+
+if ($WHAT eq '-newcert' ) {
+ # create a certificate
+ $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS"
+ . " $EXTRA{req}");
+ print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-precert' ) {
+ # create a pre-certificate
+ $RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS"
+ . " $EXTRA{req}");
+ print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) {
+ # create a certificate request
+ $RET = run("$REQ -new $1 -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
+ print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-newca' ) {
+ # create the directory hierarchy
+ my @dirs = ( "${CATOP}", "${CATOP}/certs", "${CATOP}/crl",
+ "${CATOP}/newcerts", "${CATOP}/private" );
+ die "${CATOP}/index.txt exists.\nRemove old sub-tree to proceed,"
+ if -f "${CATOP}/index.txt";
+ die "${CATOP}/serial exists.\nRemove old sub-tree to proceed,"
+ if -f "${CATOP}/serial";
+ foreach my $d ( @dirs ) {
+ if ( -d $d ) {
+ warn "Directory $d exists" if -d $d;
+ } else {
+ mkdir $d or die "Can't mkdir $d, $!";
+ }
+ }
+
+ open OUT, ">${CATOP}/index.txt";
+ close OUT;
+ open OUT, ">${CATOP}/crlnumber";
+ print OUT "01\n";
+ close OUT;
+ # ask user for existing CA certificate
+ print "CA certificate filename (or enter to create)\n";
+ my $FILE;
+ $FILE = "" unless defined($FILE = <STDIN>);
+ $FILE =~ s{\R$}{};
+ if ($FILE ne "") {
+ copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+ copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+ } else {
+ print "Making CA certificate ...\n";
+ $RET = run("$REQ -new -keyout ${CATOP}/private/$CAKEY"
+ . " -out ${CATOP}/$CAREQ $EXTRA{req}");
+ $RET = run("$CA -create_serial"
+ . " -out ${CATOP}/$CACERT $CADAYS -batch"
+ . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
+ . " $EXTENSIONS"
+ . " -infiles ${CATOP}/$CAREQ $EXTRA{ca}") if $RET == 0;
+ print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
+ }
+} elsif ($WHAT eq '-pkcs12' ) {
+ my $cname = $ARGV[0];
+ $cname = "My Certificate" unless defined $cname;
+ $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
+ . " -certfile ${CATOP}/$CACERT -out $NEWP12"
+ . " -export -name \"$cname\" $EXTRA{pkcs12}");
+ print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
+} elsif ($WHAT eq '-xsign' ) {
+ $RET = run("$CA $POLICY -infiles $NEWREQ $EXTRA{ca}");
+} elsif ($WHAT eq '-sign' ) {
+ $RET = run("$CA $POLICY -out $NEWCERT"
+ . " -infiles $NEWREQ $EXTRA{ca}");
+ print "Signed certificate is in $NEWCERT\n" if $RET == 0;
+} elsif ($WHAT eq '-signCA' ) {
+ $RET = run("$CA $POLICY -out $NEWCERT"
+ . " $EXTENSIONS -infiles $NEWREQ $EXTRA{ca}");
+ print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
+} elsif ($WHAT eq '-signcert' ) {
+ $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
+ . " -out tmp.pem $EXTRA{x509}");
+ $RET = run("$CA $POLICY -out $NEWCERT"
+ . "-infiles tmp.pem $EXTRA{ca}") if $RET == 0;
+ print "Signed certificate is in $NEWCERT\n" if $RET == 0;
+} elsif ($WHAT eq '-verify' ) {
+ my @files = @ARGV ? @ARGV : ( $NEWCERT );
+ foreach my $file (@files) {
+ # -CAfile quoted for VMS, since the C RTL downcases all unquoted
+ # arguments to C programs
+ my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}");
+ $RET = $status if $status != 0;
+ }
+} elsif ($WHAT eq '-crl' ) {
+ $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL $EXTRA{ca}");
+ print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
+} elsif ($WHAT eq '-revoke' ) {
+ my $cname = $ARGV[0];
+ if (!defined $cname) {
+ print "Certificate filename is required; reason optional.\n";
+ exit 1;
+ }
+ my $reason = $ARGV[1];
+ $reason = " -crl_reason $reason"
+ if defined $reason && crl_reason_ok($reason);
+ $RET = run("$CA -revoke \"$cname\"" . $reason . $EXTRA{ca});
+} else {
+ print STDERR "Unknown arg \"$WHAT\"\n";
+ print STDERR "Use -help for help.\n";
+ exit 1;