# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
-DAYS="-days 365"
-REQ="openssl req $SSLEAY_CONFIG"
-CA="openssl ca $SSLEAY_CONFIG"
-VERIFY="openssl verify"
-X509="openssl x509"
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
+DAYS="-days 365" # 1 year
+CADAYS="-days 1095" # 3 years
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
CATOP=./demoCA
CAKEY=./cakey.pem
+CAREQ=./careq.pem
CACERT=./cacert.pem
for i
;;
-newcert)
# create a certificate
- $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
+ $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
RET=$?
- echo "Certificate (and private key) is in newreq.pem"
+ echo "Certificate is in newcert.pem, private key is in newkey.pem"
;;
-newreq)
# create a certificate request
- $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
+ $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
RET=$?
- echo "Request (and private key) is in newreq.pem"
+ echo "Request is in newreq.pem, private key is in newkey.pem"
;;
-newca)
# if explicitly asked for or it doesn't exist then setup the directory
mkdir ${CATOP}/crl
mkdir ${CATOP}/newcerts
mkdir ${CATOP}/private
- echo "01" > ${CATOP}/serial
+ echo "00" > ${CATOP}/serial
touch ${CATOP}/index.txt
fi
if [ ! -f ${CATOP}/private/$CAKEY ]; then
RET=$?
else
echo "Making CA certificate ..."
- $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \
- -out ${CATOP}/$CACERT $DAYS
+ $REQ -new -keyout ${CATOP}/private/$CAKEY \
+ -out ${CATOP}/$CAREQ
+ $CA -out ${CATOP}/$CACERT $CADAYS -batch \
+ -keyfile ${CATOP}/private/$CAKEY -selfsign \
+ -infiles ${CATOP}/$CAREQ
RET=$?
fi
fi