Context Navigation

← Previous Revision
Next Revision →
Normal
Revision Log

source: npl/internetserver/openvpn_conf/root/etc/openvpn/easyrsa

Last change on this file was c5c522c, checked in by Edwin Eefting <edwin@datux.nl>, 8 years ago
initial commit, transferred from cleaned syn3 svn tree
Property mode set to `100755`
File size: 34.4 KB

Rev	Line
[c5c522c]	1	#!/bin/sh
	2
	3	# Easy-RSA 3 -- A Shell-based CA Utility
	4	#
	5	# Copyright (C) 2013 by the Open-Source OpenVPN development community.
	6	# A full list of contributors can be found in the ChangeLog.
	7	#
	8	# This code released under version 2 of the GNU GPL; see COPYING and the
	9	# Licensing/ directory of this project for full licensing details.
	10
	11	# Help/usage output to stdout
	12	usage() {
	13	# command help:
	14	print "
	15	Easy-RSA 3 usage and overview
	16
	17	USAGE: easyrsa [options] COMMAND [command-options]
	18
	19	A list of commands is shown below. To get detailed usage and help for a
	20	command, run:
	21	./easyrsa help COMMAND
	22
	23	For a listing of options that can be supplied before the command, use:
	24	./easyrsa help options
	25
	26	Here is the list of commands available with a short syntax reminder. Use the
	27	'help' command above to get full usage details.
	28
	29	init-pki
	30	build-ca [ cmd-opts ]
	31	gen-dh
	32	gen-req <filename_base> [ cmd-opts ]
	33	sign-req <type> <filename_base>
	34	build-client-full <filename_base> [ cmd-opts ]
	35	build-server-full <filename_base> [ cmd-opts ]
	36	revoke <filename_base>
	37	gen-crl
	38	update-db
	39	show-req <filename_base> [ cmd-opts ]
	40	show-cert <filename_base> [ cmd-opts ]
	41	import-req <request_file_path> <short_basename>
	42	export-p7 <filename_base> [ cmd-opts ]
	43	export-p12 <filename_base> [ cmd-opts ]
	44	set-rsa-pass <filename_base> [ cmd-opts ]
	45	set-ec-pass <filename_base> [ cmd-opts ]
	46	"
	47
	48	# collect/show dir status:
	49	local err_source="Not defined: vars autodetect failed and no value provided"
	50	local work_dir="${EASYRSA:-$err_source}"
	51	local pki_dir="${EASYRSA_PKI:-$err_source}"
	52	print "\
	53	DIRECTORY STATUS (commands would take effect on these locations)
	54	EASYRSA: $work_dir
	55	PKI: $pki_dir
	56	"
	57	} # => usage()
	58
	59	# Detailed command help
	60	# When called with no args, calls usage(), otherwise shows help for a command
	61	cmd_help() {
	62	local text opts
	63	case "$1" in
	64	init-pki\|clean-all) text="
	65	init-pki [ cmd-opts ]
	66	Removes & re-initializes the PKI dir for a clean PKI" ;;
	67	build-ca) text="
	68	build-ca [ cmd-opts ]
	69	Creates a new CA"
	70	opts="
	71	nopass - do not encrypt the CA key (default is encrypted)
	72	subca - create a sub-CA keypair and request (default is a root CA)" ;;
	73	gen-dh) text="
	74	gen-dh
	75	Generates DH (Diffie-Hellman) parameters" ;;
	76	gen-req) text="
	77	gen-req <filename_base> [ cmd-opts ]
	78	Generate a standalone keypair and request (CSR)
	79
	80	This request is suitable for sending to a remote CA for signing."
	81	opts="
	82	nopass - do not encrypt the private key (default is encrypted)" ;;
	83	sign\|sign-req) text="
	84	sign-req <type> <filename_base>
	85	Sign a certificate request of the defined type. <type> must be a known
	86	type such as 'client', 'server', or 'ca' (or a user-added type.)
	87
	88	This request file must exist in the reqs/ dir and have a .req file
	89	extension. See import-req below for importing reqs from other sources." ;;
	90	build\|build-client-full\|build-server-full) text="
	91	build-client-full <filename_base> [ cmd-opts ]
	92	build-server-full <filename_base> [ cmd-opts ]
	93	Generate a keypair and sign locally for a client or server
	94
	95	This mode uses the <filename_base> as the X509 CN."
	96	opts="
	97	nopass - do not encrypt the private key (default is encrypted)" ;;
	98	revoke) text="
	99	revoke <filename_base>
	100	Revoke a certificate specified by the filename_base" ;;
	101	gen-crl) text="
	102	gen-crl
	103	Generate a CRL" ;;
	104	update-db) text="
	105	update-db
	106	Update the index.txt database
	107
	108	This command will use the system time to update the status of issued
	109	certificates." ;;
	110	show-req\|show-cert) text="
	111	show-req <filename_base> [ cmd-opts ]
	112	show-cert <filename_base> [ cmd-opts ]
	113	Shows details of the req or cert referenced by filename_base
	114
	115	Human-readable output is shown, including any requested cert options when
	116	showing a request."
	117	opts="
	118	full - show full req/cert info, including pubkey/sig data" ;;
	119	import-req) text="
	120	import-req <request_file_path> <short_basename>
	121	Import a certificate request from a file
	122
	123	This will copy the specified file into the reqs/ dir in
	124	preparation for signing.
	125	The <short_basename> is the filename base to create.
	126
	127	Example usage:
	128	import-req /some/where/bob_request.req bob" ;;
	129	export-p12) text="
	130	export-p12 <filename_base> [ cmd-opts ]
	131	Export a PKCS#12 file with the keypair specified by <filename_base>"
	132	opts="
	133	noca - do not include the ca.crt file in the PKCS12 output
	134	nokey - do not include the private key in the PKCS12 output" ;;
	135	export-p7) text="
	136	export-p7 <filename_base> [ cmd-opts ]
	137	Export a PKCS#7 file with the pubkey specified by <filename_base>"
	138	opts="
	139	noca - do not include the ca.crt file in the PKCS7 output" ;;
	140	set-rsa-pass\|set-ec-pass) text="
	141	set-rsa-pass <filename_base> [ cmd-opts ]
	142	set-ec-pass <filename_base> [ cmd-opts ]
	143	Set a new passphrase on an RSA or EC key for the listed <filename_base>."
	144	opts="
	145	nopass - use no password and leave the key unencrypted
	146	file - (advanced) treat the file as a raw path, not a short-name" ;;
	147	altname\|subjectaltname\|san) text="
	148	--subject-alt-name=SAN_FORMAT_STRING
	149	This global option adds a subjectAltName to the request or issued
	150	certificate. It MUST be in a valid format accepted by openssl or
	151	req/cert generation will fail. Note that including multiple such names
	152	requires them to be comma-separated; further invocations of this
	153	option will REPLACE the value.
	154
	155	Examples of the SAN_FORMAT_STRING shown below:
	156	DNS:alternate.example.net
	157	DNS:primary.example.net,DNS:alternate.example.net
	158	IP:203.0.113.29
	159	email:alternate@example.net" ;;
	160	options)
	161	opt_usage ;;
	162	"")
	163	usage ;;
	164	*) text="
	165	Unknown command: '$1' (try without commands for a list of commands)" ;;
	166	esac
	167
	168	# display the help text
	169	print "$text"
	170	[ -n "$opts" ] && print "
	171	cmd-opts is an optional set of command options from this list:
	172	$opts"
	173	} # => cmd_help()
	174
	175	# Options usage
	176	opt_usage() {
	177	print "
	178	Easy-RSA Global Option Flags
	179
	180	The following options may be provided before the command. Options specified
	181	at runtime override env-vars and any 'vars' file in use. Unless noted,
	182	non-empty values to options are mandatory.
	183
	184	General options:
	185
	186	--batch : set automatic (no-prompts when possible) mode
	187	--pki-dir=DIR : declares the PKI directory
	188	--vars=FILE : define a specific 'vars' file to use for Easy-RSA config
	189
	190	Certificate & Request options: (these impact cert/req field values)
	191
	192	--days=# : sets the signing validity to the specified number of days
	193	--digest=ALG : digest to use in the requests & certificates
	194	--dn-mode=MODE : DN mode to use (cn_only or org)
	195	--keysize=# : size in bits of keypair to generate
	196	--req-cn=NAME : default CN to use
	197	--subca-len=# : path length of signed sub-CA certs; must be >= 0 if used
	198	--subject-alt-name : Add a subjectAltName. For more info and syntax, see:
	199	./easyrsa help altname
	200	--use-algo=ALG : crypto alg to use: choose rsa (default) or ec
	201	--curve=NAME : for elliptic curve, sets the named curve to use
	202
	203	Organizational DN options: (only used with the 'org' DN mode)
	204	(values may be blank for org DN options)
	205
	206	--req-c=CC : country code (2-letters)
	207	--req-st=NAME : State/Province
	208	--req-city=NAME : City/Locality
	209	--req-org=NAME : Organization
	210	--req-email=NAME : Email addresses
	211	--req-ou=NAME : Organizational Unit
	212
	213	Deprecated features:
	214
	215	--ns-cert=YESNO : yes or no to including deprecated NS extensions
	216	--ns-comment=COMMENT : NS comment to include (value may be blank)
	217	"
	218	} # => opt_usage()
	219
	220	# Wrapper around printf - clobber print since it's not POSIX anyway
	221	print() { printf "%s\n" "$*"; }
	222
	223	# Exit fatally with a message to stderr
	224	# present even with EASYRSA_BATCH as these are fatal problems
	225	die() {
	226	print "
	227	Easy-RSA error:
	228
	229	$1" 1>&2
	230	exit ${2:-1}
	231	} # => die()
	232
	233	# non-fatal warning output
	234	warn() {
	235	[ ! $EASYRSA_BATCH ] && \
	236	print "
	237	$1" 1>&2
	238	} # => warn()
	239
	240	# informational notices to stdout
	241	notice() {
	242	[ ! $EASYRSA_BATCH ] && \
	243	print "
	244	$1"
	245	} # => notice()
	246
	247	# yes/no case-insensitive match (operates on stdin pipe)
	248	# Returns 0 when input contains yes, 1 for no, 2 for no match
	249	# If both strings are present, returns 1; first matching line returns.
	250	awk_yesno() {
	251	local awkscript='
	252	BEGIN {IGNORECASE=1; r=2}
	253	{ if(match($0,"no")) {r=1; exit}
	254	if(match($0,"yes")) {r=0; exit}
	255	} END {exit r}'
	256	awk "$awkscript"
	257	} # => awk_yesno()
	258
	259	# intent confirmation helper func
	260	# returns without prompting in EASYRSA_BATCH
	261	confirm() {
	262	[ $EASYRSA_BATCH ] && return
	263	local prompt="$1" value="$2" msg="$3" input
	264	print "
	265	$msg
	266
	267	Type the word '$value' to continue, or any other input to abort."
	268	printf %s " $prompt"
	269	read input
	270	[ "$input" = "$value" ] && return
	271	notice "Aborting without confirmation."
	272	exit 9
	273	} # => confirm()
	274
	275	# remove temp files
	276	clean_temp() {
	277	for f in "$EASYRSA_TEMP_FILE" "$EASYRSA_TEMP_FILE_2" "$EASYRSA_TEMP_FILE_3"
	278	do [ -f "$f" ] && rm "$f" 2>/dev/null
	279	done
	280	} # => clean_temp()
	281
	282	vars_source_check() {
	283	# Check for defined EASYRSA_PKI
	284	[ -n "$EASYRSA_PKI" ] \|\| die "\
	285	EASYRSA_PKI env-var undefined"
	286
	287	# Verify EASYRSA_OPENSSL command gives expected output
	288	if [ -z "$EASYRSA_SSL_OK" ]; then
	289	local val="$("$EASYRSA_OPENSSL" version)"
	290	case "${val%% *}" in
	291	OpenSSL\|LibreSSL) ;;
	292	*) die "\
	293	Missing or invalid OpenSSL
	294	Expected to find openssl command at: $EASYRSA_OPENSSL"
	295	esac
	296	fi
	297	EASYRSA_SSL_OK=1
	298
	299	# Verify EASYRSA_SSL_CONF file exists
	300	[ -f "$EASYRSA_SSL_CONF" ] \|\| die "\
	301	The OpenSSL config file cannot be found.
	302	Expected location: $EASYRSA_SSL_CONF"
	303	} # => vars_source_check()
	304
	305	# Verify supplied curve exists and generate curve file if needed
	306	verify_curve() {
	307	if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
	308	die "\
	309	Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a
	310	list of supported curves."
	311	fi
	312
	313	# Check that the ecparams dir exists
	314	[ -d "$EASYRSA_EC_DIR" ] \|\| mkdir "$EASYRSA_EC_DIR" \|\| die "\
	315	Failed creating ecparams dir (permissions?) at:
	316	$EASYRSA_EC_DIR"
	317
	318	# Check that the required ecparams file exists
	319	local out="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
	320	[ -f "$out" ] && return 0
	321	"$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" -out "$out" \|\| die "\
	322	Failed to generate ecparam file (permissions?) when writing to:
	323	$out"
	324
	325	# Explicitly return success for caller
	326	return 0
	327	}
	328
	329	# Basic sanity-check of PKI init and complain if missing
	330	verify_pki_init() {
	331	local help_note="Run easyrsa without commands for usage and command help."
	332
	333	# check that the pki dir exists
	334	vars_source_check
	335	[ -d "$EASYRSA_PKI" ] \|\| die "\
	336	EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
	337	Expected to find the EASYRSA_PKI at: $EASYRSA_PKI
	338	$help_note"
	339
	340	# verify expected dirs present:
	341	for i in private reqs; do
	342	[ -d "$EASYRSA_PKI/$i" ] \|\| die "\
	343	Missing expected directory: $i (perhaps you need to run init-pki?)
	344	$help_note"
	345	done
	346	} # => verify_pki_init()
	347
	348	# Verify core CA files present
	349	verify_ca_init() {
	350	local help_note="Run without commands for usage and command help."
	351
	352	# First check the PKI has been initialized
	353	verify_pki_init
	354
	355	# verify expected files present:
	356	for i in serial index.txt ca.crt private/ca.key; do
	357	if [ ! -f "$EASYRSA_PKI/$i" ]; then
	358	[ "$1" = "test" ] && return 1
	359	die "\
	360	Missing expected CA file: $i (perhaps you need to run build-ca?)
	361	$help_note"
	362	fi
	363	done
	364
	365	# When operating in 'test' mode, return success.
	366	# test callers don't care about CA-specific dir structure
	367	[ "$1" = "test" ] && return 0
	368
	369	# verify expected CA-specific dirs:
	370	for i in issued certs_by_serial; do
	371	[ -d "$EASYRSA_PKI/$i" ] \|\| die "\
	372	Missing expected CA dir: $i (perhaps you need to run build-ca?)
	373	$help_note"
	374	done
	375
	376	# explicitly return success for callers
	377	return 0
	378
	379	} # => verify_ca_init()
	380
	381	# init-pki backend:
	382	init_pki() {
	383	vars_source_check
	384
	385	# If EASYRSA_PKI exists, confirm before we rm -rf (skiped with EASYRSA_BATCH)
	386	if [ -e "$EASYRSA_PKI" ]; then
	387	confirm "Confirm removal: " "yes" "
	388	WARNING!!!
	389
	390	You are about to remove the EASYRSA_PKI at: $EASYRSA_PKI
	391	and initialize a fresh PKI here."
	392	# now remove it:
	393	rm -rf "$EASYRSA_PKI" \|\| die "Removal of PKI dir failed. Check/correct errors above"
	394	fi
	395
	396	# new dirs:
	397	for i in private reqs; do
	398	mkdir -p "$EASYRSA_PKI/$i" \|\| die "Failed to create PKI file structure (permissions?)"
	399	done
	400
	401	notice "\
	402	init-pki complete; you may now create a CA or requests.
	403	Your newly created PKI dir is: $EASYRSA_PKI
	404	"
	405	return 0
	406	} # => init_pki()
	407
	408	# build-ca backend:
	409	build_ca() {
	410	local opts= sub_ca=
	411	while [ -n "$1" ]; do
	412	case "$1" in
	413	nopass) opts="$opts -nodes" ;;
	414	subca) sub_ca=1 ;;
	415	*) warn "Ignoring unknown command option: '$1'" ;;
	416	esac
	417	shift
	418	done
	419
	420	verify_pki_init
	421	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve
	422
	423	# setup for the simpler sub-CA situation and overwrite with root-CA if needed:
	424	local out_file="$EASYRSA_PKI/reqs/ca.req"
	425	local out_key="$EASYRSA_PKI/private/ca.key"
	426	if [ ! $sub_ca ]; then
	427	out_file="$EASYRSA_PKI/ca.crt"
	428	opts="$opts -x509 -days $EASYRSA_CA_EXPIRE"
	429	fi
	430
	431	# Test for existing CA, and complain if already present
	432	if verify_ca_init test; then
	433	die "\
	434	Unable to create a CA as you already seem to have one set up.
	435	If you intended to start a new CA, run init-pki first."
	436	fi
	437	# If a private key exists here, a sub-ca was created but not signed.
	438	# Notify the user and require a signed ca.crt or a init-pki:
	439	[ -f "$out_key" ] && \
	440	die "\
	441	A CA private key exists but no ca.crt is found in your PKI dir of:
	442	$EASYRSA_PKI
	443	Refusing to create a new CA keypair as this operation would overwrite your
	444	current CA keypair. If you intended to start a new CA, run init-pki first."
	445
	446	# create necessary files and dirs:
	447	local err_file="Unable to create necessary PKI files (permissions?)"
	448	for i in issued certs_by_serial; do
	449	mkdir -p "$EASYRSA_PKI/$i" \|\| die "$err_file"
	450	done
	451	printf "" > "$EASYRSA_PKI/index.txt" \|\| die "$err_file"
	452	print "01" > "$EASYRSA_PKI/serial" \|\| die "$err_file"
	453
	454	# Default CN only when not in global EASYRSA_BATCH mode:
	455	[ $EASYRSA_BATCH ] && opts="$opts -batch" \|\| export EASYRSA_REQ_CN="Easy-RSA CA"
	456
	457	out_key_tmp="$(mktemp -u "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
	458	out_file_tmp="$(mktemp -u "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
	459	# create the CA keypair:
	460	"$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
	461	-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts \|\| \
	462	die "Failed to build the CA"
	463	mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
	464	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
	465
	466	# Success messages
	467	if [ $sub_ca ]; then
	468	notice "\
	469	NOTE: Your sub-CA request is at $out_file
	470	and now must be sent to you parent CA for signing. Place your resulting cert
	471	at $EASYRSA_PKI/ca.crt prior to signing operations.
	472	"
	473	else notice "\
	474	CA creation complete and you may now import and sign cert requests.
	475	Your new CA certificate file for publishing is at:
	476	$out_file
	477	"
	478	fi
	479	return 0
	480	} # => build_ca()
	481
	482	# gen-dh backend:
	483	gen_dh() {
	484	verify_pki_init
	485
	486	local out_file="$EASYRSA_PKI/dh.pem"
	487	"$EASYRSA_OPENSSL" dhparam -out "$out_file" $EASYRSA_KEY_SIZE \|\| \
	488	die "Failed to build DH params"
	489	notice "\
	490	DH parameters of size $EASYRSA_KEY_SIZE created at $out_file
	491	"
	492	return 0
	493	} # => gen_dh()
	494
	495	# gen-req backend:
	496	gen_req() {
	497	# pull filename base and use as default interactive CommonName:
	498	[ -n "$1" ] \|\| die "\
	499	Error: gen-req must have a file base as the first argument.
	500	Run easyrsa without commands for usage and commands."
	501	local key_out="$EASYRSA_PKI/private/$1.key"
	502	local req_out="$EASYRSA_PKI/reqs/$1.req"
	503	[ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1"
	504	shift
	505
	506	# function opts support
	507	local opts=
	508	while [ -n "$1" ]; do
	509	case "$1" in
	510	nopass) opts="$opts -nodes" ;;
	511	# batch flag supports internal callers needing silent operation
	512	batch) local EASYRSA_BATCH=1 ;;
	513	*) warn "Ignoring unknown command option: '$1'" ;;
	514	esac
	515	shift
	516	done
	517
	518	verify_pki_init
	519	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve
	520
	521	# don't wipe out an existing private key without confirmation
	522	[ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\
	523
	524	WARNING!!!
	525
	526	An existing private key was found at $key_out
	527	Continuing with key generation will replace this key."
	528
	529	# When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section:
	530	if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
	531	# Setup & insert the extra ext data keyed by a magic line
	532	local extra_exts="
	533	req_extensions = req_extra
	534	[ req_extra ]
	535	$EASYRSA_EXTRA_EXTS"
	536	local awkscript='
	537	{if ( match($0, "^#%EXTRA_EXTS%") )
	538	{ while ( getline<"/dev/stdin" ) {print} next }
	539	{print}
	540	}'
	541	print "$extra_exts" \| \
	542	awk "$awkscript" "$EASYRSA_SSL_CONF" \
	543	> "$EASYRSA_TEMP_FILE" \
	544	\|\| die "Copying SSL config to temp file failed"
	545	# Use this new SSL config for the rest of this function
	546	local EASYRSA_SSL_CONF="$EASYRSA_TEMP_FILE"
	547	fi
	548
	549	key_out_tmp="$(mktemp -u "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp"
	550	req_out_tmp="$(mktemp -u "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp"
	551	# generate request
	552	[ $EASYRSA_BATCH ] && opts="$opts -batch"
	553	"$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
	554	-config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
	555	\|\| die "Failed to generate request"
	556	mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2=
	557	mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3=
	558	notice "\
	559	Keypair and certificate request completed. Your files are:
	560	req: $req_out
	561	key: $key_out
	562	"
	563	return 0
	564	} # => gen_req()
	565
	566	# common signing backend
	567	sign_req() {
	568	local crt_type="$1" opts=
	569	local req_in="$EASYRSA_PKI/reqs/$2.req"
	570	local crt_out="$EASYRSA_PKI/issued/$2.crt"
	571
	572	# Support batch by internal caller:
	573	[ "$3" = "batch" ] && local EASYRSA_BATCH=1
	574
	575	verify_ca_init
	576
	577	# Check argument sanity:
	578	[ -n "$2" ] \|\| die "\
	579	Incorrect number of arguments provided to sign-req:
	580	expected 2, got $# (see command help for usage)"
	581
	582	# Cert type must exist under the EASYRSA_EXT_DIR
	583	[ -r "$EASYRSA_EXT_DIR/$crt_type" ] \|\| die "\
	584	Unknown cert type '$crt_type'"
	585
	586	# Request file must exist
	587	[ -f "$req_in" ] \|\| die "\
	588	No request found for the input: '$2'
	589	Expected to find the request at: $req_in"
	590
	591	# Confirm input is a cert req
	592	verify_file req "$req_in" \|\| die "\
	593	The certificate request file is not in a valid X509 request format.
	594	Offending file: $req_in"
	595
	596	# Display the request subject in an easy-to-read format
	597	# Confirm the user wishes to sign this request
	598	confirm "Confirm request details: " "yes" "
	599	You are about to sign the following certificate.
	600	Please check over the details shown below for accuracy. Note that this request
	601	has not been cryptographically verified. Please be sure it came from a trusted
	602	source or that you have verified the request checksum with the sender.
	603
	604	Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
	605
	606	$(display_dn req "$req_in")
	607	" # => confirm end
	608
	609	# Generate the extensions file for this cert:
	610	{
	611	# Append first any COMMON file (if present) then the cert-type extensions
	612	cat "$EASYRSA_EXT_DIR/COMMON"
	613	cat "$EASYRSA_EXT_DIR/$crt_type"
	614
	615	# Support a dynamic CA path length when present:
	616	[ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
	617	print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN"
	618
	619	# Deprecated Netscape extension support, if enabled
	620	if print "$EASYRSA_NS_SUPPORT" \| awk_yesno; then
	621	[ -n "$EASYRSA_NS_COMMENT" ] && \
	622	print "nsComment = \"$EASYRSA_NS_COMMENT\""
	623	case "$crt_type" in
	624	server) print "nsCertType = server" ;;
	625	client) print "nsCertType = client" ;;
	626	ca) print "nsCertType = sslCA" ;;
	627	esac
	628	fi
	629
	630	# Add any advanced extensions supplied by env-var:
	631	[ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
	632
	633	: # needed to keep die from inherting the above test
	634	} > "$EASYRSA_TEMP_FILE" \|\| die "\
	635	Failed to create temp extension file (bad permissions?) at:
	636	$EASYRSA_TEMP_FILE"
	637
	638	# sign request
	639	crt_out_tmp="$(mktemp -u "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
	640	"$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \
	641	-extfile "$EASYRSA_TEMP_FILE" -days $EASYRSA_CERT_EXPIRE -batch $opts \
	642	\|\| die "signing failed (openssl output above may have more detail)"
	643	mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2=
	644	notice "\
	645	Certificate created at: $crt_out
	646	"
	647	return 0
	648	} # => sign_req()
	649
	650	# common build backend
	651	# used to generate+sign in 1 step
	652	build_full() {
	653	verify_ca_init
	654
	655	local i= serial= check_serial=
	656	for i in 1 2 3 4 5; do
	657	"$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
	658	serial="$(cat "$EASYRSA_PKI/serial")"
	659	check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
	660	case "$check_serial" in
	661	"not present in db") break ;;
	662	*) continue ;;
	663	esac
	664	done
	665
	666	# pull filename base:
	667	[ -n "$2" ] \|\| die "\
	668	Error: didn't find a file base name as the first argument.
	669	Run easyrsa without commands for usage and commands."
	670	local crt_type="$1" name="$2"
	671	local req_out="$EASYRSA_PKI/reqs/$2.req"
	672	local key_out="$EASYRSA_PKI/private/$2.key"
	673	local crt_out="$EASYRSA_PKI/issued/$2.crt"
	674	shift 2
	675
	676	# function opts support
	677	local req_opts=
	678	while [ -n "$1" ]; do
	679	case "$1" in
	680	nopass) req_opts="$req_opts nopass" ;;
	681	*) warn "Ignoring unknown command option: '$1'" ;;
	682	esac
	683	shift
	684	done
	685
	686	# abort on existing req/key/crt files
	687	local err_exists="\
	688	file already exists. Aborting build to avoid overwriting this file.
	689	If you wish to continue, please use a different name or remove the file.
	690	Matching file found at: "
	691	[ -f "$req_out" ] && die "Request $err_exists $req_out"
	692	[ -f "$key_out" ] && die "Key $err_exists $key_out"
	693	[ -f "$crt_out" ] && die "Certificate $err_exists $crt_out"
	694
	695	# create request
	696	EASYRSA_REQ_CN="$name"
	697	gen_req "$name" batch $req_opts
	698
	699	# Sign it
	700	sign_req "$crt_type" "$name" batch
	701
	702	} # => build_full()
	703
	704	# revoke backend
	705	revoke() {
	706	verify_ca_init
	707
	708	# pull filename base:
	709	[ -n "$1" ] \|\| die "\
	710	Error: didn't find a file base name as the first argument.
	711	Run easyrsa without commands for usage and command help."
	712	local crt_in="$EASYRSA_PKI/issued/$1.crt"
	713
	714	verify_file x509 "$crt_in" \|\| die "\
	715	Unable to revoke as the input file is not a valid certificate. Unexpected
	716	input in file: $crt_in"
	717
	718	# confirm operation by displaying DN:
	719	confirm "Continue with revocation: " "yes" "
	720	Please confirm you wish to revoke the certificate with the following subject:
	721
	722	$(display_dn x509 "$crt_in")
	723	" # => confirm end
	724
	725	# referenced cert must exist:
	726	[ -f "$crt_in" ] \|\| die "\
	727	Unable to revoke as no certificate was found. Certificate was expected
	728	at: $crt_in"
	729
	730	"$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" \|\| die "\
	731	Failed to revoke certificate: revocation command failed."
	732
	733	notice "\
	734	IMPORTANT!!!
	735
	736	Revocation was successful. You must run gen-crl and upload a CRL to your
	737	infrastructure in order to prevent the revoked cert from being accepted.
	738	" # => notice end
	739	return 0
	740	} #= revoke()
	741
	742	# gen-crl backend
	743	gen_crl() {
	744	verify_ca_init
	745
	746	local out_file="$EASYRSA_PKI/crl.pem"
	747	out_file_tmp="$(mktemp -u "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
	748	"$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SSL_CONF" \|\| die "\
	749	CRL Generation failed.
	750	"
	751	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
	752
	753	notice "\
	754	An updated CRL has been created.
	755	CRL file: $out_file
	756	"
	757	return 0
	758	} # => gen_crl()
	759
	760	# import-req backend
	761	import_req() {
	762	verify_pki_init
	763
	764	# pull passed paths
	765	local in_req="$1" short_name="$2"
	766	local out_req="$EASYRSA_PKI/reqs/$2.req"
	767
	768	[ -n "$short_name" ] \|\| die "\
	769	Unable to import: incorrect command syntax.
	770	Run easyrsa without commands for usage and command help."
	771
	772	verify_file req "$in_req" \|\| die "\
	773	The input file does not appear to be a certificate request. Aborting import.
	774	Offending file: $in_req"
	775
	776	# destination must not exist
	777	[ -f "$out_req" ] && die "\
	778	Unable to import the request as the destination file already exists.
	779	Please choose a different name for your imported request file.
	780	Existing file at: $out_req"
	781
	782	# now import it
	783	cp "$in_req" "$out_req"
	784
	785	notice "\
	786	The request has been successfully imported with a short name of: $short_name
	787	You may now use this name to perform signing operations on this request.
	788	"
	789	return 0
	790	} # => import_req()
	791
	792	# export pkcs#12 or pkcs#7
	793	export_pkcs() {
	794	local pkcs_type="$1"
	795	shift
	796
	797	[ -n "$1" ] \|\| die "\
	798	Unable to export p12: incorrect command syntax.
	799	Run easyrsa without commands for usage and command help."
	800
	801	local short_name="$1"
	802	local crt_in="$EASYRSA_PKI/issued/$1.crt"
	803	local key_in="$EASYRSA_PKI/private/$1.key"
	804	local crt_ca="$EASYRSA_PKI/ca.crt"
	805	shift
	806
	807	verify_pki_init
	808
	809	# opts support
	810	local want_ca=1
	811	local want_key=1
	812	while [ -n "$1" ]; do
	813	case "$1" in
	814	noca) want_ca= ;;
	815	nokey) want_key= ;;
	816	*) warn "Ignoring unknown command option: '$1'" ;;
	817	esac
	818	shift
	819	done
	820
	821	local pkcs_opts=
	822	if [ $want_ca ]; then
	823	verify_file x509 "$crt_ca" \|\| die "\
	824	Unable to include CA cert in the $pkcs_type output (missing file, or use noca option.)
	825	Missing file expected at: $crt_ca"
	826	pkcs_opts="$pkcs_opts -certfile $crt_ca"
	827	fi
	828
	829	# input files must exist
	830	verify_file x509 "$crt_in" \|\| die "\
	831	Unable to export $pkcs_type for short name '$short_name' without the certificate.
	832	Missing cert expected at: $crt_in"
	833
	834	case "$pkcs_type" in
	835	p12)
	836	local pkcs_out="$EASYRSA_PKI/private/$short_name.p12"
	837
	838	if [ $want_key ]; then
	839	[ -f "$key_in" ] \|\| die "\
	840	Unable to export p12 for short name '$short_name' without the key
	841	(if you want a p12 without the private key, use nokey option.)
	842	Missing key expected at: $key_in"
	843	else
	844	pkcs_opts="$pkcs_opts -nokeys"
	845	fi
	846
	847	# export the p12:
	848	"$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
	849	-out "$pkcs_out" $pkcs_opts \|\| die "\
	850	Export of p12 failed: see above for related openssl errors."
	851	;;
	852	p7)
	853	local pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b"
	854
	855	# export the p7:
	856	"$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
	857	-out "$pkcs_out" $pkcs_opts \|\| die "\
	858	Export of p7 failed: see above for related openssl errors."
	859	;;
	860	esac
	861
	862	notice "\
	863	Successful export of $pkcs_type file. Your exported file is at the following
	864	location: $pkcs_out
	865	"
	866	return 0
	867	} # => export_pkcs()
	868
	869	# set-pass backend
	870	set_pass() {
	871	verify_pki_init
	872
	873	# key type, supplied internally from frontend command call (rsa/ec)
	874	local key_type="$1"
	875
	876	# values supplied by the user:
	877	local raw_file="$2"
	878	local file="$EASYRSA_PKI/private/$raw_file.key"
	879	[ -n "$raw_file" ] \|\| die "\
	880	Missing argument to 'set-$key_type-pass' command: no name/file supplied.
	881	See help output for usage details."
	882
	883	# parse command options
	884	shift 2
	885	local crypto="-aes256"
	886	while [ -n "$1" ]; do
	887	case "$1" in
	888	nopass) crypto= ;;
	889	file) file="$raw_file" ;;
	890	*) warn "Ignoring unknown command option: '$1'" ;;
	891	esac
	892	shift
	893	done
	894
	895	[ -f "$file" ] \|\| die "\
	896	Missing private key: expected to find the private key component at:
	897	$file"
	898
	899	notice "\
	900	If the key is currently encrypted you must supply the decryption passphrase.
	901	${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
	902
	903	"$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto \|\| die "\
	904	Failed to change the private key passphrase. See above for possible openssl
	905	error messages."
	906
	907	notice "Key passphrase successfully changed"
	908
	909	} # => set_pass()
	910
	911	# update-db backend
	912	update_db() {
	913	verify_ca_init
	914
	915	"$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" \|\| die "\
	916	Failed to perform update-db: see above for related openssl errors."
	917	return 0
	918	} # => update_db()
	919
	920	# display cert DN info on a req/X509, passed by full pathname
	921	display_dn() {
	922	local format="$1" path="$2"
	923	print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)"
	924	} # => display_dn()
	925
	926	# verify a file seems to be a valid req/X509
	927	verify_file() {
	928	local format="$1" path="$2"
	929	"$EASYRSA_OPENSSL" $format -in "$path" -noout 2>/dev/null \|\| return 1
	930	return 0
	931	} # => verify_file()
	932
	933	# show-* command backend
	934	# Prints req/cert details in a readable format
	935	show() {
	936	local type="$1" name="$2" in_file format
	937	[ -n "$name" ] \|\| die "\
	938	Missing expected filename_base argument.
	939	Run easyrsa without commands for usage help."
	940	shift 2
	941
	942	# opts support
	943	local opts="-${type}opt no_pubkey,no_sigdump"
	944	while [ -n "$1" ]; do
	945	case "$1" in
	946	full) opts= ;;
	947	*) warn "Ignoring unknown command option: '$1'" ;;
	948	esac
	949	shift
	950	done
	951
	952	# Determine cert/req type
	953	if [ "$type" = "cert" ]; then
	954	verify_ca_init
	955	in_file="$EASYRSA_PKI/issued/${name}.crt"
	956	format="x509"
	957	else
	958	verify_pki_init
	959	in_file="$EASYRSA_PKI/reqs/${name}.req"
	960	format="req"
	961	fi
	962
	963	# Verify file exists and is of the correct type
	964	[ -f "$in_file" ] \|\| die "\
	965	No such $type file with a basename of '$name' is present.
	966	Expected to find this file at:
	967	$in_file"
	968	verify_file $format "$in_file" \|\| die "\
	969	This file is not a valid $type file:
	970	$in_file"
	971
	972	notice "\
	973	Showing $type details for '$name'.
	974	This file is stored at:
	975	$in_file
	976	"
	977	"$EASYRSA_OPENSSL" $format -in "$in_file" -noout -text\
	978	-nameopt multiline $opts \|\| die "\
	979	OpenSSL failure to process the input"
	980	} # => show()
	981
	982	# vars setup
	983	# Here sourcing of 'vars' if present occurs. If not present, defaults are used
	984	# to support running without a sourced config format
	985	vars_setup() {
	986	# Try to locate a 'vars' file in order of location preference.
	987	# If one is found, source it
	988	local vars=
	989
	990	# set up program path
	991	local prog_vars="${0%/*}/vars"
	992
	993	# command-line path:
	994	if [ -f "$EASYRSA_VARS_FILE" ]; then
	995	vars="$EASYRSA_VARS_FILE"
	996	# EASYRSA_PKI, if defined:
	997	elif [ -n "$EASYRSA_PKI" ] && [ -f "$EASYRSA_PKI/vars" ]; then
	998	vars="$EASYRSA_PKI/vars"
	999	# EASYRSA, if defined:
	1000	elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
	1001	vars="$EASYRSA/vars"
	1002	# program location:
	1003	elif [ -f "$prog_vars" ]; then
	1004	vars="$prog_vars"
	1005	fi
	1006
	1007	# If a vars file was located, source it
	1008	# If $EASYRSA_NO_VARS is defined (not blank) this is skipped
	1009	if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
	1010	EASYRSA_CALLER=1 . "$vars"
	1011	notice "\
	1012	Note: using Easy-RSA configuration from: $vars"
	1013	fi
	1014
	1015	# Set defaults, preferring existing env-vars if present
	1016	set_var EASYRSA "$PWD"
	1017	set_var EASYRSA_OPENSSL openssl
	1018	set_var EASYRSA_PKI "$EASYRSA/pki"
	1019	set_var EASYRSA_DN cn_only
	1020	set_var EASYRSA_REQ_COUNTRY "US"
	1021	set_var EASYRSA_REQ_PROVINCE "California"
	1022	set_var EASYRSA_REQ_CITY "San Francisco"
	1023	set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
	1024	set_var EASYRSA_REQ_EMAIL me@example.net
	1025	set_var EASYRSA_REQ_OU "My Organizational Unit"
	1026	set_var EASYRSA_ALGO rsa
	1027	set_var EASYRSA_KEY_SIZE 2048
	1028	set_var EASYRSA_CURVE secp384r1
	1029	set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
	1030	set_var EASYRSA_CA_EXPIRE 3650
	1031	set_var EASYRSA_CERT_EXPIRE 3650
	1032	set_var EASYRSA_CRL_DAYS 180
	1033	set_var EASYRSA_NS_SUPPORT no
	1034	set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
	1035	set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
	1036	set_var EASYRSA_TEMP_FILE_2 ""
	1037	set_var EASYRSA_TEMP_FILE_3 ""
	1038	set_var EASYRSA_REQ_CN ChangeMe
	1039	set_var EASYRSA_DIGEST sha256
	1040
	1041	# Detect openssl config, preferring EASYRSA_PKI over EASYRSA
	1042	if [ -f "$EASYRSA_PKI/openssl-1.0.cnf" ]; then
	1043	set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-1.0.cnf"
	1044	else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
	1045	fi
	1046
	1047	# Same as above for the x509-types extensions dir
	1048	if [ -d "$EASYRSA_PKI/x509-types" ]; then
	1049	set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types"
	1050	else set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
	1051	fi
	1052
	1053	# EASYRSA_ALGO_PARAMS must be set depending on selected algo
	1054	if [ "ec" = "$EASYRSA_ALGO" ]; then
	1055	EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
	1056	elif [ "rsa" = "$EASYRSA_ALGO" ]; then
	1057	EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
	1058	else
	1059	die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa' or 'ec'"
	1060	fi
	1061
	1062	# Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32)
	1063	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
	1064	} # vars_setup()
	1065
	1066	# variable assignment by indirection when undefined; merely exports
	1067	# the variable when it is already defined (even if currently null)
	1068	# Sets $1 as the value contained in $2 and exports (may be blank)
	1069	set_var() {
	1070	local var=$1
	1071	shift
	1072	local value="$*"
	1073	eval "export $var=\"\${$var-$value}\""
	1074	} #=> set_var()
	1075
	1076	########################################
	1077	# Invocation entry point:
	1078
	1079	NL='
	1080	'
	1081
	1082	# Be secure with a restrictive umask
	1083	[ -z "$EASYRSA_NO_UMASK" ] && umask 077
	1084
	1085	# Parse options
	1086	while :; do
	1087	# Separate option from value:
	1088	opt="${1%%=*}"
	1089	val="${1#*=}"
	1090	empty_ok= # Empty values are not allowed unless excepted
	1091
	1092	case "$opt" in
	1093	--days)
	1094	export EASYRSA_CERT_EXPIRE="$val"
	1095	export EASYRSA_CA_EXPIRE="$val"
	1096	export EASYRSA_CRL_DAYS="$val"
	1097	;;
	1098	--pki-dir)
	1099	export EASYRSA_PKI="$val" ;;
	1100	--use-algo)
	1101	export EASYRSA_ALGO="$val" ;;
	1102	--keysize)
	1103	export EASYRSA_KEY_SIZE="$val" ;;
	1104	--curve)
	1105	export EASYRSA_CURVE="$val" ;;
	1106	--dn-mode)
	1107	export EASYRSA_DN="$val" ;;
	1108	--req-cn)
	1109	export EASYRSA_REQ_CN="$val" ;;
	1110	--digest)
	1111	export EASYRSA_DIGEST="$val" ;;
	1112	--req-c)
	1113	empty_ok=1
	1114	export EASYRSA_REQ_COUNTRY="$val" ;;
	1115	--req-st)
	1116	empty_ok=1
	1117	export EASYRSA_REQ_PROVINCE="$val" ;;
	1118	--req-city)
	1119	empty_ok=1
	1120	export EASYRSA_REQ_CITY="$val" ;;
	1121	--req-org)
	1122	empty_ok=1
	1123	export EASYRSA_REQ_ORG="$val" ;;
	1124	--req-email)
	1125	empty_ok=1
	1126	export EASYRSA_REQ_EMAIL="$val" ;;
	1127	--req-ou)
	1128	empty_ok=1
	1129	export EASYRSA_REQ_OU="$val" ;;
	1130	--ns-cert)
	1131	export EASYRSA_NS_SUPPORT="$val" ;;
	1132	--ns-comment)
	1133	empty_ok=1
	1134	export EASYRSA_NS_COMMENT="$val" ;;
	1135	--batch)
	1136	empty_ok=1
	1137	export EASYRSA_BATCH=1 ;;
	1138	--subca-len)
	1139	export EASYRSA_SUBCA_LEN="$val" ;;
	1140	--vars)
	1141	export EASYRSA_VARS_FILE="$val" ;;
	1142	--subject-alt-name)
	1143	export EASYRSA_EXTRA_EXTS="\
	1144	$EASYRSA_EXTRA_EXTS
	1145	subjectAltName = $val" ;;
	1146	*)
	1147	break ;;
	1148	esac
	1149
	1150	# fatal error when no value was provided
	1151	if [ ! $empty_ok ] && { [ "$val" = "$1" ] \|\| [ -z "$val" ]; }; then
	1152	die "Missing value to option: $opt"
	1153	fi
	1154
	1155	shift
	1156	done
	1157
	1158	# Intelligent env-var detection and auto-loading:
	1159	vars_setup
	1160
	1161	# Register clean_temp on EXIT
	1162	trap "clean_temp" EXIT
	1163
	1164	# determine how we were called, then hand off to the function responsible
	1165	cmd="$1"
	1166	[ -n "$1" ] && shift # scrape off command
	1167	case "$cmd" in
	1168	init-pki\|clean-all)
	1169	init_pki "$@"
	1170	;;
	1171	build-ca)
	1172	build_ca "$@"
	1173	;;
	1174	gen-dh)
	1175	gen_dh
	1176	;;
	1177	gen-req)
	1178	gen_req "$@"
	1179	;;
	1180	sign\|sign-req)
	1181	sign_req "$@"
	1182	;;
	1183	build-client-full)
	1184	build_full client "$@"
	1185	;;
	1186	build-server-full)
	1187	build_full server "$@"
	1188	;;
	1189	gen-crl)
	1190	gen_crl
	1191	;;
	1192	revoke)
	1193	revoke "$@"
	1194	;;
	1195	import-req)
	1196	import_req "$@"
	1197	;;
	1198	export-p12)
	1199	export_pkcs p12 "$@"
	1200	;;
	1201	export-p7)
	1202	export_pkcs p7 "$@"
	1203	;;
	1204	set-rsa-pass)
	1205	set_pass rsa "$@"
	1206	;;
	1207	set-ec-pass)
	1208	set_pass ec "$@"
	1209	;;
	1210	update-db)
	1211	update_db
	1212	;;
	1213	show-req)
	1214	show req "$@"
	1215	;;
	1216	show-cert)
	1217	show cert "$@"
	1218	;;
	1219	""\|help\|-h\|--help\|--usage)
	1220	cmd_help "$1"
	1221	exit 0
	1222	;;
	1223	*)
	1224	die "Unknown command '$cmd'. Run without commands for usage help."
	1225	;;
	1226	esac
	1227
	1228	# vim: ft=sh nu ai sw=8 ts=8

Note: See TracBrowser for help on using the repository browser.

Download in other formats: