#! /bin/bash . "/home/alex/code/ca-scripts/lib/ca-functions" usage() { cat <<__EOT__ Usage: $PROGNAME [options] Options: -h, --help Print this helpful message! -c, --encrypt Encrypt CA private key with Triple-DES -f, --config FILE Use config file instead of $CONFFILE -i, --template FILE Use alternative index.html template -o, --output FILE Generate CA index.html in FILE -s, --crt-only Only generate CA cert/key, use pre-created config -x, --cnf-only Only generate CA config file, don't create CA cert/key __EOT__ } short='hcf:i:o:sx' long='help,encrypt,config:,template:,output:,crt-only,cnf-only' opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" ) if [ 0 -ne $? ]; then echo; usage; exit 1; fi eval set -- "$opts"; while :; do case "$1" in -h|--help) usage; exit 0;; -c|--encrypt) CRYPTKEY=""; shift;; -f|--config) shift; CONFFILE="$1"; shift;; -i|--template) shift; INDEXTPL="$1"; shift;; -o|--output) shift; INDEXOUT="$1"; shift;; -s|--crt-only) CRT_ONLY=1; shift;; -x|--cnf-only) CNF_ONLY=1; shift;; --) shift; break;; *) echo "Unknown value '$1'"; exit 1;; esac done # load up the configuration file CA_CRT_TYPE="ca" ca_load_conf if [ 1 -eq "$CRT_ONLY" -a 1 -eq "$CNF_ONLY" ]; then error "The --crt-only and --cnf-only options are mutually exclusive." fi if [ 1 -ne "$CRT_ONLY" ]; then # create the directory structure that'll be populated by the scripts mkdir -p $CA_HOME/{cnf,crl,crt,csr,db,idx,key,p12} echo "01" > $CA_HOME/db/crlnumber touch $CA_HOME/db/index.txt touch $CA_HOME/db/.rand # generate an openssl configuration for this CA ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf" fi if [ 1 -ne "$CNF_ONLY" ]; then # generate a self-signed cert that is valid for 10 years, with # ... the private key in $CA_HOME/key/$CA_NAME.ca.key # ... the certificate in $CA_HOME/crt/$CA_NAME.ca.crt # ... using the config in $CA_HOME/cnf/$CA_NAME.ca.cnf openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \ -keyout "$CA_HOME/key/$CA_NAME.ca.key" \ -out "$CA_HOME/csr/$CA_NAME.ca.csr" chmod 600 "$CA_HOME/key/$CA_NAME.ca.key" openssl ca -create_serial -selfsign -days 3652 -batch \ -name ca_scripts -extensions ca_x509_extensions \ -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \ -in "$CA_HOME/csr/$CA_NAME.ca.csr" \ -keyfile "$CA_HOME/key/$CA_NAME.ca.key" \ -out "$CA_HOME/crt/$CA_NAME.ca.crt" # generate an initial CRL too (yes it will be empty, but we should serve it) ca_gen_crl if [ -n "$INDEXOUT" ]; then ca_checksum ca_template $INDEXTPL $INDEXOUT fi fi