summaryrefslogtreecommitdiff
path: root/usr.sbin/ikectl
diff options
context:
space:
mode:
authorPeter Hessler <phessler@cvs.openbsd.org>2010-10-07 09:36:34 +0000
committerPeter Hessler <phessler@cvs.openbsd.org>2010-10-07 09:36:34 +0000
commit2cbba2fa221b857325058727dfb695e96c3388a8 (patch)
tree2506b6e04ed5cf55f42f84b97a75480028c4c33d /usr.sbin/ikectl
parent5f85de940d7dfce3d39ee1a9ad33f3c95d2677fa (diff)
When we create a new CA, also create an empty (but valid) CRL list.
While here, set our used defaults in the config file. OK reyk@, jsg@
Diffstat (limited to 'usr.sbin/ikectl')
-rw-r--r--usr.sbin/ikectl/ikeca.c37
-rw-r--r--usr.sbin/ikectl/ikeca.cnf6
2 files changed, 26 insertions, 17 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 1e790c7df6f..aff1a4a3718 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.9 2010/06/23 19:28:18 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.10 2010/10/07 09:36:33 phessler Exp $ */
/* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
/*
@@ -318,6 +318,9 @@ ca_create(struct ca *ca)
ca->passfile);
system(cmd);
+ /* Create the CRL revocation list */
+ ca_revoke(ca, NULL);
+
return (0);
}
@@ -650,11 +653,13 @@ ca_revoke(struct ca *ca, char *keyname)
char *pass;
size_t len;
- snprintf(path, sizeof(path), "%s/%s.crt",
- ca->sslpath, keyname);
- if (stat(path, &st) != 0) {
- warn("Problem with certificate for '%s'", keyname);
- return (1);
+ if (keyname) {
+ snprintf(path, sizeof(path), "%s/%s.crt",
+ ca->sslpath, keyname);
+ if (stat(path, &st) != 0) {
+ warn("Problem with certificate for '%s'", keyname);
+ return (1);
+ }
}
snprintf(path, sizeof(path), "%s/ikeca.passwd", ca->sslpath);
@@ -673,15 +678,17 @@ ca_revoke(struct ca *ca, char *keyname)
err(1, "could not access %s", path);
}
- snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
- " %s ca -config %s -keyfile %s/private/ca.key"
- " -key %s"
- " -cert %s/ca.crt"
- " -md sha1"
- " -revoke %s/%s.crt",
- ca->sslpath, PATH_OPENSSL, ca->sslcnf, ca->sslpath, pass,
- ca->sslpath, ca->sslpath, keyname);
- system(cmd);
+ if (keyname) {
+ snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
+ " %s ca -config %s -keyfile %s/private/ca.key"
+ " -key %s"
+ " -cert %s/ca.crt"
+ " -md sha1"
+ " -revoke %s/%s.crt",
+ ca->sslpath, PATH_OPENSSL, ca->sslcnf, ca->sslpath, pass,
+ ca->sslpath, ca->sslpath, keyname);
+ system(cmd);
+ }
snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
" %s ca -config %s -keyfile %s/private/ca.key"
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index 8423518a93b..321efb36f72 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.2 2010/06/10 16:14:04 jsg Exp $
+# $OpenBSD: ikeca.cnf,v 1.3 2010/10/07 09:36:33 phessler Exp $
# $vantronix: ikeca.cnf,v 1.3 2010/05/31 12:26:26 reyk Exp $
RANDFILE = /dev/arandom
@@ -85,5 +85,7 @@ extendedKeyUsage=$ENV::EXTCERTUSAGE
default_ca = CA_default
[CA_default]
-database=$ENV::CADB
+database = $ENV::CADB
+default_md = sha1
+default_crl_days = 365