From 6a0c5aa76416ec002bd6f1d30ebd9f2ec3e7da04 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 4 May 2004 20:55:21 +0000
Subject: Implement generating CA certificate.

Yet another fix for generating certified host certificates.
---
 localmksslcerts | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
(limited to 'localmksslcerts')

diff --git a/localmksslcerts b/localmksslcerts
index 489b463..40de3d4 100755
--- a/localmksslcerts
+++ b/localmksslcerts
@@ -3,7 +3,7 @@
 # /usr/local/sbin/localmksslcerts
 # Copyright 2001-2004 Jonas Smedegaard
 #
-# $Id: localmksslcerts,v 1.10 2004-05-04 20:30:31 jonas Exp $
+# $Id: localmksslcerts,v 1.11 2004-05-04 20:55:21 jonas Exp $
 #
 # Generate certificates for mail (and other) servers
 # Based on uw-imapd-ssl post-install script
@@ -33,6 +33,7 @@ Options:
 --issuer Email address of the person responsible for the certificate
 --cert Use certified host certificate
 --cacert CAcert used for creating missing host certificate
+ --makeca Create CA certificate if missing
 -f, --force Force overwriting existing certificate(s)
 -h, --help This help text
 
@@ -56,6 +57,7 @@ daemons=''
 issuer=''
 cert=''
 cacert=''
+makeca=''
 force=''
 args=''
 while [ $# -gt 0 ]; do
@@ -71,6 +73,7 @@ while [ $# -gt 0 ]; do
 --issuer) issuer="$2"; doubleshift=1;;
 --cert) cert=1;;
 --cacert) cacert="$2"; doubleshift=1;;
+ --makeca) makeca=1;;
 --force|-f) force=1;;
 -*) usage;;
 *) args="$args$1 ";;
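Review bot: The new `--makeca` usage line does not tell the operator that the flag is only consulted when `--cert` is given and the CA named by `--cacert` is absent, so on its own it silently does nothing; suggest `--makeca Create CA certificate named by --cacert if missing (requires --cert)`. The option arm `--makeca) makeca=1;;` in the hunk at line 73 likewise accepts the flag without `--cert`, so a check after option parsing such as `if [ -n "$makeca" ] && [ -z "$cert" ]; then usage; fi` would surface the mistake instead of letting the run continue. That the flag is scoped to `--cert` is inferred from the `if [ -n "$cert" ]` context shown for the later hunk at line 123, not from anything visible here.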
@@ -120,9 +123,26 @@ if [ -n "$cert" ]; then
 exit 1
 fi
 if [ ! -r /etc/ssl/certs/$cacert.pem -o ! -r /etc/ssl/private/$cacert.pem ]; then
-#FIXME: Generate CAcert if --mkcacert is provided
- echo "ERROR: CAcert (certifying authority certificate) missing!"
- exit 1
+ if [ -n "$makeca" ]; then
+ # Generate private key for CA certificate
+ cd /etc/ssl/private
+#FIXME: Make strength configurable
+ openssl genrsa -des3 -out $cacert.pem 1024
+ chown root:root $cacert.pem
+ chmod 0400 $cacert.pem
+ # Generate and pre-filled certification request
+ cd /etc/ssl/certs
+#FIXME: Make validity configurable
+ openssl req -new \
+ -key /etc/ssl/private/$cacert.pem \
+ -x509 -days 1095 \
+ -out $cacert.pem
+ # Add hash to certified public certificate and cleanup
+ ln -sf $cacert.pem `openssl x509 -noout -hash -in $cacert.pem`.0
+ else
+ echo "ERROR: CAcert (certifying authority certificate) missing!"
+ exit 1
+ fi
 fi
 echo "Generating host certificate for \"$fqdn\"..."
 for file in /etc/ssl/private/$fqdn.pem /etc/ssl/certs/$fqdn.csr /etc/ssl/certs/$fqdn.pem; do
@@ -135,7 +155,7 @@ if [ -n "$cert" ]; then
 fi
 fi
 done
-# Generate ptivate key for host certificate
+# Generate private key for host certificate
 cd /etc/ssl/private
 openssl genrsa -out $fqdn.pem
 chown root:root $fqdn.pem
@@ -160,7 +180,7 @@ $issuer
 -days $DAYS2EXPIRE \
 -CA /etc/ssl/certs/$cacert.pem \
 -CAkey /etc/ssl/private/$cacert.pem \
- -CAcreateserial -out $fqsn.pem -in $fqdn.csr
+ -CAcreateserial -out $fqdn.pem -in $fqdn.csr
 # Add hash to certified public certificate and cleanup
 ln -sf $fqdn.pem `openssl x509 -noout -hash -in $fqdn.pem`.0
 rm $fqdn.csr
--
cgit v1.2.3
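Review bot: The new `--makeca` branch in the hunk at line 123 never checks that `cd /etc/ssl/private` or `openssl genrsa` succeeded, so a failed cd writes the CA key into whatever the current directory happens to be, and a failed or interrupted genrsa still runs chown/chmod and `openssl req`, after which the empty output of `openssl x509 -hash` makes the final `ln -sf` create a stray `.0` symlink in /etc/ssl/certs. The key file is also created under the caller's umask and only restricted by the later `chmod 0400`, leaving a window in which the CA key is readable; running genrsa inside `(umask 077 && …)` closes that without affecting the public certificate written afterwards. Because the outer test fires when either half of the CA pair is missing, the branch also regenerates both files when only the key (or only the certificate) is gone, without consulting `--force`, which silently replaces the trust anchor that existing host certificates were signed against. The enclosing `if [ -n "$cert" ]` block starts before this hunk.
```shell
	if [ -n "$makeca" ]; then
		if [ -r /etc/ssl/certs/$cacert.pem -o -r /etc/ssl/private/$cacert.pem ] && [ -z "$force" ]; then
			echo "ERROR: CAcert is only partially present; use --force to regenerate it" >&2
			exit 1
		fi
		# Generate private key for CA certificate; umask is set in a subshell so
		# the public certificate written below keeps its normal permissions
		cd /etc/ssl/private || exit 1
#FIXME: Make strength configurable
		(umask 077 && openssl genrsa -des3 -out "$cacert.pem" 1024) || exit 1
		chown root:root "$cacert.pem"
		chmod 0400 "$cacert.pem"
		# Generate and pre-filled certification request
		cd /etc/ssl/certs || exit 1
#FIXME: Make validity configurable
		openssl req -new \
			-key "/etc/ssl/private/$cacert.pem" \
			-x509 -days 1095 \
			-out "$cacert.pem" || exit 1
		# … unchanged: hash symlink, else branch …
```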