More fine-grained control over cert/crl validity; rename crt/crl-only options.

This commit is contained in:
Alex Bramley 2010-03-13 15:11:51 +00:00
parent c83c2ae48a
commit ad1e8a6ca8
9 changed files with 71 additions and 27 deletions


@ -27,8 +27,8 @@ Options:
-n, --alt-name NAME Alternative host name (can be provided multiple times) -n, --alt-name NAME Alternative host name (can be provided multiple times)
-p, --pkcs12 Create PKCS#12 certificate archive from generated cert -p, --pkcs12 Create PKCS#12 certificate archive from generated cert
-q, --no-qualify Don't qualify short (dotless) names with CA_DOMAIN -q, --no-qualify Don't qualify short (dotless) names with CA_DOMAIN
-r, --csr-only Only generate CSR, don't sign it -r, --req-only Only generate CSR, don't sign it
-s, --crt-only Only sign certificate, requires CSR in place -s, --sign-only Only sign certificate, requires CSR in place
-x, --cnf-only Only generate templates, do not create CSR or sign CRT -x, --cnf-only Only generate templates, do not create CSR or sign CRT
--country Certificate DN -- C --country Certificate DN -- C
--state Certificate DN -- ST --state Certificate DN -- ST
@ -41,8 +41,9 @@ Options:
__EOT__ __EOT__
} }
short='hcf:t:n:prsx' short="hcf:t:d:b:n:pqrsx"
long='help,encrypt,config:,type:,alt-name:,pkcs12,csr-only,crt-only,cnf-only' long="help,encrypt,config:,type:,days:,bits:,alt-name:"
long="$long,pkcs12,no-qualify,req-only,sign-only,cnf-only"
long="$long,country:,state:,loc:,org:,ounit:,email:,comment:" long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" ) opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi if [ 0 -ne $? ]; then echo; usage; exit 1; fi
@ -59,8 +60,8 @@ while :; do
-n|--alt-name) shift; ALT_NAMES+=("$1"); shift;; -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
-p|--pkcs12) MAKE_P12=1; shift;; -p|--pkcs12) MAKE_P12=1; shift;;
-q|--no-qualify) QUALIFY=0; shift;; -q|--no-qualify) QUALIFY=0; shift;;
-r|--csr-only) CSR_ONLY=1; shift;; -r|--req-only) CSR_ONLY=1; shift;;
-s|--crt-only) CRT_ONLY=1; shift;; -s|--sign-only) CRT_ONLY=1; shift;;
-x|--cnf-only) CNF_ONLY=1; shift;; -x|--cnf-only) CNF_ONLY=1; shift;;
--country) shift; USER_CA_CRT_C="$1"; shift;; --country) shift; USER_CA_CRT_C="$1"; shift;;
--state) shift; USER_CA_CRT_ST="$1"; shift;; --state) shift; USER_CA_CRT_ST="$1"; shift;;
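Review bot: The new `d:` and `b:` entries in `short` and `days:,bits:` in `long` make getopt accept `-d`/`--days` and `-b`/`--bits` for ca-create-cert, but no matching case arm and no usage line for them appears in the visible hunks; if they are not defined above line 59 outside the hunk, such an option presumably falls through to the same `*) echo "Unknown value '$1'"; exit 1;;` catch-all that ca-init has, so the script advertises an option it then rejects — worth confirming with a dry run against a scratch config. Separately, `--csr-only`/`--crt-only` are dropped rather than aliased, so any existing invocation now fails at getopt with the usage text; since `-r`/`-s` and `CSR_ONLY`/`CRT_ONLY` are unchanged, keeping the old names in `long` and writing the arms as `-r|--req-only|--csr-only) CSR_ONLY=1; shift;;` and `-s|--sign-only|--crt-only) CRT_ONLY=1; shift;;` would keep them working for a release. The same rename without an alias happens to `--crt-only` in the ca-init section. The `while :; do ... case` loop these arms belong to starts and ends outside the hunk.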


@ -21,16 +21,20 @@ Options:
-h, --help Print this helpful message! -h, --help Print this helpful message!
-c, --encrypt Encrypt CA private key with Triple-DES -c, --encrypt Encrypt CA private key with Triple-DES
-f, --config FILE Use config file instead of $CONFFILE -f, --config FILE Use config file instead of $CONFFILE
-d, --days DAYS CA Certificate valid for DAYS days instead of CA_DAYS
-l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
-b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
-i, --template FILE Use alternative index.html template -i, --template FILE Use alternative index.html template
-o, --output FILE Generate CA index.html in FILE -o, --output FILE Generate CA index.html in FILE
-s, --crt-only Only generate CA cert/key, use pre-created config -s, --sign-only Only generate CA cert/key, use pre-created config
-x, --cnf-only Only generate CA config file, don't create CA cert/key -x, --cnf-only Only generate CA config file, don't create CA cert/key
__EOT__ __EOT__
} }
short='hcf:i:o:sx' short="hcf:d:l:b:i:o:sx"
long='help,encrypt,config:,template:,output:,crt-only,cnf-only' long="help,encrypt,config:,days:,crl-days:,bits:"
long="$long,template:,output:,sign-only,cnf-only"
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" ) opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi if [ 0 -ne $? ]; then echo; usage; exit 1; fi
eval set -- "$opts"; eval set -- "$opts";
@ -40,9 +44,12 @@ while :; do
-h|--help) usage; exit 0;; -h|--help) usage; exit 0;;
-c|--encrypt) CRYPTKEY=""; shift;; -c|--encrypt) CRYPTKEY=""; shift;;
-f|--config) shift; CONFFILE="$1"; shift;; -f|--config) shift; CONFFILE="$1"; shift;;
-d|--days) shift; USER_CA_DAYS="$1"; shift;;
-l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
-b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
-i|--template) shift; INDEXTPL="$1"; shift;; -i|--template) shift; INDEXTPL="$1"; shift;;
-o|--output) shift; INDEXOUT="$1"; shift;; -o|--output) shift; INDEXOUT="$1"; shift;;
-s|--crt-only) CRT_ONLY=1; shift;; -s|--sign-only) CRT_ONLY=1; shift;;
-x|--cnf-only) CNF_ONLY=1; shift;; -x|--cnf-only) CNF_ONLY=1; shift;;
--) shift; break;; --) shift; break;;
*) echo "Unknown value '$1'"; exit 1;; *) echo "Unknown value '$1'"; exit 1;;
@ -83,7 +90,7 @@ if [ 1 -ne "$CNF_ONLY" ]; then
-out "$CA_HOME/csr/$CA_NAME.ca.csr" -out "$CA_HOME/csr/$CA_NAME.ca.csr"
chmod 400 "$CA_HOME/key/$CA_NAME.ca.key" chmod 400 "$CA_HOME/key/$CA_NAME.ca.key"
openssl ca -create_serial -selfsign -days 3652 -batch \ openssl ca -create_serial -selfsign -days "$CA_DAYS" -batch \
-name ca_scripts -extensions ca_x509_extensions \ -name ca_scripts -extensions ca_x509_extensions \
-config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \ -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
-in "$CA_HOME/csr/$CA_NAME.ca.csr" \ -in "$CA_HOME/csr/$CA_NAME.ca.csr" \
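Review bot: The values taken by the new `-d|--days`, `-l|--crl-days` and `-b|--bits` arms are stored in `USER_CA_DAYS`, `USER_CA_CRL_DAYS` and `USER_CA_CRT_BITS` without any check, and `$CA_DAYS` is then passed straight to `openssl ca -days` in the last hunk; an empty, non-numeric or negative value only surfaces as an openssl error after the CA directory and key material have started being written, and a too-small `--bits` is accepted silently as a weak CA key. A guard right after `eval set -- "$opts"` catches this up front, e.g. `case "$USER_CA_DAYS" in *[!0-9]*|0) echo "--days requires a positive integer" >&2; exit 1;; esac` for each of the three (an unset value matches neither pattern and falls through to the configured default), plus a minimum for `USER_CA_CRT_BITS`. How the `USER_` variables are folded into `CA_DAYS` etc. happens outside these hunks, so the exact placement may need adjusting. The same unchecked `-l|--crl-days` arm is added in the ca-revoke-cert section; the option loop and the `if [ 1 -ne "$CNF_ONLY" ]` block are both cut by the hunks.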


@ -10,14 +10,15 @@ Options:
-h, --help Print this helpful message! -h, --help Print this helpful message!
-f, --config FILE Use config file instead of $CONFFILE -f, --config FILE Use config file instead of $CONFFILE
-t, --type TYPE Certificate type: "server" (default), "client" or "user" -t, --type TYPE Certificate type: "server" (default), "client" or "user"
-l, --crl-days DAYS Make CRL valid for DAYS days instead of CA_CRL_DAYS
-i, --template FILE Use alternative index.html template -i, --template FILE Use alternative index.html template
-o, --output FILE Generate CA index.html in FILE -o, --output FILE Generate CA index.html in FILE
__EOT__ __EOT__
} }
short='hf:t:i:o:' short="hf:t:l:i:o:"
long='help,config:,type:,template:,output:' long="help,config:,type:,crl-days:,template:,output:"
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" ) opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
if [ 0 -ne $? ]; then echo; usage; exit 1; fi if [ 0 -ne $? ]; then echo; usage; exit 1; fi
eval set -- "$opts"; eval set -- "$opts";
@ -27,6 +28,7 @@ while :; do
-h|--help) usage; exit 0;; -h|--help) usage; exit 0;;
-f|--config) shift; CONFFILE="$1"; shift;; -f|--config) shift; CONFFILE="$1"; shift;;
-t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;; -t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
-l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
-i|--template) shift; INDEXTPL="$1"; shift;; -i|--template) shift; INDEXTPL="$1"; shift;;
-o|--output) shift; INDEXOUT="$1"; shift;; -o|--output) shift; INDEXOUT="$1"; shift;;
--) shift; break;; --) shift; break;;


@ -38,6 +38,13 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
# CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt" # CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
# CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl" # CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
# OPTIONAL: CA_DAYS, CA_CRT_DAYS and CA_CRL_DAYS set the default validity
# period for the CA cert, certificates and revocation lists.
# Default value:
# CA_DAYS=3652
# CA_CRT_DAYS=365
# CA_CRL_DAYS=365
# OPTIONAL: CA_CRT_BITS sets the default key length for generated keys. # OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
# Default value: # Default value:
# CA_CRT_BITS=2048 # CA_CRT_BITS=2048


@ -105,22 +105,22 @@ I<subjectAltName> extension in this case. User names are treated as unqualified
if they do not contain an "@" symbol and are qualified to I<common if they do not contain an "@" symbol and are qualified to I<common
name>@B<CA_DOMAIN>. name>@B<CA_DOMAIN>.
=item B<-r>, B<--csr-only> =item B<-r>, B<--req-only>
Causes B<ca-create-cert> to generate just the X.509 certificate signing Causes B<ca-create-cert> to generate just the X.509 certificate signing
request (CSR) from a pre-existing openssl request configuration, without request (CSR) from a pre-existing openssl request configuration, without
signing it to create a valid certificate. When used in conjunction with signing it to create a valid certificate. When used in conjunction with
B<--cnf-only>, B<ca-create-cert> only generates the openssl request B<--cnf-only>, B<ca-create-cert> only generates the openssl request
configuration, allowing the user to modify it before creating the CSR. configuration, allowing the user to modify it before creating the CSR.
Mutually exclusive to B<--crt-only>. Mutually exclusive to B<--sign-only>.
=item B<-s>, B<--crt-only> =item B<-s>, B<--sign-only>
Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing
X.509 extensions configuration, creating a valid certificate. When used in X.509 extensions configuration, creating a valid certificate. When used in
conjunction with B<--cnf-only>, B<ca-create-cert> only generates the conjunction with B<--cnf-only>, B<ca-create-cert> only generates the
X.509 extensions configuration, allowing the user to modify it before signing X.509 extensions configuration, allowing the user to modify it before signing
the certificate. Mutually exclusive to B<--csr-only>. the certificate. Mutually exclusive to B<--req-only>.
=item B<-x>, B<--cnf-only> =item B<-x>, B<--cnf-only>


@ -19,7 +19,8 @@ ca-init - initialise an X.509 SSL CA and generate CA certificate
=head1 SYNOPSIS =head1 SYNOPSIS
B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-i> I<template>] [B<-o> I<output>] B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-d> I<days>] [B<-l> I<days>]
[B<-b> I<bits>] [B<-i> I<template>] [B<-o> I<output>]
B<ca-init> [B<-h>] | [B<--help>] B<ca-init> [B<-h>] | [B<--help>]
@ -49,6 +50,21 @@ Encrypt the private key generated for the certificate authority with 3DES.
Load the ca-scripts configuration from I<FILE> instead of Load the ca-scripts configuration from I<FILE> instead of
I</etc/ca-scripts.conf>. I</etc/ca-scripts.conf>.
=item B<-d> I<DAYS>, B<--days> I<DAYS>
Sign the CA certificate to be valid for I<DAYS> days instead of the default
B<CA_DAYS> set in the configuration file.
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
Generate a CRL that is valid for I<DAYS> days instead of the default
B<CA_CRL_DAYS> set in the configuration file.
=item B<-b> I<BITS>, B<--bits> I<BITS>
Generate a I<BITS>-bit CA certificate instead of the default B<CA_CRT_BITS> set
in the config file. Traditionally this is a power of two, e.g. 1024 or 2048.
=item B<-i> I<FILE>, B<--template> I<FILE> =item B<-i> I<FILE>, B<--template> I<FILE>
Use the index.html template in I<FILE> rather than the standard one provided Use the index.html template in I<FILE> rather than the standard one provided
@ -61,7 +77,7 @@ Generate a HTML page in I<FILE> suitable for serving your CA certificate and
revocation lists via HTTP. The default template is basic but provides MD5 and revocation lists via HTTP. The default template is basic but provides MD5 and
SHA1 fingerprints of both files for verification purposes. SHA1 fingerprints of both files for verification purposes.
=item B<-s>, B<--crt-only> =item B<-s>, B<--sign-only>
Generate the CA certificate and private key from a previously-created openssl Generate the CA certificate and private key from a previously-created openssl
configuration. May only be used after having run B<ca-init> with the configuration. May only be used after having run B<ca-init> with the
@ -71,8 +87,8 @@ B<--cnf-only> option, and mutually exclusive to that option.
Create initial CA directory structure and openssl configuration, but do not Create initial CA directory structure and openssl configuration, but do not
generate CA certificate and private key. Using this option in conjunction with generate CA certificate and private key. Using this option in conjunction with
B<--crt-only> allows the user to manually customise the openssl config B<--sign-only> allows the user to manually customise the openssl config
before generating the certificates. Mutually exclusive to B<--crt-only>. before generating the certificates. Mutually exclusive to B<--sign-only>.
=back =back


@ -51,6 +51,11 @@ revoking, either I<server>, I<client>, or I<user>.
Load the ca-scripts configuration from I<FILE> instead of Load the ca-scripts configuration from I<FILE> instead of
I</etc/ca-scripts.conf>. I</etc/ca-scripts.conf>.
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
Generate a CRL that is valid for I<DAYS> days instead of the default
B<CA_CRL_DAYS> set in the configuration file.
=item B<-i> I<FILE>, B<--template> I<FILE> =item B<-i> I<FILE>, B<--template> I<FILE>
Use the index.html template in I<FILE> rather than the standard one provided Use the index.html template in I<FILE> rather than the standard one provided
@ -72,6 +77,11 @@ this may change in future releases along with code to deal with key compromise.
Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
generated CRLs due to requiring a very recent version of openssl(1). generated CRLs due to requiring a very recent version of openssl(1).
These scripts will not handle configuring an OCSP server for you. OCSP is an
alternative method of checking the validity of X.509 certificates, and is
Worth Investigating. See ocsp(1ssl) and the
L<wikipedia entry|http://en.wikipedia.org/wiki/OCSP> for details.
=head1 AVAILABILITY =head1 AVAILABILITY
New releases of the ca-scripts utilities can be found at New releases of the ca-scripts utilities can be found at
@ -86,8 +96,7 @@ Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
=head1 SEE ALSO =head1 SEE ALSO
ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5), ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
openssl(1ssl), ca(1ssl), req(1ssl), x509(1ssl), config(5ssl), and openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
x509v3_config(5ssl).
=cut =cut


@ -101,10 +101,12 @@ __TESTS__
ca_set_default "$varname" "$vardef" ca_set_default "$varname" "$vardef"
done <<__DEFAULTS__ done <<__DEFAULTS__
CA_DESC $CA_DN_CN CA_DESC $CA_DN_CN
CA_DAYS 3652
CA_PATHLEN 0
CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt CA_CRT_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl CA_CRL_URI http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
CA_PATHLEN 0
CA_CRT_DAYS 365 CA_CRT_DAYS 365
CA_CRL_DAYS 365
CA_CRT_BITS 2048 CA_CRT_BITS 2048
CA_CRT_TYPE server CA_CRT_TYPE server
CA_CRT_C $CA_DN_C CA_CRT_C $CA_DN_C
@ -140,8 +142,8 @@ ca_template() {
} }
ca_gen_crl() { ca_gen_crl() {
openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \ openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" -gencrl -md sha1 \
-gencrl -out "$CA_HOME/crl/$CA_NAME.ca.crl" -md sha1 -crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl"
openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \ openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \
-out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER -out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER
} }
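Review bot: `ca_gen_crl` still runs the `openssl crl ... -outform DER` conversion unconditionally after the rewritten `openssl ca -gencrl` line, so if CRL generation fails (for instance because `$CA_CRL_DAYS` is empty or non-numeric behind the new `-crldays` argument) the function re-encodes whatever previous `.ca.crl` is on disk and returns that step's status, and the caller cannot tell that a stale CRL is about to be published. Ending the first command with `|| return 1`, i.e. `-crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl" || return 1`, keeps the DER step from running on a failed generation; how callers treat the function's exit status is not visible here. Passing `-crldays` on the command line also overrides the `default_crl_days` the cnf template sets (see the last file section), presumably so that `-l/--crl-days` takes effect per run rather than only at ca-init time; a one-line comment such as `# -crldays overrides default_crl_days in the cnf so --crl-days applies per run` would save the next reader from wondering why the value is given twice.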


@ -38,7 +38,7 @@ policy = ca_extension_policy # policy on required CSR attribu
name_opt = oneline # Subject Name options - x509(1) name_opt = oneline # Subject Name options - x509(1)
cert_opt = ca_default # Certificate field options - x509(1) cert_opt = ca_default # Certificate field options - x509(1)
default_days = %CA_CRT_DAYS% # how long to certify for default_days = %CA_CRT_DAYS% # how long to certify for
default_crl_days= %CA_CRT_DAYS% # how long before next CRL default_crl_days= %CA_CRL_DAYS% # how long before next CRL
default_md = sha1 # which md to use. default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering preserve = no # keep passed DN ordering
unique_subject = no # recommended unique_subject = no # recommended