Make certificate validity period configurable; fix BITS.

bin/ca-create-cert

@@ -25,8 +25,8 @@ Options:
   -c, --encrypt         Encrypt certificate private key with Triple-DES
   -f, --config FILE     Use config file instead of $CONFFILE
   -t, --type TYPE       Certificate type: "server", "client" or "user"
-  -d, --days DAYS       Certificate is valid for DAYS days instead of 365
-  -b, --bits BITS       Generate a BITS bit certificate instead of 2048
+  -d, --days DAYS       Certificate valid for DAYS days instead of CA_CRT_DAYS
+  -b, --bits BITS       Generate a BITS bit certificate instead of CA_CRT_BITS
   -n, --alt-name NAME   Alternative host name (can be provided multiple times)
   -p, --pkcs12          Create PKCS#12 certificate archive from generated cert
   -r, --csr-only        Only generate CSR, don't sign it
@@ -56,7 +56,7 @@ while :; do
         -c|--encrypt) CRYPTKEY=""; shift;;
         -f|--config) shift; CONFFILE="$1"; shift;;
         -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
-        -d|--days) shift; CA_CRT_DAYS="-days $1"; shift;;
+        -d|--days) shift; CA_CRT_DAYS="$1"; shift;;
         -b|--bits) shift; CA_CRT_BITS="$1"; shift;;
         -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
         -p|--pkcs12) MAKE_P12=1; shift;;
@@ -166,7 +166,8 @@ if [ 1 -ne "$CSR_ONLY" ]; then
         if [ ! -f "$CA_HOME/cnf/$CNF_NAME.ext.cnf" ]; then
             error "Couldn't find extensions in $CA_HOME/cnf/$CNF_NAME.ext.cnf"
         fi
-        openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" $CA_CRT_DAYS \
+        openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
+          -days    "$CA_CRT_DAYS" \
           -extfile "$CA_HOME/cnf/$CNF_NAME.ext.cnf" -batch \
           -out     "$CA_HOME/crt/$CNF_NAME.crt" \
           -in      "$CA_HOME/csr/$CNF_NAME.csr"

bin/ca-renew-cert

@@ -10,6 +10,7 @@ Options:
   -h, --help            Print this helpful message!
   -f, --config FILE     Use config file instead of $CONFFILE
   -t, --type            Certificate type: "server", "client" or "user"
+  -d, --days DAYS       Renew certificate for DAYS days instead of CA_CRT_DAYS
 
 __EOT__
 }
@@ -25,6 +26,7 @@ while :; do
         -h|--help) usage; exit 0;;
         -f|--config) shift; CONFFILE="$1"; shift;;
         -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
+        -d|--days) shift; CA_CRT_DAYS="$1"; shift;;
         --) shift; break;;
         *) echo "Unknown value '$1'"; exit 1;;
     esac
@@ -54,13 +56,14 @@ fi
 # acquire required info from old certificate
 ENDDATE=$( openssl x509 -in "$CRT" -noout -enddate | cut -d= -f2 )
 SERIAL=$( openssl x509 -in "$CRT" -noout -serial | cut -d= -f2 )
-# work out new expiry date based on expiry date of current cert + 1 year
+# work out new expiry date based on expiry date of current cert
 # these dates are "<year> <day of year>"
 export TZ=UTC 
 NOWYEAR=$( date +%Y )
 NOWDAYS=$( date +%j ) 
-ENDYEAR=$( date +%Y -d "$ENDDATE + 1 year" )
-ENDDAYS=$( date +%j -d "$ENDDATE + 1 year" )
+# XXX: this only works with GNU date, BSD portability fail.
+ENDYEAR=$( date +%Y -d "$ENDDATE + $CA_CRT_DAYS days" )
+ENDDAYS=$( date +%j -d "$ENDDATE + $CA_CRT_DAYS days" )
 CERTDATE=$( date +%Y-%m-%d -d "$ENDDATE" )
 
 # and this does the maths to work out how many days there are from now

ca-scripts.conf

@@ -42,6 +42,10 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # Default value:
 # CA_CRT_BITS=2048
 
+# OPTIONAL: CA_CRT_DAYS sets the default validity period for certificates.
+# Default value:
+# CA_CRT_DAYS=365
+
 # OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
 #           that can be in the chain of authority between the root CA and the 
 #           final certificate.

doc/ca-create-cert.pod

@@ -77,13 +77,13 @@ I</etc/ca-scripts.conf>.
 
 =item B<-d> I<DAYS>, B<--days> I<DAYS>
 
-Sign the certificate to be valid for I<DAYS> days instead of the default of
-one year.
+Sign the certificate to be valid for I<DAYS> days instead of the default
+B<CA_CRT_DAYS> set in the configuration file.
 
 =item B<-b> I<BITS>, B<--bits> I<BITS>
 
-Generate a I<BITS>-bit certificate instead of a default 2048-bit one.
-Traditionally this is a power of two, e.g. 512, 1024, 2048, 4096.
+Generate a I<BITS>-bit certificate instead of the default B<CA_CRT_BITS> set in
+the configuration file. Traditionally this is a power of two, e.g. 1024 or 2048.
 
 =item B<-n> I<NAME>, B<--alt-name> I<NAME>
 

lib/ca-functions

@@ -90,6 +90,7 @@ CA_DESC         $CA_DN_CN
 CA_CRT_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
 CA_CRL_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
 CA_PATHLEN      0
+CA_CRT_DAYS     365
 CA_CRT_BITS     2048
 CA_CRT_C        $CA_DN_C
 CA_CRT_ST       $CA_DN_ST

tpl/ca-config.tpl

@@ -37,8 +37,8 @@ policy          = ca_extension_policy           # policy on required CSR attribu
 # leave these defaults
 name_opt        = oneline               # Subject Name options - x509(1)
 cert_opt        = ca_default            # Certificate field options - x509(1) 
-default_days    = 365                   # how long to certify for
-default_crl_days= 365                   # how long before next CRL
+default_days    = %CA_CRT_DAYS%         # how long to certify for
+default_crl_days= %CA_CRT_DAYS%         # how long before next CRL
 default_md      = sha1                  # which md to use.
 preserve        = no                    # keep passed DN ordering
 unique_subject  = no                    # recommended
@@ -141,7 +141,7 @@ extendedKeyUsage        = serverAuth
 # ---------------------------------------------------------------------------- #
 # This defines default settings for certificate requests and CA cert creation.
 [ req ]
-default_bits            = 2048
+default_bits            = %CA_CRT_BITS%
 default_md              = sha1
 distinguished_name      = ca_req_dn
 x509_extensions         = ca_x509_extensions