Created
October 14, 2016 01:05
-
-
Save inC3ASE/1cf573d421f1c3f264a9f238b5675b37 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # print out the hash values | |
| # c_hash | |
| for i in $* | |
| do | |
| h=`openssl x509 -hash -noout -in $i` | |
| echo "$h.0 => $i" | |
| done | |
| #!/bin/sh | |
| # | |
| # print the subject | |
| # c_info | |
| for i in $* | |
| do | |
| n=`openssl x509 -subject -issuer -enddate -noout -in $i` | |
| echo "$i" | |
| echo "$n" | |
| echo "--------" | |
| done | |
| #!/bin/sh | |
| # | |
| # print out the issuer | |
| # c_issuer | |
| for i in $* | |
| do | |
| n=`openssl x509 -issuer -noout -in $i` | |
| echo "$i $n" | |
| done | |
| #!/bin/sh | |
| # | |
| # print the subject | |
| # c_name | |
| for i in $* | |
| do | |
| n=`openssl x509 -subject -noout -in $i` | |
| echo "$i $n" | |
| done | |
| #!/usr/bin/perl | |
| # CA.pl # # # # # # | |
| # CA - wrapper around ca to make it easier to use ... basically ca requires | |
| # some setup stuff to be done before you can use it and this makes | |
| # things easier between now and when Eric is convinced to fix it :-) | |
| # | |
| # CA -newca ... will setup the right stuff | |
| # CA -newreq[-nodes] ... will generate a certificate request | |
| # CA -sign ... will sign the generated request and output | |
| # | |
| # At the end of that grab newreq.pem and newcert.pem (one has the key | |
| # and the other the certificate) and cat them together and that is what | |
| # you want/need ... I'll make even this a little cleaner later. | |
| # | |
| # | |
| # 12-Jan-96 tjh Added more things ... including CA -signcert which | |
| # converts a certificate to a request and then signs it. | |
| # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG | |
| # environment variable so this can be driven from | |
| # a script. | |
| # 25-Jul-96 eay Cleaned up filenames some more. | |
| # 11-Jun-96 eay Fixed a few filename missmatches. | |
| # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. | |
| # 18-Apr-96 tjh Original hacking | |
| # | |
| # Tim Hudson | |
| # tjh@cryptsoft.com | |
| # | |
| # 27-Apr-98 snh Translation into perl, fix existing CA bug. | |
| # | |
| # | |
| # Steve Henson | |
| # shenson@bigfoot.com | |
| # default openssl.cnf file has setup as per the following | |
| # demoCA ... where everything is stored | |
| my $openssl; | |
| if(defined $ENV{OPENSSL}) { | |
| $openssl = $ENV{OPENSSL}; | |
| } else { | |
| $openssl = "openssl"; | |
| $ENV{OPENSSL} = $openssl; | |
| } | |
| $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; | |
| $DAYS="-days 365"; # 1 year | |
| $CADAYS="-days 1095"; # 3 years | |
| $REQ="$openssl req $SSLEAY_CONFIG"; | |
| $CA="$openssl ca $SSLEAY_CONFIG"; | |
| $VERIFY="$openssl verify"; | |
| $X509="$openssl x509"; | |
| $PKCS12="$openssl pkcs12"; | |
| $CATOP="./demoCA"; | |
| $CAKEY="cakey.pem"; | |
| $CAREQ="careq.pem"; | |
| $CACERT="cacert.pem"; | |
| $DIRMODE = 0777; | |
| $RET = 0; | |
| foreach (@ARGV) { | |
| if ( /^(-\?|-h|-help)$/ ) { | |
| print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; | |
| exit 0; | |
| } elsif (/^-newcert$/) { | |
| # create a certificate | |
| system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS"); | |
| $RET=$?; | |
| print "Certificate is in newcert.pem, private key is in newkey.pem\n" | |
| } elsif (/^-newreq$/) { | |
| # create a certificate request | |
| system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS"); | |
| $RET=$?; | |
| print "Request is in newreq.pem, private key is in newkey.pem\n"; | |
| } elsif (/^-newreq-nodes$/) { | |
| # create a certificate request | |
| system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS"); | |
| $RET=$?; | |
| print "Request is in newreq.pem, private key is in newkey.pem\n"; | |
| } elsif (/^-newca$/) { | |
| # if explicitly asked for or it doesn't exist then setup the | |
| # directory structure that Eric likes to manage things | |
| $NEW="1"; | |
| if ( "$NEW" || ! -f "${CATOP}/serial" ) { | |
| # create the directory hierarchy | |
| mkdir $CATOP, $DIRMODE; | |
| mkdir "${CATOP}/certs", $DIRMODE; | |
| mkdir "${CATOP}/crl", $DIRMODE ; | |
| mkdir "${CATOP}/newcerts", $DIRMODE; | |
| mkdir "${CATOP}/private", $DIRMODE; | |
| open OUT, ">${CATOP}/index.txt"; | |
| close OUT; | |
| open OUT, ">${CATOP}/crlnumber"; | |
| print OUT "01\n"; | |
| close OUT; | |
| } | |
| if ( ! -f "${CATOP}/private/$CAKEY" ) { | |
| print "CA certificate filename (or enter to create)\n"; | |
| $FILE = <STDIN>; | |
| chop $FILE; | |
| # ask user for existing CA certificate | |
| if ($FILE) { | |
| cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); | |
| cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); | |
| $RET=$?; | |
| } else { | |
| print "Making CA certificate ...\n"; | |
| system ("$REQ -new -keyout " . | |
| "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ"); | |
| system ("$CA -create_serial " . | |
| "-out ${CATOP}/$CACERT $CADAYS -batch " . | |
| "-keyfile ${CATOP}/private/$CAKEY -selfsign " . | |
| "-extensions v3_ca " . | |
| "-infiles ${CATOP}/$CAREQ "); | |
| $RET=$?; | |
| } | |
| } | |
| } elsif (/^-pkcs12$/) { | |
| my $cname = $ARGV[1]; | |
| $cname = "My Certificate" unless defined $cname; | |
| system ("$PKCS12 -in newcert.pem -inkey newkey.pem " . | |
| "-certfile ${CATOP}/$CACERT -out newcert.p12 " . | |
| "-export -name \"$cname\""); | |
| $RET=$?; | |
| print "PKCS #12 file is in newcert.p12\n"; | |
| exit $RET; | |
| } elsif (/^-xsign$/) { | |
| system ("$CA -policy policy_anything -infiles newreq.pem"); | |
| $RET=$?; | |
| } elsif (/^(-sign|-signreq)$/) { | |
| system ("$CA -policy policy_anything -out newcert.pem " . | |
| "-infiles newreq.pem"); | |
| $RET=$?; | |
| print "Signed certificate is in newcert.pem\n"; | |
| } elsif (/^(-signCA)$/) { | |
| system ("$CA -policy policy_anything -out newcert.pem " . | |
| "-extensions v3_ca -infiles newreq.pem"); | |
| $RET=$?; | |
| print "Signed CA certificate is in newcert.pem\n"; | |
| } elsif (/^-signcert$/) { | |
| system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . | |
| "-out tmp.pem"); | |
| system ("$CA -policy policy_anything -out newcert.pem " . | |
| "-infiles tmp.pem"); | |
| $RET = $?; | |
| print "Signed certificate is in newcert.pem\n"; | |
| } elsif (/^-verify$/) { | |
| if (shift) { | |
| foreach $j (@ARGV) { | |
| system ("$VERIFY -CAfile $CATOP/$CACERT $j"); | |
| $RET=$? if ($? != 0); | |
| } | |
| exit $RET; | |
| } else { | |
| system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); | |
| $RET=$?; | |
| exit 0; | |
| } | |
| } else { | |
| print STDERR "Unknown arg $_\n"; | |
| print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; | |
| exit 1; | |
| } | |
| } | |
| exit $RET; | |
| sub cp_pem { | |
| my ($infile, $outfile, $bound) = @_; | |
| open IN, $infile; | |
| open OUT, ">$outfile"; | |
| my $flag = 0; | |
| while (<IN>) { | |
| $flag = 1 if (/^-----BEGIN.*$bound/) ; | |
| print OUT $_ if ($flag); | |
| if (/^-----END.*$bound/) { | |
| close IN; | |
| close OUT; | |
| return; | |
| } | |
| } | |
| } | |
| #!/bin/sh | |
| # # # # # # # # CA.sh | |
| # CA - wrapper around ca to make it easier to use ... basically ca requires | |
| # some setup stuff to be done before you can use it and this makes | |
| # things easier between now and when Eric is convinced to fix it :-) | |
| # | |
| # CA -newca ... will setup the right stuff | |
| # CA -newreq ... will generate a certificate request | |
| # CA -sign ... will sign the generated request and output | |
| # | |
| # At the end of that grab newreq.pem and newcert.pem (one has the key | |
| # and the other the certificate) and cat them together and that is what | |
| # you want/need ... I'll make even this a little cleaner later. | |
| # | |
| # | |
| # 12-Jan-96 tjh Added more things ... including CA -signcert which | |
| # converts a certificate to a request and then signs it. | |
| # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG | |
| # environment variable so this can be driven from | |
| # a script. | |
| # 25-Jul-96 eay Cleaned up filenames some more. | |
| # 11-Jun-96 eay Fixed a few filename missmatches. | |
| # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. | |
| # 18-Apr-96 tjh Original hacking | |
| # | |
| # Tim Hudson | |
| # tjh@cryptsoft.com | |
| # | |
| # default openssl.cnf file has setup as per the following | |
| # demoCA ... where everything is stored | |
| cp_pem() { | |
| infile=$1 | |
| outfile=$2 | |
| bound=$3 | |
| flag=0 | |
| exec <$infile; | |
| while read line; do | |
| if [ $flag -eq 1 ]; then | |
| echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null | |
| if [ $? -eq 0 ] ; then | |
| echo $line >>$outfile | |
| break | |
| else | |
| echo $line >>$outfile | |
| fi | |
| fi | |
| echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null | |
| if [ $? -eq 0 ]; then | |
| echo $line >$outfile | |
| flag=1 | |
| fi | |
| done | |
| } | |
| usage() { | |
| echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 | |
| } | |
| if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi | |
| if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year | |
| CADAYS="-days 1095" # 3 years | |
| REQ="$OPENSSL req $SSLEAY_CONFIG" | |
| CA="$OPENSSL ca $SSLEAY_CONFIG" | |
| VERIFY="$OPENSSL verify" | |
| X509="$OPENSSL x509" | |
| PKCS12="openssl pkcs12" | |
| if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi | |
| CAKEY=./cakey.pem | |
| CAREQ=./careq.pem | |
| CACERT=./cacert.pem | |
| RET=0 | |
| while [ "$1" != "" ] ; do | |
| case $1 in | |
| -\?|-h|-help) | |
| usage | |
| exit 0 | |
| ;; | |
| -newcert) | |
| # create a certificate | |
| $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS | |
| RET=$? | |
| echo "Certificate is in newcert.pem, private key is in newkey.pem" | |
| ;; | |
| -newreq) | |
| # create a certificate request | |
| $REQ -new -keyout newkey.pem -out newreq.pem $DAYS | |
| RET=$? | |
| echo "Request is in newreq.pem, private key is in newkey.pem" | |
| ;; | |
| -newreq-nodes) | |
| # create a certificate request | |
| $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS | |
| RET=$? | |
| echo "Request (and private key) is in newreq.pem" | |
| ;; | |
| -newca) | |
| # if explicitly asked for or it doesn't exist then setup the directory | |
| # structure that Eric likes to manage things | |
| NEW="1" | |
| if [ "$NEW" -o ! -f ${CATOP}/serial ]; then | |
| # create the directory hierarchy | |
| mkdir -p ${CATOP} | |
| mkdir -p ${CATOP}/certs | |
| mkdir -p ${CATOP}/crl | |
| mkdir -p ${CATOP}/newcerts | |
| mkdir -p ${CATOP}/private | |
| touch ${CATOP}/index.txt | |
| fi | |
| if [ ! -f ${CATOP}/private/$CAKEY ]; then | |
| echo "CA certificate filename (or enter to create)" | |
| read FILE | |
| # ask user for existing CA certificate | |
| if [ "$FILE" ]; then | |
| cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE | |
| cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE | |
| RET=$? | |
| if [ ! -f "${CATOP}/serial" ]; then | |
| $X509 -in ${CATOP}/$CACERT -noout -next_serial \ | |
| -out ${CATOP}/serial | |
| fi | |
| else | |
| echo "Making CA certificate ..." | |
| $REQ -new -keyout ${CATOP}/private/$CAKEY \ | |
| -out ${CATOP}/$CAREQ | |
| $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ | |
| -keyfile ${CATOP}/private/$CAKEY -selfsign \ | |
| -extensions v3_ca \ | |
| -infiles ${CATOP}/$CAREQ | |
| RET=$? | |
| fi | |
| fi | |
| ;; | |
| -xsign) | |
| $CA -policy policy_anything -infiles newreq.pem | |
| RET=$? | |
| ;; | |
| -pkcs12) | |
| if [ -z "$2" ] ; then | |
| CNAME="My Certificate" | |
| else | |
| CNAME="$2" | |
| fi | |
| $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ | |
| -out newcert.p12 -export -name "$CNAME" | |
| RET=$? | |
| exit $RET | |
| ;; | |
| -sign|-signreq) | |
| $CA -policy policy_anything -out newcert.pem -infiles newreq.pem | |
| RET=$? | |
| cat newcert.pem | |
| echo "Signed certificate is in newcert.pem" | |
| ;; | |
| -signCA) | |
| $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem | |
| RET=$? | |
| echo "Signed CA certificate is in newcert.pem" | |
| ;; | |
| -signcert) | |
| echo "Cert passphrase will be requested twice - bug?" | |
| $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem | |
| $CA -policy policy_anything -out newcert.pem -infiles tmp.pem | |
| RET=$? | |
| cat newcert.pem | |
| echo "Signed certificate is in newcert.pem" | |
| ;; | |
| -verify) | |
| shift | |
| if [ -z "$1" ]; then | |
| $VERIFY -CAfile $CATOP/$CACERT newcert.pem | |
| RET=$? | |
| else | |
| for j | |
| do | |
| $VERIFY -CAfile $CATOP/$CACERT $j | |
| if [ $? != 0 ]; then | |
| RET=$? | |
| fi | |
| done | |
| fi | |
| exit $RET | |
| ;; | |
| *) | |
| echo "Unknown arg $i" >&2 | |
| usage | |
| exit 1 | |
| ;; | |
| esac | |
| shift | |
| done | |
| exit $RET | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment