projects / z_archive / vpsm.git / blame
| Commit | Line | Data |
|---|---|---|
| dd71f1b5 JR |
1 | #!/bin/sh |
| 2 | ||
| 3 | # Build a new PKI which is rooted on an intermediate certificate generated | |
| 4 | # by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should | |
| 5 | # have independent vars settings, and must use a different KEY_DIR directory | |
| 6 | # from the parent. This tool can be used to generate arbitrary depth | |
| 7 | # certificate chains. | |
| 8 | # | |
| 9 | # To build an intermediate CA, follow the same steps for a regular PKI but | |
| 10 | # replace ./build-key or ./pkitool --initca with this script. | |
| 11 | ||
| 12 | # The EXPORT_CA file will contain the CA certificate chain and should be | |
| 13 | # referenced by the OpenVPN "ca" directive in config files. The ca.crt file | |
| 14 | # will only contain the local intermediate CA -- it's needed by the easy-rsa | |
| 15 | # scripts but not by OpenVPN directly. | |
| 16 | EXPORT_CA="export-ca.crt" | |
| 17 | ||
| 18 | if [ $# -ne 2 ]; then | |
| 19 | echo "usage: $0 <parent-key-dir> <common-name>" | |
| 20 | echo "parent-key-dir: the KEY_DIR directory of the parent PKI" | |
| 21 | echo "common-name: the common name of the intermediate certificate in the parent PKI" | |
| 22 | exit 1; | |
| 23 | fi | |
| 24 | ||
| 25 | if [ "$KEY_DIR" ]; then | |
| 26 | cp "$1/$2.crt" "$KEY_DIR/ca.crt" | |
| 27 | cp "$1/$2.key" "$KEY_DIR/ca.key" | |
| 28 | ||
| 29 | if [ -e "$1/$EXPORT_CA" ]; then | |
| 30 | PARENT_CA="$1/$EXPORT_CA" | |
| 31 | else | |
| 32 | PARENT_CA="$1/ca.crt" | |
| 33 | fi | |
| 34 | cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" | |
| 35 | cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" | |
| 36 | else | |
| 37 | echo 'Please source the vars script first (i.e. "source ./vars")' | |
| 38 | echo 'Make sure you have edited it to reflect your configuration.' | |
| 39 | fi |