diff --git a/README.rst b/README.rst
index 17b091223c84be154c6c7b96abec379ebfa075d0..7d63b9cb97d8d0e1fc0f8d033211e2d44169fd9d 100644
--- a/README.rst
+++ b/README.rst
@@ -1,8 +1,8 @@
SSL-CA
######
-This is a program (written in POSIX shell) to generate an SSL/TLS certificate
-authority, signed certificates and to sign existing certificates.
+This utility automates generating an SSL certificate authority, keys and signed
+certificates. The only dependecy is openssl.
Installation
------------
@@ -12,62 +12,34 @@ Installation
cd ssl-ca
sudo make install
-The only dependency is openssl.
-
Usage
-----
-To start a new CA ::
+This will generate, inside the new directory, the directory stucture, a starting
+configuration for starting work and a new CA key and certificate. ::
- $ mkdir mycerts
- $ cd mycerts
+ $ mkdir domain.tld
+ $ cd domain.tld
$ ssl-ca init
-This will create a new directory with the directory structure and a
-configuration file **Remember to change the configuration in `openssl.cnf`.**
-
-To generate a new CA key and certificate (inside the new directory)::
-
- $ ssl-ca ca-gen
-
-To generate a new key and certificate for the www.example.com domain ::
+To generate a new key and certificate for the www host, the key will at
+``keys/www`` and the certificate at ``certs/www`` ::
- $ ssl-ca gen www.example.com
+ $ ssl-ca gen www
-The key will be at ``keys/www.example.com.key`` and the certificate at
-``certs/www.example.com.pem``.
-
-To sign existing keys, copy them to ``keys/subdomain.domain.tld.key`` and run (this will sign all of keys found under ``keys/``) ::
+To sign existing keys, copy them to the ``keys/`` folder. All keys that don't
+have a matching certificate under ``certs/`` will be signed when running ::
$ ssl-ca sign
-To resign **ALL** existing keys (overriding existing certificates) ::
+To resign **ALL** existing keys (regardles of existing certificates) ::
$ ssl-ca resign
-Example config
---------------
-::
-
- # This file is sourced by ssl-ca, so comments start with #
- # and usual shell evaluation and variables can be used.
- # No setting is mandatory and missing setting will be left blank or the
- # default value will be used.
- keysize=2048
- keytype='rsa'
- cipher='aes256'
- days=365
- countrycode='US'
- state='Somewhere'
- locality='Some other place.'
- orgname='Acme'
- orgunit='Widgets'
- email='hostmaster@example.com'
-
License
-------
-This software is licnesed under the MIT licese (see the LICENSE.txt file).
+This software is licnesed under the MIT licese (see the ``LICENSE.txt`` file).
Author
------
@@ -77,5 +49,6 @@ Nimrod Adar.
TODO
----
-- Write said program.
- Fill out example output in the usage section.
+- Add checks and failure messages to each action.
+- Finish openssl configuration.
diff --git a/ssl-ca b/ssl-ca
index 688014146330be7e3e0faf3f955942b5fd0fc96f..6b507c5cc01c185ae749594333ade1d6b9e70f0a 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -32,29 +32,26 @@ default_bits = 2048"
#orgunit='Widgets'
usage () {
- echo "Usage: $0 "
+ echo "Usage: $0 init|gen|sign|resign"
}
init () {
- mkdir "$1/certs"
- mkdir "$1/keys"
- echo "$default_config" > "$1/openssl.cnf"
+ mkdir "certs"
+ mkdir "keys"
+ openssl genra -out CA.key
+ openssl req -x509 -new -config openssl.cnf -key CA.key -out CA.crt
+ echo "$default_config" > "openssl.cnf"
}
sign_key () {
csr="$(mktemp)"
- openssl req -new -config openssl.cnf -out $csr
- openssl x509 -req -in $csr -out certs/$1.crt
- rm $csr
+ openssl req -new -config openssl.cnf -out "$csr"
+ openssl x509 -req -in "$csr" -out "certs/$1.crt"
+ rm "$csr"
}
gen_key () {
- openssl genrsa -out keys/$1.key
-}
-
-ca_gen () {
- openssl genra -out CA.key
- openssl req -x509 -new -config openssl.cnf -key CA.key -out CA.crt
+ openssl genrsa -out "keys/$1"
}
if [ $# -lt 1 ]
@@ -67,26 +64,23 @@ case "$1" in
init)
init
;;
- ca-gen)
- ca-gen
- ;;
gen)
- gen_key
- sign_key $key
+ gen_key "$2"
+ sign_key "$2"
;;
sign)
- for key in keys/*.key
+ for key in keys/*
do
- if [ ! -f certs/$key.pem ]
+ if [ ! -f "certs/$(basename $key)" ]
then
- sign_key $key
+ sign_key "$(basename $key)"
fi
done
;;
resign)
for key in keys/*
do
- sign_key $key
+ sign_key "$(basename $key)"
done
;;
*)