4 ### Initialize a new certificate authority.
6 ### (c) 2011 Mark Wooding
9 ###----- Licensing notice ---------------------------------------------------
11 ### This program is free software; you can redistribute it and/or modify
12 ### it under the terms of the GNU General Public License as published by
13 ### the Free Software Foundation; either version 2 of the License, or
14 ### (at your option) any later version.
16 ### This program is distributed in the hope that it will be useful,
17 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
18 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 ### GNU General Public License for more details.
21 ### You should have received a copy of the GNU General Public License
22 ### along with this program; if not, write to the Free Software Foundation,
23 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 ## Find the common utilities.
## Resolved relative to this script's own location rather than the current
## working directory (the CA paths used below, by contrast, are relative to the
## working directory).  func.tcl is expected to define make-directories and
## make-file and, presumably, to populate the $C configuration array -- confirm.
26 source [file join [file dirname $argv0] "../lib/func.tcl"]
29 ## If there's already a database here, then give up.
30 if {[file exists "state/ca.db"]} {
32 "$argv0: It looks like there's already a certificate authority here.
34 If you want to clobber it, delete state/ca.db and run this
39 ## Otherwise, clear any existing stuff away. Either we failed part way
40 ## through a previous setup attempt, or the user has explicitly deleted the
41 ## database in order to persuade us to do this.
43 "archive" "cert" "req" "state" "private" "crl" "tmp" "ca.cert"
45 ## Set up the state directory.
## Modes are octal; 0775 leaves state/ and archive/ group-writable and
## world-readable.
46 make-directories 0775 "state" "archive"
## Serial and CRL numbers start at 01 and are presumably incremented per
## issuance (the counter handling lives elsewhere, probably etc/openssl.conf --
## not visible here).  NOTE(review): sequential serials are predictable and
## reveal how many certificates have been issued; randomised serials are the
## modern recommendation.
47 make-file "state/serial" "01\n"
48 make-file "state/crlnumber" "01\n"
## Empty "db" file -- presumably the OpenSSL index/database referenced from
## etc/openssl.conf (confirm); the SQLite database created below is a separate
## store.
49 make-file "state/db" ""
51 ## Initialize the database in a temporary file: we'll rename it into place as
52 ## our last action. This involves installing the tables and indices, and
53 ## setting up the configured profiles.
## The .new file is created here by the sqlite open, with whatever mode the
## library and the process umask yield; ownership is set immediately
## afterwards.  The table/index/profile setup described above is not visible
## in this excerpt.
54 sqlite db "state/ca.db.new"
## Owner and group come from the configuration; the remaining attribute
## arguments (e.g. the mode) are on the continuation line, which is not shown
## here.
58 file attributes "state/ca.db.new" \
59 -owner $C(ca-owner) -group $C(ca-group) \
62 ## Generate the private CA key.
## 0750: only the CA owner and its group may enter private/.  The key file
## itself gets its own ownership below (and, on a continuation line not shown
## here, presumably its mode).
63 make-directories 0750 "private"
## Build an OpenSSL-style subject string ("/attr=value/attr=value...") from the
## attr/value pairs of the configured CA name.  `append` creates `subject` on
## first use, so no prior initialisation is needed.
65 foreach {attr value} $C(ca-name) { append subject "/$attr=$value" }
## One-shot self-signed CA certificate (-new -x509) plus a fresh private key,
## valid for $C(ca-period) days, with openssl's output passed straight through.
## The command continues on a line not shown here, so whether the key is
## written encrypted (i.e. without -nodes) cannot be confirmed from this
## excerpt -- check etc/openssl.conf and the remaining arguments.
66 exec >@stdout 2>@stderr openssl req -config "etc/openssl.conf" \
67 -text -out "ca.cert" -keyout "private/ca.key" \
68 -new -x509 -days $C(ca-period) \
70 file attributes "private/ca.key" \
71 -owner $C(ca-owner) -group $C(ca-group) \
73 file attributes "ca.cert" \
74 -owner $C(ca-owner) -group $C(ca-group) \
77 ## Set up the directories for the actual certificates. These are published
## Published material: 0775 makes these trees world-readable, consistent with
## the intent stated above -- so nothing under cert/ or req/ should presumably
## be secret.
79 make-directories 0775 "cert" "cert/by-seq" "cert/active"
80 make-directories 0775 "req" "req/by-id" "req/active"
## Make other directories.
## tmp/ is also world-readable (0775).  NOTE(review): confirm that nothing
## private (e.g. key material) is ever staged here.
83 make-directories 0775 "tmp"
85 ## Finally, put the database in the right place.
## Commit step: renaming the completed database is the last action, and the
## guard at the top of this script keys off state/ca.db, so an interrupted run
## leaves no ca.db and the next run starts over (see the note above about
## clearing leftovers).  A rename within one directory is atomic on POSIX
## filesystems.
86 file rename "state/ca.db.new" "state/ca.db"