Move bundle defaults to /etc/pki/tls/certs/
Fix invalid test cases on command line processing. Remove -c/--cadir flags, replace with -b/--bundledir to store all bundles in the same location.
This commit is contained in:
parent
21ec3212be
commit
ca103899f6
@ -1,3 +1,7 @@
|
|||||||
|
1.0 - Move bundle defaults to /etc/pki/tls/certs/
|
||||||
|
- Fix invalid test cases on command line processing
|
||||||
|
- Remove -c/--cadir flags, replace with -b/--bindledir to store
|
||||||
|
all bundles in same location
|
||||||
0.9 - Use P11-Kit trust module to generate alternate certificate stores
|
0.9 - Use P11-Kit trust module to generate alternate certificate stores
|
||||||
from trust policy
|
from trust policy
|
||||||
- Only generate the trust store (and optionally NSSDB and Java PKCS#12)
|
- Only generate the trust store (and optionally NSSDB and Java PKCS#12)
|
||||||
|
71
make-ca
71
make-ca
@ -8,7 +8,7 @@
|
|||||||
# Authors: DJ Lucas
|
# Authors: DJ Lucas
|
||||||
# Bruce Dubbs
|
# Bruce Dubbs
|
||||||
|
|
||||||
VERSION="0.9"
|
VERSION="1.0"
|
||||||
|
|
||||||
# Get/set defaults
|
# Get/set defaults
|
||||||
if test -f /etc/make-ca.conf; then
|
if test -f /etc/make-ca.conf; then
|
||||||
@ -22,11 +22,12 @@ else
|
|||||||
OPENSSL="/usr/bin/openssl"
|
OPENSSL="/usr/bin/openssl"
|
||||||
TRUST="/usr/bin/trust"
|
TRUST="/usr/bin/trust"
|
||||||
ANCHORDIR="${PKIDIR}/anchors"
|
ANCHORDIR="${PKIDIR}/anchors"
|
||||||
CABUNDLE="${SSLDIR}/ca-bundle.crt"
|
BUNDLEDIR="${PKIDIR}/tls/certs"
|
||||||
SMBUNDLE="${SSLDIR}/email-ca-bundle.crt"
|
CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
|
||||||
CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt"
|
SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
|
||||||
|
CSBUNDLE="${BUNDLEDIR}/objsign-ca-bundle.crt"
|
||||||
CERTDIR="${SSLDIR}/certs"
|
CERTDIR="${SSLDIR}/certs"
|
||||||
KEYSTORE="${SSLDIR}/java/cacerts"
|
KEYSTORE="${PKIDIR}/tls/java"
|
||||||
NSSDB="${PKIDIR}/nssdb"
|
NSSDB="${PKIDIR}/nssdb"
|
||||||
LOCALDIR="${SSLDIR}/local"
|
LOCALDIR="${SSLDIR}/local"
|
||||||
DESTDIR=""
|
DESTDIR=""
|
||||||
@ -97,16 +98,11 @@ function get_args(){
|
|||||||
-S | --ssldir)
|
-S | --ssldir)
|
||||||
check_arg $1 $2
|
check_arg $1 $2
|
||||||
SSLDIR="${2}"
|
SSLDIR="${2}"
|
||||||
CABUNDLE="${SSLDIR}/ca-bundle.crt"
|
|
||||||
CERTDIR="${SSLDIR}/certs"
|
CERTDIR="${SSLDIR}/certs"
|
||||||
KEYSTORE="${SSLDIR}/java/cacerts"
|
|
||||||
LOCALDIR="${SSLDIR}/local"
|
LOCALDIR="${SSLDIR}/local"
|
||||||
echo "${@}" | grep -e "-c " -e "--cafile" \
|
echo "${@}" | grep -e "-d " -e "--cadir" 2>&1> /dev/null
|
||||||
-e "-d " -e "--cadir" \
|
|
||||||
-e "-j " -e "--javacerts" > /dev/null
|
|
||||||
if test "${?}" == "0"; then
|
if test "${?}" == "0"; then
|
||||||
echo "Error! ${1} cannot be used with the -c/--cafile, -d/--cadir, or"
|
echo "Error! ${1} cannot be used with the -d/--cadir switch."
|
||||||
echo "-j/--javacerts switches."
|
|
||||||
echo ""
|
echo ""
|
||||||
exit 3
|
exit 3
|
||||||
fi
|
fi
|
||||||
@ -116,7 +112,7 @@ function get_args(){
|
|||||||
-a | --anchordir)
|
-a | --anchordir)
|
||||||
check_arg $1 $2
|
check_arg $1 $2
|
||||||
ANCHORDIR="${2}"
|
ANCHORDIR="${2}"
|
||||||
echo "${@}" | grep -e "-P " -e "--pkidir" > /dev/null
|
echo "${@}" | grep -e "-P " -e "--pkidir" 2>&1> /dev/null
|
||||||
if test "${?}" == "0"; then
|
if test "${?}" == "0"; then
|
||||||
echo "Error! ${1} cannot be used with the -P/--pkidir switch."
|
echo "Error! ${1} cannot be used with the -P/--pkidir switch."
|
||||||
echo ""
|
echo ""
|
||||||
@ -124,20 +120,15 @@ function get_args(){
|
|||||||
fi
|
fi
|
||||||
shift 2
|
shift 2
|
||||||
;;
|
;;
|
||||||
-c | --cafile)
|
-b | --bundledir)
|
||||||
check_arg $1 $2
|
check_arg $1 $2
|
||||||
CABUNDLE="${2}"
|
BUNDLEDIR="${2}"
|
||||||
echo "${@}" | grep -e "-S " -e "--ssldir" > /dev/null
|
|
||||||
if test "${?}" == "0"; then
|
|
||||||
echo "Error! ${1} cannot be used with the -S/--ssldir switch."
|
|
||||||
echo ""
|
|
||||||
exit 3
|
|
||||||
fi
|
|
||||||
shift 2
|
shift 2
|
||||||
;;
|
;;
|
||||||
-d | --cadir)
|
-d | --cadir)
|
||||||
check_arg $1 $2
|
check_arg $1 $2
|
||||||
CADIR="${2}"
|
CADIR="${2}"
|
||||||
|
echo "$@" | grep -e "-S" -e "--ssldir" 2>&1 > /dev/null
|
||||||
if test "${?}" == "0"; then
|
if test "${?}" == "0"; then
|
||||||
echo "Error! ${1} cannot be used with the -S/--ssldir switch."
|
echo "Error! ${1} cannot be used with the -S/--ssldir switch."
|
||||||
echo ""
|
echo ""
|
||||||
@ -158,11 +149,6 @@ function get_args(){
|
|||||||
-j | --javacerts)
|
-j | --javacerts)
|
||||||
check_arg $1 $2
|
check_arg $1 $2
|
||||||
KEYSTORE="${2}"
|
KEYSTORE="${2}"
|
||||||
if test "${?}" == "0"; then
|
|
||||||
echo "Error! ${1} cannot be used with the -S/--ssldir switch."
|
|
||||||
echo ""
|
|
||||||
exit 3
|
|
||||||
fi
|
|
||||||
shift 2
|
shift 2
|
||||||
;;
|
;;
|
||||||
-k | --keytool)
|
-k | --keytool)
|
||||||
@ -277,32 +263,31 @@ function showhelp(){
|
|||||||
echo ""
|
echo ""
|
||||||
echo " -S, --ssldir [/etc/ssl]"
|
echo " -S, --ssldir [/etc/ssl]"
|
||||||
echo " The output SSL root direcotry - Cannot be used"
|
echo " The output SSL root direcotry - Cannot be used"
|
||||||
echo " with the -c / --cafile, -d / --cadir, or"
|
echo " with the -d / --cadir switch"
|
||||||
echo " -j / --javacerts switches"
|
|
||||||
echo ""
|
echo ""
|
||||||
echo " -a, --anchordir [\$PKIDIR/anchors]"
|
echo " -a, --anchordir [\$PKIDIR/anchors]"
|
||||||
echo " The output directory for OpenSSL trusted"
|
echo " The output directory for OpenSSL trusted"
|
||||||
echo " CA certificates used as trust anchors"
|
echo " CA certificates used as trust anchors"
|
||||||
echo ""
|
echo ""
|
||||||
echo " -c, --cafile [\$SSLDIR/ca-bundle.crt]"
|
echo " -b, --bundledir [\$PKIDIR/certs]"
|
||||||
echo " The output filename for the PEM formated bundle"
|
echo " The output direcotry for the PEM formated bundles"
|
||||||
echo ""
|
echo ""
|
||||||
echo " -d, --cadir [\$SSLDIR/certs]"
|
echo " -d, --cadir [\$SSLDIR/certs]"
|
||||||
echo " The output directory for the OpenSSL trusted"
|
echo " The output directory for the OpenSSL trusted"
|
||||||
echo " CA certificates"
|
echo " CA certificates"
|
||||||
echo ""
|
echo ""
|
||||||
echo " -j, --javacerts [\$SSLDIR/java/cacerts]"
|
echo " -j, --javacerts [\$PKIDIR/java/cacerts]"
|
||||||
echo " The output filename for the Java cacerts file"
|
echo " The output directory for the Java cacerts file(s)"
|
||||||
echo ""
|
echo ""
|
||||||
echo " -l, --localdir [\$SSLDIR/local]"
|
echo " -l, --localdir [\$SSLDIR/local]"
|
||||||
echo " The path to a local set of OpenSSL trusted"
|
echo " The path to a local set of OpenSSL trusted"
|
||||||
echo " certificates, used to both override trust bits"
|
echo " certificates, used to both override trust bits"
|
||||||
echo " from upstream sources and provide locally"
|
echo " from upstream sources and provide system local"
|
||||||
echo " provided certifiates"
|
echo " certifiates"
|
||||||
echo ""
|
echo ""
|
||||||
echo " -m, --java-p12"
|
echo " -m, --java-p12"
|
||||||
echo " Export Java PKCS#12 store - will default to"
|
echo " Export Java PKCS#12 store - will default to"
|
||||||
echo " \$SSLDIR/java/cacerts.p12 unless modified by"
|
echo " \$PKIDIR/java/cacerts.p12 unless modified by"
|
||||||
echo " the '-j/--javacerts' switch"
|
echo " the '-j/--javacerts' switch"
|
||||||
echo ""
|
echo ""
|
||||||
echo " -n, --nssdb {\$PKIDIR/nssdb}"
|
echo " -n, --nssdb {\$PKIDIR/nssdb}"
|
||||||
@ -699,9 +684,10 @@ fi
|
|||||||
|
|
||||||
# Install Java cacerts.p12 in ${KEYSTORE}
|
# Install Java cacerts.p12 in ${KEYSTORE}
|
||||||
if test "${WITH_P12}" == "1"; then
|
if test "${WITH_P12}" == "1"; then
|
||||||
test -f "${DESTDIR}${KEYSTORE}.p12" &&
|
test -f "${DESTDIR}${KEYSTORE}/cacerts.p12" &&
|
||||||
rm -f "${DESTDIR}${KEYSTORE}.p12"
|
rm -f "${DESTDIR}${KEYSTORE}/cacerts.p12"
|
||||||
install -dm644 "${TEMPDIR}/ssl/java/cacerts.p12" "${DESTDIR}${KEYSTORE}.p12"
|
install -dm644 "${TEMPDIR}/ssl/java/cacerts.p12" \
|
||||||
|
"${DESTDIR}${KEYSTORE}/cacerts.p12"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Import any certs in $LOCALDIR
|
# Import any certs in $LOCALDIR
|
||||||
@ -873,7 +859,7 @@ rm -rf "${TEMPDIR}"
|
|||||||
|
|
||||||
# Build alternate formats using p11-kit trust (if not using DESTDIR)
|
# Build alternate formats using p11-kit trust (if not using DESTDIR)
|
||||||
if test "x${DESTDIR}" == "x"; then
|
if test "x${DESTDIR}" == "x"; then
|
||||||
mkdir -p /etc/ssl/{certs,java}
|
mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"
|
||||||
echo -n "Extracting OpenSSL certificates to ${CERTDIR}..."
|
echo -n "Extracting OpenSSL certificates to ${CERTDIR}..."
|
||||||
"${TRUST}" extract --filter=certificates --format=openssl-directory \
|
"${TRUST}" extract --filter=certificates --format=openssl-directory \
|
||||||
--overwrite --comment "${CERTDIR}" \
|
--overwrite --comment "${CERTDIR}" \
|
||||||
@ -890,12 +876,11 @@ if test "x${DESTDIR}" == "x"; then
|
|||||||
"${TRUST}" extract --filter=ca-anchors --format=pem-bundle \
|
"${TRUST}" extract --filter=ca-anchors --format=pem-bundle \
|
||||||
--purpose code-signing --overwrite --comment \
|
--purpose code-signing --overwrite --comment \
|
||||||
"${CSBUNDLE}" && echo "Done!" || echo "Failed!!!"
|
"${CSBUNDLE}" && echo "Done!" || echo "Failed!!!"
|
||||||
echo -n "Extracting Java cacerts (JKS) to ${KEYSTORE}..."
|
echo -n "Extracting Java cacerts (JKS) to ${KEYSTORE}/cacerts..."
|
||||||
"${TRUST}" extract --filter=ca-anchors --format=java-cacerts \
|
"${TRUST}" extract --filter=ca-anchors --format=java-cacerts \
|
||||||
--purpose server-auth --overwrite --comment "${KEYSTORE}" \
|
--purpose server-auth --overwrite \
|
||||||
|
--comment "${KEYSTORE}/cacerts" \
|
||||||
&& echo "Done!" || echo "Failed!!!"
|
&& echo "Done!" || echo "Failed!!!"
|
||||||
# Remove compatibility symlink for 0.8 at 0.10
|
|
||||||
ln -sf cacerts "${KEYSTORE}.jks"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# End /usr/sbin/make-ca
|
# End /usr/sbin/make-ca
|
||||||
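Review bot: The new `-b | --bundledir` arm only assigns `BUNDLEDIR="${2}"`, while `CABUNDLE`, `SMBUNDLE` and `CSBUNDLE` are expanded from `${BUNDLEDIR}` once in the defaults block, so unless they are re-derived after `get_args` (outside these hunks) the switch relocates `mkdir -p "${BUNDLEDIR}"` but the three bundles are still written to the default path; adding `CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"`, `SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"` and `CSBUNDLE="${BUNDLEDIR}/objsign-ca-bundle.crt"` right after the assignment, as the old `-S` arm did for `CABUNDLE`, closes that. The conflict checks in the `-S`, `-a` and `-d` arms use `2>&1> /dev/null`, which sends grep's stderr to the terminal and only stdout to /dev/null; `> /dev/null 2>&1` is the intended order, and the `-d` arm's pattern `"-S"` (no trailing space) will also match any argument that merely contains `-S`. In the cacerts.p12 block, `install -dm644 "${TEMPDIR}/ssl/java/cacerts.p12" "${DESTDIR}${KEYSTORE}/cacerts.p12"` creates two directories (one named cacerts.p12) instead of copying the file, so the install the comment describes never happens; `install -m644` is what is meant. The help text also disagrees with the code: `-b` is documented as `\$PKIDIR/certs` while the default is `${PKIDIR}/tls/certs`, and `-j`/`-m` document `\$PKIDIR/java/...` where `KEYSTORE` now defaults to `${PKIDIR}/tls/java`. Both `get_args` and `showhelp` start and end outside the hunks shown.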
|