Improvements to the CA admin scripts.

commit 3010700f6d788d39f95ada71f92c271fd3bb098f 1 parent f3c99ad
@jlamoree authored
Showing with 67 additions and 13 deletions.
  1. +48 −0 ssl/backup-ca.sh
  2. +14 −10 ssl/create-ca.sh
  3. +5 −3 ssl/create-server-cert.sh
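--- a/ssl/backup-ca.sh
+++ b/ssl/backup-ca.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Script to backup the files for a certificate authority
+# Usage: backup-ca.sh ca_name destination
+
+CA_NAME=${1:-"_"}
+BACKUP_DIR=${2:-"_"}
+BACKUP_FILE="$BACKUP_DIR/$CA_NAME-ca-backup-`date +%s`.tar.gz"
+CA_PATH="/etc/pki/CA"
+
+function usage {
+ echo "Usage: `basename $0` ca_name destination"
+}
+
+function error {
+ echo "Error: $@"
+ usage
+ echo
+ exit 1
+}
+
+# Check that the CA is specified
+if [ "$CA_NAME" == "_" ]; then
+ error "The CA name must be specified."
+fi
+
+# Check that the current user has permission to read the CA directory
+if [ ! -r "$CA_PATH" ]; then
+ error "The CA directory ($CA_PATH) is not accessible by user `whoami`"
+fi
+
+# Check that the backup directory is specified
+if [ $BACKUP_DIR == "_" ]; then
+ error "The destination directory for the backup file must be specified."
+elif [ ! -w $BACKUP_DIR ]; then
+ error "The destination directory ($BACKUP_DIR) is not writable."
+fi
+
+# Check that the CA specified actually exists
+if [ ! -r "$CA_PATH/$CA_NAME.crt" ]; then
+ error "The CA specified ($CA_NAME.crt) was not found."
+fi
+
+# Archive the bits
+tar -zcf "$BACKUP_FILE" -C "$CA_PATH" "$CA_NAME.crt" "$CA_NAME.ser" "private/$CA_NAME.key"
+
+echo "Backup file created: $BACKUP_FILE"
+echo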
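Review bot: The tar exit status on the "Archive the bits" line is never checked, so a failed or partial archive is still followed by the "Backup file created" message, and the tarball that contains `private/$CA_NAME.key` is created with the caller's default umask in a directory the script only tests for writability. I would put `umask 077` on the line before the tar call and append `|| error "Failed to create the backup archive ($BACKUP_FILE)."` to it, so the private key copy is owner-readable only and a failure stops the script. Separately, `$BACKUP_DIR` is unquoted in both tests of the destination-directory block and `$0` is unquoted in usage, which breaks on paths containing spaces, and `function` and `==` inside `[` are bash constructs under a `#!/bin/sh` shebang.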
24 ssl/create-ca.sh
@@ -5,7 +5,7 @@
CA_NAME="${!#}"
CA_PRIVATE="/etc/pki/CA/private"
CA_PUBLIC="/etc/pki/CA"
-CA_SERIAL="/etc/pki/CA/$CA_NAME.ser"
+CA_SERIAL_FILE="/etc/pki/CA/$CA_NAME.ser"
CA_NEXTVAL=0
function help {
@@ -34,6 +34,11 @@ while getopts ":h" FLAG; do
esac
done
+# Check that the CA name is provided
+if [ $# == 0 ]; then
+ error "The CA name must be provided."
+fi
+
# Check that the current user has permission to the certificates
if [ ! -r "$CA_PRIVATE" ]; then
error "The CA directory ($CA_PRIVATE) is not accessible by user `whoami`"
@@ -49,15 +54,14 @@ if [ -f "$CA_PUBLIC/$CA_NAME.crt" ]; then
error "The CA certificate file ($CA_PUBLIC/$CA_NAME.crt) exists."
fi
-# Check that a CA serial number file does not already exist
-if [ -e "$CA_SERIAL" ]; then
- error "The CA serial number file ($CA_SERIAL) exists."
-fi
-
-
-# Create a CA serial number file
-date > "$CA_SERIAL"
-CA_NEXTVAL=`wc -l < "$CA_SERIAL"`
+# Create a CA serial number file if it does not exist and get the next serial number
+if [ ! -e "$CA_SERIAL_FILE" ]; then
+ touch "$CA_SERIAL_FILE"
+fi
+chmod 600 "$CA_SERIAL_FILE"
+echo -e "`date`\t$CA_NAME certificate authority" >> "$CA_SERIAL_FILE"
+chmod 400 "$CA_SERIAL_FILE"
+CA_NEXTVAL=`wc -l < "$CA_SERIAL_FILE"`
# Create the CA private key
echo
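Review bot: The append on the `echo -e` line and the two chmod calls around it are unchecked, so if the append fails (for example because the file is owned by another user and the `chmod 600` is refused) the script carries on and `wc -l` yields a serial that was already issued, or an empty value; the same unchecked sequence is duplicated in create-server-cert.sh in the "Get next serial number" hunk. I would append `|| error "Cannot update the CA serial number file ($CA_SERIAL_FILE)."` to the echo line in both scripts. The `touch` also creates the file under the default umask before the chmod tightens it; writing it as `( umask 077; touch "$CA_SERIAL_FILE" )` avoids that window. The script body continues before and after this hunk.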
8 ssl/create-server-cert.sh
@@ -43,8 +43,8 @@ elif [ ! -r "$CA_CERT_FILE" ]; then
fi
# Validate the CA serial number file
-if [ ! -r "$CA_SERIAL_FILE" -o ! -w "$CA_SERIAL_FILE" ]; then
- error "The CA serial number file ($CA_SERIAL_FILE) exists, but cannot be read and written."
+if [ ! -e "$CA_SERIAL_FILE" ]; then
+ error "The CA serial number file ($CA_SERIAL_FILE) does not exist."
fi
# Verify the server key file
@@ -72,7 +72,9 @@ if [ "$KEY_REQD" == "yes" ]; then
fi
# Get next serial number
-date >> "$CA_SERIAL_FILE"
+chmod 600 "$CA_SERIAL_FILE"
+echo -e "`date`\t$CERT_CERT_FILE" >> "$CA_SERIAL_FILE"
+chmod 400 "$CA_SERIAL_FILE"
CA_SERIAL_NEXTVAL=`wc -l < "$CA_SERIAL_FILE"`
# Create the CSR and certificate
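Review bot: The replacement test in the "Validate the CA serial number file" hunk only checks existence and drops the readability check, yet `wc -l < "$CA_SERIAL_FILE"` later in the file needs the file readable; since the file is now left at mode 400 after each run, a different user passes validation and then gets an empty CA_SERIAL_NEXTVAL from the failed redirect. I would keep a read check before the closing `fi`: `elif [ ! -r "$CA_SERIAL_FILE" ]; then` / `error "The CA serial number file ($CA_SERIAL_FILE) cannot be read."`. The unchecked append and chmod pair in the second hunk is the same point raised on create-ca.sh. The surrounding if/elif chains in both hunks begin outside the hunk.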