--- /dev/null
+#! /usr/bin/tclsh8.5
+### -*-tcl-*-
+###
+### Initialize a new certificate authority.
+###
+### (c) 2011 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+## Find the common utilities.
+source [file join [file dirname $argv0] "../lib/func.tcl"]
+cd $CERTROOT
+
+## If there's already a database here, then give up.
+if {[file exists "state/ca.db"]} {
+ puts stderr \
+ "$argv0: It looks like there's already a certificate authority here.
+
+ If you want to clobber it, delete state/ca.db and run this
+ program again."
+ exit 1
+}
+
+## Otherwise, clear any existing stuff away. Either we failed part way
+## through a previous setup attempt, or the user has explicitly deleted the
+## database in order to persuade us to do this.
+file delete -force \
+ "archive" "cert" "req" "state" "private" "crl" "tmp" "ca.cert"
+
+## Set up the state directory.
+make-directories 0775 "state" "archive"
+make-file "state/serial" "01\n"
+make-file "state/crlnumber" "01\n"
+make-file "state/db" ""
+
+## Initialize the database in a temporary file: we'll rename it into place as
+## our last action. This involves installing the tables and indices, and
+## setting up the configured profiles.
+sqlite db "state/ca.db.new"
+db eval [sql create]
+sync-profiles
+db close
+file attributes "state/ca.db.new" \
+ -owner $C(ca-owner) -group $C(ca-group) \
+ -permissions 0664
+
+## Generate the private CA key.
+make-directories 0750 "private"
+set subject ""
+foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
+exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf" \
+ -out "ca.cert" -keyout "private/ca.key" \
+ -new -x509 -days $C(ca-period) \
+ -subj $subject
+file attributes "ca.cert" \
+ -owner $C(ca-owner) -group $C(ca-group) \
+ -permissions 0640
+
+## Set up the directories for the actual certificates. These are published
+## by the web server.
+make-directories 0775 "cert" "cert/by-seq" "cert/active"
+make-directories 0775 "req" "req/by-id" "req/active"
+
+## Make other directories.
+make-directories 0775 "tmp"
+
+## Finally, put the database in the right place.
+file rename "state/ca.db.new" "state/ca.db"
~mdw / ca / blobdiff