email cert generation working mostly very well with these changes

akhepcat · Feb 20, 2015 · b3d90e8 · b3d90e8
1 parent 0adbe57
commit b3d90e8
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 32 deletions.
diff --git a/bin/CA-gen.sh b/bin/CA-gen.sh
@@ -30,7 +30,7 @@ do_error() {
 MYDIR=$(dirname $0)
 TS=$(date +"%Y%m%d")
 
-if [ ! -r ${MYDIR}/../conf.d/ca.conf ]
+if [ ! -s ${MYDIR}/../conf.d/ca.conf ]
 then
         do_error "You must create a configuration file in ${MYDIR}/../conf.d/ca.conf"
 fi
@@ -45,18 +45,18 @@ fi
 
 
 ###  Make sure the required indexes are there...
-if [ ! -r ${BASE}/db/serial -o ! -s ${BASE}/db/serial ]
+if [ ! -s ${BASE}/db/serial -o ! -s ${BASE}/db/serial ]
 then
    SERIAL="${TS}000000"
    echo ${SERIAL} > ${BASE}/db/serial
 fi
 
-if [ ! -r ${BASE}/db/certindex.txt ]
+if [ ! -s ${BASE}/db/certindex.txt ]
 then
 	touch  ${BASE}/db/certindex.txt
 fi
 
-if [ ! -r ${BASE}/db/index.txt ]
+if [ ! -s ${BASE}/db/index.txt ]
 then
 	touch  ${BASE}/db/index.txt
 fi
@@ -66,7 +66,7 @@ fi
 #######  ROOT certificate
 
 
-if [ ! -r ${PRIV}/${DOMAIN}-CAcert-key.pem -o ! -r ${CERTS}/${DOMAIN}-CAcert.pem ];
+if [ ! -s ${PRIV}/${DOMAIN}-CAcert-key.pem -o ! -s ${CERTS}/${DOMAIN}-CAcert.pem ];
 then
 echo "Creating root certificate"
         echo "-----"
@@ -77,10 +77,10 @@ echo "Creating root certificate"
         echo "ORG='${ORG}', OU='Root Certificate Authority', CN=${DOMAIN}, email=${CONTACT}"
         echo ""
         # Check for the private key
-        test -r ${PRIV}/${DOMAIN}-CAcert-key.pem || openssl genrsa -aes256 -out ${PRIV}/${DOMAIN}-CAcert-key.pem 4096
+        test -s ${PRIV}/${DOMAIN}-CAcert-key.pem || openssl genrsa -aes256 -out ${PRIV}/${DOMAIN}-CAcert-key.pem 4096
         test $? -eq 0 || do_error "Couldn't generate the ${DOMAIN}-CAcert-key.pem private certificate"
         # Check for the certificate
-        test -r ${CERTS}/${DOMAIN}-CAcert.pem || ${DBG} openssl req -config ${CACFG} -new ${DIGEST} -x509 -days 3650 -key ${PRIV}/${DOMAIN}-CAcert-key.pem -extensions v3_ca -out ${CERTS}/${DOMAIN}-CAcert.pem
+        test -s ${CERTS}/${DOMAIN}-CAcert.pem || ${DBG} openssl req -config ${CACFG} -new ${DIGEST} -x509 -days 3650 -key ${PRIV}/${DOMAIN}-CAcert-key.pem -extensions v3_ca -out ${CERTS}/${DOMAIN}-CAcert.pem
         test $? -eq 0 || do_error "Couldn't generate the ${DOMAIN}-CAcert.pem public certificate"
 
 ${DBG}	openssl x509 -in ${CERTS}/${DOMAIN}-CAcert.pem -text -noout
@@ -94,7 +94,7 @@ echo ""
 
 ######## SIGNING certificate
 
-if [ ! -r ${PRIV}/${DOMAIN}-SIGNcert-key.pem -o ! -r ${CERTS}/${DOMAIN}-SIGNcert.pem ];
+if [ ! -s ${PRIV}/${DOMAIN}-SIGNcert-key.pem -o ! -s ${CERTS}/${DOMAIN}-SIGNcert.pem ];
 then
 echo "Creating Intermediate Signing certificate"
         echo "-----"
@@ -106,13 +106,13 @@ echo "Creating Intermediate Signing certificate"
         echo ""
 
 # Create the intermediate private key 
-        test -r ${PRIV}/${DOMAIN}-SIGNcert-key.pem || ${DBG} openssl genrsa -aes256 -out ${PRIV}/${DOMAIN}-SIGNcert-key.pem 4096
+        test -s ${PRIV}/${DOMAIN}-SIGNcert-key.pem || ${DBG} openssl genrsa -aes256 -out ${PRIV}/${DOMAIN}-SIGNcert-key.pem 4096
         test $? -eq 0 || do_error "Couldn't generate the ${DOMAIN}-SIGNcert-key.pem private certificate"
 # Create the intermediate SIGNING request
-        test -r ${CSRS}/${DOMAIN}-SIGNcert.csr || ${DBG} openssl req -config ${SIGNCFG} -key ${PRIV}/${DOMAIN}-SIGNcert-key.pem -new ${DIGEST} -out ${CSRS}/${DOMAIN}-SIGNcert.csr
+        test -s ${CSRS}/${DOMAIN}-SIGNcert.csr || ${DBG} openssl req -config ${SIGNCFG} -key ${PRIV}/${DOMAIN}-SIGNcert-key.pem -new ${DIGEST} -out ${CSRS}/${DOMAIN}-SIGNcert.csr
         test $? -eq 0 || do_error "Couldn't generate the ${DOMAIN}-SIGNcert.pem certificate request"
 # Create the signed SIGNING certificate
-        test -r ${CERTS}/${DOMAIN}-SIGNcert.pem || ${DBG} openssl ca -config ${SIGNCFG} -extensions v3_ca -notext -in ${CSRS}/${DOMAIN}-SIGNcert.csr -out ${CERTS}/${DOMAIN}-SIGNcert.pem 
+        test -s ${CERTS}/${DOMAIN}-SIGNcert.pem || ${DBG} openssl ca -config ${SIGNCFG} -extensions v3_ca -notext -in ${CSRS}/${DOMAIN}-SIGNcert.csr -out ${CERTS}/${DOMAIN}-SIGNcert.pem 
         test $? -eq 0 || do_error "Couldn't generate the ${DOMAIN}-SIGNcert.pem certificate"
 
 ${DBG}	openssl x509 -in ${CERTS}/${DOMAIN}-SIGNcert.pem -text -noout
@@ -133,25 +133,23 @@ for SERVER in ${HOSTS} ${CUSTOM_HOSTS}
         echo ""
         echo "<--- Certificate for ${SERVER} --->"
         echo ""
-        if [ -r ${CBASE}/${SERVER}.cnf ]
+        if [ -s ${CBASE}/${SERVER}.cnf ]
         then
                 CONF=${CBASE}/${SERVER}.cnf
         else
                 CONF=${SIGNCFG}
         fi
 
 # Create the intermediate private key 
-        test -r ${PRIV}/${SERVER}-key.pem || ${DBG} openssl genrsa -aes256 -out ${PRIV}/${SERVER}-key.pem 4096
+        test -s ${PRIV}/${SERVER}-key.pem || ${DBG} openssl genrsa -aes256 -out ${PRIV}/${SERVER}-key.pem 4096
         test $? -eq 0 || do_error "Couldn't generate the ${SERVER}-key.pem private certificate"
 
 # Create the intermediate SIGNING request
-        test -r ${CSRS}/${SERVER}.csr || ${DBG} openssl req -config ${CONF} -key ${PRIV}/${SERVER}-key.pem -new ${DIGEST} -out ${CSRS}/${SERVER}.csr
-#        test -r ${CSRS}/${SERVER}.csr || ${DBG} openssl req -config ${CONF} -new -nodes -keyout ${PRIV}/${SERVER}-key.pem -out ${CSRS}/${SERVER}.csr
+        test -s ${CSRS}/${SERVER}.csr || ${DBG} openssl req -config ${CONF} -key ${PRIV}/${SERVER}-key.pem -new ${DIGEST} -out ${CSRS}/${SERVER}.csr
         test $? -eq 0 || do_error "Couldn't generate the ${SERVER}-key.pem private certificate"
 
 # Create the signed SIGNING certificate
-        test -r ${CERTS}/${SERVER}.crt || ${DBG} openssl ca -config ${CONF} -notext -in ${CSRS}/${SERVER}.csr -out ${CERTS}/${SERVER}.crt 
-#        test -r ${CERTS}/${SERVER}.crt || ${DBG} openssl ca -config ${CONF} -md ${DIGEST} -out ${CERTS}/${SERVER}.crt -days 3650 -infiles ${CSRS}/${SERVER}.csr
+        test -s ${CERTS}/${SERVER}.crt || ${DBG} openssl ca -config ${CONF} -notext -in ${CSRS}/${SERVER}.csr -out ${CERTS}/${SERVER}.crt 
         test $? -eq 0 || do_error "Couldn't generate the ${SERVER}.pem public certificate"
 
 ${DBG}	openssl x509 -in ${CERTS}/${SERVER}.crt -text -noout
@@ -163,37 +161,47 @@ done
 
 for EMAIL in ${EMAIL_CERTS}
   do
-    if [ ! -r ${CERTS}/${EMAIL}.crt ];
+    if [ ! -s ${CERTS}/${EMAIL}.p12 ];
     then
         echo "-----"
         echo ""
         echo "<--- Certificate for ${EMAIL} --->"
         echo ""
-        if [ -r ${CBASE}/${EMAIL}.cnf ]
+        if [ -s ${CBASE}/${EMAIL}.cnf ]
         then
                 CONF=${CBASE}/${EMAIL}.cnf
         else
                 CONF=${CBASE}/emails.cnf
         fi
+	DAYS="$(grep -i default_days ${CONF} | cut -f 2 -d= | awk '{print $1}')"
+	DAYS="${DAYS:-365}"	# default to 365 if not set.
+	DAYS="-days ${DAYS}"
 
 # Create the intermediate private key 
-        test -r ${PRIV}/${EMAIL}-key.pem || ${DBG} openssl genrsa -des3 -out ${PRIV}/${EMAIL}-key.pem 4096
+        test -s ${PRIV}/${EMAIL}-key.pem || ${DBG} openssl genrsa -des3 -out ${PRIV}/${EMAIL}-key.pem 4096
         test $? -eq 0 || do_error "Couldn't generate the ${EMAIL}-key.pem private certificate"
 
 # Create the intermediate SIGNING request
-        test -r ${CSRS}/${EMAIL}.csr || ${DBG} openssl req -config ${CONF} -key ${PRIV}/${EMAIL}-key.pem -new ${DIGEST} -out ${CSRS}/${EMAIL}.csr
+        test -s ${CSRS}/${EMAIL}.csr || ${DBG} openssl req -config ${CONF} -key ${PRIV}/${EMAIL}-key.pem -new ${DIGEST} -out ${CSRS}/${EMAIL}.csr
         test $? -eq 0 || do_error "Couldn't generate the ${EMAIL}-key.pem private certificate"
 
 # Create the signed SIGNING certificate
-        test -r ${CERTS}/${EMAIL}.crt || ${DBG} \
-        	openssl x509 -req -in ${CSRS}/${EMAIL}.csr -out ${CERTS}/${EMAIL}.crt \
+        if [ ! -s ${CERTS}/${EMAIL}.crt ];
+        then
+        	export OPENSSL_CONF=${CONF}
+        	${DBG} openssl x509 -req -in ${CSRS}/${EMAIL}.csr -out ${CERTS}/${EMAIL}.crt ${DAYS} \
         	   -CA ${CERTS}/${DOMAIN}-SIGNcert.pem -CAkey ${PRIV}/${DOMAIN}-SIGNcert-key.pem -CAserial ${BASE}/db/serial \
-        	   -setalias "${DOMAIN} S/MIME Certificate" -addtrust emailProtection -addreject serverAuth -trustout
-        test $? -eq 0 || do_error "Couldn't generate the ${EMAIL}.pem public certificate"
+        	   -setalias "${EMAIL} S/MIME Certificate" -addtrust emailProtection -addreject serverAuth -trustout
+	        test $? -eq 0 || do_error "Couldn't generate the ${EMAIL}.pem public certificate"
+	fi
 
 # Export the certificate in SMIME format
-	test -r ${CERTS}/${EMAIL}.p12 || ${DBG} openssl pkcs12 -export -in ${CERTS}/${EMAIL}.crt -inkey ${PRIV}/${EMAIL}-key.pem -out ${CERTS}/${EMAIL}.p12
-	test $? -eq 0 || do_error "Couldn't generate the ${EMAIL}.pem PKCS12 certificate"
+        if [ ! -s ${CERTS}/${EMAIL}.p12 ];
+        then
+        	export OPENSSL_CONF=${CONF}
+		${DBG} openssl pkcs12 -export -in ${CERTS}/${EMAIL}.crt -name "${EMAIL} S/MIME Certificate" -inkey ${PRIV}/${EMAIL}-key.pem -out ${CERTS}/${EMAIL}.p12
+		test $? -eq 0 || do_error "Couldn't generate the ${EMAIL}.pem PKCS12 certificate"
+	fi
 
 ${DBG}	openssl x509 -in ${CERTS}/${EMAIL}.crt -text -noout
         test $? -eq 0 || exit

diff --git a/bin/revoke-key b/bin/revoke-key
@@ -54,8 +54,8 @@ ${DBG}  openssl ca -config ${SIGNCFG} -revoke ${CERTS}/${RFILE}
 ${DBG}  test -r "${CRLS}/${CRLFILE}" || ${DBG} openssl ca -config ${SIGNCFG} -gencrl -out ${CRLS}/${CRLFILE}
 ${DBG}  test -r "${CRLS}/${CRLFILE}" -a -d "${CRLDIST}" && ${DBG} openssl crl -in ${CRLS}/${CRLFILE} -outform DER -out ${CRLDIST}/${CRLFILE}
 
-${DBG} mv -f ${CERTS}/${SN}.pem ${REVK}/
-${DBG} mv -f ${CERTS}/${RFILE} ${REVK}/${SN}-${RFILE}
-${DBG} mv -f ${CSRS}/${RFILE%.*}.csr ${REVK}/${SN}-${RFILE%.*}.csr
-${DBG} mv -f ${PRIV}/${RFILE%.*}-key.pem ${REVK}/${SN}-${RFILE%.*}-key.pem
-
+${DBG}	test -r ${CERTS}/${SN}.pem	    && mv -f ${CERTS}/${SN}.pem ${REVK}/
+${DBG}	test -r ${CERTS}/${RFILE}	    && mv -f ${CERTS}/${RFILE} ${REVK}/${SN}-${RFILE}
+${DBG}	test -r ${CERTS}/${RFILE%.*}.p12    && mv -f ${CERTS}/${RFILE%.*}.p12 ${REVK}/${SN}-${RFILE%.*}.p12
+${DBG}	test -r ${CSRS}/${RFILE%.*}.csr	    && mv -f ${CSRS}/${RFILE%.*}.csr ${REVK}/${SN}-${RFILE%.*}.csr
+${DBG}	test -r ${PRIV}/${RFILE%.*}-key.pem && mv -f ${PRIV}/${RFILE%.*}-key.pem ${REVK}/${SN}-${RFILE%.*}-key.pem
diff --git a/conf.d/README.txt b/conf.d/README.txt
@@ -3,3 +3,5 @@ All certificate configurations are stored here.
 Generic hosts are built off of the main 'CA' conf file
 
 Custom hosts have their own conf file
+
+Custom email certs can have their own conf file as well, based off of emails.cnf
diff --git a/conf.d/emails.cnf b/conf.d/emails.cnf
@@ -51,6 +51,9 @@ encrypt_key		= no
 string_mask		= utf8only
 
 [ req_distinguished_name ]
+; uncomment these two lines in custom email certs to embed your PGP fingerprint
+; organizationalUnitName  = "PGP Fingerprint"
+; organizationalUnitName_default = "PGP Fingerprint 0123456789abcdefghijklmnopqrstuvwxyz"
 commonName		= "User Full Name"
 commonName_default	= "John M Doe"
 emailAddress		= "User Email Addres"