authorRichard Levitte <levitte@openssl.org>2003-04-03 22:33:59 +0000
committerRichard Levitte <levitte@openssl.org>2003-04-03 22:33:59 +0000
commit16b1b03543fc6362f9e48f1bd9d4b153ea58c553 (patch)
treea7d45496f96476ba095e385f7a3502dde1f9b6b7 /apps/CA.pl.in
parente6526fbf4dc894d71ae3517a1ba484475b79b402 (diff)
Implement self-signing in 'openssl ca'. This makes it easier to have
the CA certificate part of the CA database, and combined with 'unique_subject=no', it should make operations like CA certificate roll-over easier.
Diffstat (limited to 'apps/CA.pl.in')
-rw-r--r--apps/CA.pl.in11
1 files changed, 8 insertions, 3 deletions
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index 8b2ce7ea42..2242f7e03b 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -37,7 +37,8 @@
# demoCA ... where everything is stored
$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
-$DAYS="-days 365";
+$DAYS="-days 365"; # 1 year
+$CADAYS="-days 1095"; # 3 years
$REQ="openssl req $SSLEAY_CONFIG";
$CA="openssl ca $SSLEAY_CONFIG";
$VERIFY="openssl verify";
@@ -46,6 +47,7 @@ $PKCS12="openssl pkcs12";
$CATOP="./demoCA";
$CAKEY="cakey.pem";
+$CAREQ="careq.pem";
$CACERT="cacert.pem";
$DIRMODE = 0777;
@@ -101,8 +103,11 @@ foreach (@ARGV) {
$RET=$?;
} else {
print "Making CA certificate ...\n";
- system ("$REQ -new -x509 -keyout " .
- "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+ system ("$REQ -new -keyout " .
+ "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+ system ("$CA -out ${CATOP}/$CACERT $CADAYS -batch " .
+ "-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+ "-infiles ${CATOP}/$CAREQ ");
$RET=$?;
}
}
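Review bot: The exit status of the first added `system` call (the `$REQ -new -keyout ...` request generation) is discarded, so the `$RET=$?` that follows reports only the result of the `$CA ... -selfsign` step. If request or key generation fails or is aborted, the signing command still runs with `-batch` against whatever is at `${CATOP}/$CAREQ`, which may be missing or, if an earlier run left one behind, stale. I would capture the status right after the first call with `$RET=$?;` and wrap the second call in `if ($RET == 0) { ... $RET=$?; }` so a failed request stops CA creation and the failure reaches the caller. The enclosing `foreach (@ARGV)` block starts outside this hunk, so how `$RET` is used afterwards is not visible here.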