More fine-grained control over cert/crl validity; rename crt/crl-only options.
This commit is contained in:
parent
c83c2ae48a
commit
ad1e8a6ca8
9 changed files with 71 additions and 27 deletions
|
@ -27,8 +27,8 @@ Options:
|
||||||
-n, --alt-name NAME Alternative host name (can be provided multiple times)
|
-n, --alt-name NAME Alternative host name (can be provided multiple times)
|
||||||
-p, --pkcs12 Create PKCS#12 certificate archive from generated cert
|
-p, --pkcs12 Create PKCS#12 certificate archive from generated cert
|
||||||
-q, --no-qualify Don't qualify short (dotless) names with CA_DOMAIN
|
-q, --no-qualify Don't qualify short (dotless) names with CA_DOMAIN
|
||||||
-r, --csr-only Only generate CSR, don't sign it
|
-r, --req-only Only generate CSR, don't sign it
|
||||||
-s, --crt-only Only sign certificate, requires CSR in place
|
-s, --sign-only Only sign certificate, requires CSR in place
|
||||||
-x, --cnf-only Only generate templates, do not create CSR or sign CRT
|
-x, --cnf-only Only generate templates, do not create CSR or sign CRT
|
||||||
--country Certificate DN -- C
|
--country Certificate DN -- C
|
||||||
--state Certificate DN -- ST
|
--state Certificate DN -- ST
|
||||||
|
@ -41,8 +41,9 @@ Options:
|
||||||
__EOT__
|
__EOT__
|
||||||
}
|
}
|
||||||
|
|
||||||
short='hcf:t:n:prsx'
|
short="hcf:t:d:b:n:pqrsx"
|
||||||
long='help,encrypt,config:,type:,alt-name:,pkcs12,csr-only,crt-only,cnf-only'
|
long="help,encrypt,config:,type:,days:,bits:,alt-name:"
|
||||||
|
long="$long,pkcs12,no-qualify,req-only,sign-only,cnf-only"
|
||||||
long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
|
long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
|
||||||
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
|
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
|
||||||
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
|
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
|
||||||
|
@ -59,8 +60,8 @@ while :; do
|
||||||
-n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
|
-n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
|
||||||
-p|--pkcs12) MAKE_P12=1; shift;;
|
-p|--pkcs12) MAKE_P12=1; shift;;
|
||||||
-q|--no-qualify) QUALIFY=0; shift;;
|
-q|--no-qualify) QUALIFY=0; shift;;
|
||||||
-r|--csr-only) CSR_ONLY=1; shift;;
|
-r|--req-only) CSR_ONLY=1; shift;;
|
||||||
-s|--crt-only) CRT_ONLY=1; shift;;
|
-s|--sign-only) CRT_ONLY=1; shift;;
|
||||||
-x|--cnf-only) CNF_ONLY=1; shift;;
|
-x|--cnf-only) CNF_ONLY=1; shift;;
|
||||||
--country) shift; USER_CA_CRT_C="$1"; shift;;
|
--country) shift; USER_CA_CRT_C="$1"; shift;;
|
||||||
--state) shift; USER_CA_CRT_ST="$1"; shift;;
|
--state) shift; USER_CA_CRT_ST="$1"; shift;;
|
||||||
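Review bot: The `-59,8 +60,8` hunk of this file shows no case arms for the `-d|--days` and `-b|--bits` options that the new `short="hcf:t:d:b:n:pqrsx"` and `long="help,encrypt,config:,type:,days:,bits:,alt-name:"` lines register with getopt. The `-q|--no-qualify` arm appears as context here while `q` was previously missing from `short`, so the `-d`/`-b` arms may likewise already sit above the hunk; if they do not, getopt will accept `-d 30` and the loop's catch-all arm (visible as `*) echo "Unknown value '$1'"; exit 1;;` in bin/ca-init, presumably the same here) rejects it. Either confirm the arms exist or add them next to `-n|--alt-name`, assigning `USER_`-prefixed override variables the way the `-d|--days` and `-b|--bits` arms in bin/ca-init do. The `while` loop and the `usage` function both begin outside the hunks shown.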
|
|
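--- a/bin/ca-init
+++ b/bin/ca-init
@@ -21,16 +21,20 @@ Options:
 -h, --help Print this helpful message!
 -c, --encrypt Encrypt CA private key with Triple-DES
 -f, --config FILE Use config file instead of $CONFFILE
+-d, --days DAYS CA Certificate valid for DAYS days instead of CA_DAYS
+-l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
+-b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
 -i, --template FILE Use alternative index.html template
 -o, --output FILE Generate CA index.html in FILE
--s, --crt-only Only generate CA cert/key, use pre-created config
+-s, --sign-only Only generate CA cert/key, use pre-created config
 -x, --cnf-only Only generate CA config file, don't create CA cert/key
 
 __EOT__
 }
 
-short='hcf:i:o:sx'
-long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
+short="hcf:d:l:b:i:o:sx"
+long="help,encrypt,config:,days:,crl-days:,bits:"
+long="$long,template:,output:,sign-only,cnf-only"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@@ -40,9 +44,12 @@ while :; do
 -h|--help) usage; exit 0;;
 -c|--encrypt) CRYPTKEY=""; shift;;
 -f|--config) shift; CONFFILE="$1"; shift;;
+-d|--days) shift; USER_CA_DAYS="$1"; shift;;
+-l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
+-b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
 -i|--template) shift; INDEXTPL="$1"; shift;;
 -o|--output) shift; INDEXOUT="$1"; shift;;
--s|--crt-only) CRT_ONLY=1; shift;;
+-s|--sign-only) CRT_ONLY=1; shift;;
 -x|--cnf-only) CNF_ONLY=1; shift;;
 --) shift; break;;
 *) echo "Unknown value '$1'"; exit 1;;
@@ -83,7 +90,7 @@ if [ 1 -ne "$CNF_ONLY" ]; then
 -out "$CA_HOME/csr/$CA_NAME.ca.csr"
 chmod 400 "$CA_HOME/key/$CA_NAME.ca.key"
 
-openssl ca -create_serial -selfsign -days 3652 -batch \
+openssl ca -create_serial -selfsign -days "$CA_DAYS" -batch \
 -name ca_scripts -extensions ca_x509_extensions \
 -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
 -in "$CA_HOME/csr/$CA_NAME.ca.csr" \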
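Review bot: The new `-d|--days`, `-l|--crl-days` and `-b|--bits` arms store `$1` into `USER_CA_DAYS`, `USER_CA_CRL_DAYS` and `USER_CA_CRT_BITS` without checking that it is a positive integer. The values are passed quoted (`-days "$CA_DAYS"`), so there is no splitting or injection risk, but a typo such as `-d 30x` only surfaces as an openssl error after the CA key has already been generated and locked down with `chmod 400`, and nothing stops `-b 204` from producing a CA key far weaker than the `CA_CRT_BITS=2048` default shown in the config hunk (where `USER_CA_CRT_BITS` feeds key generation is not visible here). A check in each arm would catch this up front, e.g. `-d|--days) shift; case "$1" in ''|*[!0-9]*) echo "--days needs a positive integer" >&2; exit 1;; esac; USER_CA_DAYS="$1"; shift;;`, with `--bits` additionally refusing values below the 2048 default. The same applies to the `-l|--crl-days` arm in the `@ -27,6 +28,7` hunk further down; the `while` loop and the `if [ 1 -ne "$CNF_ONLY" ]` block both start outside the hunks shown.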
@ -10,14 +10,15 @@ Options:
|
||||||
-h, --help Print this helpful message!
|
-h, --help Print this helpful message!
|
||||||
-f, --config FILE Use config file instead of $CONFFILE
|
-f, --config FILE Use config file instead of $CONFFILE
|
||||||
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
|
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
|
||||||
|
-l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
|
||||||
-i, --template FILE Use alternative index.html template
|
-i, --template FILE Use alternative index.html template
|
||||||
-o, --output FILE Generate CA index.html in FILE
|
-o, --output FILE Generate CA index.html in FILE
|
||||||
|
|
||||||
__EOT__
|
__EOT__
|
||||||
}
|
}
|
||||||
|
|
||||||
short='hf:t:i:o:'
|
short="hf:t:l:i:o:"
|
||||||
long='help,config:,type:,template:,output:'
|
long="help,config:,type:,crl-days:,template:,output:"
|
||||||
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
|
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
|
||||||
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
|
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
|
||||||
eval set -- "$opts";
|
eval set -- "$opts";
|
||||||
|
@ -27,6 +28,7 @@ while :; do
|
||||||
-h|--help) usage; exit 0;;
|
-h|--help) usage; exit 0;;
|
||||||
-f|--config) shift; CONFFILE="$1"; shift;;
|
-f|--config) shift; CONFFILE="$1"; shift;;
|
||||||
-t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
|
-t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
|
||||||
|
-l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
|
||||||
-i|--template) shift; INDEXTPL="$1"; shift;;
|
-i|--template) shift; INDEXTPL="$1"; shift;;
|
||||||
-o|--output) shift; INDEXOUT="$1"; shift;;
|
-o|--output) shift; INDEXOUT="$1"; shift;;
|
||||||
--) shift; break;;
|
--) shift; break;;
|
||||||
|
|
|
@ -38,6 +38,13 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
|
||||||
# CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
|
# CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
|
||||||
# CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
|
# CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
|
||||||
|
|
||||||
|
# OPTIONAL: CA_DAYS, CA_CRT_DAYS and CA_CRL_DAYS set the default validity
|
||||||
|
# period for the CA cert, certificates and revocation lists.
|
||||||
|
# Default value:
|
||||||
|
# CA_DAYS=3652
|
||||||
|
# CA_CRT_DAYS=365
|
||||||
|
# CA_CRL_DAYS=365
|
||||||
|
|
||||||
# OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
|
# OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
|
||||||
# Default value:
|
# Default value:
|
||||||
# CA_CRT_BITS=2048
|
# CA_CRT_BITS=2048
|
||||||
|
|
|
@ -105,22 +105,22 @@ I<subjectAltName> extension in this case. User names are treated as unqualified
|
||||||
if they do not contain an "@" symbol and are qualified to I<common
|
if they do not contain an "@" symbol and are qualified to I<common
|
||||||
name>@B<CA_DOMAIN>.
|
name>@B<CA_DOMAIN>.
|
||||||
|
|
||||||
=item B<-r>, B<--csr-only>
|
=item B<-r>, B<--req-only>
|
||||||
|
|
||||||
Causes B<ca-create-cert> to generate just the X.509 certificate signing
|
Causes B<ca-create-cert> to generate just the X.509 certificate signing
|
||||||
request (CSR) from a pre-existing openssl request configuration, without
|
request (CSR) from a pre-existing openssl request configuration, without
|
||||||
signing it to create a valid certificate. When used in conjunction with
|
signing it to create a valid certificate. When used in conjunction with
|
||||||
B<--cnf-only>, B<ca-create-cert> only generates the openssl request
|
B<--cnf-only>, B<ca-create-cert> only generates the openssl request
|
||||||
configuration, allowing the user to modify it before creating the CSR.
|
configuration, allowing the user to modify it before creating the CSR.
|
||||||
Mutually exclusive to B<--crt-only>.
|
Mutually exclusive to B<--sign-only>.
|
||||||
|
|
||||||
=item B<-s>, B<--crt-only>
|
=item B<-s>, B<--sign-only>
|
||||||
|
|
||||||
Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing
|
Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing
|
||||||
X.509 extensions configuration, creating a valid certificate. When used in
|
X.509 extensions configuration, creating a valid certificate. When used in
|
||||||
conjunction with B<--cnf-only>, B<ca-create-cert> only generates the
|
conjunction with B<--cnf-only>, B<ca-create-cert> only generates the
|
||||||
X.509 extensions configuration, allowing the user to modify it before signing
|
X.509 extensions configuration, allowing the user to modify it before signing
|
||||||
the certificate. Mutually exclusive to B<--csr-only>.
|
the certificate. Mutually exclusive to B<--req-only>.
|
||||||
|
|
||||||
=item B<-x>, B<--cnf-only>
|
=item B<-x>, B<--cnf-only>
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,8 @@ ca-init - initialise an X.509 SSL CA and generate CA certificate
|
||||||
|
|
||||||
=head1 SYNOPSIS
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-i> I<template>] [B<-o> I<output>]
|
B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-d> I<days>] [B<-l> I<days>]
|
||||||
|
[B<-b> I<bits>] [B<-i> I<template>] [B<-o> I<output>]
|
||||||
|
|
||||||
B<ca-init> [B<-h>] | [B<--help>]
|
B<ca-init> [B<-h>] | [B<--help>]
|
||||||
|
|
||||||
|
@ -49,6 +50,21 @@ Encrypt the private key generated for the certificate authority with 3DES.
|
||||||
Load the ca-scripts configuration from I<FILE> instead of
|
Load the ca-scripts configuration from I<FILE> instead of
|
||||||
I</etc/ca-scripts.conf>.
|
I</etc/ca-scripts.conf>.
|
||||||
|
|
||||||
|
=item B<-d> I<DAYS>, B<--days> I<DAYS>
|
||||||
|
|
||||||
|
Sign the CA certificate to be valid for I<DAYS> days instead of the default
|
||||||
|
B<CA_DAYS> set in the configuration file.
|
||||||
|
|
||||||
|
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
|
||||||
|
|
||||||
|
Generate a CRL that is valid for I<DAYS> days instead of the default
|
||||||
|
B<CA_CRL_DAYS> set in the configuration file.
|
||||||
|
|
||||||
|
=item B<-b> I<BITS>, B<--bits> I<BITS>
|
||||||
|
|
||||||
|
Generate a I<BITS>-bit CA certificate instead of the default B<CA_CRT_BITS> set
|
||||||
|
in the config file. Traditionally this is a power of two, e.g. 1024 or 2048.
|
||||||
|
|
||||||
=item B<-i> I<FILE>, B<--template> I<FILE>
|
=item B<-i> I<FILE>, B<--template> I<FILE>
|
||||||
|
|
||||||
Use the index.html template in I<FILE> rather than the standard one provided
|
Use the index.html template in I<FILE> rather than the standard one provided
|
||||||
|
@ -61,7 +77,7 @@ Generate a HTML page in I<FILE> suitable for serving your CA certificate and
|
||||||
revocation lists via HTTP. The default template is basic but provides MD5 and
|
revocation lists via HTTP. The default template is basic but provides MD5 and
|
||||||
SHA1 fingerprints of both files for verification purposes.
|
SHA1 fingerprints of both files for verification purposes.
|
||||||
|
|
||||||
=item B<-s>, B<--crt-only>
|
=item B<-s>, B<--sign-only>
|
||||||
|
|
||||||
Generate the CA certificate and private key from a previously-created openssl
|
Generate the CA certificate and private key from a previously-created openssl
|
||||||
configuration. May only be used after having run B<ca-init> with the
|
configuration. May only be used after having run B<ca-init> with the
|
||||||
|
@ -71,8 +87,8 @@ B<--cnf-only> option, and mutually exclusive to that option.
|
||||||
|
|
||||||
Create initial CA directory structure and openssl configuration, but do not
|
Create initial CA directory structure and openssl configuration, but do not
|
||||||
generate CA certificate and private key. Using this option in conjunction with
|
generate CA certificate and private key. Using this option in conjunction with
|
||||||
B<--crt-only> allows the user to manually customise the openssl config
|
B<--sign-only> allows the user to manually customise the openssl config
|
||||||
before generating the certificates. Mutually exclusive to B<--crt-only>.
|
before generating the certificates. Mutually exclusive to B<--sign-only>.
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
|
|
|
@ -51,6 +51,11 @@ revoking, either I<server>, I<client>, or I<user>.
|
||||||
Load the ca-scripts configuration from I<FILE> instead of
|
Load the ca-scripts configuration from I<FILE> instead of
|
||||||
I</etc/ca-scripts.conf>.
|
I</etc/ca-scripts.conf>.
|
||||||
|
|
||||||
|
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
|
||||||
|
|
||||||
|
Generate a CRL that is valid for I<DAYS> days instead of the default
|
||||||
|
B<CA_CRL_DAYS> set in the configuration file.
|
||||||
|
|
||||||
=item B<-i> I<FILE>, B<--template> I<FILE>
|
=item B<-i> I<FILE>, B<--template> I<FILE>
|
||||||
|
|
||||||
Use the index.html template in I<FILE> rather than the standard one provided
|
Use the index.html template in I<FILE> rather than the standard one provided
|
||||||
|
@ -72,6 +77,11 @@ this may change in future releases along with code to deal with key compromise.
|
||||||
Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
|
Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
|
||||||
generated CRLs due to requiring a very recent version of openssl(1).
|
generated CRLs due to requiring a very recent version of openssl(1).
|
||||||
|
|
||||||
|
These scripts will not handle configuring an OCSP server for you. OCSP is an
|
||||||
|
alternative method of checking the validity of X.509 certificates, and is
|
||||||
|
Worth Investigating. See ocsp(1ssl) and the
|
||||||
|
L<wikipedia entry|http://en.wikipedia.org/wiki/OCSP> for details.
|
||||||
|
|
||||||
=head1 AVAILABILITY
|
=head1 AVAILABILITY
|
||||||
|
|
||||||
New releases of the ca-scripts utilities can be found at
|
New releases of the ca-scripts utilities can be found at
|
||||||
|
@ -86,8 +96,7 @@ Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
|
||||||
=head1 SEE ALSO
|
=head1 SEE ALSO
|
||||||
|
|
||||||
ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
|
ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
|
||||||
openssl(1ssl), ca(1ssl), req(1ssl), x509(1ssl), config(5ssl), and
|
openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
|
||||||
x509v3_config(5ssl).
|
|
||||||
|
|
||||||
=cut
|
=cut
|
||||||
|
|
||||||
|
|
|
@ -101,10 +101,12 @@ __TESTS__
|
||||||
ca_set_default "$varname" "$vardef"
|
ca_set_default "$varname" "$vardef"
|
||||||
done <<__DEFAULTS__
|
done <<__DEFAULTS__
|
||||||
CA_DESC $CA_DN_CN
|
CA_DESC $CA_DN_CN
|
||||||
|
CA_DAYS 3652
|
||||||
|
CA_PATHLEN 0
|
||||||
CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
|
CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
|
||||||
CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
|
CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
|
||||||
CA_PATHLEN 0
|
|
||||||
CA_CRT_DAYS 365
|
CA_CRT_DAYS 365
|
||||||
|
CA_CRL_DAYS 365
|
||||||
CA_CRT_BITS 2048
|
CA_CRT_BITS 2048
|
||||||
CA_CRT_TYPE server
|
CA_CRT_TYPE server
|
||||||
CA_CRT_C $CA_DN_C
|
CA_CRT_C $CA_DN_C
|
||||||
|
@ -140,8 +142,8 @@ ca_template() {
|
||||||
}
|
}
|
||||||
|
|
||||||
ca_gen_crl() {
|
ca_gen_crl() {
|
||||||
openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
|
openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" -gencrl -md sha1 \
|
||||||
-gencrl -out "$CA_HOME/crl/$CA_NAME.ca.crl" -md sha1
|
-crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl"
|
||||||
openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \
|
openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \
|
||||||
-out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER
|
-out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER
|
||||||
}
|
}
|
||||||
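Review bot: In `ca_gen_crl` the rewritten `openssl ca ... -gencrl -md sha1 -crldays "$CA_CRL_DAYS"` command is not checked before `openssl crl -in ... -outform DER` runs, so a failure in the first step (easier to hit now that `CA_CRL_DAYS` can come from the `--crl-days` command-line override) lets the second step convert whatever `$CA_HOME/crl/$CA_NAME.ca.crl` was left from a previous run, leaving a stale CRL in both formats with a zero exit status. The explicit `$?` checks after getopt elsewhere in this commit suggest the scripts do not run under `set -e`, so the guard has to be local: end the first command with `|| return 1` and let callers act on the status. The same rewrite keeps `-md sha1` for the CRL signature, matching `default_md = sha1` in the openssl template hunk below; since CRL validity is being made configurable here, the digest is worth lifting into a config default in the same way so the CA can move to SHA-256 without editing the library.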
|
|
|
@ -38,7 +38,7 @@ policy = ca_extension_policy # policy on required CSR attribu
|
||||||
name_opt = oneline # Subject Name options - x509(1)
|
name_opt = oneline # Subject Name options - x509(1)
|
||||||
cert_opt = ca_default # Certificate field options - x509(1)
|
cert_opt = ca_default # Certificate field options - x509(1)
|
||||||
default_days = %CA_CRT_DAYS% # how long to certify for
|
default_days = %CA_CRT_DAYS% # how long to certify for
|
||||||
default_crl_days= %CA_CRT_DAYS% # how long before next CRL
|
default_crl_days= %CA_CRL_DAYS% # how long before next CRL
|
||||||
default_md = sha1 # which md to use.
|
default_md = sha1 # which md to use.
|
||||||
preserve = no # keep passed DN ordering
|
preserve = no # keep passed DN ordering
|
||||||
unique_subject = no # recommended
|
unique_subject = no # recommended
|
||||||
|
|