More fine-grained control over cert/crl validity; rename crt/crl-only options.

Alex Bramley 2010-03-13 15:11:51 +00:00
parent c83c2ae48a
commit ad1e8a6ca8
9 changed files with 71 additions and 27 deletions


@ -27,8 +27,8 @@ Options:
-n, --alt-name NAME Alternative host name (can be provided multiple times)
-p, --pkcs12 Create PKCS#12 certificate archive from generated cert
-q, --no-qualify Don't qualify short (dotless) names with CA_DOMAIN
-r, --csr-only Only generate CSR, don't sign it
-s, --crt-only Only sign certificate, requires CSR in place
-r, --req-only Only generate CSR, don't sign it
-s, --sign-only Only sign certificate, requires CSR in place
-x, --cnf-only Only generate templates, do not create CSR or sign CRT
--country Certificate DN -- C
--state Certificate DN -- ST
@ -41,8 +41,9 @@ Options:
__EOT__
}
short='hcf:t:n:prsx'
long='help,encrypt,config:,type:,alt-name:,pkcs12,csr-only,crt-only,cnf-only'
short="hcf:t:d:b:n:pqrsx"
long="help,encrypt,config:,type:,days:,bits:,alt-name:"
long="$long,pkcs12,no-qualify,req-only,sign-only,cnf-only"
long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
@ -59,8 +60,8 @@ while :; do
-n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
-p|--pkcs12) MAKE_P12=1; shift;;
-q|--no-qualify) QUALIFY=0; shift;;
-r|--csr-only) CSR_ONLY=1; shift;;
-s|--crt-only) CRT_ONLY=1; shift;;
-r|--req-only) CSR_ONLY=1; shift;;
-s|--sign-only) CRT_ONLY=1; shift;;
-x|--cnf-only) CNF_ONLY=1; shift;;
--country) shift; USER_CA_CRT_C="$1"; shift;;
--state) shift; USER_CA_CRT_ST="$1"; shift;;
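Review bot: The `-r`/`-s` arms now accept only `--req-only`/`--sign-only`, and the old `csr-only,crt-only` names are gone from the `long` string too, so any existing invocation that still passes `--csr-only` or `--crt-only` is rejected by getopt with the usage message. Keeping the old spellings as silent aliases avoids that breakage at the cost of two arms, `-r|--req-only|--csr-only) CSR_ONLY=1; shift;;` and `-s|--sign-only|--crt-only) CRT_ONLY=1; shift;;`, plus `csr-only,crt-only` appended to `long`. The same applies to the `--crt-only` → `--sign-only` rename in the ca-init section. The enclosing `while :; do` option loop starts and ends outside this hunk, so the case arms for the new `d:`/`b:` options declared in `short`/`long` are not visible here.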


@ -21,16 +21,20 @@ Options:
-h, --help Print this helpful message!
-c, --encrypt Encrypt CA private key with Triple-DES
-f, --config FILE Use config file instead of $CONFFILE
-d, --days DAYS CA Certificate valid for DAYS days instead of CA_DAYS
-l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
-b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
-i, --template FILE Use alternative index.html template
-o, --output FILE Generate CA index.html in FILE
-s, --crt-only Only generate CA cert/key, use pre-created config
-s, --sign-only Only generate CA cert/key, use pre-created config
-x, --cnf-only Only generate CA config file, don't create CA cert/key
__EOT__
}
short='hcf:i:o:sx'
long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
short="hcf:d:l:b:i:o:sx"
long="help,encrypt,config:,days:,crl-days:,bits:"
long="$long,template:,output:,sign-only,cnf-only"
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
eval set -- "$opts";
@ -40,9 +44,12 @@ while :; do
-h|--help) usage; exit 0;;
-c|--encrypt) CRYPTKEY=""; shift;;
-f|--config) shift; CONFFILE="$1"; shift;;
-d|--days) shift; USER_CA_DAYS="$1"; shift;;
-l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
-b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
-i|--template) shift; INDEXTPL="$1"; shift;;
-o|--output) shift; INDEXOUT="$1"; shift;;
-s|--crt-only) CRT_ONLY=1; shift;;
-s|--sign-only) CRT_ONLY=1; shift;;
-x|--cnf-only) CNF_ONLY=1; shift;;
--) shift; break;;
*) echo "Unknown value '$1'"; exit 1;;
@ -83,7 +90,7 @@ if [ 1 -ne "$CNF_ONLY" ]; then
-out "$CA_HOME/csr/$CA_NAME.ca.csr"
chmod 400 "$CA_HOME/key/$CA_NAME.ca.key"
openssl ca -create_serial -selfsign -days 3652 -batch \
openssl ca -create_serial -selfsign -days "$CA_DAYS" -batch \
-name ca_scripts -extensions ca_x509_extensions \
-config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-in "$CA_HOME/csr/$CA_NAME.ca.csr" \
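Review bot: The new `-d|--days`, `-l|--crl-days` and `-b|--bits` arms store `$1` without checking that it is a positive integer, so a typo such as `--days 365d` or an empty value is only caught when `openssl ca -selfsign -days "$CA_DAYS"` (or the key generation step outside this hunk) fails, after the CA directory tree has already been created, and `--bits 512` is accepted silently and produces a weak CA key. Validate at parse time, e.g. `-d|--days) shift; case $1 in ''|*[!0-9]*) echo "--days: positive integer required" >&2; exit 1;; esac; USER_CA_DAYS="$1"; shift;;`, likewise for `-l`, and for `-b` additionally reject values below the CA_CRT_BITS default of 2048 shown in the conf section. The `-l|--crl-days` arm in the following (revoke) section has the same gap, as presumably do the `d:`/`b:` arms of ca-create-cert whose case lines fall outside that section's hunk. How USER_CA_DAYS is mapped onto CA_DAYS is not visible here; I assume the library's ca_set_default loop handles it.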


@ -10,14 +10,15 @@ Options:
-h, --help Print this helpful message!
-f, --config FILE Use config file instead of $CONFFILE
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
-l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
-i, --template FILE Use alternative index.html template
-o, --output FILE Generate CA index.html in FILE
__EOT__
}
short='hf:t:i:o:'
long='help,config:,type:,template:,output:'
short="hf:t:l:i:o:"
long="help,config:,type:,crl-days:,template:,output:"
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
eval set -- "$opts";
@ -27,6 +28,7 @@ while :; do
-h|--help) usage; exit 0;;
-f|--config) shift; CONFFILE="$1"; shift;;
-t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
-l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
-i|--template) shift; INDEXTPL="$1"; shift;;
-o|--output) shift; INDEXOUT="$1"; shift;;
--) shift; break;;


@ -38,6 +38,13 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
# CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
# CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
# OPTIONAL: CA_DAYS, CA_CRT_DAYS and CA_CRL_DAYS set the default validity
# period for the CA cert, certificates and revocation lists.
# Default value:
# CA_DAYS=3652
# CA_CRT_DAYS=365
# CA_CRL_DAYS=365
# OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
# Default value:
# CA_CRT_BITS=2048


@ -105,22 +105,22 @@ I<subjectAltName> extension in this case. User names are treated as unqualified
if they do not contain an "@" symbol and are qualified to I<common
name>@B<CA_DOMAIN>.
=item B<-r>, B<--csr-only>
=item B<-r>, B<--req-only>
Causes B<ca-create-cert> to generate just the X.509 certificate signing
request (CSR) from a pre-existing openssl request configuration, without
signing it to create a valid certificate. When used in conjunction with
B<--cnf-only>, B<ca-create-cert> only generates the openssl request
configuration, allowing the user to modify it before creating the CSR.
Mutually exclusive to B<--crt-only>.
Mutually exclusive to B<--sign-only>.
=item B<-s>, B<--crt-only>
=item B<-s>, B<--sign-only>
Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing
X.509 extensions configuration, creating a valid certificate. When used in
conjunction with B<--cnf-only>, B<ca-create-cert> only generates the
X.509 extensions configuration, allowing the user to modify it before signing
the certificate. Mutually exclusive to B<--csr-only>.
the certificate. Mutually exclusive to B<--req-only>.
=item B<-x>, B<--cnf-only>


@ -19,7 +19,8 @@ ca-init - initialise an X.509 SSL CA and generate CA certificate
=head1 SYNOPSIS
B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-i> I<template>] [B<-o> I<output>]
B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-d> I<days>] [B<-l> I<days>]
[B<-b> I<bits>] [B<-i> I<template>] [B<-o> I<output>]
B<ca-init> [B<-h>] | [B<--help>]
@ -49,6 +50,21 @@ Encrypt the private key generated for the certificate authority with 3DES.
Load the ca-scripts configuration from I<FILE> instead of
I</etc/ca-scripts.conf>.
=item B<-d> I<DAYS>, B<--days> I<DAYS>
Sign the CA certificate to be valid for I<DAYS> days instead of the default
B<CA_DAYS> set in the configuration file.
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
Generate a CRL that is valid for I<DAYS> days instead of the default
B<CA_CRL_DAYS> set in the configuration file.
=item B<-b> I<BITS>, B<--bits> I<BITS>
Generate a I<BITS>-bit CA certificate instead of the default B<CA_CRT_BITS> set
in the config file. Traditionally this is a power of two, e.g. 1024 or 2048.
=item B<-i> I<FILE>, B<--template> I<FILE>
Use the index.html template in I<FILE> rather than the standard one provided
@ -61,7 +77,7 @@ Generate a HTML page in I<FILE> suitable for serving your CA certificate and
revocation lists via HTTP. The default template is basic but provides MD5 and
SHA1 fingerprints of both files for verification purposes.
=item B<-s>, B<--crt-only>
=item B<-s>, B<--sign-only>
Generate the CA certificate and private key from a previously-created openssl
configuration. May only be used after having run B<ca-init> with the
@ -71,8 +87,8 @@ B<--cnf-only> option, and mutually exclusive to that option.
Create initial CA directory structure and openssl configuration, but do not
generate CA certificate and private key. Using this option in conjunction with
B<--crt-only> allows the user to manually customise the openssl config
before generating the certificates. Mutually exclusive to B<--crt-only>.
B<--sign-only> allows the user to manually customise the openssl config
before generating the certificates. Mutually exclusive to B<--sign-only>.
=back


@ -51,6 +51,11 @@ revoking, either I<server>, I<client>, or I<user>.
Load the ca-scripts configuration from I<FILE> instead of
I</etc/ca-scripts.conf>.
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
Generate a CRL that is valid for I<DAYS> days instead of the default
B<CA_CRL_DAYS> set in the configuration file.
=item B<-i> I<FILE>, B<--template> I<FILE>
Use the index.html template in I<FILE> rather than the standard one provided
@ -72,6 +77,11 @@ this may change in future releases along with code to deal with key compromise.
Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
generated CRLs due to requiring a very recent version of openssl(1).
These scripts will not handle configuring an OCSP server for you. OCSP is an
alternative method of checking the validity of X.509 certificates, and is
Worth Investigating. See ocsp(1ssl) and the
L<wikipedia entry|http://en.wikipedia.org/wiki/OCSP> for details.
=head1 AVAILABILITY
New releases of the ca-scripts utilities can be found at
@ -86,8 +96,7 @@ Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
=head1 SEE ALSO
ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
openssl(1ssl), ca(1ssl), req(1ssl), x509(1ssl), config(5ssl), and
x509v3_config(5ssl).
openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
=cut


@ -101,10 +101,12 @@ __TESTS__
ca_set_default "$varname" "$vardef"
done <<__DEFAULTS__
CA_DESC $CA_DN_CN
CA_DAYS 3652
CA_PATHLEN 0
CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
CA_PATHLEN 0
CA_CRT_DAYS 365
CA_CRL_DAYS 365
CA_CRT_BITS 2048
CA_CRT_TYPE server
CA_CRT_C $CA_DN_C
@ -140,8 +142,8 @@ ca_template() {
}
ca_gen_crl() {
openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-gencrl -out "$CA_HOME/crl/$CA_NAME.ca.crl" -md sha1
openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" -gencrl -md sha1 \
-crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl"
openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \
-out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER
}
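Review bot: `ca_gen_crl` runs `openssl crl ... -outform DER` regardless of whether the preceding `openssl ca -gencrl` succeeded, so if CRL generation fails (a bad `CA_CRL_DAYS` value, an unreadable key, a missing config) and the caller is not running under `set -e`, a stale `$CA_NAME.ca.crl` left from a previous run is re-encoded to DER and looks like a fresh publication; append `|| return 1` to the `-crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl"` line so the failure propagates to the caller. Separately, `-md sha1` stays hard-coded on the command line while the validity is now configurable; since the cnf template in the last section already sets `default_md = sha1`, dropping the flag lets the config govern the digest and avoids pinning SHA-1 on the CLI once the template default is raised. Whether the scripts that source this library enable `set -e` is not visible in this diff.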


@ -38,7 +38,7 @@ policy = ca_extension_policy # policy on required CSR attribu
name_opt = oneline # Subject Name options - x509(1)
cert_opt = ca_default # Certificate field options - x509(1)
default_days = %CA_CRT_DAYS% # how long to certify for
default_crl_days= %CA_CRT_DAYS% # how long before next CRL
default_crl_days= %CA_CRL_DAYS% # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
unique_subject = no # recommended