From ad1e8a6ca8676904291139370cf30492592ae418 Mon Sep 17 00:00:00 2001
From: Alex Bramley
Date: Sat, 13 Mar 2010 15:11:51 +0000
Subject: [PATCH] More fine-grained control over cert/crl validity; rename crt/crl-only options.

---
 bin/ca-create-cert | 13 +++++++------
 bin/ca-init | 17 ++++++++++++-----
 bin/ca-revoke-cert | 6 ++++--
 ca-scripts.conf | 7 +++++++
 doc/ca-create-cert.pod | 8 ++++----
 doc/ca-init.pod | 24 ++++++++++++++++++++----
 doc/ca-revoke-cert.pod | 13 +++++++++++--
 lib/ca-functions | 8 +++++---
 tpl/ca-config.tpl | 2 +-
 9 files changed, 71 insertions(+), 27 deletions(-)

diff --git a/bin/ca-create-cert b/bin/ca-create-cert
index 2748e0e..3a563d0 100755
--- a/bin/ca-create-cert
+++ b/bin/ca-create-cert
@@ -27,8 +27,8 @@ Options:
 -n, --alt-name NAME Alternative host name (can be provided multiple times)
 -p, --pkcs12 Create PKCS#12 certificate archive from generated cert
 -q, --no-qualify Don't qualify short (dotless) names with CA_DOMAIN
- -r, --csr-only Only generate CSR, don't sign it
- -s, --crt-only Only sign certificate, requires CSR in place
+ -r, --req-only Only generate CSR, don't sign it
+ -s, --sign-only Only sign certificate, requires CSR in place
 -x, --cnf-only Only generate templates, do not create CSR or sign CRT
 --country Certificate DN -- C
 --state Certificate DN -- ST
@@ -41,8 +41,9 @@ Options:
 __EOT__
 }
 
-short='hcf:t:n:prsx'
-long='help,encrypt,config:,type:,alt-name:,pkcs12,csr-only,crt-only,cnf-only'
+short="hcf:t:d:b:n:pqrsx"
+long="help,encrypt,config:,type:,days:,bits:,alt-name:"
+long="$long,pkcs12,no-qualify,req-only,sign-only,cnf-only"
 long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
@@ -59,8 +60,8 @@ while :; do
 -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
 -p|--pkcs12) MAKE_P12=1; shift;;
 -q|--no-qualify) QUALIFY=0; shift;;
- -r|--csr-only) CSR_ONLY=1; shift;;
- -s|--crt-only) CRT_ONLY=1; shift;;
+ -r|--req-only) CSR_ONLY=1; shift;;
+ -s|--sign-only) CRT_ONLY=1; shift;;
 -x|--cnf-only) CNF_ONLY=1; shift;;
 --country) shift; USER_CA_CRT_C="$1"; shift;;
 --state) shift; USER_CA_CRT_ST="$1"; shift;;
diff --git a/bin/ca-init b/bin/ca-init
index 83cffe3..3b30454 100755
--- a/bin/ca-init
+++ b/bin/ca-init
@@ -21,16 +21,20 @@ Options:
 -h, --help Print this helpful message!
 -c, --encrypt Encrypt CA private key with Triple-DES
 -f, --config FILE Use config file instead of $CONFFILE
+ -d, --days DAYS CA Certificate valid for DAYS days instead of CA_DAYS
+ -l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
+ -b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
 -i, --template FILE Use alternative index.html template
 -o, --output FILE Generate CA index.html in FILE
- -s, --crt-only Only generate CA cert/key, use pre-created config
+ -s, --sign-only Only generate CA cert/key, use pre-created config
 -x, --cnf-only Only generate CA config file, don't create CA cert/key
 
 __EOT__
 }
 
-short='hcf:i:o:sx'
-long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
+short="hcf:d:l:b:i:o:sx"
+long="help,encrypt,config:,days:,crl-days:,bits:"
+long="$long,template:,output:,sign-only,cnf-only"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
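Review bot: The option loop in this hunk gains no arm for `-d`/`--days` or `-b`/`--bits`, although the getopt spec hunk above (`@@ -41,8 +41,9 @@`) now advertises both in `short="hcf:t:d:b:n:pqrsx"` and `long="...,days:,bits:,..."`; the diffstat for bin/ca-create-cert (7 insertions, 6 deletions) is fully accounted for by the three hunks shown, so unless an arm already sits further down the loop, `ca-create-cert -d 30` passes getopt and then falls into whatever the default arm does. The fix is two case arms mirroring ca-init's, following the `USER_CA_*` naming the other arms use: `-d|--days) shift; USER_CA_CRT_DAYS="$1"; shift;;` and `-b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;` (the exact variable lib/ca-functions reads for the certificate validity is outside this view). The `while :; do` loop starts before and ends after the hunk.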
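Review bot: The new usage line `-b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS` in ca-init describes BITS as a property of the certificate, while ca-scripts.conf in this same patch documents CA_CRT_BITS as "the default key length for generated keys"; the size belongs to the key, not the certificate, and users tuning it should know they are choosing key strength. I would reword it to `-b, --bits BITS Generate a BITS bit CA key instead of CA_CRT_BITS`. Whether small values are rejected is decided where CA_CRT_BITS is consumed, outside this hunk.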
@@ -40,9 +44,12 @@ while :; do
 -h|--help) usage; exit 0;;
 -c|--encrypt) CRYPTKEY=""; shift;;
 -f|--config) shift; CONFFILE="$1"; shift;;
+ -d|--days) shift; USER_CA_DAYS="$1"; shift;;
+ -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
+ -b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
 -i|--template) shift; INDEXTPL="$1"; shift;;
 -o|--output) shift; INDEXOUT="$1"; shift;;
- -s|--crt-only) CRT_ONLY=1; shift;;
+ -s|--sign-only) CRT_ONLY=1; shift;;
 -x|--cnf-only) CNF_ONLY=1; shift;;
 --) shift; break;;
 *) echo "Unknown value '$1'"; exit 1;;
@@ -83,7 +90,7 @@ if [ 1 -ne "$CNF_ONLY" ]; then
 -out "$CA_HOME/csr/$CA_NAME.ca.csr"
 chmod 400 "$CA_HOME/key/$CA_NAME.ca.key"
 
- openssl ca -create_serial -selfsign -days 3652 -batch \
+ openssl ca -create_serial -selfsign -days "$CA_DAYS" -batch \
 -name ca_scripts -extensions ca_x509_extensions \
 -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
 -in "$CA_HOME/csr/$CA_NAME.ca.csr" \
diff --git a/bin/ca-revoke-cert b/bin/ca-revoke-cert
index ebe8804..efb467b 100755
--- a/bin/ca-revoke-cert
+++ b/bin/ca-revoke-cert
@@ -10,14 +10,15 @@ Options:
 -h, --help Print this helpful message!
 -f, --config FILE Use config file instead of $CONFFILE
 -t, --type TYPE Certificate type: "server" (default), "client" or "user"
+ -l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
 -i, --template FILE Use alternative index.html template
 -o, --output FILE Generate CA index.html in FILE
 
 __EOT__
 }
 
-short='hf:t:i:o:'
-long='help,config:,type:,template:,output:'
+short="hf:t:l:i:o:"
+long="help,config:,type:,crl-days:,template:,output:"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
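Review bot: `-days "$CA_DAYS"` in the `openssl ca -selfsign` call of the second ca-init hunk now takes a value that, via `USER_CA_DAYS` from the `-d|--days` arm above, comes straight from the command line, and nothing visible checks that it is a non-empty string of digits before it reaches openssl; how lib/ca-functions folds USER_CA_DAYS into CA_DAYS is outside this view. An empty or non-numeric value fails inside openssl with a message about its own arguments rather than about the option the user gave, so a guard just before the call, `case "$CA_DAYS" in ''|*[!0-9]*) echo "CA_DAYS must be a positive integer" >&2; exit 1;; esac`, keeps the error at the script level. The same applies to `USER_CA_CRL_DAYS`, set in ca-init and ca-revoke-cert here, where it feeds the CRL lifetime. Both the `if [ 1 -ne "$CNF_ONLY" ]` block and the openssl command continue past the hunk.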
@@ -27,6 +28,7 @@ while :; do
 -h|--help) usage; exit 0;;
 -f|--config) shift; CONFFILE="$1"; shift;;
 -t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
+ -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
 -i|--template) shift; INDEXTPL="$1"; shift;;
 -o|--output) shift; INDEXOUT="$1"; shift;;
 --) shift; break;;
diff --git a/ca-scripts.conf b/ca-scripts.conf
index 38e9fe2..f296e1a 100644
--- a/ca-scripts.conf
+++ b/ca-scripts.conf
@@ -38,6 +38,13 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
 # CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
 
+# OPTIONAL: CA_DAYS, CA_CRT_DAYS and CA_CRL_DAYS set the default validity
+# period for the CA cert, certificates and revocation lists.
+# Default value:
+# CA_DAYS=3652
+# CA_CRT_DAYS=365
+# CA_CRL_DAYS=365
+
 # OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
 # Default value:
 # CA_CRT_BITS=2048
diff --git a/doc/ca-create-cert.pod b/doc/ca-create-cert.pod
index d1784d3..b9944c9 100755
--- a/doc/ca-create-cert.pod
+++ b/doc/ca-create-cert.pod
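Review bot: The documented default `CA_CRL_DAYS=365` in the ca-scripts.conf hunk gives every CRL a one-year lifetime, assuming the value ends up as the CRL's nextUpdate through tpl/ca-config.tpl or lib/ca-functions (both touched by this patch but not shown); a relying party that caches a CRL until nextUpdate can then keep accepting a revoked certificate for up to a year, since the usage text here shows ca-revoke-cert is what regenerates the CRL. A CRL lifetime measured in days bounds that window and costs nothing beyond rerunning the CRL generation more often. I would lower the default or at least extend the comment with `# Keep CA_CRL_DAYS short: clients may cache a CRL until it expires.`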
@@ -105,22 +105,22 @@ I extension in this case. User names are treated as unqualified if they do not contain an "@" symbol and are qualified to I@B. -=item B<-r>, B<--csr-only> +=item B<-r>, B<--req-only> Causes B to generate just the X.509 certificate signing request (CSR) from a pre-existing openssl request configuration, without signing it to create a valid certificate. When used in conjunction with B<--cnf-only>, B only generates the openssl request configuration, allowing the user to modify it before creating the CSR. -Mutually exclusive to B<--crt-only>. +Mutually exclusive to B<--sign-only>. -=item B<-s>, B<--crt-only> +=item B<-s>, B<--sign-only> Causes B to sign a pre-existing CSR using a pre-existing X.509 extensions configuration, creating a valid certificate. When used in conjunction with B<--cnf-only>, B only generates the X.509 extensions configuration, allowing the user to modify it before signing -the certificate. Mutually exclusive to B<--csr-only>. +the certificate. Mutually exclusive to B<--req-only>. =item B<-x>, B<--cnf-only> diff --git a/doc/ca-init.pod b/doc/ca-init.pod index 5b475ec..73fbff2 100755 --- a/doc/ca-init.pod +++ b/doc/ca-init.pod @@ -19,7 +19,8 @@ ca-init - initialise an X.509 SSL CA and generate CA certificate =head1 SYNOPSIS -B [B<-csx>] [B<-f> I] [B<-i> I