diff --git a/bin/ca-create-cert b/bin/ca-create-cert
index d27c15e..a960035 100755
--- a/bin/ca-create-cert
+++ b/bin/ca-create-cert
@@ -25,8 +25,8 @@ Options:
 -c, --encrypt Encrypt certificate private key with Triple-DES
 -f, --config FILE Use config file instead of $CONFFILE
 -t, --type TYPE Certificate type: "server", "client" or "user"
- -d, --days DAYS Certificate is valid for DAYS days instead of 365
- -b, --bits BITS Generate a BITS bit certificate instead of 2048
+ -d, --days DAYS Certificate valid for DAYS days instead of CA_CRT_DAYS
+ -b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
 -n, --alt-name NAME Alternative host name (can be provided multiple times)
 -p, --pkcs12 Create PKCS#12 certificate archive from generated cert
 -r, --csr-only Only generate CSR, don't sign it
@@ -56,7 +56,7 @@ while :; do
 -c|--encrypt) CRYPTKEY=""; shift;;
 -f|--config) shift; CONFFILE="$1"; shift;;
 -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
- -d|--days) shift; CA_CRT_DAYS="-days $1"; shift;;
+ -d|--days) shift; CA_CRT_DAYS="$1"; shift;;
 -b|--bits) shift; CA_CRT_BITS="$1"; shift;;
 -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
 -p|--pkcs12) MAKE_P12=1; shift;;
@@ -166,7 +166,8 @@ if [ 1 -ne "$CSR_ONLY" ]; then
 if [ ! -f "$CA_HOME/cnf/$CNF_NAME.ext.cnf" ]; then
 error "Couldn't find extensions in $CA_HOME/cnf/$CNF_NAME.ext.cnf"
 fi
- openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" $CA_CRT_DAYS \
+ openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
+ -days "$CA_CRT_DAYS" \
 -extfile "$CA_HOME/cnf/$CNF_NAME.ext.cnf" -batch \
 -out "$CA_HOME/crt/$CNF_NAME.crt" \
 -in "$CA_HOME/csr/$CNF_NAME.csr"
diff --git a/bin/ca-renew-cert b/bin/ca-renew-cert
index ce30d75..922f678 100755
--- a/bin/ca-renew-cert
+++ b/bin/ca-renew-cert
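Review bot: The new `-d|--days) shift; CA_CRT_DAYS="$1"; shift;;` arm stores the argument unvalidated, and because the third hunk now passes `-days "$CA_CRT_DAYS"` to `openssl ca` unconditionally (the old form only added `-days` when `-d` was given), an empty or non-numeric value, or a `-d` with no argument that swallows the next option, only surfaces as an openssl error late in the run, presumably after the key and CSR have already been written. A check once option parsing is done, e.g. `[[ "$CA_CRT_DAYS" =~ ^[1-9][0-9]*$ ]] || error "Invalid --days value '$CA_CRT_DAYS'"`, fails early with a clear message and also covers an older ca-scripts.conf that never sets CA_CRT_DAYS, if the defaults from lib/ca-functions are not applied on that path. The `-d|--days` arm added to bin/ca-renew-cert has the same gap, and there the value is additionally spliced into a `date -d` expression. Quoting `-days "$CA_CRT_DAYS"` instead of the old unquoted `$CA_CRT_DAYS` expansion is an improvement. The `while` loop and the `if [ 1 -ne "$CSR_ONLY" ]` block both start and end outside these hunks.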
@@ -10,6 +10,7 @@ Options:
 -h, --help Print this helpful message!
 -f, --config FILE Use config file instead of $CONFFILE
 -t, --type Certificate type: "server", "client" or "user"
+ -d, --days DAYS Renew certificate for DAYS days instead of CA_CRT_DAYS
 __EOT__
 }
@@ -25,6 +26,7 @@ while :; do
 -h|--help) usage; exit 0;;
 -f|--config) shift; CONFFILE="$1"; shift;;
 -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
+ -d|--days) shift; CA_CRT_DAYS="$1"; shift;;
 --) shift; break;;
 *) echo "Unknown value '$1'"; exit 1;;
 esac
@@ -54,13 +56,14 @@ fi
 # acquire required info from old certificate
 ENDDATE=$( openssl x509 -in "$CRT" -noout -enddate | cut -d= -f2 )
 SERIAL=$( openssl x509 -in "$CRT" -noout -serial | cut -d= -f2 )
-# work out new expiry date based on expiry date of current cert + 1 year
+# work out new expiry date based on expiry date of current cert
 # these dates are " "
 export TZ=UTC
 NOWYEAR=$( date +%Y )
 NOWDAYS=$( date +%j )
-ENDYEAR=$( date +%Y -d "$ENDDATE + 1 year" )
-ENDDAYS=$( date +%j -d "$ENDDATE + 1 year" )
+# XXX: this only works with GNU date, BSD portability fail.
+ENDYEAR=$( date +%Y -d "$ENDDATE + $CA_CRT_DAYS days" )
+ENDDAYS=$( date +%j -d "$ENDDATE + $CA_CRT_DAYS days" )
 CERTDATE=$( date +%Y-%m-%d -d "$ENDDATE" )
 # and this does the maths to work out how many days there are from now
diff --git a/ca-scripts.conf b/ca-scripts.conf
index 1909480..445e0bc 100644
--- a/ca-scripts.conf
+++ b/ca-scripts.conf
@@ -42,6 +42,10 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # Default value:
 # CA_CRT_BITS=2048
+# OPTIONAL: CA_CRT_DAYS sets the default validity period for certificates.
+# Default value:
+# CA_CRT_DAYS=365
+
 # OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
 # that can be in the chain of authority between the root CA and the
 # final certificate.
diff --git a/doc/ca-create-cert.pod b/doc/ca-create-cert.pod
index 3989c77..cd99cc2 100755
--- a/doc/ca-create-cert.pod
+++ b/doc/ca-create-cert.pod
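Review bot: The new `ENDYEAR=$( date +%Y -d "$ENDDATE + $CA_CRT_DAYS days" )` and `ENDDAYS=` assignments do not check that `date` succeeded; if CA_CRT_DAYS is empty or not a number, GNU `date` rejects the expression, both variables are left empty, and unless the script runs under `set -e` (not visible here) the day arithmetic that the trailing comment announces, which lies outside the hunk, goes on to compute a bogus validity instead of stopping. Fail closed on each assignment, e.g. `ENDYEAR=$( date +%Y -d "$ENDDATE + $CA_CRT_DAYS days" ) || { echo "Cannot compute new expiry from '$ENDDATE'" >&2; exit 1; }`, and validate CA_CRT_DAYS as a positive integer once after option parsing, matching the existing `echo "Unknown value"; exit 1` error style of this script. Since the new `# XXX` comment already admits that `-d` is GNU-only, a guard such as `date --version >/dev/null 2>&1 || { echo "GNU date required" >&2; exit 1; }` would turn the BSD failure into an explicit error rather than an empty date.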
@@ -77,13 +77,13 @@ I.
 =item B<-d> I, B<--days> I
-Sign the certificate to be valid for I days instead of the default of
-one year.
+Sign the certificate to be valid for I days instead of the default
+B set in the configuration file.
 =item B<-b> I, B<--bits> I
-Generate a I-bit certificate instead of a default 2048-bit one.
-Traditionally this is a power of two, e.g. 512, 1024, 2048, 4096.
+Generate a I-bit certificate instead of the default B set in
+the configuration file. Traditionally this is a power of two, e.g. 1024 or 2048.
 =item B<-n> I, B<--alt-name> I
diff --git a/lib/ca-functions b/lib/ca-functions
index 1682a14..6870a20 100644
--- a/lib/ca-functions
+++ b/lib/ca-functions
@@ -90,6 +90,7 @@ CA_DESC $CA_DN_CN
 CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
 CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
 CA_PATHLEN 0
+CA_CRT_DAYS 365
 CA_CRT_BITS 2048
 CA_CRT_C $CA_DN_C
 CA_CRT_ST $CA_DN_ST
diff --git a/tpl/ca-config.tpl b/tpl/ca-config.tpl
index de3a29b..5acb51e 100644
--- a/tpl/ca-config.tpl
+++ b/tpl/ca-config.tpl
@@ -37,8 +37,8 @@ policy = ca_extension_policy # policy on required CSR attribu
 # leave these defaults
 name_opt = oneline # Subject Name options - x509(1)
 cert_opt = ca_default # Certificate field options - x509(1)
-default_days = 365 # how long to certify for
-default_crl_days= 365 # how long before next CRL
+default_days = %CA_CRT_DAYS% # how long to certify for
+default_crl_days= %CA_CRT_DAYS% # how long before next CRL
 default_md = sha1 # which md to use.
 preserve = no # keep passed DN ordering
 unique_subject = no # recommended
@@ -141,7 +141,7 @@ extendedKeyUsage = serverAuth
 # ---------------------------------------------------------------------------- # # This defines default settings for certificate requests and CA cert creation.
 [ req ]
-default_bits = 2048
+default_bits = %CA_CRT_BITS%
 default_md = sha1
 distinguished_name = ca_req_dn
 x509_extensions = ca_x509_extensions
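Review bot: `default_crl_days= %CA_CRT_DAYS%` ties the CRL's nextUpdate interval to the certificate validity period, which is the wrong lifetime to share: CA_CRT_DAYS is documented in ca-scripts.conf as the default certificate validity (365), and a relying party may legitimately cache a CRL until nextUpdate, so a revocation issued by this CA could go unnoticed for up to CA_CRT_DAYS days. CRL lifetime should be short and configured on its own; introduce a separate variable (say `CA_CRL_DAYS`, with its own default in lib/ca-functions and its own comment block in ca-scripts.conf) and use `default_crl_days= %CA_CRL_DAYS%` here, or at least leave `default_crl_days= 365` untouched by this commit. Note also that the substituted value is fixed into the rendered ca.cnf when the template is expanded (presumably at CA creation), whereas bin/ca-create-cert now always passes `-days "$CA_CRT_DAYS"` at signing time, so later edits to CA_CRT_DAYS would change certificate lifetimes but not CRL lifetimes. The `default_md = sha1` on the context line beside these changes is pre-existing and not part of this commit, but is worth a follow-up.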