More fine-grained control over cert/crl validity; rename crt/crl-only options.

2010-03-13 15:11:51 +00:00 · 2010-03-13 15:11:51 +00:00 · ad1e8a6ca8
parent c83c2ae48a
commit ad1e8a6ca8
9 changed files with 71 additions and 27 deletions
--- a/bin/ca-create-cert
+++ b/bin/ca-create-cert
@ -27,8 +27,8 @@ Options:
  -n, --alt-name NAME   Alternative host name (can be provided multiple times)
  -p, --pkcs12          Create PKCS#12 certificate archive from generated cert
  -q, --no-qualify      Don't qualify short (dotless) names with CA_DOMAIN
-  -r, --csr-only        Only generate CSR, don't sign it
+  -r, --req-only        Only generate CSR, don't sign it
-  -s, --crt-only        Only sign certificate, requires CSR in place
+  -s, --sign-only       Only sign certificate, requires CSR in place
  -x, --cnf-only        Only generate templates, do not create CSR or sign CRT
  --country             Certificate DN -- C
  --state               Certificate DN -- ST
@ -41,8 +41,9 @@ Options:
 __EOT__
 }
-short='hcf:t:n:prsx'
+short="hcf:t:d:b:n:pqrsx"
-long='help,encrypt,config:,type:,alt-name:,pkcs12,csr-only,crt-only,cnf-only'
+long="help,encrypt,config:,type:,days:,bits:,alt-name:"
 long="$long,pkcs12,no-qualify,req-only,sign-only,cnf-only"
 long="$long,country:,state:,loc:,org:,ounit:,email:,comment:"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
@ -59,8 +60,8 @@ while :; do
        -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
        -p|--pkcs12) MAKE_P12=1; shift;;
        -q|--no-qualify) QUALIFY=0; shift;;
-        -r|--csr-only) CSR_ONLY=1; shift;;
+        -r|--req-only) CSR_ONLY=1; shift;;
-        -s|--crt-only) CRT_ONLY=1; shift;;
+        -s|--sign-only) CRT_ONLY=1; shift;;
        -x|--cnf-only) CNF_ONLY=1; shift;;
        --country) shift; USER_CA_CRT_C="$1"; shift;;
        --state) shift; USER_CA_CRT_ST="$1"; shift;;
--- a/bin/ca-init
+++ b/bin/ca-init
@ -21,16 +21,20 @@ Options:
  -h, --help            Print this helpful message!
  -c, --encrypt         Encrypt CA private key with Triple-DES
  -f, --config FILE     Use config file instead of $CONFFILE
  -d, --days DAYS       CA Certificate valid for DAYS days instead of CA_DAYS
  -l, --crl-days DAYS   Make CRL valid for DAYS days instead of CA_CRL_DAYS
  -b, --bits BITS       Generate a BITS bit certificate instead of CA_CRT_BITS
  -i, --template FILE   Use alternative index.html template
  -o, --output FILE     Generate CA index.html in FILE
-  -s, --crt-only        Only generate CA cert/key, use pre-created config
+  -s, --sign-only       Only generate CA cert/key, use pre-created config
  -x, --cnf-only        Only generate CA config file, don't create CA cert/key
 __EOT__
 }
-short='hcf:i:o:sx'
+short="hcf:d:l:b:i:o:sx"
-long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
+long="help,encrypt,config:,days:,crl-days:,bits:"
 long="$long,template:,output:,sign-only,cnf-only"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@ -40,9 +44,12 @@ while :; do
        -h|--help) usage; exit 0;;
        -c|--encrypt) CRYPTKEY=""; shift;;
        -f|--config) shift; CONFFILE="$1"; shift;;
        -d|--days) shift; USER_CA_DAYS="$1"; shift;;
        -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
        -b|--bits) shift; USER_CA_CRT_BITS="$1"; shift;;
        -i|--template) shift; INDEXTPL="$1"; shift;;
        -o|--output) shift; INDEXOUT="$1"; shift;;
-        -s|--crt-only) CRT_ONLY=1; shift;;
+        -s|--sign-only) CRT_ONLY=1; shift;;
        -x|--cnf-only) CNF_ONLY=1; shift;;
        --) shift; break;;
        *) echo "Unknown value '$1'"; exit 1;;
@ -83,7 +90,7 @@ if [ 1 -ne "$CNF_ONLY" ]; then
      -out    "$CA_HOME/csr/$CA_NAME.ca.csr"
    chmod 400 "$CA_HOME/key/$CA_NAME.ca.key"
-    openssl ca -create_serial -selfsign -days 3652 -batch \
+    openssl ca -create_serial -selfsign -days "$CA_DAYS" -batch \
      -name ca_scripts -extensions ca_x509_extensions \
      -config  "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
      -in      "$CA_HOME/csr/$CA_NAME.ca.csr" \
--- a/bin/ca-revoke-cert
+++ b/bin/ca-revoke-cert
@ -10,14 +10,15 @@ Options:
  -h, --help            Print this helpful message!
  -f, --config FILE     Use config file instead of $CONFFILE
  -t, --type TYPE       Certificate type: "server" (default), "client" or "user"
  -l, --crl-days DAYS   Make CRL valid for DAYS days instead of CA_CRL_DAYS
  -i, --template FILE   Use alternative index.html template
  -o, --output FILE     Generate CA index.html in FILE
 __EOT__
 }
-short='hf:t:i:o:'
+short="hf:t:l:i:o:"
-long='help,config:,type:,template:,output:'
+long="help,config:,type:,crl-days:,template:,output:"
 opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
 if [ 0 -ne $? ]; then echo; usage; exit 1; fi
 eval set -- "$opts";
@ -27,6 +28,7 @@ while :; do
        -h|--help) usage; exit 0;;
        -f|--config) shift; CONFFILE="$1"; shift;;
        -t|--type) shift; USER_CA_CRT_TYPE="$1"; shift;;
        -l|--crl-days) shift; USER_CA_CRL_DAYS="$1"; shift;;
        -i|--template) shift; INDEXTPL="$1"; shift;;
        -o|--output) shift; INDEXOUT="$1"; shift;;
        --) shift; break;;
--- a/ca-scripts.conf
+++ b/ca-scripts.conf
@ -38,6 +38,13 @@ CA_DN_CN="Example Security Services Root Certificate Authority"
 # CA_CRT_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crt"
 # CA_CRL_URI="http://$CA_DOMAIN/ca/$CA_NAME.ca.crl"
 # OPTIONAL: CA_DAYS, CA_CRT_DAYS and CA_CRL_DAYS set the default validity 
 #           period for the CA cert, certificates and revocation lists.
 # Default value:
 # CA_DAYS=3652
 # CA_CRT_DAYS=365
 # CA_CRL_DAYS=365
 # OPTIONAL: CA_CRT_BITS sets the default key length for generated keys.
 # Default value:
 # CA_CRT_BITS=2048
--- a/doc/ca-create-cert.pod
+++ b/doc/ca-create-cert.pod
@ -105,22 +105,22 @@ I<subjectAltName> extension in this case. User names are treated as unqualified
 if they do not contain an "@" symbol and are qualified to I<common
 name>@B<CA_DOMAIN>.
-=item B<-r>, B<--csr-only>
+=item B<-r>, B<--req-only>
 Causes B<ca-create-cert> to generate just the X.509 certificate signing
 request (CSR) from a pre-existing openssl request configuration, without
 signing it to create a valid certificate. When used in conjunction with
 B<--cnf-only>, B<ca-create-cert> only generates the openssl request
 configuration, allowing the user to modify it before creating the CSR.
-Mutually exclusive to B<--crt-only>.
+Mutually exclusive to B<--sign-only>.
-=item B<-s>, B<--crt-only>
+=item B<-s>, B<--sign-only>
 Causes B<ca-create-cert> to sign a pre-existing CSR using a pre-existing
 X.509 extensions configuration, creating a valid certificate. When used in
 conjunction with B<--cnf-only>, B<ca-create-cert> only generates the
 X.509 extensions configuration, allowing the user to modify it before signing
-the certificate. Mutually exclusive to B<--csr-only>.
+the certificate. Mutually exclusive to B<--req-only>.
 =item B<-x>, B<--cnf-only>
--- a/doc/ca-init.pod
+++ b/doc/ca-init.pod
@ -19,7 +19,8 @@ ca-init - initialise an X.509 SSL CA and generate CA certificate
 =head1 SYNOPSIS
-B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-i> I<template>] [B<-o> I<output>]
+B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-d> I<days>] [B<-l> I<days>]
 [B<-b> I<bits>] [B<-i> I<template>] [B<-o> I<output>]
 B<ca-init> [B<-h>] | [B<--help>]
@ -49,6 +50,21 @@ Encrypt the private key generated for the certificate authority with 3DES.
 Load the ca-scripts configuration from I<FILE> instead of
 I</etc/ca-scripts.conf>.
 =item B<-d> I<DAYS>, B<--days> I<DAYS>
 Sign the CA certificate to be valid for I<DAYS> days instead of the default
 B<CA_DAYS> set in the configuration file.
 =item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
 Generate a CRL that is valid for I<DAYS> days instead of the default
 B<CA_CRL_DAYS> set in the configuration file.
 =item B<-b> I<BITS>, B<--bits> I<BITS>
 Generate a I<BITS>-bit CA certificate instead of the default B<CA_CRT_BITS> set
 in the config file. Traditionally this is a power of two, e.g. 1024 or 2048.
 =item B<-i> I<FILE>, B<--template> I<FILE>
 Use the index.html template in I<FILE> rather than the standard one provided
@ -61,7 +77,7 @@ Generate a HTML page in I<FILE> suitable for serving your CA certificate and
 revocation lists via HTTP. The default template is basic but provides MD5 and
 SHA1 fingerprints of both files for verification purposes.
-=item B<-s>, B<--crt-only>
+=item B<-s>, B<--sign-only>
 Generate the CA certificate and private key from a previously-created openssl
 configuration. May only be used after having run B<ca-init> with the
@ -71,8 +87,8 @@ B<--cnf-only> option, and mutually exclusive to that option.
 Create initial CA directory structure and openssl configuration, but do not
 generate CA certificate and private key. Using this option in conjunction with
-B<--crt-only> allows the user to manually customise the openssl config
+B<--sign-only> allows the user to manually customise the openssl config
-before generating the certificates. Mutually exclusive to B<--crt-only>.
+before generating the certificates. Mutually exclusive to B<--sign-only>.
 =back
--- a/doc/ca-revoke-cert.pod
+++ b/doc/ca-revoke-cert.pod
@ -51,6 +51,11 @@ revoking, either I<server>, I<client>, or I<user>.
 Load the ca-scripts configuration from I<FILE> instead of
 I</etc/ca-scripts.conf>.
 =item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
 Generate a CRL that is valid for I<DAYS> days instead of the default
 B<CA_CRL_DAYS> set in the configuration file.
 =item B<-i> I<FILE>, B<--template> I<FILE>
 Use the index.html template in I<FILE> rather than the standard one provided
@ -72,6 +77,11 @@ this may change in future releases along with code to deal with key compromise.
 Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
 generated CRLs due to requiring a very recent version of openssl(1).
 These scripts will not handle configuring an OCSP server for you. OCSP is an
 alternative method of checking the validity of X.509 certificates, and is
 Worth Investigating. See ocsp(1ssl) and the
 L<wikipedia entry|http://en.wikipedia.org/wiki/OCSP> for details.
 =head1 AVAILABILITY
 New releases of the ca-scripts utilities can be found at
@ -86,8 +96,7 @@ Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
 =head1 SEE ALSO
 ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
-openssl(1ssl), ca(1ssl), req(1ssl), x509(1ssl), config(5ssl), and
+openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
 x509v3_config(5ssl).
 =cut
--- a/lib/ca-functions
+++ b/lib/ca-functions
@ -101,10 +101,12 @@ __TESTS__
        ca_set_default "$varname" "$vardef"
    done <<__DEFAULTS__
 CA_DESC         $CA_DN_CN
 CA_DAYS         3652
 CA_PATHLEN      0
 CA_CRT_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crt
 CA_CRL_URI      http://$CA_DOMAIN/ca/$CA_NAME.ca.crl
 CA_PATHLEN      0
 CA_CRT_DAYS     365
 CA_CRL_DAYS     365
 CA_CRT_BITS     2048
 CA_CRT_TYPE     server
 CA_CRT_C        $CA_DN_C
@ -140,8 +142,8 @@ ca_template() {
 }
 ca_gen_crl() {
-    openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
+    openssl ca -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" -gencrl -md sha1 \
-      -gencrl -out "$CA_HOME/crl/$CA_NAME.ca.crl" -md sha1
+      -crldays "$CA_CRL_DAYS" -out "$CA_HOME/crl/$CA_NAME.ca.crl"
    openssl crl -in "$CA_HOME/crl/$CA_NAME.ca.crl" \
      -out "$CA_HOME/crl/$CA_NAME.ca.crl.der" -outform DER
 }
--- a/tpl/ca-config.tpl
+++ b/tpl/ca-config.tpl
@ -38,7 +38,7 @@ policy          = ca_extension_policy           # policy on required CSR attribu
 name_opt        = oneline               # Subject Name options - x509(1)
 cert_opt        = ca_default            # Certificate field options - x509(1) 
 default_days    = %CA_CRT_DAYS%         # how long to certify for
-default_crl_days= %CA_CRT_DAYS%         # how long before next CRL
+default_crl_days= %CA_CRL_DAYS%         # how long before next CRL
 default_md      = sha1                  # which md to use.
 preserve        = no                    # keep passed DN ordering
 unique_subject  = no                    # recommended