X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2FCA.pl.in;h=5d829c05eb7f26a34ccd6b644f4991e28953ec66;hb=c5156d952e563fd889caea1df13dfaf939cd8bf9;hp=0e0b7fc0bc9c0a04f063fefeadae61ce415e3e48;hpb=90644dd74d5c5262831bb0be73e1226778099924;p=openssl.git diff --git a/apps/CA.pl.in b/apps/CA.pl.in index 0e0b7fc0bc..5d829c05eb 100644 --- a/apps/CA.pl.in +++ b/apps/CA.pl.in @@ -5,7 +5,7 @@ # things easier between now and when Eric is convinced to fix it :-) # # CA -newca ... will setup the right stuff -# CA -newreq ... will generate a certificate request +# CA -newreq[-nodes] ... will generate a certificate request # CA -sign ... will sign the generated request and output # # At the end of that grab newreq.pem and newcert.pem (one has the key @@ -36,15 +36,26 @@ # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored -$DAYS="-days 365"; -$REQ="openssl req $SSLEAY_CONFIG"; -$CA="openssl ca $SSLEAY_CONFIG"; -$VERIFY="openssl verify"; -$X509="openssl x509"; -$PKCS12="openssl pkcs12"; +my $openssl; +if(defined $ENV{OPENSSL}) { + $openssl = $ENV{OPENSSL}; +} else { + $openssl = "openssl"; + $ENV{OPENSSL} = $openssl; +} + +$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; +$DAYS="-days 365"; # 1 year +$CADAYS="-days 1095"; # 3 years +$REQ="$openssl req $SSLEAY_CONFIG"; +$CA="$openssl ca $SSLEAY_CONFIG"; +$VERIFY="$openssl verify"; +$X509="$openssl x509"; +$PKCS12="$openssl pkcs12"; $CATOP="./demoCA"; $CAKEY="cakey.pem"; +$CAREQ="careq.pem"; $CACERT="cacert.pem"; $DIRMODE = 0777; @@ -53,7 +64,7 @@ $RET = 0; foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { - print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n"; + print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate @@ -65,8 +76,13 @@ foreach (@ARGV) { system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Request (and private key) is in newreq.pem\n"; + } elsif (/^-newreq-nodes$/) { + # create a certificate request + system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS"); + $RET=$?; + print "Request (and private key) is in newreq.pem\n"; } elsif (/^-newca$/) { - # if explictly asked for or it doesn't exist then setup the + # if explicitly asked for or it doesn't exist then setup the # directory structure that Eric likes to manage things $NEW="1"; if ( "$NEW" || ! -f "${CATOP}/serial" ) { @@ -76,9 +92,6 @@ foreach (@ARGV) { mkdir "${CATOP}/crl", $DIRMODE ; mkdir "${CATOP}/newcerts", $DIRMODE; mkdir "${CATOP}/private", $DIRMODE; - open OUT, ">${CATOP}/serial"; - print OUT "01\n"; - close OUT; open OUT, ">${CATOP}/index.txt"; close OUT; } @@ -95,8 +108,12 @@ foreach (@ARGV) { $RET=$?; } else { print "Making CA certificate ...\n"; - system ("$REQ -new -x509 -keyout " . - "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS"); + system ("$REQ -new -keyout " . + "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ"); + system ("$CA -create_serial " . + "-out ${CATOP}/$CACERT $CADAYS -batch " . + "-keyfile ${CATOP}/private/$CAKEY -selfsign " . + "-infiles ${CATOP}/$CAREQ "); $RET=$?; } } @@ -116,6 +133,11 @@ foreach (@ARGV) { "-infiles newreq.pem"); $RET=$?; print "Signed certificate is in newcert.pem\n"; + } elsif (/^(-signCA)$/) { + system ("$CA -policy policy_anything -out newcert.pem " . + "-extensions v3_ca -infiles newreq.pem"); + $RET=$?; + print "Signed CA certificate is in newcert.pem\n"; } elsif (/^-signcert$/) { system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . "-out tmp.pem"); @@ -137,7 +159,7 @@ foreach (@ARGV) { } } else { print STDERR "Unknown arg $_\n"; - print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n"; + print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; exit 1; } }