[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CA.pl
Hello:
CA.pl is a script to create a certifying authority for ssl and tls.
I found it while working on a Sendmail project. Anyway I felt there were issues so I sent in a patch to openssl and made one for openbsd too. Let me know if you use it.
Get your own FREE E-mail address at http://www.linuxfreemail.com
Linux FREE Mail is 100% FREE, 100% Linux, and 100% yours!
--- CA.pl Wed May 9 10:44:10 2001
+++ /usr/src/lib/libssl/src/apps/CA.pl Sat Apr 15 02:18:29 2000
@@ -12,11 +12,6 @@
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
-# 07-May-01 rjh Code overhaul. Fixed perms on "private" directory, and
-# reliance on a good umask. cleaned unessary regexs,
-# enabled full strictures.
-# $SSLEAY_CONFIG removed. openssl binary
-# honors the OPENSSL_CONF environment variable.
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
@@ -40,131 +35,121 @@
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
-use strict;
-use constant USAGEMSG => <<EOM
-Usage: CA -newcert|-newreq|-newca|-sign|-verify|-signcert
-EOM
-;
-my $DAYS="-days 365";
-my $REQ="openssl req";
-my $CA="openssl ca";
-my $VERIFY="openssl verify";
-my $X509="openssl x509";
-my $PKCS12="openssl pkcs12";
-my $CATOP;
-my $CAKEY = "cakey.pem";
-my $CACERT = "cacert.pem";
-my $DIRMODE = 0755;
-my $RET = 0;
-
-print "Enter a directory name for the CA to reside in [./demoCA]: ";
-$CATOP= <STDIN>;
-$CATOP = "demoCA" if $CATOP eq "\n";
-chomp($CATOP);
-$CATOP = "./" . $CATOP unless $CATOP =~ /^(?:\/|\.|\.\.)/;
-
-$_ = shift;
-
-if ( /^(?:-\?|-h|-help)$/ ) {
- print STDERR USAGEMSG;
- exit 0;
-} elsif ($_ eq "-newcert") {
- # create a certificate
- system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
- $RET=$?;
- print "Certificate (and private key) is in newreq.pem\n" unless $RET;
-} elsif ($_ eq "-newreq") {
- # create a certificate request
- system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
- $RET=$?;
- print "Request (and private key) is in newreq.pem\n" unless $RET;
-} elsif ($_ eq "-newca") {
- # if explicitly asked for or it doesn't exist then setup the
- # directory structure that Eric likes to manage things
- unless( -f "${CATOP}/serial" ) {
- # create the directory hierarchy
- mkdir $CATOP, $DIRMODE;
- mkdir "${CATOP}/certs", $DIRMODE;
- mkdir "${CATOP}/crl", $DIRMODE ;
- mkdir "${CATOP}/newcerts", $DIRMODE;
- mkdir "${CATOP}/private", 0700;
- open OUT, ">${CATOP}/serial";
- print OUT "01\n";
- close OUT;
- open OUT, ">${CATOP}/index.txt" && close OUT;
- }
- unless( -f "${CATOP}/private/$CAKEY" ) {
- # ask user for existing CA certificate
- print "CA certificate filename (or enter to create)\n";
- my $FILE = <STDIN>;
-
- chomp $FILE;
-
- if ($FILE) {
- cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
- cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+
+$DAYS="-days 365";
+$REQ="openssl req $SSLEAY_CONFIG";
+$CA="openssl ca $SSLEAY_CONFIG";
+$VERIFY="openssl verify";
+$X509="openssl x509";
+$PKCS12="openssl pkcs12";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+ if ( /^(-\?|-h|-help)$/ ) {
+ print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+ exit 0;
+ } elsif (/^-newcert$/) {
+ # create a certificate
+ system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
- } else {
- print "Making CA certificate ...\n";
- system ("$REQ -new -x509 -keyout " .
- "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+ print "Certificate (and private key) is in newreq.pem\n"
+ } elsif (/^-newreq$/) {
+ # create a certificate request
+ system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
$RET=$?;
- }
- }
-} elsif ($_ eq "-pkcs12") {
- my $cname = $ARGV[1];
- $cname = "My Certificate" unless defined $cname;
- system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
- "-certfile ${CATOP}/$CACERT -out newcert.p12 " .
- "-export -name \"$cname\"");
- $RET=$?;
- exit $RET;
-} elsif ($_ eq "-xsign") {
- system ("$CA -policy policy_anything -infiles newreq.pem");
- $RET=$?;
-} elsif (/^(?:-sign|-signreq)$/) {
- system ("$CA -policy policy_anything -out newcert.pem " .
- "-infiles newreq.pem");
- $RET=$?;
- print "Signed certificate is in newcert.pem\n" unless $RET;
-} elsif ($_ eq "-signCA") {
- system ("$CA -policy policy_anything -out newcert.pem " .
- "-extensions v3_ca -infiles newreq.pem");
- $RET=$?;
- print "Signed CA certificate is in newcert.pem\n" unless $RET;
-} elsif ($_ eq "-signcert") {
- system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
- "-out tmp.pem");
- system ("$CA -policy policy_anything -out newcert.pem " .
- "-infiles tmp.pem");
- $RET = $?;
- print "Signed certificate is in newcert.pem\n" unless $RET;
-} elsif ($_ eq "-verify") {
- if (shift) {
- foreach my $j (@ARGV) {
- system ("$VERIFY -CAfile $CATOP/$CACERT $j");
- $RET=$? if ($? != 0);
- }
- exit $RET;
- } else {
- system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+ print "Request (and private key) is in newreq.pem\n";
+ } elsif (/^-newca$/) {
+ # if explicitly asked for or it doesn't exist then setup the
+ # directory structure that Eric likes to manage things
+ $NEW="1";
+ if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+ # create the directory hierarchy
+ mkdir $CATOP, $DIRMODE;
+ mkdir "${CATOP}/certs", $DIRMODE;
+ mkdir "${CATOP}/crl", $DIRMODE ;
+ mkdir "${CATOP}/newcerts", $DIRMODE;
+ mkdir "${CATOP}/private", $DIRMODE;
+ open OUT, ">${CATOP}/serial";
+ print OUT "01\n";
+ close OUT;
+ open OUT, ">${CATOP}/index.txt";
+ close OUT;
+ }
+ if ( ! -f "${CATOP}/private/$CAKEY" ) {
+ print "CA certificate filename (or enter to create)\n";
+ $FILE = <STDIN>;
+
+ chop $FILE;
+
+ # ask user for existing CA certificate
+ if ($FILE) {
+ cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+ cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+ $RET=$?;
+ } else {
+ print "Making CA certificate ...\n";
+ system ("$REQ -new -x509 -keyout " .
+ "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+ $RET=$?;
+ }
+ }
+ } elsif (/^-pkcs12$/) {
+ my $cname = $ARGV[1];
+ $cname = "My Certificate" unless defined $cname;
+ system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+ "-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+ "-export -name \"$cname\"");
$RET=$?;
- exit 0;
- }
-} else {
- print STDERR "Unknown arg $_\n";
- print STDERR USAGEMSG;
- exit 1;
+ exit $RET;
+ } elsif (/^-xsign$/) {
+ system ("$CA -policy policy_anything -infiles newreq.pem");
+ $RET=$?;
+ } elsif (/^(-sign|-signreq)$/) {
+ system ("$CA -policy policy_anything -out newcert.pem " .
+ "-infiles newreq.pem");
+ $RET=$?;
+ print "Signed certificate is in newcert.pem\n";
+ } elsif (/^-signcert$/) {
+ system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+ "-out tmp.pem");
+ system ("$CA -policy policy_anything -out newcert.pem " .
+ "-infiles tmp.pem");
+ $RET = $?;
+ print "Signed certificate is in newcert.pem\n";
+ } elsif (/^-verify$/) {
+ if (shift) {
+ foreach $j (@ARGV) {
+ system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+ $RET=$? if ($? != 0);
+ }
+ exit $RET;
+ } else {
+ system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+ $RET=$?;
+ exit 0;
+ }
+ } else {
+ print STDERR "Unknown arg $_\n";
+ print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+ exit 1;
+ }
}
exit $RET;
sub cp_pem {
- my ($infile, $outfile, $bound) = @_;
- open IN, $infile;
- open OUT, ">$outfile";
- my $flag = 0;
- while (<IN>) {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
$flag = 1 if (/^-----BEGIN.*$bound/) ;
print OUT $_ if ($flag);
if (/^-----END.*$bound/) {
@@ -172,5 +157,6 @@
close OUT;
return;
}
- }
}
+}
+