openssl private CA management script
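OPENSSL := openssl
# Validity of issued certificates (DAYS) and of the CA certificate itself
# (CADAYS); 3652 days is roughly ten years.
DAYS := -days 3652
CADAYS := -days 3652
REQ := $(OPENSSL) req
CA := $(OPENSSL) ca
VERIFY := $(OPENSSL) verify
X509 := $(OPENSSL) x509
# Must be an absolute path: the CRL symlink below is created with a target
# derived from this value.  $(CURDIR) is set by make itself; $(PWD) is only
# inherited from the environment and is wrong under `make -C`.
CATOP := $(CURDIR)/ca
CA_CERT_REQ_FILE := $(CATOP)/careq.pem
CA_CERT_KEY_FILE := $(CATOP)/private/cakey.pem
CA_CERT_FILE := $(CATOP)/cacert.pem
CRL_LINK := $(CATOP)/crl/crl.pem
# Deliberately recursive (=): crlnumber is created, and then changed by
# `openssl ca -gencrl`, while the build runs, so the file name must be
# re-read at the point of use.  The redirect keeps a missing crlnumber from
# printing a `cat` error on every expansion.
CRL_FILE = $(CATOP)/crl/crl$(shell cat $(CATOP)/crlnumber 2>/dev/null).pem
# CERT=<name> selects the leaf certificate to operate on; without it the
# generic newreq/newkey/newcert names are used.
ifneq ($(strip $(CERT)),)
CERT_REQ_FILE := certificate_requests/$(CERT).pem
CERT_KEY_FILE := private/$(CERT).pem
CERT_FILE := public/$(CERT).pem
else
CERT_REQ_FILE := certificate_requests/newreq.pem
CERT_KEY_FILE := private/newkey.pem
CERT_FILE := public/newcert.pem
endif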
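# Suffixes handled by the .pem -> .crt/.p12 conversion rules below.
.SUFFIXES: .pem .crt .p12
# A failed recipe (an aborted passphrase prompt, a failing `openssl ca`)
# must not leave a partial key, CSR or certificate behind that looks
# up to date on the next run.
.DELETE_ON_ERROR:
# None of these names are files; a stray file called `crl` or `help` would
# otherwise make the target silently "up to date".
.PHONY: help careq cacert req cert verify revoke crl clean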
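# Default goal (first rule in the file): list the available commands.
help:
	@echo "careq - Create certificate request of CA."
	@echo "cacert - Sign certificate request of CA."
	@echo "req - Create certificate request."
	@echo "cert - Sign specified certificate request."
	@echo "verify - Verify specified certificate."
	@echo "revoke - Revoke specified certificate."
	@echo "crl - Generate CRL."
	@echo "clean - Remove the request, key and certificate selected by CERT."
	@echo "Use CERT=<name> to choose which certificate req/cert/verify/revoke act on."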
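# Re-encode a PEM certificate through `openssl x509`
# (e.g. public/foo.pem -> public/foo.crt).
%.crt: %.pem
	$(X509) -in $< -out $@
# Bundle a certificate with its private key as PKCS#12.  The key is taken
# from $(CERT_KEY_FILE), so the target must match the current CERT
# selection (e.g. `make CERT=foo public/foo.p12`).  openssl prompts for an
# export password; because the bundle contains the private key it is
# written under a restrictive umask and left mode 600.
%.p12: %.pem
	umask 077 && $(OPENSSL) pkcs12 -export -clcerts -in $< -inkey $(CERT_KEY_FILE) -out $@
	chmod 600 $@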
## Creating new CA
# Lay out the CA directory (the conventional openssl.cnf CA_default
# layout).  Only `private`, which will hold the CA key, is closed to
# other users; `serial` starts at 00 and `index.txt` starts empty.
$(CATOP):
	mkdir -m 755 $@
	mkdir -m 755 $@/certs
	mkdir -m 755 $@/crl
	mkdir -m 755 $@/newcerts
	mkdir -m 700 $@/private
	echo "00" > $@/serial
	touch $@/index.txt
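# CA key + CSR.  A single `openssl req` call writes both files, so the CSR
# rule only fixes permissions and relies on the key rule for creation.
careq: $(CA_CERT_REQ_FILE)
$(CA_CERT_REQ_FILE): $(CA_CERT_KEY_FILE)
	chmod 600 $@
# The CA directory is an order-only prerequisite: it must exist before the
# key is written, but its mtime must never trigger key regeneration.  The
# umask keeps the key unreadable by others from the moment it is created,
# not only after the chmod.
$(CA_CERT_KEY_FILE): | $(CATOP)
	umask 077 && $(REQ) -new -keyout $@ -out $(CA_CERT_REQ_FILE)
	chmod 600 $@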
# Self-sign the CA request.  The nested $(MAKE) runs after careq has
# finished, so the CA directory, key and CSR exist by then.
cacert: careq
	$(MAKE) $(CA_CERT_FILE)
# -batch: no interactive confirmation; -selfsign: sign with the request's
# own key; -extensions v3_ca: the openssl.cnf section expected to carry the
# CA basic constraints.  -infiles must remain the last option.
$(CA_CERT_FILE): $(CA_CERT_REQ_FILE)
	$(CA) -out $@ $(CADAYS) -batch -keyfile $(CA_CERT_KEY_FILE) -selfsign -extensions v3_ca -infiles $<
	chmod 644 $@
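# Leaf key + CSR (selected by CERT).  The request, key and certificate
# directories live next to the Makefile, not under $(CATOP).
req: $(CERT_REQ_FILE)
$(CERT_REQ_FILE): $(CERT_KEY_FILE)
	chmod 600 $@
# `openssl req -new` writes both the key and the CSR.  $(DAYS) is not
# passed here: `req` ignores -days unless -x509 is given, so validity has to
# be supplied to `openssl ca` when the request is signed.  Directories are
# order-only prerequisites so their mtimes never trigger key regeneration;
# the umask keeps the key private from the moment it is created.
$(CERT_KEY_FILE): | $(CATOP) certificate_requests private public
	umask 077 && $(REQ) -new -keyout $@ -out $(CERT_REQ_FILE)
	chmod 600 $@
certificate_requests:
	mkdir -m 700 $@
private:
	mkdir -m 710 $@
public:
	mkdir -m 755 $@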
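# Sign the selected request.  The nested $(MAKE) runs after req has
# finished, so the directories, key and CSR exist by then.  printf is used
# for the coloured message because `echo -ne` is not portable across /bin/sh
# implementations.
cert: req
	$(MAKE) $(CERT_FILE)
	@printf '\033[1;32mCertificate is in %s.\033[0m\n' '$(CERT_FILE)'
# policy_anything is the stock openssl.cnf policy that makes all DN fields
# optional, so the subject need not match the CA's.  $(DAYS) sets the
# validity; without it `openssl ca` falls back to default_days from its
# config.  Fail early with a clear message when the CA has not been created.
$(CERT_FILE): $(CERT_REQ_FILE)
	@test -f '$(CA_CERT_FILE)' || { echo "$(CA_CERT_FILE) not found; run 'make cacert' first" >&2; exit 1; }
	$(CA) -policy policy_anything $(DAYS) -out $@ -infiles $<
	chmod 644 $@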
# Check the selected certificate against the CA certificate.  Note that
# without -crl_check this does not consult the CRL, so a revoked
# certificate still verifies here.
verify: $(CERT_FILE)
	$(VERIFY) -CAfile $(CA_CERT_FILE) $<
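# Revoke the selected certificate and publish a fresh CRL.  The certificate
# must already exist: listing it as a prerequisite would make a typo in
# CERT silently generate a key, CSR and certificate only to revoke them.
revoke:
	@test -f '$(CERT_FILE)' || { echo "$(CERT_FILE) not found; nothing to revoke" >&2; exit 1; }
	$(CA) -revoke $(CERT_FILE)
	$(MAKE) crl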
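# Generate the next CRL and point the stable crl.pem link at it.  crlnumber
# must exist before this recipe is expanded: $(CRL_FILE) reads it, and with
# the file missing the name collapses to crl.pem -- the link itself -- so
# `ln -sf` would replace the freshly written CRL with a link to itself.
crl: $(CATOP)/crlnumber
	$(MAKE) $(CRL_FILE)
	ln -sf $(CRL_FILE) $(CRL_LINK)
	@printf '\033[1;32mCRL is in %s.\033[0m\n' '$(CRL_FILE)'
$(CRL_FILE): $(CATOP)/crlnumber
	$(CA) -gencrl -out $@
	chmod 644 $@
# Initial CRL number; `openssl ca -gencrl` advances it on each run when
# crlnumber is configured in openssl.cnf.
$(CATOP)/crlnumber:
	echo 01 > $@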
# Remove the request, private key and certificate selected by CERT (the
# generic newreq/newkey/newcert files when CERT is unset).  Nothing under
# $(CATOP) is touched, so the CA's own records stay intact.
clean:
	$(RM) $(CERT_REQ_FILE) $(CERT_KEY_FILE) $(CERT_FILE)