More fine-grained control over cert/crl validity; rename crt/crl-only options.

bin/ca-create-cert

@@ -27,8 +27,8 @@ Options:
   -n, --alt-name NAME   Alternative host name (can be provided multiple times)
   -p, --pkcs12          Create PKCS#12 certificate archive from generated cert
   -q, --no-qualify      Don't qualify short (dotless) names with CA_DOMAIN
-  -r, --csr-only        Only generate CSR, don't sign it
-  -s, --crt-only        Only sign certificate, requires CSR in place
+  -r, --req-only        Only generate CSR, don't sign it
+  -s, --sign-only       Only sign certificate, requires CSR in place
   -x, --cnf-only        Only generate templates, do not create CSR or sign CRT
   --country             Certificate DN -- C
   --state               Certificate DN -- ST
@@ -41,8 +41,9 @@ Options:
 __EOT__
 }
 
-short='hcf:t:n:prsx'
-long='help,encrypt,config:,type:,alt-name:,pkcs12,csr-only,crt-only,cnf-only'
+short="hcf:t:d:b:n:pqrsx"
+long="help,encrypt,config:,type:,days:,bits:,alt-name:"
+long="$long,pkcs12,no-qualify,req-only,sign-only,cnf-only"
 long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
@@ -59,8 +60,8 @@ while :; do
         -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
         -p|--pkcs12) MAKE_P12=1; shift;;
         -q|--no-qualify) QUALIFY=0; shift;;
-        -r|--csr-only) CSR_ONLY=1; shift;;
-        -s|--crt-only) CRT_ONLY=1; shift;;
+        -r|--req-only) CSR_ONLY=1; shift;;
+        -s|--sign-only) CRT_ONLY=1; shift;;
         -x|--cnf-only) CNF_ONLY=1; shift;;
         --country) shift; USER_CA_CRT_C="$1"; shift;;
         --state) shift; USER_CA_CRT_ST="$1"; shift;;

bin/ca-init

@@ -21,16 +21,20 @@ Options:
   -h, --help            Print this helpful message!
   -c, --encrypt         Encrypt CA private key with Triple-DES
   -f, --config FILE     Use config file instead of $CONFFILE
+  -d, --days DAYS       CA Certificate valid for DAYS days instead of CA_DAYS
+  -l, --crl-days DAYS   Make CRL valid for DAYS days instead of CA_CRL_DAYS
+  -b, --bits BITS       Generate a BITS bit certificate instead of CA_CRT_BITS
   -i, --template FILE   Use alternative index.html template
   -o, --output FILE     Generate CA index.html in FILE
-  -s, --crt-only        Only generate CA cert/key, use pre-created config
+  -s, --sign-only       Only generate CA cert/key, use pre-created config
   -x, --cnf-only        Only generate CA config file, don't create CA cert/key
 
 __EOT__
 }
 
-short='hcf:i:o:sx'
-long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
+short="hcf:d:l:b:i:o:sx"
+long="help,encrypt,config:,days:,crl-days:,bits:"
+long="$long,template:,output:,sign-only,cnf-only"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@@ -40,9 +44,12 @@ while :; do
         -h|--help) usage; exit 0;;
         -c|--encrypt) CRYPTKEY=""; shift;;
         -f|--config) shift; CONFFILE="$1"; shift;;
+        -d|--days) shift; USER_CA_DAYS="$1"; shift;;
+        -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
+        -b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
         -i|--template) shift; INDEXTPL="$1"; shift;;
         -o|--output) shift; INDEXOUT="$1"; shift;;
-        -s|--crt-only) CRT_ONLY=1; shift;;
+        -s|--sign-only) CRT_ONLY=1; shift;;
         -x|--cnf-only) CNF_ONLY=1; shift;;
         --) shift; break;;
         *) echo "Unknown value '$1'"; exit 1;;
@@ -83,7 +90,7 @@ if [ 1 -ne "$CNF_ONLY" ]; then
       -out    "$CA_HOME/csr/$CA_NAME.ca.csr"
     chmod 400 "$CA_HOME/key/$CA_NAME.ca.key"
 
-    openssl ca -create_serial -selfsign -days 3652 -batch \
+    openssl ca -create_serial -selfsign -days "$CA_DAYS" -batch \
       -name ca_scripts -extensions ca_x509_extensions \
       -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
       -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \

bin/ca-revoke-cert

@@ -10,14 +10,15 @@ Options:
   -h, --help            Print this helpful message!
   -f, --config FILE     Use config file instead of $CONFFILE
   -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
+  -l, --crl-days DAYS   Make CRL valid for DAYS days instead of CA_CRL_DAYS
   -i, --template FILE   Use alternative index.html template
   -o, --output FILE     Generate CA index.html in FILE
 
 __EOT__
 }
   
-short='hf:t:i:o:'
-long='help,config:,type:,template:,output:'
+short="hf:t:l:i:o:"
+long="help,config:,type:,crl-days:,template:,output:"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@@ -27,6 +28,7 @@ while :; do
         -h|--help) usage; exit 0;;
         -f|--config) shift; CONFFILE="$1"; shift;;
         -t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
+        -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
         -i|--template) shift; INDEXTPL="$1"; shift;;
         -o|--output) shift; INDEXOUT="$1"; shift;;
         --) shift; break;;

ca-scripts.conf

@@ -38,6 +38,13 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
 # CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
 
+# OPTIONAL: CA_DAYS, CA_CRT_DAYS and CA_CRL_DAYS set the default validity 
+#           period for the CA cert, certificates and revocation lists.
+# Default value:
+# CA_DAYS=3652
+# CA_CRT_DAYS=365
+# CA_CRL_DAYS=365
+
 # OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
 # Default value:
 # CA_CRT_BITS=2048

doc/ca-create-cert.pod

@@ -105,22 +105,22 @@ I<subjectAltName> extension in this case. User names are treated as unqualified
 if they do not contain an "@" symbol and are qualified to I<common
 name>@B<CA_DOMAIN>.
 
-=item B<-r>, B<--csr-only>
+=item B<-r>, B<--req-only>
 
 Causes B<ca-create-cert> to generate just the X.509 certificate signing
 request (CSR) from a pre-existing openssl request configuration, without
 signing it to create a valid certificate. When used in conjunction with
 B<--cnf-only>, B<ca-create-cert> only generates the openssl request
 configuration, allowing the user to modify it before creating the CSR.
-Mutually exclusive to B<--crt-only>.
+Mutually exclusive to B<--sign-only>.
 
-=item B<-s>, B<--crt-only>
+=item B<-s>, B<--sign-only>
 
 Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing
 X.509 extensions configuration, creating a valid certificate. When used in
 conjunction with B<--cnf-only>, B<ca-create-cert> only generates the
 X.509 extensions configuration, allowing the user to modify it before signing
-the certificate. Mutually exclusive to B<--csr-only>.
+the certificate. Mutually exclusive to B<--req-only>.
 
 =item B<-x>, B<--cnf-only>
 

doc/ca-init.pod

@@ -19,7 +19,8 @@ ca-init - initialise an X.509 SSL CA and generate CA certificate
 
 =head1 SYNOPSIS
 
-B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-i> I<template>] [B<-o> I<output>]
+B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-d> I<days>] [B<-l> I<days>]
+[B<-b> I<bits>] [B<-i> I<template>] [B<-o> I<output>]
 
 B<ca-init> [B<-h>] | [B<--help>]
 
@@ -49,6 +50,21 @@ Encrypt the private key generated for the certificate authority with 3DES.
 Load the ca-scripts configuration from I<FILE> instead of
 I</etc/ca-scripts.conf>.
 
+=item B<-d> I<DAYS>, B<--days> I<DAYS>
+
+Sign the CA certificate to be valid for I<DAYS> days instead of the default
+B<CA_DAYS> set in the configuration file.
+
+=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
+
+Generate a CRL that is valid for I<DAYS> days instead of the default
+B<CA_CRL_DAYS> set in the configuration file.
+
+=item B<-b> I<BITS>, B<--bits> I<BITS>
+
+Generate a I<BITS>-bit CA certificate instead of the default B<CA_CRT_BITS> set
+in the config file. Traditionally this is a power of two, e.g. 1024 or 2048.
+
 =item B<-i> I<FILE>, B<--template> I<FILE>
 
 Use the index.html template in I<FILE> rather than the standard one provided
@@ -61,7 +77,7 @@ Generate a HTML page in I<FILE> suitable for serving your CA certificate and
 revocation lists via HTTP. The default template is basic but provides MD5 and
 SHA1 fingerprints of both files for verification purposes.
 
-=item B<-s>, B<--crt-only>
+=item B<-s>, B<--sign-only>
 
 Generate the CA certificate and private key from a previously-created openssl
 configuration. May only be used after having run B<ca-init> with the
@@ -71,8 +87,8 @@ B<--cnf-only> option, and mutually exclusive to that option.
 
 Create initial CA directory structure and openssl configuration, but do not
 generate CA certificate and private key. Using this option in conjunction with
-B<--crt-only> allows the user to manually customise the openssl config
-before generating the certificates. Mutually exclusive to B<--crt-only>.
+B<--sign-only> allows the user to manually customise the openssl config
+before generating the certificates. Mutually exclusive to B<--sign-only>.
 
 =back
 

doc/ca-revoke-cert.pod

@@ -51,6 +51,11 @@ revoking, either I<server>, I<client>, or I<user>.
 Load the ca-scripts configuration from I<FILE> instead of
 I</etc/ca-scripts.conf>.
 
+=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
+
+Generate a CRL that is valid for I<DAYS> days instead of the default
+B<CA_CRL_DAYS> set in the configuration file.
+
 =item B<-i> I<FILE>, B<--template> I<FILE>
 
 Use the index.html template in I<FILE> rather than the standard one provided
@@ -72,6 +77,11 @@ this may change in future releases along with code to deal with key compromise.
 Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
 generated CRLs due to requiring a very recent version of openssl(1).
 
+These scripts will not handle configuring an OCSP server for you. OCSP is an
+alternative method of checking the validity of X.509 certificates, and is
+Worth Investigating. See ocsp(1ssl) and the
+L<wikipedia entry|http://en.wikipedia.org/wiki/OCSP> for details.
+
 =head1 AVAILABILITY
 
 New releases of the ca-scripts utilities can be found at
@@ -86,8 +96,7 @@ Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
 =head1 SEE ALSO
 
 ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
-openssl(1ssl), ca(1ssl), req(1ssl), x509(1ssl), config(5ssl), and
-x509v3_config(5ssl).
+openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
 
 =cut
 

lib/ca-functions

@@ -101,10 +101,12 @@ __TESTS__
         ca_set_default "$varname" "$vardef"
     done <<__DEFAULTS__
 CA_DESC         $CA_DN_CN
+CA_DAYS         3652
+CA_PATHLEN      0
 CA_CRT_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
 CA_CRL_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
-CA_PATHLEN      0
 CA_CRT_DAYS     365
+CA_CRL_DAYS     365
 CA_CRT_BITS     2048
 CA_CRT_TYPE     server
 CA_CRT_C        $CA_DN_C
@@ -140,8 +142,8 @@ ca_template() {
 }
 
 ca_gen_crl() {
-    openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-      -gencrl -out "$CA_HOME/crl/$CA_NAME.ca.crl" -md sha1
+    openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" -gencrl -md sha1 \
+      -crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl"
     openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \
       -out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER
 }

tpl/ca-config.tpl

@@ -38,7 +38,7 @@ policy          = ca_extension_policy           # policy on required CSR attribu
 name_opt        = oneline               # Subject Name options - x509(1)
 cert_opt        = ca_default            # Certificate field options - x509(1) 
 default_days    = %CA_CRT_DAYS%         # how long to certify for
-default_crl_days= %CA_CRT_DAYS%         # how long before next CRL
+default_crl_days= %CA_CRL_DAYS%         # how long before next CRL
 default_md      = sha1                  # which md to use.
 preserve        = no                    # keep passed DN ordering
 unique_subject  = no                    # recommended