Merge branch 'wrap-build-ca' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-wrap-build-ca
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme
commit
6842fb2273
@ -1300,7 +1300,7 @@ build_ca() {
|
|||||||
x509=1
|
x509=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If encrypted then create the CA key using AES256 cipher
|
# If encrypted then create the CA key with AES256 cipher
|
||||||
if [ "$EASYRSA_NO_PASS" ]; then
|
if [ "$EASYRSA_NO_PASS" ]; then
|
||||||
unset -v cipher
|
unset -v cipher
|
||||||
else
|
else
|
||||||
@ -1314,14 +1314,16 @@ Unable to create a CA as you already seem to have one set up.
|
|||||||
If you intended to start a new CA, run init-pki first."
|
If you intended to start a new CA, run init-pki first."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If a private key exists here, a intermediate ca was created but not signed.
|
# If a private key exists, an intermediate ca was created
|
||||||
# Notify the user and require a signed ca.crt or a init-pki:
|
# but not signed.
|
||||||
[ -f "$out_key" ] && \
|
# Notify user and require a signed ca.crt or a init-pki:
|
||||||
|
if [ -f "$out_key" ]; then
|
||||||
die "\
|
die "\
|
||||||
A CA private key exists but no ca.crt is found in your PKI dir of:
|
A CA private key exists but no ca.crt is found in your PKI:
|
||||||
$EASYRSA_PKI
|
$EASYRSA_PKI
|
||||||
Refusing to create a new CA keypair as this operation would overwrite your
|
Refusing to create a new CA as this would overwrite your
|
||||||
current CA keypair. If you intended to start a new CA, run init-pki first."
|
current CA. To start a new CA, run init-pki first."
|
||||||
|
fi
|
||||||
|
|
||||||
# Cert type must exist under the EASYRSA_EXT_DIR
|
# Cert type must exist under the EASYRSA_EXT_DIR
|
||||||
[ -e "$EASYRSA_EXT_DIR/ca" ] || die "\
|
[ -e "$EASYRSA_EXT_DIR/ca" ] || die "\
|
||||||
@ -1333,27 +1335,34 @@ Missing X509-type 'COMMON'"
|
|||||||
if grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \
|
if grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \
|
||||||
"$EASYRSA_SSL_CONF"
|
"$EASYRSA_SSL_CONF"
|
||||||
then
|
then
|
||||||
[ "$EASYRSA_BATCH" ] || print
|
: # [ "$EASYRSA_BATCH" ] || print
|
||||||
else
|
else
|
||||||
warn "\
|
warn "\
|
||||||
The openssl config file in use does not support X509-type 'ca'.
|
This openssl config file does not support X509-type 'ca'.
|
||||||
* $EASYRSA_SSL_CONF
|
* $EASYRSA_SSL_CONF
|
||||||
Please update openssl-easyrsa.cnf to the latest official release."
|
Please update openssl-easyrsa.cnf to the latest release."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# create necessary files and dirs:
|
# create necessary files and dirs:
|
||||||
err_file="Unable to create necessary PKI files (permissions?)"
|
err_msg="\
|
||||||
for i in issued inline certs_by_serial revoked/certs_by_serial \
|
Unable to create necessary PKI files (permissions?)"
|
||||||
revoked/private_by_serial revoked/reqs_by_serial
|
for i in issued inline certs_by_serial \
|
||||||
|
revoked/certs_by_serial revoked/private_by_serial \
|
||||||
|
revoked/reqs_by_serial
|
||||||
do
|
do
|
||||||
mkdir -p "$EASYRSA_PKI/$i" || die "$err_file"
|
mkdir -p "$EASYRSA_PKI/$i" || die "$err_msg"
|
||||||
done
|
done
|
||||||
printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
|
printf "" > "$EASYRSA_PKI/index.txt" || \
|
||||||
printf "" > "$EASYRSA_PKI/index.txt.attr" || die "$err_file"
|
die "$err_msg"
|
||||||
printf '%s\n' "01" > "$EASYRSA_PKI/serial" || die "$err_file"
|
printf "" > "$EASYRSA_PKI/index.txt.attr" || \
|
||||||
|
die "$err_msg"
|
||||||
|
printf '%s\n' "01" > "$EASYRSA_PKI/serial" || \
|
||||||
|
die "$err_msg"
|
||||||
|
unset -v err_msg
|
||||||
|
|
||||||
# Set ssl batch mode, as required
|
# Set ssl batch mode, as required
|
||||||
# --req-cn must be used with --batch, otherwise use default
|
# --req-cn must be used with --batch,
|
||||||
|
# otherwise use default
|
||||||
if [ "$EASYRSA_BATCH" ]; then
|
if [ "$EASYRSA_BATCH" ]; then
|
||||||
ssl_batch=1
|
ssl_batch=1
|
||||||
else
|
else
|
||||||
@ -1376,10 +1385,14 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
die "Failed to create temp-cert file"
|
die "Failed to create temp-cert file"
|
||||||
|
|
||||||
# Get passphrase from user if necessary
|
# Get passphrase from user if necessary
|
||||||
if [ "$EASYRSA_NO_PASS" ]; then
|
if [ "$EASYRSA_NO_PASS" ]
|
||||||
|
then
|
||||||
: # No passphrase required
|
: # No passphrase required
|
||||||
elif [ "$EASYRSA_PASSOUT" ] && [ "$EASYRSA_PASSIN" ]; then
|
|
||||||
|
elif [ "$EASYRSA_PASSOUT" ] && [ "$EASYRSA_PASSIN" ]
|
||||||
|
then
|
||||||
: # passphrase defined
|
: # passphrase defined
|
||||||
|
|
||||||
else
|
else
|
||||||
# Assign passphrase vars and temp file
|
# Assign passphrase vars and temp file
|
||||||
in_key_pass_tmp="$(easyrsa_mktemp)" || \
|
in_key_pass_tmp="$(easyrsa_mktemp)" || \
|
||||||
@ -1420,9 +1433,9 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS, if defined.
|
# Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS
|
||||||
# shellcheck disable=SC2016 # vars don't expand in single quote
|
# shellcheck disable=SC2016 # vars don't expand in ''
|
||||||
awkscript='
|
awkscript='\
|
||||||
{if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") )
|
{if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") )
|
||||||
{ while ( getline<"/dev/stdin" ) {print} next }
|
{ while ( getline<"/dev/stdin" ) {print} next }
|
||||||
{print}
|
{print}
|
||||||
@ -1439,12 +1452,6 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
# Use this new SSL config for the rest of this function
|
# Use this new SSL config for the rest of this function
|
||||||
EASYRSA_SSL_CONF="$conf_tmp"
|
EASYRSA_SSL_CONF="$conf_tmp"
|
||||||
|
|
||||||
# Choose SSL Library version (1, 2(LibreSSL) or 3) and build CA
|
|
||||||
case "$osslv_major" in
|
|
||||||
|
|
||||||
# Version agnostic CA generation
|
|
||||||
# The only remaining option which is version dependent is -nodes/-noenc
|
|
||||||
1|2|3)
|
|
||||||
# Generate CA Key
|
# Generate CA Key
|
||||||
case "$EASYRSA_ALGO" in
|
case "$EASYRSA_ALGO" in
|
||||||
rsa)
|
rsa)
|
||||||
@ -1490,9 +1497,6 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
${in_key_pass_tmp:+ -passin file:"$in_key_pass_tmp"} \
|
${in_key_pass_tmp:+ -passin file:"$in_key_pass_tmp"} \
|
||||||
${out_key_pass_tmp:+ -passout file:"$out_key_pass_tmp"} \
|
${out_key_pass_tmp:+ -passout file:"$out_key_pass_tmp"} \
|
||||||
|| die "Failed to build the CA certificate"
|
|| die "Failed to build the CA certificate"
|
||||||
;;
|
|
||||||
*) die "build-ca ssl lib: $osslv_major"
|
|
||||||
esac
|
|
||||||
|
|
||||||
# Remove passphrase temp-file
|
# Remove passphrase temp-file
|
||||||
if [ -f "$out_key_pass_tmp" ]; then
|
if [ -f "$out_key_pass_tmp" ]; then
|
||||||
@ -1506,14 +1510,17 @@ Failed to remove the CA passphrase temp-file!"
|
|||||||
# Success messages
|
# Success messages
|
||||||
if [ "$sub_ca" ]; then
|
if [ "$sub_ca" ]; then
|
||||||
notice "\
|
notice "\
|
||||||
NOTE: Your intermediate CA request is at $out_file
|
Your intermediate CA request is at:
|
||||||
and now must be sent to your parent CA for signing. Place your resulting cert
|
* $out_file
|
||||||
at $EASYRSA_PKI/ca.crt prior to signing operations."
|
and now must be sent to your parent CA for signing.
|
||||||
|
|
||||||
|
Place your resulting cert at:
|
||||||
|
* $EASYRSA_PKI/ca.crt
|
||||||
|
prior to signing operations."
|
||||||
else
|
else
|
||||||
notice "\
|
notice "\
|
||||||
CA creation complete and you may now import and sign cert requests.
|
CA creation complete. Your new CA certificate is at:
|
||||||
Your new CA certificate file for publishing is at:
|
* $out_file"
|
||||||
$out_file"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user