bin/*: Use plain `/usr/bin/tclsh' in shebang lines.
[ca] / bin / setup
1 #! /usr/bin/tclsh
2 ### -*-tcl-*-
3 ###
4 ### Initialize a new certificate authority.
5 ###
6 ### (c) 2011 Mark Wooding
7 ###
8
9 ###----- Licensing notice ---------------------------------------------------
10 ###
11 ### This program is free software; you can redistribute it and/or modify
12 ### it under the terms of the GNU General Public License as published by
13 ### the Free Software Foundation; either version 2 of the License, or
14 ### (at your option) any later version.
15 ###
16 ### This program is distributed in the hope that it will be useful,
17 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
18 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 ### GNU General Public License for more details.
20 ###
21 ### You should have received a copy of the GNU General Public License
22 ### along with this program; if not, write to the Free Software Foundation,
23 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24
25 ## Find the common utilities.
26 source [file join [file dirname $argv0] "../lib/func.tcl"]
27 cd $CERTROOT
28
29 ## If there's already a database here, then give up.
30 if {[file exists "state/ca.db"]} {
31 puts stderr \
32 "$argv0: It looks like there's already a certificate authority here.
33
34 If you want to clobber it, delete state/ca.db and run this
35 program again."
36 exit 1
37 }
38
39 ## Otherwise, clear any existing stuff away. Either we failed part way
40 ## through a previous setup attempt, or the user has explicitly deleted the
41 ## database in order to persuade us to do this.
42 file delete -force \
43 "archive" "cert" "req" "state" "private" "crl" "tmp" "ca.cert"
44
45 ## Set up the state directory.
46 make-directories 0775 "state" "archive"
47 make-file "state/serial" "01\n"
48 make-file "state/crlnumber" "01\n"
49 make-file "state/db" ""
50
51 ## Initialize the database in a temporary file: we'll rename it into place as
52 ## our last action. This involves installing the tables and indices, and
53 ## setting up the configured profiles.
54 sqlite db "state/ca.db.new"
55 db eval [sql create]
56 sync-profiles
57 db close
58 file attributes "state/ca.db.new" \
59 -owner $C(ca-owner) -group $C(ca-group) \
60 -permissions 0664
61
62 ## Generate the private CA key.
63 make-directories 0750 "private"
64 set subject ""
65 foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
66 exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf" \
67 -text -out "ca.cert" -keyout "private/ca.key" \
68 -new -x509 -days $C(ca-period) \
69 -subj $subject
70 file attributes "private/ca.key" \
71 -owner $C(ca-owner) -group $C(ca-group) \
72 -permissions 0640
73 file attributes "ca.cert" \
74 -owner $C(ca-owner) -group $C(ca-group) \
75 -permissions 0644
76
77 ## Set up the directories for the actual certificates. These are published
78 ## by the web server.
79 make-directories 0775 "cert" "cert/by-seq" "cert/active"
80 make-directories 0775 "req" "req/by-id" "req/active"
81
82 ## Make other directories.
83 make-directories 0775 "tmp"
84
85 ## Finally, put the database in the right place.
86 file rename "state/ca.db.new" "state/ca.db"
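Review bot: The CA private key is written by the `openssl req ... -keyout "private/ca.key"` call with whatever mode the process umask yields, and only tightened to 0640 by the `file attributes "private/ca.key"` call that follows, so under a permissive umask there is a short window in which the key file is readable more widely than intended. The 0750 `private` directory created just before it narrows that exposure to the directory's group, but the key should be created restrictively from the start, e.g. by running openssl under a tight umask: `exec >@stdout 2>@stderr sh -c {umask 077; exec "$@"} sh openssl req -config "etc/openssl.conf" \` with the remaining arguments unchanged. Whether `make-directories` also sets the directory's owner and group cannot be seen here (it comes from lib/func.tcl); if it does not, the group that can traverse `private` during that window is the invoking user's primary group rather than `$C(ca-group)`. The same umask consideration does not matter for `state/ca.db.new`, which holds no secrets at this point.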