-#! /usr/bin/tclsh8.5
+#! /usr/bin/tclsh
### -*-tcl-*-
###
### Initialize a new certificate authority.
set subject ""
foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf" \
- -out "ca.cert" -keyout "private/ca.key" \
+ -text -out "ca.cert" -keyout "private/ca.key" \
-new -x509 -days $C(ca-period) \
-subj $subject
-file attributes "ca.cert" \
+file attributes "private/ca.key" \
-owner $C(ca-owner) -group $C(ca-group) \
-permissions 0640
+file attributes "ca.cert" \
+ -owner $C(ca-owner) -group $C(ca-group) \
+ -permissions 0644
## Set up the directories for the actual certificates. These are published
## by the web server.
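Review bot: The owner, group and mode of `private/ca.key` are applied only after `openssl req` has already written the file, so until the `file attributes` call runs the CA key carries whatever mode the process umask and openssl gave it. Pre-creating the file with a restrictive mode before the `exec`, for example `close [open "private/ca.key" {WRONLY CREAT EXCL} 0600]`, would close that window and would also refuse to overwrite an existing CA key on a re-run. Reading the `-owner ... -permissions 0640` lines as unchanged context (the diff markers are ambiguous for lines that begin with an option flag), the key ends up readable by `$C(ca-group)`. A comment such as `## 0640: the signing process runs in ca-group and must read the key` would record why group read is needed, and the mode of `private/` itself should be checked where it is created. Whether the key is passphrase-protected depends on `etc/openssl.conf`, which is not visible in this hunk.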