diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 4d33d37..4320a38 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -38,6 +38,7 @@ Here is the list of commands available with a short syntax reminder. Use the show-req [ cmd-opts ] show-cert [ cmd-opts ] import-req + export-p7 [ cmd-opts ] export-p12 [ cmd-opts ] " @@ -128,7 +129,13 @@ cmd_help() { export-p12 [ cmd-opts ] Export a PKCS#12 file with the keypair specified by " opts=" - noca - do not include the ca.crt file in the PKCS12 output" ;; + noca - do not include the ca.crt file in the PKCS12 output + nokey - do not include the private key in the PKCS12 output" ;; + export-p7) text=" + export-p7 [ cmd-opts ] + Export a PKCS#7 file with the pubkey specified by " + opts=" + noca - do not include the ca.crt file in the PKCS7 output" ;; altname|subjectaltname|san) text=" --subject-alt-name=SAN_FORMAT_STRING This global option adds a subjectAltName to the request or issued @@ -755,8 +762,13 @@ You may now use this name to perform signing operations on this request. return 0 } # => import_req() -# export-p12 backend -export_p12() { +# export pkcs#12 or pkcs#7 +export_pkcs() { + [[ -n "$1" ]] && [[ ( "$1" == "p12" || "$1" == "p7" ) ]] || die "\ +The first argument must be p12 or p7." + local pkcs_type="$1" + shift + [ -n "$1" ] || die "\ Unable to export p12: incorrect command syntax. Run easyrsa without commands for usage and command help." @@ -764,7 +776,6 @@ Run easyrsa without commands for usage and command help." local short_name="$1" local crt_in="$EASYRSA_PKI/issued/$1.crt" local key_in="$EASYRSA_PKI/private/$1.key" - local p12_out="$EASYRSA_PKI/private/$1.p12" local crt_ca="$EASYRSA_PKI/ca.crt" shift 
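Review bot: The new help text for export-p7 says the file carries "the pubkey specified by", but what the p7 branch bundles via crl2pkcs7 -certfile is the issued certificate (plus ca.crt unless noca), not a bare public key, so the wording will mislead users about what they are handing out. I would change the line to `Export a PKCS#7 file with the certificate specified by`, and it is worth adding a sentence that the output contains no private key, so it is safe to distribute, in contrast to export-p12 without nokey. The cmd_help() case statement starts and ends outside this hunk.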
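Review bot: The argument guard at the top of export_pkcs uses bash `[[ ... ]]` with `==`, while every other test visible in these hunks (`[ -n "$1" ]`, `[ $want_ca -eq 1 ]`, `[ -f "$key_in" ]`) is POSIX `[`, so this line is the only thing that would stop the function running under a plain /bin/sh; the `-n` check is also redundant given the equality test. A portable equivalent is `case "$1" in p12|p7) ;; *) die "The first argument must be p12 or p7." ;; esac`. The unchanged "Unable to export p12: incorrect command syntax." message that follows the shift is now also reached from export-p7, so it should read `Unable to export $pkcs_type: incorrect command syntax.` to match the other messages the commit parameterised. export_pkcs continues past the end of this hunk.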
@@ -772,42 +783,62 @@ Run easyrsa without commands for usage and command help." # opts support local want_ca=1 + local want_key=1 while [ -n "$1" ]; do case "$1" in noca) want_ca=0 ;; + nokey) want_key=0 ;; *) warn "Ignoring unknown command option: '$1'" ;; esac shift done - local p12_opts= + local pkcs_opts= if [ $want_ca -eq 1 ]; then verify_file x509 "$crt_ca" || die "\ -Unable to include CA cert in the p12 output (missing file, or use noca option.) +Unable to include CA cert in the $pkcs_type output (missing file, or use noca option.) Missing file expected at: $crt_ca" - p12_opts="$p12_opts -certfile $crt_ca" + pkcs_opts="$pkcs_opts -certfile $crt_ca" fi # input files must exist verify_file x509 "$crt_in" || die "\ -Unable to export p12 for short name '$short_name' without the certificate. +Unable to export $pkcs_type for short name '$short_name' without the certificate. Missing cert expected at: $crt_in" - [ -f "$key_in" ] || die "\ -Unable to export p12 for short name '$short_name' without the key. -Missing key expected at: $key_in" + case "$pkcs_type" in + p12) + local pkcs_out="$EASYRSA_PKI/private/$short_name.p12" - # export the p12: - "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \ - -out "$p12_out" $p12_opts || die "\ + if [ $want_key -eq 1 ]; then + [ -f "$key_in" ] || die "\ +Unable to export p12 for short name '$short_name' without the key. +Missing key expected at: $key_in, or use nokey option.)" + else + pkcs_opts="$pkcs_opts -nokeys" + fi + + # export the p12: + "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \ + -out "$pkcs_out" $pkcs_opts || die "\ Export of p12 failed: see above for related openssl errors." + ;; + p7) + local pkcs_out="$EASYRSA_PKI/private/$short_name.p7b" + + # export the p7: + "$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \ + -out "$pkcs_out" $pkcs_opts || die "\ +Export of p7 failed: see above for related openssl errors." + ;; + esac notice "\ -Successful export of p12 file. 
Your exported file is at the following -location: $p12_out +Successful export of $pkcs_type file. Your exported file is at the following +location: $pkcs_out " return 0 -} # => export_p12() +} # => export_pkcs() # update-db backend update_db() { @@ -1097,8 +1128,12 @@ case "$cmd" in import_req "$@" ;; export-p12) - export_p12 "$@" + export_pkcs p12 "$@" ;; + export-p7) + export_pkcs p7 "$@" + ;; + update-db) update_db ;;
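Review bot: In the p12 branch, `-inkey "$key_in"` is still passed to openssl when nokey is given, even though that branch deliberately skips the `[ -f "$key_in" ]` existence check, so the export is handed a path that may not exist; whether openssl pkcs12 ignores -inkey once -nokeys is set depends on the version, so I would only name the key when a key is actually wanted. The missing-key message also has a stray closing parenthesis, `$key_in, or use nokey option.)`. Separately, both key-less outputs (p12 with nokey, and the p7b) are written under `$EASYRSA_PKI/private/` next to the keys although they hold only public material; that is presumably just reuse of the old p12 path, but a location such as issued/ would keep people from copying files out of the key directory, which is worth a comment if private/ is intentional.
```shell
p12)
    local pkcs_out="$EASYRSA_PKI/private/$short_name.p12"
    if [ $want_key -eq 1 ]; then
        [ -f "$key_in" ] || die "\
Unable to export p12 for short name '$short_name' without the key.
Missing key expected at: $key_in (or use the nokey option)"
        "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
            -out "$pkcs_out" $pkcs_opts || die "\
Export of p12 failed: see above for related openssl errors."
    else
        # no key wanted: do not hand openssl a key path that may not exist
        "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -nokeys -export \
            -out "$pkcs_out" $pkcs_opts || die "\
Export of p12 failed: see above for related openssl errors."
    fi
    ;;
# … unchanged: p7 branch, esac, notice, return …
```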