More readable variable names

This commit is contained in:
Jérémy Lecour 2020-05-04 18:16:07 +02:00 committed by Jérémy Lecour
parent 420fcddb90
commit b03e77d307
2 changed files with 139 additions and 136 deletions


@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed ### Changed
* Rename internal function usage() to show_usage() * Rename internal function usage() to show_usage()
* More readable variable names
### Deprecated ### Deprecated

shellpki

@ -31,9 +31,9 @@ END
init() { init() {
umask 0177 umask 0177
[ -d "${CADIR}" ] || mkdir -m 0750 "${CADIR}" [ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}"
[ -d "${CRTDIR}" ] || mkdir -m 0750 "${CRTDIR}" [ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}"
[ -f "${INDEX}" ] || touch "${INDEX}" [ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}"
[ -f "${CRL}" ] || touch "${CRL}" [ -f "${CRL}" ] || touch "${CRL}"
[ -f "${SERIAL}" ] || echo "01" > "${SERIAL}" [ -f "${SERIAL}" ] || echo "01" > "${SERIAL}"
@ -43,48 +43,48 @@ init() {
exit 1 exit 1
fi fi
if [ -f "${CAKEY}" ]; then if [ -f "${CA_KEY}" ]; then
printf "%s already exists, do you really want to erase it ? [y/N] " "${CAKEY}" printf "%s already exists, do you really want to erase it ? [y/N] " "${CA_KEY}"
read -r REPLY read -r REPLY
resp=$(echo "${REPLY}" | tr 'Y' 'y') resp=$(echo "${REPLY}" | tr 'Y' 'y')
if [ "${resp}" = "y" ]; then if [ "${resp}" = "y" ]; then
rm -f "${CAKEY}" "${CACERT}" rm -f "${CA_KEY}" "${CA_CERT}"
fi fi
fi fi
if [ ! -f "${CAKEY}" ]; then if [ ! -f "${CA_KEY}" ]; then
"$OPENSSL" genrsa \ "${OPENSSL_BIN}" genrsa \
-out "${CAKEY}" \ -out "${CA_KEY}" \
-aes256 4096 \ -aes256 4096 \
>/dev/null 2>&1 >/dev/null 2>&1
fi fi
if [ -f "${CACERT}" ]; then if [ -f "${CA_CERT}" ]; then
printf "%s already exists, do you really want to erase it ? [y/N] " "${CACERT}" printf "%s already exists, do you really want to erase it ? [y/N] " "${CA_CERT}"
read -r REPLY read -r REPLY
resp=$(echo "${REPLY}" | tr 'Y' 'y') resp=$(echo "${REPLY}" | tr 'Y' 'y')
if [ "${resp}" = "y" ]; then if [ "${resp}" = "y" ]; then
rm "${CACERT}" rm "${CA_CERT}"
fi fi
fi fi
if [ ! -f "${CACERT}" ]; then if [ ! -f "${CA_CERT}" ]; then
ask_ca_password 0 ask_ca_password 0
fi fi
if [ ! -f "${CACERT}" ]; then if [ ! -f "${CA_CERT}" ]; then
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" req \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" req \
-new \ -new \
-batch \ -batch \
-sha512 \ -sha512 \
-x509 \ -x509 \
-days 3650 \ -days 3650 \
-extensions v3_ca \ -extensions v3_ca \
-key "${CAKEY}" \ -key "${CA_KEY}" \
-out "${CACERT}" \ -out "${CA_CERT}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONFFILE}") $(cat "${CONF_FILE}")
commonName_default = ${cn} commonName_default = ${cn}
EOF EOF
fi fi
@ -102,45 +102,45 @@ ocsp() {
url=$(echo "${ocsp_uri}" | cut -d':' -f1) url=$(echo "${ocsp_uri}" | cut -d':' -f1)
port=$(echo "${ocsp_uri}" | cut -d':' -f2) port=$(echo "${ocsp_uri}" | cut -d':' -f2)
if [ ! -f "${OCSPKEY}" ]; then if [ ! -f "${OCSP_KEY}" ]; then
"$OPENSSL" genrsa \ "${OPENSSL_BIN}" genrsa \
-out "${OCSPKEY}" \ -out "${OCSP_KEY}" \
2048 \ ${KEY_LENGTH} \
>/dev/null 2>&1 >/dev/null 2>&1
fi fi
"$OPENSSL" req \ "${OPENSSL_BIN}" req \
-batch \ -batch \
-new \ -new \
-key "${OCSPKEY}" \ -key "${OCSP_KEY}" \
-out "${CSRDIR}/ocsp.csr" \ -out "${CSR_DIR}/ocsp.csr" \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONFFILE}") $(cat "${CONF_FILE}")
commonName_default = ${url} commonName_default = ${url}
[ usr_cert ] [ usr_cert ]
authorityInfoAccess = OCSP;URI:http://${ocsp_uri} authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
EOF EOF
if [ ! -f "${OCSPCERT}" ]; then if [ ! -f "${OCSP_CERT}" ]; then
ask_ca_password 0 ask_ca_password 0
fi fi
if [ ! -f "${OCSPCERT}" ]; then if [ ! -f "${OCSP_CERT}" ]; then
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-extensions v3_ocsp \ -extensions v3_ocsp \
-in "${CSRDIR}/ocsp.csr" \ -in "${CSR_DIR}/ocsp.csr" \
-out "${OCSPCERT}" \ -out "${OCSP_CERT}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-config "${CONFFILE}" -config "${CONF_FILE}"
fi fi
exec "${OPENSSL}" ocsp \ exec "${OPENSSL_BIN}" ocsp \
-ignore_err \ -ignore_err \
-index "${INDEX}" \ -index "${INDEX_FILE}" \
-port "${port}" \ -port "${port}" \
-rsigner "${OCSPCERT}" \ -rsigner "${OCSP_CERT}" \
-rkey "${OCSPKEY}" \ -rkey "${OCSP_KEY}" \
-CA "${CACERT}" \ -CA "${CA_CERT}" \
-text -text
} }
@ -152,7 +152,7 @@ Initialize PKI (create CA key and self-signed cert) :
${0} init <commonName_for_CA> ${0} init <commonName_for_CA>
Run OCSPD server : Run OCSP_D server :
${0} ocsp <ocsp_uri:ocsp_port> ${0} ocsp <ocsp_uri:ocsp_port>
@ -190,7 +190,7 @@ warning() {
} }
ask_ca_password() { ask_ca_password() {
[ ! -f "${CAKEY}" ] && error "You must initialize your's PKI with shellpki init !" [ ! -f "${CA_KEY}" ] && error "You must initialize your's PKI with shellpki init !"
attempt=$((${1} + 1)) attempt=$((${1} + 1))
if [ "${attempt}" -gt 1 ]; then if [ "${attempt}" -gt 1 ]; then
warning "Invalid password, retry." warning "Invalid password, retry."
@ -205,8 +205,8 @@ ask_ca_password() {
if [ -z "${CA_PASSWORD}" ]; then if [ -z "${CA_PASSWORD}" ]; then
ask_ca_password "${attempt}" ask_ca_password "${attempt}"
fi fi
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" rsa \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" rsa \
-in "${CAKEY}" \ -in "${CA_KEY}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
>/dev/null 2>&1 \ >/dev/null 2>&1 \
|| ask_ca_password "${attempt}" || ask_ca_password "${attempt}"
@ -295,14 +295,14 @@ create() {
ask_ca_password 0 ask_ca_password 0
# check if csr_file is a CSR # check if csr_file is a CSR
"${OPENSSL}" req \ "${OPENSSL_BIN}" req \
-noout -subject \ -noout -subject \
-in "${csr_file}" \ -in "${csr_file}" \
>/dev/null 2>&1 \ >/dev/null 2>&1 \
|| error "${csr_file} is not a valid CSR !" || error "${csr_file} is not a valid CSR !"
# check if csr_file contain a CN # check if csr_file contain a CN
"${OPENSSL}" req \ "${OPENSSL_BIN}" req \
-noout -subject \ -noout -subject \
-in "${csr_file}" \ -in "${csr_file}" \
| grep -Eo "CN\s*=[^,/]*" \ | grep -Eo "CN\s*=[^,/]*" \
@ -310,21 +310,21 @@ create() {
|| error "${csr_file} don't contain a CommonName !" || error "${csr_file} don't contain a CommonName !"
# get CN from CSR # get CN from CSR
cn=$("${OPENSSL}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs) cn=$("${OPENSSL_BIN}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs)
# check if CN already exist # check if CN already exist
if [ -f "${CRTDIR}/${cn}.crt" ]; then if [ -f "${CRT_DIR}/${cn}.crt" ]; then
error "${cn} already used !" error "${cn} already used !"
fi fi
# ca sign and generate cert # ca sign and generate cert
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-config "${CONFFILE}" \ -config "${CONF_FILE}" \
-in "${csr_file}" \ -in "${csr_file}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-out "${CRTDIR}/${cn}.crt" -out "${CRT_DIR}/${cn}.crt"
echo "The CRT file is available in ${CRTDIR}/${cn}.crt" echo "The CRT file is available in ${CRT_DIR}/${cn}.crt"
else else
if [ -z "${cn}" ]; then if [ -z "${cn}" ]; then
show_usage >&2 show_usage >&2
@ -332,7 +332,7 @@ create() {
fi fi
# check if CN already exist # check if CN already exist
if [ -f "${CRTDIR}/${cn}.crt" ]; then if [ -f "${CRT_DIR}/${cn}.crt" ]; then
error "${cn} already used !" error "${cn} already used !"
fi fi
@ -359,107 +359,107 @@ create() {
# generate private key # generate private key
if [ -n "${PASSWORD}" ]; then if [ -n "${PASSWORD}" ]; then
PASSWORD="${PASSWORD}" "$OPENSSL" genrsa \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \
-aes256 \ -aes256 \
-passout env:PASSWORD \ -passout env:PASSWORD \
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \ -out "${KEY_DIR}/${cn}-${SUFFIX}.key" \
2048 \ ${KEY_LENGTH} \
>/dev/null 2>&1 >/dev/null 2>&1
else else
"$OPENSSL" genrsa \ "${OPENSSL_BIN}" genrsa \
-out "${KEYDIR}/${cn}-${TIMESTAMP}.key" \ -out "${KEY_DIR}/${cn}-${SUFFIX}.key" \
2048 \ ${KEY_LENGTH} \
>/dev/null 2>&1 >/dev/null 2>&1
fi fi
if [ -n "${PASSWORD}" ]; then if [ -n "${PASSWORD}" ]; then
# generate csr req # generate csr req
PASSWORD="${PASSWORD}" "$OPENSSL" req \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" req \
-batch \ -batch \
-new \ -new \
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \ -key "${KEY_DIR}/${cn}-${SUFFIX}.key" \
-passin env:PASSWORD \ -passin env:PASSWORD \
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \ -out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONFFILE}") $(cat "${CONF_FILE}")
commonName_default = ${cn} commonName_default = ${cn}
EOF EOF
else else
# generate csr req # generate csr req
"$OPENSSL" req \ "${OPENSSL_BIN}" req \
-batch \ -batch \
-new \ -new \
-key "${KEYDIR}/${cn}-${TIMESTAMP}.key" \ -key "${KEY_DIR}/${cn}-${SUFFIX}.key" \
-out "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \ -out "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
-config /dev/stdin <<EOF -config /dev/stdin <<EOF
$(cat "${CONFFILE}") $(cat "${CONF_FILE}")
commonName_default = ${cn} commonName_default = ${cn}
EOF EOF
fi fi
# ca sign and generate cert # ca sign and generate cert
CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-config "${CONFFILE}" \ -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-in "${CSRDIR}/${cn}-${TIMESTAMP}.csr" \ -in "${CSR_DIR}/${cn}-${SUFFIX}.csr" \
-out "${CRTDIR}/${cn}.crt" -out "${CRT_DIR}/${cn}.crt"
# check if CRT is a valid # check if CRT is a valid
"${OPENSSL}" x509 \ "${OPENSSL_BIN}" x509 \
-noout \ -noout \
-subject \ -subject \
-in "${CRTDIR}/${cn}.crt" \ -in "${CRT_DIR}/${cn}.crt" \
>/dev/null 2>&1 \ >/dev/null 2>&1 \
|| rm -f "${CRTDIR}/${cn}.crt" || rm -f "${CRT_DIR}/${cn}.crt"
if [ ! -f "${CRTDIR}/${cn}.crt" ]; then if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then
error "Error in CSR creation" error "Error in CSR creation"
fi fi
chmod 640 "${CRTDIR}/${cn}.crt" chmod 640 "${CRT_DIR}/${cn}.crt"
echo "The CRT file is available in ${CRTDIR}/${cn}.crt" echo "The CRT file is available in ${CRT_DIR}/${cn}.crt"
# generate pkcs12 format # generate pkcs12 format
if [ -n "${PASSWORD}" ]; then if [ -n "${PASSWORD}" ]; then
PASSWORD="${PASSWORD}" "${OPENSSL}" pkcs12 \ PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" pkcs12 \
-export \ -export \
-nodes \ -nodes \
-passin env:PASSWORD \ -passin env:PASSWORD \
-passout env:PASSWORD \ -passout env:PASSWORD \
-inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" \ -inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \
-in "${CRTDIR}/${cn}.crt" \ -in "${CRT_DIR}/${cn}.crt" \
-out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12" -out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
else else
"${OPENSSL}" pkcs12 \ "${OPENSSL_BIN}" pkcs12 \
-export \ -export \
-nodes \ -nodes \
-passout pass: \ -passout pass: \
-inkey "${KEYDIR}/${cn}-${TIMESTAMP}.key" \ -inkey "${KEY_DIR}/${cn}-${SUFFIX}.key" \
-in "${CRTDIR}/${cn}.crt" \ -in "${CRT_DIR}/${cn}.crt" \
-out "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12" -out "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
fi fi
chmod 640 "${PKCS12DIR}/${cn}-${TIMESTAMP}.p12" chmod 640 "${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
echo "The PKCS12 config file is available in ${PKCS12DIR}/${cn}-${TIMESTAMP}.p12" echo "The PKCS12 config file is available in ${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
# generate openvpn format # generate openvpn format
if [ -e "${CADIR}/ovpn.conf" ]; then if [ -e "${CA_DIR}/ovpn.conf" ]; then
cat "${CADIR}/ovpn.conf" - > "${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn" <<EOF cat "${CA_DIR}/ovpn.conf" - > "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn" <<EOF
<ca> <ca>
$(cat "${CACERT}") $(cat "${CA_CERT}")
</ca> </ca>
<cert> <cert>
$(cat "${CRTDIR}/${cn}.crt") $(cat "${CRT_DIR}/${cn}.crt")
</cert> </cert>
<key> <key>
$(cat "${KEYDIR}/${cn}-${TIMESTAMP}.key") $(cat "${KEY_DIR}/${cn}-${SUFFIX}.key")
</key> </key>
EOF EOF
chmod 640 "${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn" chmod 640 "${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
echo "The OpenVPN config file is available in ${OVPNDIR}/${cn}-${TIMESTAMP}.ovpn" echo "The OpenVPN config file is available in ${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
fi fi
fi fi
} }
@ -474,36 +474,36 @@ revoke() {
cn="${1}" cn="${1}"
# check if CRT exists # check if CRT exists
if [ ! -f "${CRTDIR}/${cn}.crt" ]; then if [ ! -f "${CRT_DIR}/${cn}.crt" ]; then
error "Unknow CN : ${cn}" error "Unknow CN : ${cn}"
fi fi
# check if CRT is a valid # check if CRT is a valid
"${OPENSSL}" x509 \ "${OPENSSL_BIN}" x509 \
-noout \ -noout \
-subject \ -subject \
-in "${CRTDIR}/${cn}.crt" \ -in "${CRT_DIR}/${cn}.crt" \
>/dev/null 2>&1 \ >/dev/null 2>&1 \
|| error "${CRTDIR}/${cn}.crt is not a valid CRT, you must delete it !" || error "${CRT_DIR}/${cn}.crt is not a valid CRT, you must delete it !"
# ask for CA passphrase # ask for CA passphrase
ask_ca_password 0 ask_ca_password 0
echo "Revoke certificate ${CRTDIR}/${cn}.crt :" echo "Revoke certificate ${CRT_DIR}/${cn}.crt :"
CA_PASSWORD="${CA_PASSWORD}" "$OPENSSL" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-config "${CONFFILE}" \ -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-revoke "${CRTDIR}/${cn}.crt" \ -revoke "${CRT_DIR}/${cn}.crt" \
&& rm "${CRTDIR}/${cn}.crt" && rm "${CRT_DIR}/${cn}.crt"
CA_PASSWORD="${CA_PASSWORD}" "$OPENSSL" ca \ CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
-config "${CONFFILE}" \ -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \ -passin env:CA_PASSWORD \
-gencrl -out "${CRL}" -gencrl -out "${CRL}"
} }
list() { list() {
if [ ! -f "${INDEX}" ]; then if [ ! -f "${INDEX_FILE}" ]; then
exit 0 exit 0
fi fi
@ -536,15 +536,15 @@ list() {
done done
if [ "${list_valid}" -eq 0 ]; then if [ "${list_valid}" -eq 0 ]; then
certs=$(grep "^V" "${INDEX}") certs=$(grep "^V" "${INDEX_FILE}")
fi fi
if [ "${list_revoked}" -eq 0 ]; then if [ "${list_revoked}" -eq 0 ]; then
certs=$(grep "^R" "${INDEX}") certs=$(grep "^R" "${INDEX_FILE}")
fi fi
if [ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ]; then if [ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ]; then
certs=$(cat "${INDEX}") certs=$(cat "${INDEX_FILE}")
fi fi
echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1 echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1
@ -556,7 +556,7 @@ check() {
min_day=90 min_day=90
cur_epoch=$(date -u +'%s') cur_epoch=$(date -u +'%s')
for cert in ${CRTDIR}/*; do for cert in ${CRT_DIR}/*; do
end_date=$(openssl x509 -noout -enddate -in "${cert}" | cut -d'=' -f2) end_date=$(openssl x509 -noout -enddate -in "${cert}" | cut -d'=' -f2)
end_epoch=$(date -ud "${end_date}" +'%s') end_epoch=$(date -ud "${end_date}" +'%s')
diff_epoch=$((end_epoch - cur_epoch)) diff_epoch=$((end_epoch - cur_epoch))
@ -574,48 +574,50 @@ check() {
main() { main() {
# default config # default config
# TODO : override with /etc/default/shellpki # TODO : override with /etc/default/shellpki
CONFFILE="/etc/shellpki/openssl.cnf" CONF_FILE="/etc/shellpki/openssl.cnf"
if [ "$(uname)" = "OpenBSD" ]; then if [ "$(uname)" = "OpenBSD" ]; then
PKIUSER="_shellpki" PKI_USER="_shellpki"
else else
PKIUSER="shellpki" PKI_USER="shellpki"
fi fi
if [ "${USER}" != "root" ] && [ "${USER}" != "${PKIUSER}" ]; then if [ "${USER}" != "root" ] && [ "${USER}" != "${PKI_USER}" ]; then
error "Please become root before running ${0} !" error "Please become root before running ${0} !"
fi fi
# retrieve CA path from config file # retrieve CA path from config file
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1) CA_DIR=$(grep -E "^dir" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1)
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~") CA_KEY=$(grep -E "^private_key" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~") CA_CERT=$(grep -E "^certificate" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
OCSPKEY="${CADIR}/ocsp.key" OCSP_KEY="${CA_DIR}/ocsp.key"
OCSPCERT="${CADIR}/ocsp.pem" OCSP_CERT="${CA_DIR}/ocsp.pem"
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~") CRT_DIR=$(grep -E "^certs" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~") TMP_DIR=$(grep -E "^new_certs_dir" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~") INDEX_FILE=$(grep -E "^database" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
SERIAL=$(grep -E "^serial" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~") SERIAL=$(grep -E "^serial" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
CRL=$(grep -E "^crl" "${CONFFILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CADIR}~") CRL=$(grep -E "^crl" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~")
# directories for clients key, csr, crt # directories for clients key, csr, crt
KEYDIR="${CADIR}/private" KEY_DIR="${CA_DIR}/private"
CSRDIR="${CADIR}/requests" CSR_DIR="${CA_DIR}/requests"
PKCS12DIR="${CADIR}/pkcs12" PKCS12_DIR="${CA_DIR}/pkcs12"
OVPNDIR="${CADIR}/openvpn" OVPN_DIR="${CA_DIR}/openvpn"
OPENSSL=$(command -v openssl) KEY_LENGTH=2048
TIMESTAMP=$(/bin/date +"%s")
if ! getent passwd "${PKIUSER}" >/dev/null || ! getent group "${PKIUSER}" >/dev/null; then OPENSSL_BIN=$(command -v openssl)
error "You must create ${PKIUSER} user and group !" SUFFIX=$(/bin/date +"%s")
if ! getent passwd "${PKI_USER}" >/dev/null || ! getent group "${PKI_USER}" >/dev/null; then
error "You must create ${PKI_USER} user and group !"
fi fi
if [ ! -e "${CONFFILE}" ]; then if [ ! -e "${CONF_FILE}" ]; then
error "${CONFFILE} is missing" error "${CONF_FILE} is missing"
fi fi
mkdir -p "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}" "${TMPDIR}" mkdir -p "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
command=${1:-help} command=${1:-help}
@ -667,10 +669,10 @@ main() {
esac esac
# fix right # fix right
chown -R "${PKIUSER}":"${PKIUSER}" "${CADIR}" chown -R "${PKI_USER}":"${PKI_USER}" "${CA_DIR}"
chmod 750 "${CADIR}" "${CRTDIR}" "${KEYDIR}" "${CSRDIR}" "${PKCS12DIR}" "${OVPNDIR}" "${TMPDIR}" chmod 750 "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}"
chmod 600 "${INDEX}"* "${SERIAL}"* "${CAKEY}" "${CRL}" chmod 600 "${INDEX_FILE}"* "${SERIAL}"* "${CA_KEY}" "${CRL}"
chmod 640 "${CACERT}" chmod 640 "${CA_CERT}"
} }
main "$@" main "$@"
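Review bot: The mechanical rename leaked into user-facing help text in the `-152,7 +152,7` hunk, where `Run OCSPD server :` became `Run OCSP_D server :`; that string is printed by show_usage and should be restored to `Run OCSPD server :` (or `Run OCSP server :`). The newly introduced `${KEY_LENGTH}` is left unquoted where it replaces the literal `2048` — once in the ocsp() hunk and twice in the create() hunk — while every neighbouring argument is quoted, so `"${KEY_LENGTH}" \` would keep the script's quoting consistent (ShellCheck SC2086). The CA key in init() still uses the literal `-aes256 4096` while OCSP and client keys now derive from KEY_LENGTH; if the longer CA key is deliberate, a comment such as `# CA key intentionally longer than KEY_LENGTH` next to that line would stop a future reader from "fixing" it. The enclosing functions for these hunks start and end outside the visible lines.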