This makes testing in a sandpit much easier.
The defaults are good, so I've left the configuration file out of the
repository.
private
state
tmp
+etc/config
set -e
certroot=$(cd ${0%/*}/..; pwd)
cd "$certroot"
+. lib/func.sh
umask 022
## Archive any existing CA.
## Build a new one.
mkdir -m750 private
mkdir -m775 certs crls index index/byhash index/byserial state tmp
-chown root:ca certs crls index index/byhash index/byserial private state tmp
+chown $ca_owner:$ca_group certs crls index index/byhash index/byserial private state tmp
touch state/db
echo 01 >state/serial
echo 01 >state/crlnumber
openssl req -new -config openssl.conf -x509 -days 3650 \
-out ca.cert -keyout private/ca.key \
-subj "$subject"
-chown root:ca private/ca.key
+chown $ca_owner:$ca_group private/ca.key
chmod 644 ca.cert
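Review bot: The two new chown lines expand `$ca_owner:$ca_group` unquoted, so a value set in etc/config that contains whitespace or a glob character alters chown's argument list instead of the owner spec; write `chown "$ca_owner:$ca_group" certs crls index index/byhash index/byserial private state tmp` and the same on the `private/ca.key` line. Because both values now come from an optional local file sourced indirectly through `. lib/func.sh`, an explicit `: "${ca_owner:?}" "${ca_group:?}"` right after that line would stop the script with a clear message if the config leaves them empty, rather than failing inside chown after the directories have already been created. Note that this script runs the privileged steps (mkdir/chown of private/) before any switch to the ca account, so what etc/config sets here is trusted as the invoking user. The script may continue past this hunk.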
### -*-sh-*-
+## Set up configuration.
+ca_user=ca ca_group=ca ca_owner=root
+if [ -f etc/config ]; then . etc/config; fi
+
runas_ca () {
## runas_ca
##
## to run as root against untrusted input -- especially OpenSSL's one.
case $(id -un) in
- ca) ;;
- *) exec sudo -u ca "$0" "$@" ;;
+ $ca_user) ;;
+ *) exec sudo -u $ca_user "$0" "$@" ;;
esac
}
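Review bot: `. etc/config` executes the config file as shell code in whatever process sources lib/func.sh, and in the setup script that is before runas_ca has had a chance to drop to `$ca_user`; since the same commit also stops tracking etc/config, its ownership and mode are no longer controlled by anything in the repository, yet it decides which account the privileged steps hand off to. A minimal guard before sourcing would be `[ -O etc/config ] || { echo 'etc/config: not owned by the current user, refusing to source' >&2; exit 1; }`, ideally paired with a check that the file is not group- or world-writable, and a comment stating that etc/config must be owned by the user running the privileged scripts. The path is relative, so this only finds the file when the caller has already changed into the CA root as the setup script does; other callers presumably need the same `cd`, which is worth stating in a comment above the `if`. In runas_ca the re-exec should quote the variable, `*) exec sudo -u "$ca_user" "$0" "$@" ;;`, and the case label is safer as `"$ca_user") ;;` so an empty value gives a mismatch rather than a malformed pattern. The file likely contains further functions beyond this hunk.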