bin/*: Use plain `/usr/bin/tclsh' in shebang lines.
[ca] / bin / setup
1f46e042 1#! /usr/bin/tclsh
2### -*-tcl-*-
3###
4### Initialize a new certificate authority.
5###
6### (c) 2011 Mark Wooding
7###
8
9###----- Licensing notice ---------------------------------------------------
10###
11### This program is free software; you can redistribute it and/or modify
12### it under the terms of the GNU General Public License as published by
13### the Free Software Foundation; either version 2 of the License, or
14### (at your option) any later version.
15###
16### This program is distributed in the hope that it will be useful,
17### but WITHOUT ANY WARRANTY; without even the implied warranty of
18### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19### GNU General Public License for more details.
20###
21### You should have received a copy of the GNU General Public License
22### along with this program; if not, write to the Free Software Foundation,
23### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24
25## Find the common utilities.
26source [file join [file dirname $argv0] "../lib/func.tcl"]
27cd $CERTROOT
28
29## If there's already a database here, then give up.
30if {[file exists "state/ca.db"]} {
31 puts stderr \
32 "$argv0: It looks like there's already a certificate authority here.
33
34 If you want to clobber it, delete state/ca.db and run this
35 program again."
36 exit 1
37}
38
39## Otherwise, clear any existing stuff away. Either we failed part way
40## through a previous setup attempt, or the user has explicitly deleted the
41## database in order to persuade us to do this.
42file delete -force \
43 "archive" "cert" "req" "state" "private" "crl" "tmp" "ca.cert"
44
45## Set up the state directory.
46make-directories 0775 "state" "archive"
47make-file "state/serial" "01\n"
48make-file "state/crlnumber" "01\n"
49make-file "state/db" ""
50
51## Initialize the database in a temporary file: we'll rename it into place as
52## our last action. This involves installing the tables and indices, and
53## setting up the configured profiles.
54sqlite db "state/ca.db.new"
55db eval [sql create]
56sync-profiles
57db close
58file attributes "state/ca.db.new" \
59 -owner $C(ca-owner) -group $C(ca-group) \
60 -permissions 0664
61
62## Generate the private CA key.
63make-directories 0750 "private"
64set subject ""
65foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
66exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf" \
7d993891 67 -text -out "ca.cert" -keyout "private/ca.key" \
68 -new -x509 -days $C(ca-period) \
69 -subj $subject
9d7fd960 70file attributes "private/ca.key" \
71 -owner $C(ca-owner) -group $C(ca-group) \
72 -permissions 0640
73file attributes "ca.cert" \
74 -owner $C(ca-owner) -group $C(ca-group) \
75 -permissions 0644
76
77## Set up the directories for the actual certificates. These are published
78## by the web server.
79make-directories 0775 "cert" "cert/by-seq" "cert/active"
80make-directories 0775 "req" "req/by-id" "req/active"
81
82## Make other directories.
83make-directories 0775 "tmp"
84
85## Finally, put the database in the right place.
86file rename "state/ca.db.new" "state/ca.db"
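Review bot: The CA private key written by `openssl req ... -keyout "private/ca.key"` (file lines 66-69) is created under whatever umask the caller has and is only afterwards narrowed to 0640 by the `file attributes` call on lines 70-72, so during the openssl run its mode is umask-determined; `state/ca.db.new` on lines 54-60 follows the same create-then-tighten pattern. The `private` directory made with 0750 on line 63 limits who can reach the key in that window, but `make-directories` comes from lib/func.tcl and is not visible here, and nothing in this file sets that directory's owner or group, so whether the 0750 actually grants access to `ca-group` (and denies everyone else) depends on that helper and on who runs the script. Making the directory's ownership explicit right after line 63 would remove that dependency: `file attributes "private" \` / `    -owner $C(ca-owner) -group $C(ca-group) -permissions 0750`. A comment above line 66 such as `## NOTE: openssl writes the key under the current umask; its mode is only tightened below, so run this with a restrictive umask.` would record the precondition for operators.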