Improvements to the CA admin scripts.

ssl/backup-ca.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Script to backup the files for a certificate authority
+# Usage: backup-ca.sh ca_name destination
+
+CA_NAME=${1:-"_"}
+BACKUP_DIR=${2:-"_"}
+BACKUP_FILE="$BACKUP_DIR/$CA_NAME-ca-backup-`date +%s`.tar.gz"
+CA_PATH="/etc/pki/CA"
+
+function usage {
+  echo "Usage: `basename $0` ca_name destination"
+}
+
+function error {
+  echo "Error: $@"
+  usage
+  echo
+  exit 1
+}
+
+# Check that the CA is specified
+if [ "$CA_NAME" == "_" ]; then
+  error "The CA name must be specified."
+fi
+
+# Check that the current user has permission to read the CA directory
+if [ ! -r "$CA_PATH" ]; then
+  error "The CA directory ($CA_PATH) is not accessible by user `whoami`"
+fi
+
+# Check that the backup directory is specified
+if [ $BACKUP_DIR == "_" ]; then
+  error "The destination directory for the backup file must be specified."
+elif [ ! -w $BACKUP_DIR ]; then
+  error "The destination directory ($BACKUP_DIR) is not writable."
+fi
+
+# Check that the CA specified actually exists
+if [ ! -r "$CA_PATH/$CA_NAME.crt" ]; then
+  error "The CA specified ($CA_NAME.crt) was not found."
+fi
+
+# Archive the bits
+tar -zcf "$BACKUP_FILE" -C "$CA_PATH" "$CA_NAME.crt" "$CA_NAME.ser" "private/$CA_NAME.key"
+
+echo "Backup file created: $BACKUP_FILE"
+echo

ssl/create-ca.sh

@@ -5,7 +5,7 @@
 CA_NAME="${!#}"
 CA_PRIVATE="/etc/pki/CA/private"
 CA_PUBLIC="/etc/pki/CA"
-CA_SERIAL="/etc/pki/CA/$CA_NAME.ser"
+CA_SERIAL_FILE="/etc/pki/CA/$CA_NAME.ser"
 CA_NEXTVAL=0
 
 function help {
@@ -34,6 +34,11 @@ while getopts ":h" FLAG; do
   esac
 done
 
+# Check that the CA name is provided
+if [ $# == 0 ]; then
+  error "The CA name must be provided."
+fi
+
 # Check that the current user has permission to the certificates
 if [ ! -r "$CA_PRIVATE" ]; then
   error "The CA directory ($CA_PRIVATE) is not accessible by user `whoami`"
@@ -49,15 +54,14 @@ if [ -f "$CA_PUBLIC/$CA_NAME.crt" ]; then
   error "The CA certificate file ($CA_PUBLIC/$CA_NAME.crt) exists."
 fi
 
-# Check that a CA serial number file does not already exist
-if [ -e "$CA_SERIAL" ]; then
-  error "The CA serial number file ($CA_SERIAL) exists." 
-fi
-
-
-# Create a CA serial number file
-date > "$CA_SERIAL"
-CA_NEXTVAL=`wc -l < "$CA_SERIAL"`
+# Create a CA serial number file if it does not exist and get the next serial number
+if [ ! -e "$CA_SERIAL_FILE" ]; then
+  touch "$CA_SERIAL_FILE"
+fi  
+chmod 600 "$CA_SERIAL_FILE"
+echo -e "`date`\t$CA_NAME certificate authority" >> "$CA_SERIAL_FILE"
+chmod 400 "$CA_SERIAL_FILE"
+CA_NEXTVAL=`wc -l < "$CA_SERIAL_FILE"`
 
 # Create the CA private key
 echo

ssl/create-server-cert.sh

@@ -43,8 +43,8 @@ elif [ ! -r "$CA_CERT_FILE" ]; then
 fi
 
 # Validate the CA serial number file
-if [ ! -r "$CA_SERIAL_FILE" -o ! -w "$CA_SERIAL_FILE" ]; then
-  error "The CA serial number file ($CA_SERIAL_FILE) exists, but cannot be read and written."         
+if [ ! -e "$CA_SERIAL_FILE" ]; then
+  error "The CA serial number file ($CA_SERIAL_FILE) does not exist."         
 fi
 
 # Verify the server key file
@@ -72,7 +72,9 @@ if [ "$KEY_REQD" == "yes" ]; then
 fi
 
 # Get next serial number
-date >> "$CA_SERIAL_FILE"
+chmod 600 "$CA_SERIAL_FILE"
+echo -e "`date`\t$CERT_CERT_FILE" >> "$CA_SERIAL_FILE"
+chmod 400 "$CA_SERIAL_FILE"
 CA_SERIAL_NEXTVAL=`wc -l < "$CA_SERIAL_FILE"`
 
 # Create the CSR and certificate