Add -b BITS flag to ca-create-cert.

2010-02-14 06:58:41 +00:00 · 2010-02-14 06:58:41 +00:00 · 8a883205b1
commit 8a883205b1
parent 4415635554
5 changed files with 13 additions and 1 deletions
--- a/bin/ca-create-cert
+++ b/bin/ca-create-cert
@ -26,6 +26,7 @@ Options:
  -f, --config FILE     Use config file instead of $CONFFILE
  -t, --type TYPE       Certificate type: "server", "client" or "user"
  -d, --days DAYS       Certificate is valid for DAYS days instead of 365
+  -b, --bits BITS       Generate a BITS bit certificate instead of 2048
  -n, --alt-name NAME   Alternative host name (can be provided multiple times)
  -p, --pkcs12          Create PKCS#12 certificate archive from generated cert
  -r, --csr-only        Only generate CSR, don't sign it
@ -56,6 +57,7 @@ while :; do
        -f|--config) shift; CONFFILE="$1"; shift;;
        -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
        -d|--days) shift; CA_CRT_DAYS="-days $1"; shift;;
+        -b|--bits) shift; CA_CRT_BITS="$1"; shift;;
        -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
        -p|--pkcs12) MAKE_P12=1; shift;;
        -r|--csr-only) CSR_ONLY=1; shift;;
--- a/ca-scripts.conf
+++ b/ca-scripts.conf
@ -38,6 +38,10 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
 # CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"

+# OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
+# Default value:
+# CA_CRT_BITS=2048
+
 # OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
 #           that can be in the chain of authority between the root CA and the 
 #           final certificate.
--- a/doc/ca-create-cert.pod
+++ b/doc/ca-create-cert.pod
@ -78,6 +78,11 @@ I</etc/ca-scripts.conf>.
 Sign the certificate to be valid for I<DAYS> days instead of the default of
 one year.

+=item B<-b> I<BITS>, B<--bits> I<BITS>
+
+Generate a I<BITS>-bit certificate instead of a default 2048-bit one.
+Traditionally this is a power of two, e.g. 512, 1024, 2048, 4096.
+
 =item B<-n> I<NAME>, B<--alt-name> I<NAME>

 Only valid for I<server> type certificates. Specifies an alternative host
--- a/lib/ca-functions
+++ b/lib/ca-functions
@ -90,6 +90,7 @@ CA_DESC         $CA_DN_CN
 CA_CRT_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
 CA_CRL_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
 CA_PATHLEN      0
+CA_CRT_BITS     2048
 CA_CRT_C        $CA_DN_C
 CA_CRT_ST       $CA_DN_ST
 CA_CRT_L        $CA_DN_L
--- a/tpl/req-config.tpl
+++ b/tpl/req-config.tpl
@ -1,5 +1,5 @@
 [ req ]
-default_bits            = 2048
+default_bits            = %CA_CRT_BITS%
 default_md              = sha1
 distinguished_name      = req_dn
 req_extensions          = req_%CA_CRT_TYPE%_extensions