Apache-SecSess
view release on metacpan or search on metacpan
utils/mkcerts view on Meta::CPAN
#
if ($opt_n) {
# server certs to create and sign (dns prefixes to $dns)
@servers = (
'adam.', 'lysander.', 'tom.', # .acme.com domain
'john.sec.', 'milt.sec.', # .sec.acme.com
'stu.transacme.com', 'noam.acme.org' # outside signing domain
);
# pkcs12 client certs to create and sign
@clients = (
{'email' => 'bob', 'full' => 'Col. Robert Bobtight'},
{'email' => 'admin', 'full' => 'Acme Security Administrator'}
);
}
#
# things to do in append mode (no -n option)
#
if (!$opt_n) { @servers = ('www'); }
# # # # # # # # # # # # # # End Configuration # # # # # # # # # # # # # # # #
#
# configuration info which should be OK to LEAVE ALONE
#
$confile = './request.cnf'; # config file for requests
#
# create CA cert, if necessary
#
if ($opt_n) { &newca; }
#
# make basic ssl server certs under CA's domain
#
for $s (@servers) { &mksslserv($s); }
#
# make pkcs12 client cert/key's
#
for $c (@clients) { &mkpkcs12($c); }
#
# subroutine to create new CA
#
sub newca {
my($configinfo);
printf(":\n: Creating CA Cert ...\n:\n");
#
# create root request config file
#
$configinfo = <<"END_CONFILE";
[ req ]
default_bits = $rsabits
default_md = $digest
default_keyfile = $cakey
distinguished_name = req_distinguished_name
prompt = no
output_password = $capasswd
[ req_distinguished_name ]
C = $dnc
ST = $dnst
L = $dnl
O = $company
OU = www.$dns
CN = $company Root CA
emailAddress = trustmaster\@$dns
END_CONFILE
open(CONFILE, ">$confile") || die "cannot create config file: $confile";
printf CONFILE "%s\n", $configinfo;
close(CONFILE);
#
# create self-signed root cert for CA, and display
#
# create/sign
system(
"openssl req -config $confile -x509 -new -days $cadays -out $cacert"
) == 0 or die "problem creating root CA certificate";
# clean up
unlink($confile) || die "cannot remove $confile";
# display
if ($opt_d) {
printf(":\n: Newly Created Root CA Certificate\n:\n");
system(
"openssl x509 -in $cacert -noout -text"
) == 0 or die "problem printing root CA certificate: $cacert";
}
printf(":\n: CA's MD5 fingerprint\n:\n");
system(
"openssl x509 -in $cacert -noout -fingerprint"
) == 0 or die "fingerprint problem with root CA certificate: $cacert";
}
#
# general subroutine to create and sign x509 certs
#
sub mknsign {
my ($opt_e, $hr) = @_; # global $opt_e doesn't apply to pkcs12
my($name, $req, $key, $cert);
my($enccmd, $dtag, $configinfo);
my(@x500tags) = ('C', 'ST', 'L', 'O', 'OU', 'CN');
$name = $hr->{'name'}; # short name for files
$req = sprintf("%s-req.pem", $name); # request file
$key = sprintf("%s-key.pem", $name); # private key file
$cert = sprintf("%s-cert.pem", $name); # cert file
printf("\n:\n: Creating and Signing Cert for '%s' ...\n:\n", $name);
if ($opt_d) {
printf("%s: creating request/key (%s,%s)\n", $name, $req, $key);
}
#
# make configuation file for openssl req
#
$enccmd = ($opt_e) ?
"output_password = $spasswd" :
"encrypt_key = no";
$configinfo = <<"END_CONFILE";
[ req ]
default_bits = $rsabits
default_md = $digest
default_keyfile = $key
distinguished_name = req_distinguished_name
prompt = no
$enccmd
[ req_distinguished_name ]
END_CONFILE
for $dtag (@x500tags) {
if (defined($hr->{$dtag})) {
$configinfo .= sprintf("%s\t\t= %s\n", $dtag, $hr->{$dtag});
}
}
if (defined($hr->{'email'})) {
$configinfo .= sprintf("emailAddress\t\t= %s\n", $hr->{'email'});
}
open(CONFILE, ">$confile") || die "cannot create config file: $confile";
printf CONFILE "%s\n", $configinfo;
close(CONFILE);
#
# create cert request
#
system(
"openssl req -config $confile -new -out $req"
) == 0 or die "problem creating certificate request for: $name";
#
# sign the request
#
# sign
open(SIGNREQ, "| openssl x509 -req -in $req -passin stdin -$digest " .
"-CA $cacert -CAkey $cakey -CAcreateserial -days $days -out $cert"
) or die "problem signing certificate request for: $name";
printf SIGNREQ "%s\n", $capasswd;
close(SIGNREQ);
# clean up
unlink($confile, $req) || die "cannot clean up";
# display
if ($opt_d) {
printf(":\n: Newly Signed Certificate for '%s'\n:\n", $name);
system(
"openssl x509 -in $cert -noout -text"
) == 0 or die "problem printing certificate: $cert";
printf(":\n: Verifying '%s' ...\n:\n", $name);
system(
"openssl x509 -in $cert -noout -fingerprint"
) == 0 or die "certificate fingerprint problem: $name";
printf("verifying signature ...\n");
system(
"openssl verify -verbose -CAfile $cacert $cert"
) == 0 or die "certificate fingerprint problem: $name";
}
}
#
# create the SSL server certs under CA's domain
#
sub mksslserv {
my $s = shift;
( run in 0.967 second using v1.01-cache-2.11-cpan-6aa56a78535 )