psi-jack/ca-scripts
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Make certificate validity period configurable; fix BITS.

Browse source
This commit is contained in:
Alex Bramley 2010-02-14 09:14:35 +00:00
parent 37d21cea57
commit 732248284e
6 changed files with 23 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
bin/ca-create-cert
View file

@ -25,8 +25,8 @@ Options:
-c, --encrypt Encrypt certificate private key with Triple-DES -c, --encrypt Encrypt certificate private key with Triple-DES
-f, --config FILE Use config file instead of $CONFFILE -f, --config FILE Use config file instead of $CONFFILE
-t, --type TYPE Certificate type: "server", "client" or "user" -t, --type TYPE Certificate type: "server", "client" or "user"
-d, --days DAYS Certificate is valid for DAYS days instead of 365 -d, --days DAYS Certificate valid for DAYS days instead of CA_CRT_DAYS
-b, --bits BITS Generate a BITS bit certificate instead of 2048 -b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
-n, --alt-name NAME Alternative host name (can be provided multiple times) -n, --alt-name NAME Alternative host name (can be provided multiple times)
-p, --pkcs12 Create PKCS#12 certificate archive from generated cert -p, --pkcs12 Create PKCS#12 certificate archive from generated cert
-r, --csr-only Only generate CSR, don't sign it -r, --csr-only Only generate CSR, don't sign it
@ -56,7 +56,7 @@ while :; do
-c|--encrypt) CRYPTKEY=""; shift;; -c|--encrypt) CRYPTKEY=""; shift;;
-f|--config) shift; CONFFILE="$1"; shift;; -f|--config) shift; CONFFILE="$1"; shift;;
-t|--type) shift; CA_CRT_TYPE="$1"; shift;; -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
-d|--days) shift; CA_CRT_DAYS="-days $1"; shift;; -d|--days) shift; CA_CRT_DAYS="$1"; shift;;
-b|--bits) shift; CA_CRT_BITS="$1"; shift;; -b|--bits) shift; CA_CRT_BITS="$1"; shift;;
-n|--alt-name) shift; ALT_NAMES+=("$1"); shift;; -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
-p|--pkcs12) MAKE_P12=1; shift;; -p|--pkcs12) MAKE_P12=1; shift;;
@ -166,7 +166,8 @@ if [ 1 -ne "$CSR_ONLY" ]; then
if [ ! -f "$CA_HOME/cnf/$CNF_NAME.ext.cnf" ]; then if [ ! -f "$CA_HOME/cnf/$CNF_NAME.ext.cnf" ]; then
error "Couldn't find extensions in $CA_HOME/cnf/$CNF_NAME.ext.cnf" error "Couldn't find extensions in $CA_HOME/cnf/$CNF_NAME.ext.cnf"
fi fi
openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" $CA_CRT_DAYS \ openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-days "$CA_CRT_DAYS" \
-extfile "$CA_HOME/cnf/$CNF_NAME.ext.cnf" -batch \ -extfile "$CA_HOME/cnf/$CNF_NAME.ext.cnf" -batch \
-out "$CA_HOME/crt/$CNF_NAME.crt" \ -out "$CA_HOME/crt/$CNF_NAME.crt" \
-in "$CA_HOME/csr/$CNF_NAME.csr" -in "$CA_HOME/csr/$CNF_NAME.csr"

9
bin/ca-renew-cert
View file

@ -10,6 +10,7 @@ Options:
-h, --help Print this helpful message! -h, --help Print this helpful message!
-f, --config FILE Use config file instead of $CONFFILE -f, --config FILE Use config file instead of $CONFFILE
-t, --type Certificate type: "server", "client" or "user" -t, --type Certificate type: "server", "client" or "user"
-d, --days DAYS Renew certificate for DAYS days instead of CA_CRT_DAYS
__EOT__ __EOT__
} }
@ -25,6 +26,7 @@ while :; do
-h|--help) usage; exit 0;; -h|--help) usage; exit 0;;
-f|--config) shift; CONFFILE="$1"; shift;; -f|--config) shift; CONFFILE="$1"; shift;;
-t|--type) shift; CA_CRT_TYPE="$1"; shift;; -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
-d|--days) shift; CA_CRT_DAYS="$1"; shift;;
--) shift; break;; --) shift; break;;
*) echo "Unknown value '$1'"; exit 1;; *) echo "Unknown value '$1'"; exit 1;;
esac esac
@ -54,13 +56,14 @@ fi
# acquire required info from old certificate # acquire required info from old certificate
ENDDATE=$( openssl x509 -in "$CRT" -noout -enddate | cut -d= -f2 ) ENDDATE=$( openssl x509 -in "$CRT" -noout -enddate | cut -d= -f2 )
SERIAL=$( openssl x509 -in "$CRT" -noout -serial | cut -d= -f2 ) SERIAL=$( openssl x509 -in "$CRT" -noout -serial | cut -d= -f2 )
# work out new expiry date based on expiry date of current cert + 1 year # work out new expiry date based on expiry date of current cert
# these dates are "<year> <day of year>" # these dates are "<year> <day of year>"
export TZ=UTC export TZ=UTC
NOWYEAR=$( date +%Y ) NOWYEAR=$( date +%Y )
NOWDAYS=$( date +%j ) NOWDAYS=$( date +%j )
ENDYEAR=$( date +%Y -d "$ENDDATE + 1 year" ) # XXX: this only works with GNU date, BSD portability fail.
ENDDAYS=$( date +%j -d "$ENDDATE + 1 year" ) ENDYEAR=$( date +%Y -d "$ENDDATE + $CA_CRT_DAYS days" )
ENDDAYS=$( date +%j -d "$ENDDATE + $CA_CRT_DAYS days" )
CERTDATE=$( date +%Y-%m-%d -d "$ENDDATE" ) CERTDATE=$( date +%Y-%m-%d -d "$ENDDATE" )
# and this does the maths to work out how many days there are from now # and this does the maths to work out how many days there are from now

4
ca-scripts.conf
View file

@ -42,6 +42,10 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
# Default value: # Default value:
# CA_CRT_BITS=2048 # CA_CRT_BITS=2048
# OPTIONAL: CA_CRT_DAYS sets the default validity period for certificates.
# Default value:
# CA_CRT_DAYS=365
# OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates # OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
# that can be in the chain of authority between the root CA and the # that can be in the chain of authority between the root CA and the
# final certificate. # final certificate.

8
doc/ca-create-cert.pod
View file

@ -77,13 +77,13 @@ I</etc/ca-scripts.conf>.
=item B<-d> I<DAYS>, B<--days> I<DAYS> =item B<-d> I<DAYS>, B<--days> I<DAYS>
Sign the certificate to be valid for I<DAYS> days instead of the default of Sign the certificate to be valid for I<DAYS> days instead of the default
one year. B<CA_CRT_DAYS> set in the configuration file.
=item B<-b> I<BITS>, B<--bits> I<BITS> =item B<-b> I<BITS>, B<--bits> I<BITS>
Generate a I<BITS>-bit certificate instead of a default 2048-bit one. Generate a I<BITS>-bit certificate instead of the default B<CA_CRT_BITS> set in
Traditionally this is a power of two, e.g. 512, 1024, 2048, 4096. the configuration file. Traditionally this is a power of two, e.g. 1024 or 2048.
=item B<-n> I<NAME>, B<--alt-name> I<NAME> =item B<-n> I<NAME>, B<--alt-name> I<NAME>

1
lib/ca-functions
View file

@ -90,6 +90,7 @@ CA_DESC $CA_DN_CN
CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
CA_PATHLEN 0 CA_PATHLEN 0
CA_CRT_DAYS 365
CA_CRT_BITS 2048 CA_CRT_BITS 2048
CA_CRT_C $CA_DN_C CA_CRT_C $CA_DN_C
CA_CRT_ST $CA_DN_ST CA_CRT_ST $CA_DN_ST

6
tpl/ca-config.tpl
View file

@ -37,8 +37,8 @@ policy = ca_extension_policy # policy on required CSR attribu
# leave these defaults # leave these defaults
name_opt = oneline # Subject Name options - x509(1) name_opt = oneline # Subject Name options - x509(1)
cert_opt = ca_default # Certificate field options - x509(1) cert_opt = ca_default # Certificate field options - x509(1)
default_days = 365 # how long to certify for default_days = %CA_CRT_DAYS% # how long to certify for
default_crl_days= 365 # how long before next CRL default_crl_days= %CA_CRT_DAYS% # how long before next CRL
default_md = sha1 # which md to use. default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering
unique_subject = no # recommended unique_subject = no # recommended
@ -141,7 +141,7 @@ extendedKeyUsage = serverAuth
# ---------------------------------------------------------------------------- # # ---------------------------------------------------------------------------- #
# This defines default settings for certificate requests and CA cert creation. # This defines default settings for certificate requests and CA cert creation.
[ req ] [ req ]
default_bits = 2048 default_bits = %CA_CRT_BITS%
default_md = sha1 default_md = sha1
distinguished_name = ca_req_dn distinguished_name = ca_req_dn
x509_extensions = ca_x509_extensions x509_extensions = ca_x509_extensions