This makes testing in a sandpit much easier.
The defaults are good, so I've left the configuration file out of the
repository.
set -e
certroot=$(cd ${0%/*}/..; pwd)
cd "$certroot"
set -e
certroot=$(cd ${0%/*}/..; pwd)
cd "$certroot"
umask 022
## Archive any existing CA.
umask 022
## Archive any existing CA.
## Build a new one.
mkdir -m750 private
mkdir -m775 certs crls index index/byhash index/byserial state tmp
## Build a new one.
mkdir -m750 private
mkdir -m775 certs crls index index/byhash index/byserial state tmp
-chown root:ca certs crls index index/byhash index/byserial private state tmp
+chown $ca_owner:$ca_group certs crls index index/byhash index/byserial private state tmp
touch state/db
echo 01 >state/serial
echo 01 >state/crlnumber
touch state/db
echo 01 >state/serial
echo 01 >state/crlnumber
openssl req -new -config openssl.conf -x509 -days 3650 \
-out ca.cert -keyout private/ca.key \
-subj "$subject"
openssl req -new -config openssl.conf -x509 -days 3650 \
-out ca.cert -keyout private/ca.key \
-subj "$subject"
-chown root:ca private/ca.key
+chown $ca_owner:$ca_group private/ca.key
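Review bot: The new `chown $ca_owner:$ca_group private/ca.key` line (and the matching directory chown earlier in this hunk) expands unquoted, unguarded values that come from a sourced config file, and the script only sets `set -e`, not `set -u`, so a misspelt or empty variable in the config does not fail but silently changes who ends up owning the CA key: with GNU chown an empty `ca_group` turns the spec into `root:`, which is read as "use root's login group", and an empty `ca_owner` gives `:ca`, which leaves the key owned by root. Assert both values before use and quote the expansion, e.g. `: "${ca_owner:?}" "${ca_group:?}"` followed by `chown -- "$ca_owner:$ca_group" private/ca.key`. Since the values are taken from `. etc/config` in the later hunk, which executes that file as shell code with the privileges of whoever runs this script, a comment next to the source line such as `## etc/config is executed as shell; it must be owned by root and not writable by the ca user or group` would make the trust boundary explicit for whoever deploys the sandpit.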
+## Set up configuration.
+ca_user=ca ca_group=ca ca_owner=root
+if [ -f etc/config ]; then . etc/config; fi
+
runas_ca () {
## runas_ca
##
runas_ca () {
## runas_ca
##
## to run as root against untrusted input -- especially OpenSSL's one.
case $(id -un) in
## to run as root against untrusted input -- especially OpenSSL's one.
case $(id -un) in
- ca) ;;
- *) exec sudo -u ca "$0" "$@" ;;
+ $ca_user) ;;
+ *) exec sudo -u $ca_user "$0" "$@" ;;