From 8a883205b15a95c06c13a0a44ecb4098a63faa2d Mon Sep 17 00:00:00 2001
From: Alex Bramley
Date: Sun, 14 Feb 2010 06:58:41 +0000
Subject: [PATCH] Add -b BITS flag to ca-create-cert.

---
 bin/ca-create-cert | 2 ++
 ca-scripts.conf | 4 ++++
 doc/ca-create-cert.pod | 5 +++++
 lib/ca-functions | 1 +
 tpl/req-config.tpl | 2 +-
 5 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/bin/ca-create-cert b/bin/ca-create-cert
index e1da464..d27c15e 100755
--- a/bin/ca-create-cert
+++ b/bin/ca-create-cert
@@ -26,6 +26,7 @@ Options:
 -f, --config FILE Use config file instead of $CONFFILE
 -t, --type TYPE Certificate type: "server", "client" or "user"
 -d, --days DAYS Certificate is valid for DAYS days instead of 365
+ -b, --bits BITS Generate a BITS bit certificate instead of 2048
 -n, --alt-name NAME Alternative host name (can be provided multiple times)
 -p, --pkcs12 Create PKCS#12 certificate archive from generated cert
 -r, --csr-only Only generate CSR, don't sign it
@@ -56,6 +57,7 @@ while :; do
 -f|--config) shift; CONFFILE="$1"; shift;;
 -t|--type) shift; CA_CRT_TYPE="$1"; shift;;
 -d|--days) shift; CA_CRT_DAYS="-days $1"; shift;;
+ -b|--bits) shift; CA_CRT_BITS="$1"; shift;;
 -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
 -p|--pkcs12) MAKE_P12=1; shift;;
 -r|--csr-only) CSR_ONLY=1; shift;;
diff --git a/ca-scripts.conf b/ca-scripts.conf
index 220d03b..1909480 100644
--- a/ca-scripts.conf
+++ b/ca-scripts.conf
@@ -38,6 +38,10 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
 # CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
 
+# OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
+# Default value:
+# CA_CRT_BITS=2048
+
 # OPTIONAL: CA_PATHLEN sets the maximum number of intermediate CA certificates
 # that can be in the chain of authority between the root CA and the
 # final certificate.
diff --git a/doc/ca-create-cert.pod b/doc/ca-create-cert.pod
index 7c7a217..7b69c59 100755
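Review bot: The new `-b|--bits` case in the second hunk assigns `$1` to CA_CRT_BITS without checking it, so an empty value (`-b` given as the last argument) or a non-numeric one reaches `default_bits` in the tpl/req-config.tpl hunk verbatim and only fails later inside openssl, while a small number such as the 512 or 1024 the pod hunk lists as examples silently produces a key far below the 2048 default. Since the value can also come from ca-scripts.conf (the CA_CRT_BITS comment block added there), the check ideally belongs wherever the final value is consumed, but at minimum the option parser should refuse anything that is not a positive integer, e.g. `-b|--bits) shift; case "$1" in ''|*[!0-9]*) echo "--bits requires a positive integer" >&2; exit 1;; esac; CA_CRT_BITS="$1"; shift;;` (adjusted to the script's usual usage-error handling, which is outside the hunk). Enforcing a lower bound equal to the 2048 default and dropping the 512/1024 examples from the pod text would also be worth considering. The enclosing `while :; do` loop begins and ends outside the hunk.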
--- a/doc/ca-create-cert.pod
+++ b/doc/ca-create-cert.pod
@@ -78,6 +78,11 @@ I. Sign the certificate to be valid for I days instead of the default of one year.
+=item B<-b> I, B<--bits> I
+
+Generate a I-bit certificate instead of a default 2048-bit one.
+Traditionally this is a power of two, e.g. 512, 1024, 2048, 4096.
+
 =item B<-n> I, B<--alt-name> I
 
 Only valid for I type certificates. Specifies an alternative host
diff --git a/lib/ca-functions b/lib/ca-functions
index ac36ef8..1682a14 100644
--- a/lib/ca-functions
+++ b/lib/ca-functions
@@ -90,6 +90,7 @@ CA_DESC $CA_DN_CN
 CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
 CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
 CA_PATHLEN 0
+CA_CRT_BITS 2048
 CA_CRT_C $CA_DN_C
 CA_CRT_ST $CA_DN_ST
 CA_CRT_L $CA_DN_L
diff --git a/tpl/req-config.tpl b/tpl/req-config.tpl
index f25b457..a2312c4 100644
--- a/tpl/req-config.tpl
+++ b/tpl/req-config.tpl
@@ -1,5 +1,5 @@
 [ req ]
-default_bits = 2048
+default_bits = %CA_CRT_BITS%
 default_md = sha1
 distinguished_name = req_dn
 req_extensions = req_%CA_CRT_TYPE%_extensions