diff --git a/ssl_mgmt/ssl_mgmt b/ssl_mgmt/ssl_mgmt
index dcf1089..c22819e 100755
--- a/ssl_mgmt/ssl_mgmt
+++ b/ssl_mgmt/ssl_mgmt
@@ -21,7 +21,22 @@ set -u
-confFile=openssl.cnf
+cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
+
+. $cnfFilePath
+
+workDir=${workDir:-/usr/lib/ssl/CA}
+csrSubdir=${csrSubdir:-csr}
+certSubdir=${certSubdir:-newcerts}
+keySubdir=${keySubdir:-newkeys}
+certDestDir=${certDestDir:-/etc/ssl/certs}
+keyDestDir=${keyDestDir:-/etc/ssl/private}
+CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
+CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
+opensslCnfFile=openssl.cnf
+rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
+managedCerts=${managedCerts:-$(xargs &2 echo -n "Error! You must be root or being able to become root" echo -n " by sudo without password to\ncreate an email account" echo -n " or add an email alias." >&2 fi exit $ret }
@@ -211,18 +228,18 @@ generate_config ()
 replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@COMMONNAME@" "${commonName:-}")"
 replaceCmd="$(add_to_replace_cmd "$replaceCmd" "@ALTNAME@" "${altName:-}")"
 replaceCmd="$replaceCmd${replaceCmd:+;}s/\(.*=[[:blank:]]*\$\)/#\\1/"
-cnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)"
-sed "$replaceCmd" $confFile.in > $cnfTmpFile
+opensslCnfTmpFile="$(mktemp --tmpdir=. openssl.cnf.XXXXXXXXXX)"
+sed "$replaceCmd" $opensslCnfFile.in > $opensslCnfTmpFile
 if ask_user_default_no "Do you want to edit the openssl configuration file?"
 then
 if [ -n "${EDITOR:-}" ]
 then
-$EDITOR $cnfTmpFile
+$EDITOR $opensslCnfTmpFile
 else
-editor $cnfTmpFile
+editor $opensslCnfTmpFile
 fi
 fi
-mv $cnfTmpFile $confFile
+mv $opensslCnfTmpFile $opensslCnfFile
 }
 # @param service the name of the service associated with the certificate to 
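Review bot: `. $cnfFilePath` sources whatever path the environment supplies (`cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}`) with no check that the file exists or who owns it, and it runs before the `try_sudo "$@"` step visible in the main() hunk, so anyone who can shape the environment of a root invocation (a sudoers `env_keep`/`SETENV` entry, or a root shell that inherited a user's variables) chooses the shell code that ends up defining `CAKeyPath` and `rootCAPwdPath`. At minimum guard the source with `[ -f "$cnfFilePath" ] && [ "$(stat -c %u "$cnfFilePath")" = 0 ] || { echo "Error! refusing to source $cnfFilePath" >&2; exit 1; }` followed by `. "$cnfFilePath"`; dropping the environment override and reading only the fixed `/etc/…` path would be simpler still. The `managedCerts=${managedCerts:-$(xargs …` default at the end of the hunk is garbled in this rendering, so I cannot tell what it reads or whether that input is trusted.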
@@ -244,36 +261,36 @@ generate_cert ()
 certFile=${certPath##*/}
 keyFile=${keyPath##*/}
 keycertFile=${service}-keycert.pem
- openssl req -new -nodes -out csr/$reqFile -keyout newkeys/$keyFile -config $confFile
- openssl req -in csr/$reqFile -text -verify -noout
+ openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
+ openssl req -in $csrSubdir/$reqFile -text -verify -noout
 if ! ask_user_default_no "Is the Certificate Signing Request correct?"
 then
 return 1
 fi
- getfacl "$keyPath" | setfacl --set-file=- newkeys/$keyFile
+ getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
 if [ -z "$no_overwrite" ]
 then
- if [ ! -f "private/$keyFile" ]
+ if [ ! -f "$keyDestDir/$keyFile" ]
 then
- echo -n "Error! No file named $keyFile in directory" >&2
- echo " $(readlink -f private):" >&2
- echo "there might be a problem" >&2
+ echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
+ echo "there might be a problem." >&2
 fi
- mv newkeys/$keyFile private
+ mv $keySubdir/$keyFile $keyDestDir
 fi
- openssl ca -batch -out newcerts/$certFile -config $confFile -passin file:/root/passwords/root_ca -infiles csr/$reqFile
- getfacl "$certPath" | setfacl --set-file=- newcerts/$certFile
+ openssl ca -batch -config $opensslCnfFile -cert $CACertPath \ -keyfile $CAKeyPath -passin file:$rootCAPwdPath \ -out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
+ getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
 if [ -z "$no_overwrite" ]
 then
- if [ ! -f "certs/$certFile" ]
+ if [ ! -f "$certDestDir/$certFile" ]
 then
- echo "No file named $certFile in directory" >&2
- echo " $(readlink -f certs):" >&2
+ echo "No file named $certFile in directory $certDestDir:" >&2
 echo "there might be a problem" >&2
 fi
- mv newcerts/$certFile certs
+ mv $certSubdir/$certFile $certDestDir
 fi
- cat private/$keyFile certs/$certFile > private/$keycertFile
+ cat $keyDestDir/$keyFile $certDestDir/$certFile > $keyDestDir/$keycertFile
 return 0
 }
@@ -288,14 +305,14 @@ main ()
 then
 try_sudo "$@"
 fi
- cd /usr/lib/ssl/CA/
+ cd $workDir
 if [ "${service}" = "all" ]
 then
 services=""
- while read service
+ for service in $managedCerts
 do
 services="$services $service"
- done
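Review bot: The bundle written by the final `cat … > $keyDestDir/$keycertFile` contains the private key yet is the only output in this function that gets no ACL: the key and the certificate each receive `getfacl … | setfacl --set-file=-`, while the bundle is created with whatever mode the process umask yields (or keeps the mode of a pre-existing file). I would create it under a restrictive umask and mirror the key's ACL: `( umask 077; cat "$keyDestDir/$keyFile" "$certDestDir/$certFile" > "$keyDestDir/$keycertFile" )` followed by `getfacl "$keyDestDir/$keyFile" | setfacl --set-file=- "$keyDestDir/$keycertFile"`. Separately, the exit status of the new `openssl ca … -cert $CACertPath -keyfile $CAKeyPath -passin file:$rootCAPwdPath` call is not examined and the function ends with `return 0`, so unless `set -e` is in force (only `set -u` is visible in this diff) a failed signing still runs the `mv` and `cat` steps and reports success; appending `|| return 1` to that command would stop it. generate_cert's body begins before this hunk.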