#!/bin/sh # # certutil -- manage trusted X.509 certificates # inspired by Netscape PKCS #11 toolkit # # $Id: certutil,v 0.20 2001/05/31 16:17:43 jt Exp $ # # # INTRODUCTION # # certutil can be used with various OpenSSL routines and tools # that utilize OpenSSL. Example: # # $ openssl s_client -CApath certdir # # where certdir is a directory created by certutil. Other well known # programs that use the same format are stunnel and sendmail. # # # HOWTO # # 1. Initialize certificate "database" # # Simply by adding a new certificate. If the certificate directory # doesn't exist, the script asks for creating a one. Example: # # $ certutil -a -n "First Cert" -i cert.pem -d /home/jt/mycerts # ./certutil: cannot access /home/jt/mycerts, create? [y/N] y # # Another way is to make a directory with mkdir and a file named # ".certutil" in that directory: # # $ mkdir path-to-dir/certdir # $ touch path-to-dir/certdir/.certutil # # 2. Add new certificate # # $ certutil -a -n "My Cert" -i cert.pem [-d certdir] # # Note that nickname (-n) must exist. certdir is optional - if it's # not given, $PWD is used. cert.pem is the actual sertificate. # # 3. Delete certificate # # $ certutil -r -n "My Cert" [-d certdir] # # This command removes the certificate named "My Cert". certdir is # optional, see 2. # # 4. List sertificates # # $ certutil -l [-d certdir] # # And again, certdir is optional. # # 5. View certificate properties # # $ certutil -v -n "My Cert" [-d certdir] # ######################################################################### # default certificate lookup directory CDIR=/tmp/certs # OpenSSL trust settings (see man x509 for details) TRUST=serverAuth ######################################################################### # Print usage usage() { cat << EOF Usage: $0 -l [-d dir] -a -n name -i file [-d dir] -r -n name [-d dir] -v -n name [-d dir] Commands: -l -- List sertificates -a -- Add sertificate and create dir if necessary -r -- Remove sertificate -v -- View sertificate Parameters: dir -- Certificate directory, or \$PWD if not given name -- Nickname of the certificate file -- Certificate file in PEM format EOF exit 1 } # Check path check_path() { # check the directory if [ ! -d $CDIR -a $ADD -eq 1 ]; then printf "%s: cannot access $CDIR, create? [y/N] " $0 read LINE case $LINE in y|Y) mkdir $CDIR chmod 700 $CDIR touch $CDIR/.certutil chmod 600 $CDIR/.certutil ;; *) exit 1 ;; esac fi if [ ! -e $CDIR/.certutil ]; then echo "$0: please specify a valid directory" exit 1 fi } # Add certificates add_cert() { check_path # Check file if [ ! -e $FILE ]; then echo "$0: cannot find $FILE" exit 1 fi HASH=`openssl x509 -in $FILE -hash -noout 2>/dev/null`.0 if [ $? -ne 0 ]; then echo "$0: unable to load certificate $FILE" exit 1 fi for i in `ls -1 $CDIR/*.0 2>/dev/null`; do NICK=`openssl x509 -in $i -alias -noout` if [ "$CNAME" = "$NICK" ]; then echo "$0: nickname already in use" exit 1 fi done if [ -e $CDIR/$HASH ]; then echo "$0: certificate already in directory" echo `openssl x509 -in $CDIR/$HASH -subject -noout` exit 1 else openssl x509 -in $FILE -setalias "$CNAME" \ -addtrust $TRUST > $CDIR/$HASH chmod 600 $CDIR/$HASH fi } # List certificates # # list_cert() { check_path echo NUM=1 for i in `ls -1t $CDIR/*.0 2>/dev/null`; do printf "%d. " $NUM openssl x509 -in $i -alias -subject -issuer -enddate -noout echo NUM=$((NUM+1)) done } # Remove certificates remove_cert() { check_path for i in `ls -1 $CDIR/*.0 2>/dev/null`; do NICK=`openssl x509 -in $i -alias -noout` if [ "$CNAME" = "$NICK" ]; then rm $i return 1 fi done } # View certificate view_cert() { check_path for i in `ls -1 $CDIR/*.0 2>/dev/null`; do NICK=`openssl x509 -in $i -alias -noout` if [ "$CNAME" = "$NICK" ]; then openssl x509 -in $i -text return 1 fi done } # Parse option string ADD=0 REMOVE=0 LIST=0 VIEW=0 while getopts "arlvd:n:i:" OPT; do case $OPT in a) ADD=1 ;; r) REMOVE=1 ;; l) LIST=1 ;; v) VIEW=1 ;; d) CDIR=$OPTARG ;; n) CNAME=$OPTARG ;; i) FILE=$OPTARG ;; *) usage ;; esac done # Default options CDIR=${CDIR:=.} # Check command line options if [ $ADD -eq 1 -a $REMOVE -eq 0 -a $LIST -eq 0 -a $VIEW -eq 0 ]; then if [ -n "$CNAME" -a -n "$FILE" ]; then add_cert else echo "$0: missing certificate name or file" usage fi elif [ $REMOVE -eq 1 -a $ADD -eq 0 -a $LIST -eq 0 -a $VIEW -eq 0 ]; then if [ -n "$CNAME" ]; then remove_cert else echo "$0: missing certificate name" usage fi elif [ $LIST -eq 1 -a $ADD -eq 0 -a $REMOVE -eq 0 -a $VIEW -eq 0 ]; then list_cert elif [ $VIEW -eq 1 -a $ADD -eq 0 -a $REMOVE -eq 0 -a $LIST -eq 0 ]; then if [ -n "$CNAME" ]; then if view_cert; then echo "$0: cert named \"$CNAME\" not found" exit 1 fi else echo "$0: missing certificate name" usage fi else usage fi