From 2cbba2fa221b857325058727dfb695e96c3388a8 Mon Sep 17 00:00:00 2001
From: Peter Hessler
Date: Thu, 7 Oct 2010 09:36:34 +0000
Subject: When we create a new CA, also create an empty (but valid) CRL list. While here, set our used defaults in the config file. OK reyk@, jsg@
---
 usr.sbin/ikectl/ikeca.c | 37 ++++++++++++++++++++++---------------
 usr.sbin/ikectl/ikeca.cnf | 6 ++++--
 2 files changed, 26 insertions(+), 17 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 1e790c7df6f..aff1a4a3718 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.9 2010/06/23 19:28:18 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.10 2010/10/07 09:36:33 phessler Exp $ */
 /* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
 /*
@@ -318,6 +318,9 @@ ca_create(struct ca *ca)
 ca->passfile);
 system(cmd);
+ /* Create the CRL revocation list */
+ ca_revoke(ca, NULL);
+
 return (0);
 }
@@ -650,11 +653,13 @@ ca_revoke(struct ca *ca, char *keyname)
 char *pass;
 size_t len;
- snprintf(path, sizeof(path), "%s/%s.crt",
- ca->sslpath, keyname);
- if (stat(path, &st) != 0) {
- warn("Problem with certificate for '%s'", keyname);
- return (1);
+ if (keyname) {
+ snprintf(path, sizeof(path), "%s/%s.crt",
+ ca->sslpath, keyname);
+ if (stat(path, &st) != 0) {
+ warn("Problem with certificate for '%s'", keyname);
+ return (1);
+ }
 }
 snprintf(path, sizeof(path), "%s/ikeca.passwd", ca->sslpath);
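Review bot: `ca_revoke(ca, NULL);` in ca_create discards the return value, so any failure inside ca_revoke still leaves ca_create returning 0 even though no CRL was written; `if (ca_revoke(ca, NULL) != 0) return (1);` would let the caller report it. The NULL-keyname mode that the `if (keyname)` guard in the -650,11 hunk (and the matching guard in the -673,15 hunk) introduces is not documented; a comment above ca_revoke such as `/* Revoke keyname's certificate and regenerate the CRL; with keyname == NULL only the CRL is (re)generated. */` would make the two call paths clear to the next reader. The CRL generation that the NULL path relies on continues past the end of these hunks.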
@@ -673,15 +678,17 @@ ca_revoke(struct ca *ca, char *keyname)
 err(1, "could not access %s", path);
 }
- snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
- " %s ca -config %s -keyfile %s/private/ca.key"
- " -key %s"
- " -cert %s/ca.crt"
- " -md sha1"
- " -revoke %s/%s.crt",
- ca->sslpath, PATH_OPENSSL, ca->sslcnf, ca->sslpath, pass,
- ca->sslpath, ca->sslpath, keyname);
- system(cmd);
+ if (keyname) {
+ snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
+ " %s ca -config %s -keyfile %s/private/ca.key"
+ " -key %s"
+ " -cert %s/ca.crt"
+ " -md sha1"
+ " -revoke %s/%s.crt",
+ ca->sslpath, PATH_OPENSSL, ca->sslcnf, ca->sslpath, pass,
+ ca->sslpath, ca->sslpath, keyname);
+ system(cmd);
+ }
 snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "
 " %s ca -config %s -keyfile %s/private/ca.key"
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index 8423518a93b..321efb36f72 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.2 2010/06/10 16:14:04 jsg Exp $
+# $OpenBSD: ikeca.cnf,v 1.3 2010/10/07 09:36:33 phessler Exp $
 # $vantronix: ikeca.cnf,v 1.3 2010/05/31 12:26:26 reyk Exp $
 RANDFILE = /dev/arandom
@@ -85,5 +85,7 @@ extendedKeyUsage=$ENV::EXTCERTUSAGE
 default_ca = CA_default
 [CA_default]
-database=$ENV::CADB
+database = $ENV::CADB
+default_md = sha1
+default_crl_days = 365
-- 
cgit v1.2.3
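Review bot: Now that ca_create calls ca_revoke, the `err(1, "could not access %s", path)` at the top of this hunk terminates the whole program from inside CA creation, after the key and certificate have already been written, leaving a CA directory without a CRL and giving the caller no error return. ca_revoke already returns 1 for the certificate check in the -650,11 hunk, so `warn("could not access %s", path); return (1);` here would keep the failure recoverable by ca_create. In the ikeca.cnf hunk, `default_md = sha1` duplicates the `-md sha1` literal kept on this command line; as far as I know the command-line flag takes precedence in `openssl ca`, so the config value only covers invocations that omit it, which is worth a one-line comment next to it. The CRL generation command that follows the `if (keyname)` block extends past the end of this hunk.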