diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4b251ea..5310bee 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -44,6 +44,7 @@ Here is the list of commands available with a short syntax reminder. Use the
 show-cert [ cmd-opts ]
 show-ca [ cmd-opts ]
 show-crl
+ verify
 import-req
 export-p1 [ cmd-opts ]
 export-p7 [ cmd-opts ]
@@ -169,6 +170,9 @@ cmd_help() {
 Shows details of the current certificate revocation list (CRL)
 Human-readable output is shown." ;;
+ verify) text="
+ verify
+ Verify certificate against CA" ;;
 import-req) text="
 import-req
 Import a certificate request from a file
@@ -2373,6 +2377,47 @@ default_server_san() {
 fi
 } # => default_server_san()
+# Verify certificate against CA
+verify_cert() {
+ # pull filename base:
+ [ "$1" ] || die "\
+Error: didn't find a file base name as the first argument.
+Run easyrsa without commands for usage and command help."
+ verify_ca_init
+ # Assign file_name_base and dust off!
+ file_name_base="$1"
+ shift
+ in_dir="$EASYRSA_PKI"
+ ca_crt="$in_dir/ca.crt"
+ crt_in="$in_dir/issued/$file_name_base.crt"
+ # Cert file must exist
+ [ -f "$crt_in" ] || die "\
+No certificate found for the input: '$crt_in'"
+ # Verify file is a valid cert
+ verify_file x509 "$crt_in" || die "\
+Input is not a valid certificate: $crt_in"
+ # Test and show SSL out
+ if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"; then
+ [ "$EASYRSA_SILENT" ] || print # Separate Notice below
+ notice "\
+ Certificate name: $file_name_base
+ Verfication status: GOOD"
+ exit 0
+ fi
+ [ "$EASYRSA_SILENT" ] || print # Separate Notice below
+ warn "\
+ Certificate name: $file_name_base
+ Verfication status: FAILED"
+ exit 1
+} # => verify_cert()
+
 # verify a file seems to be a valid req/X509
 verify_file() {
 format="$1"
@@ -3645,6 +3690,9 @@ case "$cmd" in
 show-ca)
 show_ca "$@"
 ;;
+ verify)
+ verify_cert "$@"
+ ;;
 upgrade)
 up23_manage_upgrade_23 "$@"
 ;;
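Review bot: The `easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"` call in verify_cert() checks only the chain signature and validity dates, so a certificate this PKI has already revoked is still reported as `Verfication status: GOOD`; because `verify` is the command an operator will use to decide whether a cert is still trustworthy, the call should consult the PKI's CRL when one exists, e.g. `easyrsa_openssl verify -crl_check -CAfile "$ca_crt" -CRLfile "$crl_in" "$crt_in"` with `$crl_in` set to the PKI's generated CRL file (path not shown in this diff) and the `-crl_check`/`-CRLfile` pair added only when that file is present, otherwise the notice text should state that revocation was not checked. The status label is also misspelled in both the notice and warn messages: `Verfication status:` should read `Verification status:`. The one-line cmd_help entry in the second hunk, `Verify certificate against CA`, would benefit from the same caveat so users know what the GOOD result does and does not cover.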