Adding needed config variables to scripts, formatting

Author: mikegioia

README.md

@@ -1,4 +1,4 @@
-# Certificate Authority Management Utilities
+## Certificate Authority Management Utilities
 
 ---
 
@@ -7,3 +7,4 @@ infrastructure at your organization, or for yourself. You can generate a Root Ce
 Authority, intermediate CAs like a Software Signing or Email CA, individual web server
 certificates for your domains to use both locally and on the Internet, and personal
 email and browser PK12 certificates for email and web-based authentication.
+

bin/client.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
 #
 # Sets up a new TLS client certificate, signed by the TLS
 # certificate authority.
@@ -15,13 +17,13 @@ basepath="$rootpath/.."
 . $basepath/etc/bash/colors
 
 ## Export the ENV variables
-export BASEPATH=$basepath
 export TLSCANAME=$tlsCA
+export BASEPATH=$basepath
 export CABASEURL=$caBaseURL
 export COUNTRYNAME=$countryName
 export ORGNAME=$organizationName
-export ORGUNITNAME=$organizationalUnitName
 export TLSCOMMONNAME=$tlsCommonName
+export ORGUNITNAME=$organizationalUnitName
 
 ## Help message
 function showHelp {

bin/email-ca.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
 #
 # Sets up the Email CA
 ##
@@ -15,12 +17,14 @@ basepath="$rootpath/.."
 
 ## Export the ENV variables
 export BASEPATH=$basepath
-export EMAILCANAME=$emailCA
+export ROOTCANAME=$rootCA
 export CABASEURL=$caBaseURL
+export EMAILCANAME=$emailCA
 export COUNTRYNAME=$countryName
 export ORGNAME=$organizationName
-export ORGUNITNAME=$organizationalUnitName
+export ROOTCOMMONNAME=$rootCommonName
 export EMAILCOMMONNAME=$emailCommonName
+export ORGUNITNAME=$organizationalUnitName
 
 ## Create directories
 mkdir -p $basepath/ca/email-ca/private $basepath/ca/email-ca/db

bin/root-ca.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
 #
 # Sets up the Primary Root CA
 ##
@@ -19,33 +21,70 @@ export ROOTCANAME=$rootCA
 export CABASEURL=$caBaseURL
 export COUNTRYNAME=$countryName
 export ORGNAME=$organizationName
-export ORGUNITNAME=$organizationalUnitName
 export ROOTCOMMONNAME=$rootCommonName
+export ORGUNITNAME=$organizationalUnitName
+
+## Help message
+function showHelp {
+    echo -e "${yellow}Usage:${NC}"
+    echo "  $0 [options] [command]"
+    echo ""
+    echo -e "${yellow}Options:${NC}"
+    echo -e "  ${green}--help      -h${NC} Display this help message."
+    echo ""
+    echo -e "${yellow}Available Commands:${NC}"
+    echo -e "  ${green}create        ${NC} Creates a new Root CA."
+    echo ""
+    echo -e "Default command is ${green}create${NC} if none is specified."
+}
+
+## Info message
+function showCreateMessage {
+    echo -e "${yellow}You will be creating a new Root Certificate Authority.${NC}"
+    echo -e "${yellow}This will create new directories, certificates, keys and ${NC}"
+    echo -e "${yellow}other files, and may overwrite files with the same names ${NC}"
+    echo -e "${yellow}that already exist.${NC}"
+    echo -n "Do you want to proceed? [y/N] "
+    read answer
+    echo ""
+    if [[ "$answer" != "y" && "$answer" != "Y" ]] ; then
+        exit 0
+    fi
+}
 
 ## Create directories
-mkdir -p $basepath/ca/root-ca/private $basepath/ca/root-ca/db $basepath/crl $basepath/certs
-chmod 700 $basepath/ca/root-ca/private
-echo -n "*.key" > $basepath/ca/root-ca/private/.gitignore
+function createDirectories {
+    mkdir -p $basepath/ca/root-ca/private $basepath/ca/root-ca/db $basepath/crl $basepath/certs
+    chmod 700 $basepath/ca/root-ca/private
+    echo -n "*.key" > $basepath/ca/root-ca/private/.gitignore
+}
 
 ## Create database
-if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.db" ]] ; then
-    cp /dev/null $basepath/ca/root-ca/db/$rootCA.db
-fi
-if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.db.attr" ]] ; then
-    cp /dev/null $basepath/ca/root-ca/db/$rootCA.db.attr
-fi
-if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.crt.srl" ]] ; then
-    echo 01 > $basepath/ca/root-ca/db/$rootCA.crt.srl
-fi
-if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.crl.srl" ]] ; then
-    echo 01 > $basepath/ca/root-ca/db/$rootCA.crl.srl
-fi
+function createDatabase {
+    if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.db" ]] ; then
+        cp /dev/null $basepath/ca/root-ca/db/$rootCA.db
+    fi
+    if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.db.attr" ]] ; then
+        cp /dev/null $basepath/ca/root-ca/db/$rootCA.db.attr
+    fi
+    if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.crt.srl" ]] ; then
+        echo 01 > $basepath/ca/root-ca/db/$rootCA.crt.srl
+    fi
+    if ! [[ -f "$basepath/ca/root-ca/db/$rootCA.crl.srl" ]] ; then
+        echo 01 > $basepath/ca/root-ca/db/$rootCA.crl.srl
+    fi
+}
 
 ## Create CA request
 ## Use -key ca/root-ca/private/root-ca.key to generate
 ## a new CSR.
 function genCsr {
-    if ! [[ -f "$basepath/ca/root-ca/private/$rootCA.key" ]] ; then
+    keyPath="$basepath/ca/root-ca/private/$rootCA.key"
+
+    if ! [[ -f $keyPath && -s $keyPath ]] ; then
+        echo -e "${yellow}A new key will now be created.${NC}"
+        echo -e "${yellowBold}You must enter a password between 4 and 1024 characters.${NC}"
+
         openssl req -new \
             -sha256 \
             -config $basepath/etc/root-ca.conf \
@@ -62,17 +101,19 @@ function genCsr {
 
 ## Check if the CSR exists. If so, ask the user if they
 ## want to replace it. Otherwise, just create the CSR.
-if [[ -f "$basepath/ca/$rootCA.csr" ]] ; then
-    echo -e "${red}Root CA CSR exists!${NC}"
-    echo -n "Do you want to create a new one? (y/N): "
-    read answer
-    echo ""
-    if [[ "$answer" == "y" || "$answer" == "Y" ]] ; then
+function checkCsr {
+    if [[ -f "$basepath/ca/$rootCA.csr" ]] ; then
+        echo -e "${red}Root CA CSR exists!${NC}"
+        echo -n "Do you want to create a new one? (y/N): "
+        read answer
+        echo ""
+        if [[ "$answer" == "y" || "$answer" == "Y" ]] ; then
+            genCsr
+        fi
+    else
         genCsr
     fi
-else
-    genCsr
-fi
+}
 
 ## Create CA certificate
 function genCrt {
@@ -84,27 +125,69 @@ function genCrt {
         -enddate 20501231235959Z
 }
 
-if [[ -f "$basepath/ca/$rootCA.crt" ]] ; then
-    echo -e "${red}Root CA certificate exists!${NC}"
-    echo -n "Do you want to create a new one? (y/N): "
-    read answer
-    echo ""
-    if [[ "$answer" == "y" || "$answer" == "Y" ]] ; then
+## Check if certificate exists and prompt to overwrite
+function checkCrt {
+    if [[ -f "$basepath/ca/$rootCA.crt" ]] ; then
+        echo -e "${red}Root CA certificate exists!${NC}"
+        echo -n "Do you want to create a new one? (y/N): "
+        read answer
+        echo ""
+        if [[ "$answer" == "y" || "$answer" == "Y" ]] ; then
+            genCrt
+        fi
+    else
         genCrt
     fi
-else
-    genCrt
-fi
+}
 
 ## Create CRL
-echo -n "Do you want to generate a CRL? (y/N): "
-read answer
-echo ""
-
-if [[ "$answer" == "y" || "$answer" == "Y" ]] ; then
+function genCrl {
     openssl ca -gencrl \
         -config $basepath/etc/root-ca.conf \
         -out $basepath/crl/$rootCA.crl
+}
+
+## Ask to create a CRL file
+function checkCrl {
+    echo -n "Do you want to generate a CRL? (y/N): "
+    read answer
+    echo ""
+
+    if [[ "$answer" == "y" || "$answer" == "Y" ]] ; then
+        genCrl
+    fi
+}
+
+function finish {
+    echo -e "${greenBold}Done!${NC}"
+}
+
+## If no arguments came in, default to create
+if [[ -z "$@" ]] ; then
+    set "create"
 fi
 
-echo -e "${greenBold}Done!${NC}"
+## Loop through command parameters
+for i
+do
+case $i in
+    -\? | -h | help )
+        showHelp
+        exit 0
+        ;;
+    create )
+        ## Create a new CA
+        showCreateMessage
+        createDirectories
+        createDatabase
+        checkCsr
+        checkCrt
+        checkCrl
+        finish
+        ;;
+    * )
+        echo -e "${redBold}Unknown arg '$i'${NC}";
+        exit 1
+        ;;
+esac
+done

bin/server.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
 #
 # Sets up a new server certificate, signed by the TLS
 # certificate authority.
@@ -15,13 +17,13 @@ basepath="$rootpath/.."
 . $basepath/etc/bash/colors
 
 ## Export the ENV variables
-export BASEPATH=$basepath
 export TLSCANAME=$tlsCA
+export BASEPATH=$basepath
 export CABASEURL=$caBaseURL
 export COUNTRYNAME=$countryName
 export ORGNAME=$organizationName
-export ORGUNITNAME=$organizationalUnitName
 export TLSCOMMONNAME=$tlsCommonName
+export ORGUNITNAME=$organizationalUnitName
 
 ## Script vars
 fqdns=()

bin/software-ca.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
 #
 # Sets up the Software CA
 ##
@@ -15,10 +17,12 @@ basepath="$rootpath/.."
 
 ## Export the ENV variables
 export BASEPATH=$basepath
-export SOFTWARECANAME=$softwareCA
+export ROOTCANAME=$rootCA
 export CABASEURL=$caBaseURL
 export COUNTRYNAME=$countryName
 export ORGNAME=$organizationName
+export SOFTWARECANAME=$softwareCA
+export ROOTCOMMONNAME=$rootCommonName
 export ORGUNITNAME=$organizationalUnitName
 export SOFTWARECOMMONNAME=$softwareCommonName
 

bin/tls-ca.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
 #
 # Sets up the TLS CA
 ##
@@ -14,13 +16,15 @@ basepath="$rootpath/.."
 . $basepath/etc/bash/colors
 
 ## Export the ENV variables
-export BASEPATH=$basepath
 export TLSCANAME=$tlsCA
+export BASEPATH=$basepath
+export ROOTCANAME=$rootCA
 export CABASEURL=$caBaseURL
 export COUNTRYNAME=$countryName
 export ORGNAME=$organizationName
-export ORGUNITNAME=$organizationalUnitName
 export TLSCOMMONNAME=$tlsCommonName
+export ROOTCOMMONNAME=$rootCommonName
+export ORGUNITNAME=$organizationalUnitName
 
 ## Create directories
 mkdir -p $basepath/ca/tls-ca/private $basepath/ca/tls-ca/db
@@ -63,7 +67,7 @@ function genCsr {
 ## Check if the CSR exists. If so, ask the user if they
 ## want to replace it. Otherwise, just create the CSR.
 if [[ -f "$basepath/ca/$tlsCA.csr" ]] ; then
-    echo -e "${red}TLS CA CSR exists!{$NC}"
+    echo -e "${red}TLS CA CSR exists!${NC}"
     echo -n "Do you want to create a new one? (y/N): "
     read answer
     echo ""
@@ -84,7 +88,7 @@ function genCrt {
 }
 
 if [[ -f "$basepath/ca/$tlsCA.crt" ]] ; then
-    echo -e "${red}TLS CA certificate exists!{$NC}"
+    echo -e "${red}TLS CA certificate exists!${NC}"
     echo -n "Do you want to create a new one? (y/N): "
     read answer
     echo ""

etc/client.conf

@@ -1,4 +1,4 @@
-# TLS client certificate request
+## TLS client certificate request
 
 [ req ]
 default_bits            = 2048                  # RSA key size

etc/codesign.conf

@@ -1,4 +1,4 @@
-# Code-signing certificate request
+## Code-signing certificate request
 
 [ req ]
 default_bits            = 2048                  # RSA key size

etc/email.conf

@@ -1,4 +1,4 @@
-# Email certificate request
+## Email certificate request
 
 [ req ]
 default_bits            = 2048                  # RSA key size

etc/software-ca.conf

@@ -74,7 +74,7 @@ organizationalUnitName  = optional
 commonName              = optional
 emailAddress            = optional
 
-# Extensions
+## Extensions
 
 [ codesign_ext ]
 keyUsage                = critical,digitalSignature