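#!/bin/sh

# Build a new PKI which is rooted on an intermediate certificate generated
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
# have independent vars settings, and must use a different KEY_DIR directory
# from the parent. This tool can be used to generate arbitrary depth
# certificate chains.
#
# To build an intermediate CA, follow the same steps for a regular PKI but
# replace ./build-key or ./pkitool --initca with this script.
#
# Usage: $0 <parent-key-dir> <common-name>
#   parent-key-dir  the KEY_DIR directory of the parent PKI
#   common-name     the common name of the intermediate certificate in the
#                   parent PKI (<common-name>.crt / <common-name>.key there)
#
# Requires the vars script to have been sourced so that KEY_DIR is set.
# Exit status: 0 on success; 1 on a usage error, a missing KEY_DIR, or any
# failed file operation (nothing is silently left half-done).

# The EXPORT_CA file will contain the CA certificate chain and should be
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
# will only contain the local intermediate CA -- it's needed by the easy-rsa
# scripts but not by OpenVPN directly.
EXPORT_CA="export-ca.crt"

# Print each argument on its own line to stderr and exit with status 1.
die() {
    printf '%s\n' "$@" >&2
    exit 1
}

if [ $# -ne 2 ]; then
    die "usage: $0 <parent-key-dir> <common-name>" \
        "parent-key-dir: the KEY_DIR directory of the parent PKI" \
        "common-name: the common name of the intermediate certificate in the parent PKI"
fi

PARENT_DIR="$1"
COMMON_NAME="$2"

# KEY_DIR comes from the sourced vars script. Without it there is nowhere to
# install the new CA, so this is an error (non-zero exit), not a mere notice.
if [ -z "$KEY_DIR" ]; then
    die 'Please source the vars script first (i.e. "source ./vars")' \
        'Make sure you have edited it to reflect your configuration.'
fi

# The parent and child PKI must not share a KEY_DIR: copying the intermediate
# certificate over the parent's own ca.crt would corrupt the parent PKI.
# Compare canonical paths so "./keys" and "keys/" are recognised as the same.
if [ -d "$PARENT_DIR" ] && [ -d "$KEY_DIR" ] \
    && [ "$(cd "$PARENT_DIR" && pwd -P)" = "$(cd "$KEY_DIR" && pwd -P)" ]; then
    die "parent-key-dir and KEY_DIR must be different directories"
fi

# The intermediate cert/key pair must already exist in the parent PKI
# (generated by ./build-inter or ./pkitool --inter). Check up front so a
# typo in the common name does not leave a partially written KEY_DIR.
[ -r "$PARENT_DIR/$COMMON_NAME.crt" ] \
    || die "cannot read $PARENT_DIR/$COMMON_NAME.crt"
[ -r "$PARENT_DIR/$COMMON_NAME.key" ] \
    || die "cannot read $PARENT_DIR/$COMMON_NAME.key"

# Install the intermediate as this PKI's CA certificate and signing key.
cp "$PARENT_DIR/$COMMON_NAME.crt" "$KEY_DIR/ca.crt" \
    || die "failed to copy intermediate certificate to $KEY_DIR/ca.crt"
cp "$PARENT_DIR/$COMMON_NAME.key" "$KEY_DIR/ca.key" \
    || die "failed to copy intermediate key to $KEY_DIR/ca.key"
# ca.key is the new CA's private signing key; do not rely on cp's inherited
# mode (or an existing destination's mode) to keep it private.
chmod 600 "$KEY_DIR/ca.key" \
    || die "failed to restrict permissions on $KEY_DIR/ca.key"

# If the parent is itself an intermediate it already has a chain file; use
# that so the exported chain stays complete. Otherwise the parent's ca.crt
# is the top of the chain.
if [ -e "$PARENT_DIR/$EXPORT_CA" ]; then
    PARENT_CA="$PARENT_DIR/$EXPORT_CA"
else
    PARENT_CA="$PARENT_DIR/ca.crt"
fi

# Chain file: the parent chain first, then the new intermediate appended.
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA" \
    || die "failed to copy $PARENT_CA to $KEY_DIR/$EXPORT_CA"
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA" \
    || die "failed to append $KEY_DIR/ca.crt to $KEY_DIR/$EXPORT_CA"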