#ident $Id: certutil,v 2.2 2001/05/27 12:16:31 lukeh Exp $
# certutil -- manage trusted X.509 certificates
# inspired by Netscape PKCS #11 toolkit
# contributed by Jarkko Turkulainen <jt@wapit.com>
# certutil can be used with various OpenSSL routines and tools
# that utilize OpenSSL. Example:
# $ openssl s_client -CApath certdir
# where certdir is a directory created by certutil. Other well known
# programs that use the same format are stunnel, sendmail and pam_ldap
# 1. Initialize certificate database
# Simply by adding a new certificate. If the certificate directory
# doesn't exist, the script asks whether to create one. Example:
# $ certutil -a -n "First Cert" -i cert.pem -d /home/jt/mycerts
# ./certutil: cannot access /home/jt/mycerts, create? [y/N] y
# 2. Add new certificate
# $ certutil -a -n "My Cert" -i cert.pem [-d certdir]
# Note that a nickname (-n) must be given. certdir is optional - if it's
# not given, $PWD is used. The directory must have a file named certs.dat.
# If that file doesn't exist, the script refuses to do anything. If your
# certs.dat file is corrupted, "rm -rf" the whole dir and start from
# scratch. cert.pem is the actual certificate (PEM format).
# 3. Delete certificate
# $ certutil -r -n "My Cert" [-d certdir]
# This command removes the certificate named "My Cert". certdir is
# 4. List certificates
# $ certutil -l [-d certdir]
# And again, certdir is optional.
# 5. View certificate properties
# $ certutil -v -n "My Cert" [-d certdir]
-a -n name -i file [-d dir]
-l -- List sertificates (requires a valid dir)
-a -- Add sertificate and create dir if necessary
-r -- Remove sertificate (requires a valid dir)
-v -- View sertificate (requires a valid dir)
dir -- Certificate directory, or \$PWD if not given
name -- Nickname of the certificate
file -- Certificate file in PEM format
if [ ! -d $CDIR -a $ADD -eq 1 ]; then
echo -n "$0: cannot access $CDIR, create? [y/N] "
chmod 600 $CDIR/certs.dat
if [ ! -e $CDIR/certs.dat ]; then
echo "$0: please specify a valid cert directory"
if [ ! -e $FILE ]; then
echo "$0: cannot find $FILE"
HASH=`openssl x509 -in $FILE -hash -noout 2>/dev/null`.0
if [ $? -ne 0 ]; then
echo "$0: unable to load certificate $FILE"
if grep "^$CNAME|" $CDIR/certs.dat 1>/dev/null 2>&1; then
echo "$0: nickname already in use"
if [ -e $CDIR/$HASH ]; then
echo "$0: certificate already in directory"
echo `openssl x509 -in $CDIR/$HASH -subject -noout`
chmod 600 $CDIR/$HASH
echo "$CNAME|$HASH" >> $CDIR/certs.dat
chmod 600 $CDIR/certs.dat
# (this is too slow...)
echo "Certificates in directory $CDIR"
printf "%-30s%s\n" nickname subject/issuer
echo "----------------------------------------------------------------------------"
cat $CDIR/certs.dat | while read LINE; do
NICK=`echo $LINE | cut -d "|" -f 1`
HASH=`echo $LINE | cut -d "|" -f 2`
SUBJECT=`openssl x509 -in $CDIR/$HASH -subject -noout`
ISSUER=`openssl x509 -in $CDIR/$HASH -issuer -noout`
printf "%-30s%s\n" "$NICK" "$SUBJECT"
printf "%-30s%s\n\n" "" "$ISSUER"
# Remove certificates
# NOTE(review): the rewrite of certs.dat below stages the new index at
# /tmp/$$ (see the mv further down) -- a predictable name in a shared,
# world-writable directory. Prefer mktemp in the target directory plus a
# trap for cleanup, so nothing pre-placed in /tmp can end up as certs.dat.
cat $CDIR/certs.dat | while read LINE; do
NICK=`echo $LINE | cut -d "|" -f 1`
HASH=`echo $LINE | cut -d "|" -f 2`
if [ "$CNAME" = "$NICK" ]; then
mv /tmp/$$ $CDIR/certs.dat
chmod 600 $CDIR/certs.dat
cat $CDIR/certs.dat | while read LINE; do
NICK=`echo $LINE | cut -d "|" -f 1`
HASH=`echo $LINE | cut -d "|" -f 2`
if [ "$CNAME" = "$NICK" ]; then
openssl x509 -in $CDIR/$HASH -text
# Parse option string
while getopts "arlvd:n:i:" OPT; do
# Check command line options
if [ $ADD -eq 1 -a $REMOVE -eq 0 -a $LIST -eq 0 -a $VIEW -eq 0 ]; then
if [ -n "$CNAME" -a -n "$FILE" ]; then
echo "$0: missing certificate name or file"
elif [ $REMOVE -eq 1 -a $ADD -eq 0 -a $LIST -eq 0 -a $VIEW -eq 0 ]; then
if [ -n "$CNAME" ]; then
echo "$0: missing certificate name"
elif [ $LIST -eq 1 -a $ADD -eq 0 -a $REMOVE -eq 0 -a $VIEW -eq 0 ]; then
elif [ $VIEW -eq 1 -a $ADD -eq 0 -a $REMOVE -eq 0 -a $LIST -eq 0 ]; then
if [ -n "$CNAME" ]; then
echo "$0: cert named \"$CNAME\" not found"
echo "$0: missing certificate name"