175 lines
5.3 KiB
Bash
Executable file
175 lines
5.3 KiB
Bash
Executable file
#! /bin/sh
|
|
|
|
if [ -z "$1" -o "$1" == "man" ]; then
|
|
exec /usr/bin/pod2man -n CA-INIT -s 1 -d "12 February 2010" \
|
|
-r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
|
|
elif [ "$1" == "html" ]; then
|
|
exec /usr/bin/pod2html --title "ca-init(1)" < $0
|
|
elif [ "$1" == "text" ]; then
|
|
exec /usr/bin/pod2text -o $0
|
|
fi
|
|
echo "Unrecognised output format '$1', try man, html, or text."
|
|
exit 1
|
|
|
|
=pod
|
|
|
|
=head1 NAME
|
|
|
|
ca-init - initialise an X.509 SSL CA and generate CA certificate
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<ca-init> [B<-csx>] [B<-f> I<config>] [B<-d> I<days>] [B<-l> I<days>]
|
|
[B<-b> I<bits>] [B<-i> I<template>] [B<-o> I<output>]
|
|
|
|
B<ca-init> [B<-h>] | [B<--help>]
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<ca-init> reads the ca-scripts configuration file and generates an openssl(1)
|
|
configuration file and an X.509 certificate and key suitable for use as an
|
|
x509(1) certificate authority. It can also optionally generate an HTML file
|
|
with MD5 and SHA1 fingerprints suitable for publishing the CA certificate and
|
|
the CRL. The format of the ca-scripts configuration file is documented in
|
|
ca-scripts.conf(5).
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over
|
|
|
|
=item B<-h>, B<--help>
|
|
|
|
Prints out a short synopsis of the options to B<ca-init>.
|
|
|
|
=item B<-c>, B<--encrypt>
|
|
|
|
Encrypt the private key generated for the certificate authority with 3DES.
|
|
|
|
=item B<-f> I<FILE>, B<--config> I<FILE>
|
|
|
|
Load the ca-scripts configuration from I<FILE> instead of
|
|
I</etc/ca-scripts.conf>.
|
|
|
|
=item B<-d> I<DAYS>, B<--days> I<DAYS>
|
|
|
|
Sign the CA certificate to be valid for I<DAYS> days instead of the default
|
|
B<CA_DAYS> set in the configuration file.
|
|
|
|
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
|
|
|
|
Generate a CRL that is valid for I<DAYS> days instead of the default
|
|
B<CA_CRL_DAYS> set in the configuration file.
|
|
|
|
=item B<-b> I<BITS>, B<--bits> I<BITS>
|
|
|
|
Generate a I<BITS>-bit CA certificate instead of the default B<CA_CRT_BITS> set
|
|
in the config file. Traditionally this is a power of two, e.g. 1024 or 2048.
|
|
|
|
=item B<-i> I<FILE>, B<--template> I<FILE>
|
|
|
|
Use the index.html template in I<FILE> rather than the standard one provided
|
|
with ca-scripts. See the B<TEMPLATING> section of ca-scripts.conf(5) for more
|
|
details of the templating system. Hint: it's sed(1) based...
|
|
|
|
=item B<-o> I<FILE>, B<--output> I<FILE>
|
|
|
|
Generate a HTML page in I<FILE> suitable for serving your CA certificate and
|
|
revocation lists via HTTP. The default template is basic but provides MD5 and
|
|
SHA1 fingerprints of both files for verification purposes.
|
|
|
|
=item B<-s>, B<--sign-only>
|
|
|
|
Generate the CA certificate and private key from a previously-created openssl
|
|
configuration. May only be used after having run B<ca-init> with the
|
|
B<--cnf-only> option, and mutually exclusive to that option.
|
|
|
|
=item B<-x>, B<--cnf-only>
|
|
|
|
Create initial CA directory structure and openssl configuration, but do not
|
|
generate CA certificate and private key. Using this option in conjunction with
|
|
B<--sign-only> allows the user to manually customise the openssl config
|
|
before generating the certificates. Mutually exclusive to B<--sign-only>.
|
|
|
|
=back
|
|
|
|
=head1 THE CA DIRECTORY STRUCTURE
|
|
|
|
B<ca-init> creates a number of subdirectories under the path specified in
|
|
the mandatory configuration variable B<CA_HOME>. This path must exist before
|
|
B<ca-init> will run correctly. All files and directories under this path
|
|
will be created with a restrictive umask of 0027, and in particular the CA
|
|
private key will be created with permissions of 0400.
|
|
|
|
It is recommended but not required that a non-privileged system "ssl" user and
|
|
group are created for running the ca-scripts suite of utilities, and that any
|
|
local services needing access to a certificate are added to the "ssl" group.
|
|
Access to generate certificates can be bestowed to individuals on a multi-user
|
|
system by adding them to the same group and allowing them to run ca-scripts
|
|
utilities via sudo(8).
|
|
|
|
The directories B<ca-init> creates are as follows:
|
|
|
|
=over
|
|
|
|
=item I<cnf/>
|
|
|
|
Contains a cache of openssl configuration files created by the various
|
|
ca-scripts utilities from templates.
|
|
|
|
=item I<crl/>
|
|
|
|
Contains the certificate revocation list for the CA in both PEM and DER forms.
|
|
|
|
=item I<crt/>
|
|
|
|
Contains the signed certificates generated by ca-create-cert(1).
|
|
|
|
=item I<csr/>
|
|
|
|
Contains the unsigned certificate signing requests generated by
|
|
ca-create-cert(1).
|
|
|
|
=item I<db/>
|
|
|
|
Contains internal openssl(1ssl) database files required for certificate
|
|
authority management.
|
|
|
|
=item I<idx/>
|
|
|
|
Contains signed certificates indexed by serial number to make certificate
|
|
revocation simpler.
|
|
|
|
=item I<key/>
|
|
|
|
Contains the private keys associated with the certificates in I<crt/>.
|
|
|
|
=item I<p12/>
|
|
|
|
Contains any PKCS#12 certificate archives created by ca-create-cert(1).
|
|
|
|
=back
|
|
|
|
=head1 BUGS
|
|
|
|
Probably. Of particular note is that the default openssl configuration file
|
|
requires the C (country) and O (organisation) fields of all generated
|
|
certificates to match those in the CA certificate, but ca-create-cert(1)
|
|
allows these fields to be changed.
|
|
|
|
=head1 AVAILABILITY
|
|
|
|
New releases of the ca-scripts utilities can be found at
|
|
L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
|
|
A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
|
|
for development versions also exists.
|
|
|
|
=head1 AUTHORS
|
|
|
|
Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
|
|
|
|
=head1 SEE ALSO
|
|
|
|
ca-create-cert(1), ca-scripts.conf(5), openssl(1ssl), ca(1ssl), req(1ssl),
|
|
x509(1ssl), config(5ssl), and x509v3_config(5ssl).
|
|
|
|
=cut
|