT_TYPE'"
else
echo "$(ca_cnf_name $name).$CA_CRT_TYPE"
fi
_name="$(ca_cnf_name $name)"
_type="$(ca_cnf_type $name)"
if [ $(basename "$name" .crt) = "${_name}.${_type}" ]; then
echo "${_name}.${_type}"
return
else
error "Unable to derive config details from certificate '$name'."
fi
fi
# XXX: this stil doesn't handle default types. FIXME when it's not 1am.
_name=$( echo -n "$name" | tr -c '[:alnum:]@-' _ )
if [ "$CA_CRT_TYPE" = "user" ]; then
# user names may have dots etc. in, so use munged version in match