mdw@git.distorted.org.uk Git - ca/blob - bin/make-ca-key

   1 #! /bin/sh
   2
   3 set -e
   4 certroot=$(cd ${0%/*}/..; pwd)
   5 cd "$certroot"
   6 umask 022
   7
   8 ## Archive any existing CA.
   9 if [ -f ca.cert ]; then
  10   mkdir -p archive
  11   if [ -f archive/state/serial ]; then
  12     next=$(cat archive/state/serial)
  13   else
  14     mkdir -p archive/state
  15     next=1
  16   fi
  17   mkdir archive/"$next"
  18   mv ca.cert certs crls index private state archive/"$next"/
  19   expr "$next" + 1 >archive/state/serial.new
  20   mv archive/state/serial.new archive/state/serial
  21 fi
  22
  23 ## Clear out the old CA completely.
  24 rm -rf certs index private tmp state
  25 rm -f ca.cert distorted.crl
  26
  27 ## Build a new one.
  28 mkdir -m750 private
  29 mkdir -m775 certs crls index index/byhash index/byserial state tmp
  30 chown root:ca certs crls index index/byhash index/byserial private state tmp
  31 touch state/db
  32 echo 01 >state/serial
  33 echo 01 >state/crlnumber
  34
  35 ## Set the CA subject name.  It won't fit on one line, and there's no
  36 ## good way of continuing it.  Have fun parsing the sed.
  37 subject=$(sed -n 's:^:/:;1h;2,$H;${x;s/\n//g;p;}' <<EOF
  38 C=GB
  39 ST=Cambridgeshire
  40 O=distorted.org.uk
  41 OU=Certificate Authority
  42 CN=distorted.org.uk top-level CA
  43 emailAddress=ca@distorted.org.uk
  44 EOF
  45 )
  46
  47 ## Build the new CA key and certificate.
  48 umask 027
  49 openssl req -new -config openssl.conf -x509 -days 3650 \
  50         -out ca.cert -keyout private/ca.key \
  51         -subj "$subject"
  52 chown root:ca private/ca.key
  53 chmod 644 ca.cert