Implement self-signing in 'openssl ca'. This makes it easier to have

[openssl.git] / apps / CA.pl.in

diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index 4eef57e6e3919aac3a1b13976d1d9d261d5f9cc9..2242f7e03b1c7b0430dafca30342498f881f4576 100644 (file)
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -5,7 +5,7 @@
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request 
+# CA -newreq[-nodes] ... will generate a certificate request 
 # CA -sign ... will sign the generated request and output 
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key 
@@ -36,7 +36,9 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 
-$DAYS="-days 365";
+$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
+$DAYS="-days 365";     # 1 year
+$CADAYS="-days 1095";  # 3 years
 $REQ="openssl req $SSLEAY_CONFIG";
 $CA="openssl ca $SSLEAY_CONFIG";
 $VERIFY="openssl verify";
@@ -45,6 +47,7 @@ $PKCS12="openssl pkcs12";
 
 $CATOP="./demoCA";
 $CAKEY="cakey.pem";
+$CAREQ="careq.pem";
 $CACERT="cacert.pem";
 
 $DIRMODE = 0777;
@@ -53,7 +56,7 @@ $RET = 0;
 
 foreach (@ARGV) {
        if ( /^(-\?|-h|-help)$/ ) {
-           print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+           print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
            exit 0;
        } elsif (/^-newcert$/) {
            # create a certificate
@@ -65,6 +68,11 @@ foreach (@ARGV) {
            system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
            $RET=$?;
            print "Request (and private key) is in newreq.pem\n";
+       } elsif (/^-newreq-nodes$/) {
+           # create a certificate request
+           system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+           $RET=$?;
+           print "Request (and private key) is in newreq.pem\n";
        } elsif (/^-newca$/) {
                # if explicitly asked for or it doesn't exist then setup the
                # directory structure that Eric likes to manage things 
@@ -95,8 +103,11 @@ foreach (@ARGV) {
                    $RET=$?;
                } else {
                    print "Making CA certificate ...\n";
-                   system ("$REQ -new -x509 -keyout " .
-                       "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+                   system ("$REQ -new -keyout " .
+                       "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+                   system ("$CA -out ${CATOP}/$CACERT $CADAYS -batch " . 
+                       "-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+                       "-infiles ${CATOP}/$CAREQ ");
                    $RET=$?;
                }
            }
@@ -116,6 +127,11 @@ foreach (@ARGV) {
                                                        "-infiles newreq.pem");
            $RET=$?;
            print "Signed certificate is in newcert.pem\n";
+       } elsif (/^(-signCA)$/) {
+           system ("$CA -policy policy_anything -out newcert.pem " .
+                                       "-extensions v3_ca -infiles newreq.pem");
+           $RET=$?;
+           print "Signed CA certificate is in newcert.pem\n";
        } elsif (/^-signcert$/) {
            system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
                                                                "-out tmp.pem");
@@ -137,7 +153,7 @@ foreach (@ARGV) {
            }
        } else {
            print STDERR "Unknown arg $_\n";
-           print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+           print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
            exit 1;
        }
 }