Improvements of Certs creation scripts

Corrections and usability improvements
of Certificates creation scripts located at:
/aaf/authz/conf/CA

Change-Id: I1b933f4eaf49e94805e5307563886049606d4103
Issue-ID: AAF-441
Signed-off-by: Maciej Wejs <maciej.wejs@nokia.com>

diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index 00a23ec..07a1ed6 100644 (file)
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -1,84 +1,91 @@
 #
 # Initialize a manual Cert.  This is NOT entered in Certman Records
+# $1 - CN (Common Name)
+# $2 - FQI (Fully Qualified Identity)
+# $3-$n - SANs (Service Alias Names)
 #
-echo "FQI (Fully Qualified Identity): "
-read FQI
-if [ "$1" = "" -o "$1" = "-local" ]; then 
+
+if [ "$2" = "" ]; then
+  echo "FQI (Fully Qualified Identity): "
+  read FQI
+fi
+
+if [ "$1" = "" -o "$1" = "-local" ]; then
   echo "Personal Certificate"
   SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`"
   NAME=$FQI
-else 
+else
   echo "Application Certificate"
   SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`"
-  FQDN=$1
-  NAME=$FQDN
-  shift
+  NAME=$1
 
-  echo "Enter any SANS, delimited by spaces: "
-  read SANS
+  if [ "$3" = "" ]; then
+    echo "Enter any SANS, delimited by spaces: "
+    read SANS
+  else
+    SANS=""
+    while [ ! "$3" = "" ]; do
+    SANS=${SANS}" "$3
+    shift
+    done
+  fi
 fi
 
 # Do SANs
 if [ "$SANS" = "" ]; then
    echo no SANS
-    if [ -e $NAME.san ]; then 
+    if [ -e $NAME.san ]; then
       rm $NAME.san
     fi
   else
-   echo some SANS
+   echo some SANS: $SANS
     cp ../san.conf $NAME.san
     NUM=1
-    for D in $SANS; do 
+    for D in $SANS; do
         echo "DNS.$NUM = $D" >> $NAME.san
-       NUM=$((NUM+1))
+             NUM=$((NUM+1))
     done
 fi
 
 echo $SUBJECT
 
-if [ -e $NAME.csr ]; then
-  SIGN_IT=true
-else 
+if [ ! -e $NAME.csr ]; then
   if [ "$1" = "-local" ]; then
        echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
        echo "Enter the PassPhrase for the Key for $FQI: "
        `stty -echo`
        read PASSPHRASE
        `stty echo`
- 
+
        # remove any previous Private key
        rm private/$NAME.key
-       # Create j regaular rsa encrypted key
+       # Create regular rsa encrypted key
        openssl req -new -newkey rsa:2048 -sha256 -keyout private/$NAME.key \
          -out $NAME.csr -outform PEM -subj "$SUBJECT" \
          -passout stdin  << EOF
 $PASSPHRASE
 EOF
-       chmod 400 private/$NAME.key 
-       SIGN_IT=true
-  else 
-       echo openssl req -newkey rsa:2048 -sha256 -keyout $NAME.key -out $NAME.csr -outform PEM -subj '"'$SUBJECT'"'
-       echo chmod 400 $NAME.key
+       chmod 400 private/$NAME.key
+  else
+       openssl req -newkey rsa:2048 -sha256 -keyout private/$NAME.key -out $NAME.csr -outform PEM -subj "$SUBJECT"
+       chmod 400 $NAME.key
        echo "# All done, print result"
-       echo openssl req -verify -text -noout -in $NAME.csr
+       openssl req -verify -text -noout -in $NAME.csr
   fi
 fi
 
-if [ "$SIGN_IT" = "true" ]; then
   # Sign it
   if [ -e $NAME.san ]; then
-    openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+    openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \
        -cert certs/ca.crt -keyfile private/ca.key \
        -policy policy_loose \
        -days 360 \
        -extfile $NAME.san \
        -infiles $NAME.csr
-  else 
-    openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+  else
+    openssl ca -config ../openssl.conf -extensions server_cert -out certs/$NAME.crt \
        -cert certs/ca.crt -keyfile private/ca.key \
        -policy policy_loose \
        -days 360 \
        -infiles $NAME.csr
   fi
-fi
-

diff --git a/conf/CA/newIntermediate.sh b/conf/CA/newIntermediate.sh
index 303c22e..b548dd4 100644 (file)
--- a/conf/CA/newIntermediate.sh
+++ b/conf/CA/newIntermediate.sh
@@ -41,19 +41,18 @@ echo $SUBJECT
 $PASSPHRASE
 EOF
 
-  chmod 400 $DIR/private/$CN.key 
+  chmod 400 $DIR/private/ca.key
   openssl req -verify -text -noout -in $DIR/$CN.csr
 
   # Sign it
   openssl ca -config openssl.conf -extensions v3_intermediate_ca \
        -days 1826 \
-       -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
+  -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
        -infiles $DIR/$CN.csr
 
-    openssl x509 -text -noout -in $DIR/certs/ca.crt
+   openssl x509 -text -noout -in $DIR/certs/ca.crt
 
-
-     openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
+   openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
 
 
 # Create a Signer p12 script

diff --git a/conf/CA/p12.sh b/conf/CA/p12.sh
index 53184e2..23e7624 100644 (file)
--- a/conf/CA/p12.sh
+++ b/conf/CA/p12.sh
@@ -1,22 +1,20 @@
 #
 # Create a p12 file from local certs
 #
-echo "FQI (Fully Qualified Identity): "
-read FQI
 
 if [ "$1" = "" ]; then
-  MACH=$FQI  
-else 
+  echo "Enter Keystore Name: "
+  read MACH
+else
   MACH=$1
 fi
 
-# Add Cert AND Intermediate CAs (Clients will have Root CAs (or not))
-  cat $MACH.crt  > $MACH.chain
+  # Add Cert AND Intermediate CAs (Clients will have Root CAs (or not))
+  cat certs/$MACH.crt  > $MACH.chain
   # Add THIS Intermediate CA into chain
-  cat "certs/ca.crt" >> $MACH.chain
+  cat certs/ca.crt >> $MACH.chain
 
   # Make a pkcs12 keystore, a jks keystore and a pem keystore
   rm -f $MACH.p12
   # Note: Openssl will pickup and load all Certs in the Chain file
-  openssl pkcs12 -name $FQI -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12 
-
+  openssl pkcs12 -name $MACH -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12