
Re: mod-ssl



On Sun, Mar 04, 2001 at 17:51:52 -0500, MaD dUCK wrote:
> so i established my own certificate authority and have a server
> certification - and now i would like to create a new server
> certificate, signed by the same ca. however, when i do
> mod-ssl-makecert

It appears mod-ssl-makecert wasn't written to deal with this case. Here's a
modified version - use at your own peril, and make sure you have a ca.config
(see the one that's commented out for inspiration).

HTH,
Ray

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. 
##

# Modified by Ray Dassen <jdassen@cistron-office.nl>
set -e

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
#   derive the output name: foo.csr -> foo.crt, anything else -> <name>.crt
case $CSR in
   *.csr ) CERT="${CSR%.csr}.crt" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   the CA config must already exist; the script no longer generates it
CACONFIG=/home/staff/admin/CA/ca.config
if [ ! -r "$CACONFIG" ]; then
        echo "Can't read $CACONFIG"
        exit 1
fi
##   template for your own SSLeay config (commented out)
#cat >ca.config <<EOT
#[ ca ]
#default_ca              = CA_own
#[ CA_own ]
#dir                     = .
#certs                   = \$dir
#new_certs_dir           = \$dir/ca.db.certs
#database                = \$dir/ca.db.index
#serial                  = \$dir/ca.db.serial
#RANDFILE                = \$dir/ca.db.rand
#certificate             = \$dir/ca.crt
#private_key             = \$dir/ca.key
#default_days            = 365
#default_crl_days        = 30
#default_md              = sha256
#preserve                = no
#policy                  = policy_anything
#[ policy_anything ]
#countryName             = optional
#stateOrProvinceName     = optional
#localityName            = optional
#organizationName        = optional
#organizationalUnitName  = optional
#commonName              = supplied
#emailAddress            = optional
#EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config "$CACONFIG" -out "$CERT" -infiles "$CSR"
#  check that the new certificate chains to the CA certificate
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt "$CERT"

#  cleanup after SSLeay 
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0
-- 
Furthermore, I am of the opinion that the Netherlands should be roofed over.
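
Added example, not part of Ray's message or of mod-ssl: a lint for the ca.config that the script above passes to `openssl ca`. It checks that the keys set in the commented-out template are present, that default_md is not a broken digest, and that the policy requires commonName; the function names and the sample config are constructed for illustration.

```shell
# Added example: lint the config that sign.sh hands to `openssl ca`.
# lint_ca_config and demo_config are hypothetical names.
# Prints one finding per line for the CA section selected by default_ca.
lint_ca_config() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*(#|$)/ { next }                      # comments, blank lines
    /^[ \t]*\[/ {                                # [ section ] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = trim(sec); seen[sec] = 1; next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        val = substr($0, eq + 1); sub(/#.*$/, "", val)   # drop trailing comment
        v[sec, trim(substr($0, 1, eq - 1))] = trim(val)
    }
    END {
        ca = v["ca", "default_ca"]
        if (ca == "" || !(ca in seen)) { print "default_ca does not name a section"; exit }
        n = split("database serial new_certs_dir certificate private_key policy", req, " ")
        for (i = 1; i <= n; i++)
            if (v[ca, req[i]] == "") print "missing key: " req[i]
        md = tolower(v[ca, "default_md"])
        if (md == "") print "missing key: default_md"
        else if (md ~ /^(md2|md4|md5|sha1)$/) print "weak default_md: " md
        pol = v[ca, "policy"]
        if (pol != "" && v[pol, "commonName"] !~ /^(supplied|match)$/)
            print "policy " pol " does not require commonName"
    }' "$1"
}

# Constructed sample: md5 digest, no serial file, commonName left optional.
demo_config() {
    cat <<'EOT'
[ ca ]
default_ca      = CA_own
[ CA_own ]
new_certs_dir   = $dir/ca.db.certs
database        = $dir/ca.db.index
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = md5   # collision-broken digest
policy          = policy_anything
[ policy_anything ]
commonName      = optional
EOT
}

tmp=$(mktemp) && demo_config >"$tmp" && lint_ca_config "$tmp"; rm -f "$tmp"
```

An empty result means none of the three checks fired; it says nothing about the permissions on ca.key or the contents of the CSR being signed.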