Binary Revolution Forums: OpenSSL on OpenBSD - Binary Revolution Forums

I'm using OpenBSD (v 4.2) to run a RADIUS server, which I intend to use for the WLAN. I've got FreeRADIUS (v 1.1.6) installed and it seems to be working properly, at least as far as simple username/password authentication. OpenBSD has proven to be a bit of a challenge for this purpose, in some interesting ways. The most recent challenge has been using OpenSSL (v 0.9.7j)... I have only tacit knowledge of the whole "certificate" process, and futzing with SSL on the command line has invoked some serious head-scratching and Google-jutsu to say the least.Most frustrating thing (so far) has been mention of a magical shell script named CA.sh, that streamlines the process of setting up a certification authority for the certs for use with RADIUS. Apparently the default OpenSSL install that comes with OpenBSD has some stuff stripped out. And, wouldn't you know it, this magical CA.sh script was one of the things they removed.One guy suggested just re-downloading the OpenSSL source and grabbing the file from there, which I did. I am posting the contents of the file here, in the bizarre chance that someone doing the same thing I did should stumble across this site first, or not think to check the source code on the openssl.org website. So here it is, CA.sh in its entirety:

#!/bin/sh## CA - wrapper around ca to make it easier to use ... basically ca requires#      some setup stuff to be done before you can use it and this makes#      things easier between now and when Eric is convinced to fix it :-)## CA -newca ... will setup the right stuff# CA -newreq ... will generate a certificate request # CA -sign ... will sign the generated request and output ## At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what# you want/need ... I'll make even this a little cleaner later.### 12-Jan-96 tjh    Added more things ... including CA -signcert which#                  converts a certificate to a request and then signs it.# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG#		   environment variable so this can be driven from#		   a script.# 25-Jul-96 eay    Cleaned up filenames some more.# 11-Jun-96 eay    Fixed a few filename missmatches.# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.# 18-Apr-96 tjh    Original hacking## Tim Hudson# tjh@cryptsoft.com## default openssl.cnf file has setup as per the following# demoCA ... where everything is storedif [ -z "$OPENSSL" ]; then OPENSSL=openssl; fiDAYS="-days 365"REQ="$OPENSSL req $SSLEAY_CONFIG"CA="$OPENSSL ca $SSLEAY_CONFIG"VERIFY="$OPENSSL verify"X509="$OPENSSL x509"CATOP=./demoCACAKEY=./cakey.pemCACERT=./cacert.pemfor idocase $i in-\?|-h|-help)    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2    exit 0    ;;-newcert)     # create a certificate    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS    RET=$?    echo "Certificate is in newcert.pem, private key is in newkey.pem"    ;;-newreq)     # create a certificate request    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS    RET=$?    echo "Request is in newreq.pem, private key is in newkey.pem"    ;;-newca)         # if explicitly asked for or it doesn't exist then setup the directory    # structure that Eric likes to manage things     NEW="1"    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then	# create the directory hierarchy	mkdir ${CATOP} 	mkdir ${CATOP}/certs 	mkdir ${CATOP}/crl 	mkdir ${CATOP}/newcerts	mkdir ${CATOP}/private	echo "01" > ${CATOP}/serial	touch ${CATOP}/index.txt    fi    if [ ! -f ${CATOP}/private/$CAKEY ]; then	echo "CA certificate filename (or enter to create)"	read FILE	# ask user for existing CA certificate	if [ "$FILE" ]; then	    cp $FILE ${CATOP}/private/$CAKEY	    RET=$?	else	    echo "Making CA certificate ..."	    $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \			   -out ${CATOP}/$CACERT $DAYS	    RET=$?	fi    fi    ;;-xsign)    $CA -policy policy_anything -infiles newreq.pem     RET=$?    ;;-sign|-signreq)     $CA -policy policy_anything -out newcert.pem -infiles newreq.pem    RET=$?    cat newcert.pem    echo "Signed certificate is in newcert.pem"    ;;-signcert)     echo "Cert passphrase will be requested twice - bug?"    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem    cat newcert.pem    echo "Signed certificate is in newcert.pem"    ;;-verify)     shift    if [ -z "$1" ]; then	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem	    RET=$?    else	for j	do	    $VERIFY -CAfile $CATOP/$CACERT $j	    if [ $? != 0 ]; then		    RET=$?	    fi	done    fi    exit 0    ;;*)    echo "Unknown arg $i";    exit 1    ;;esacdoneexit $RET

Some other sites suggest a program called CA.pl, which is obtainable in the same way (also being absent from OpenBSD). Looks to be the same thing, just written in Perl instead of a normal shell script (for those of you who like gibberish):

#!/usr/bin/perl## CA - wrapper around ca to make it easier to use ... basically ca requires#      some setup stuff to be done before you can use it and this makes#      things easier between now and when Eric is convinced to fix it :-)## CA -newca ... will setup the right stuff# CA -newreq[-nodes] ... will generate a certificate request # CA -sign ... will sign the generated request and output ## At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what# you want/need ... I'll make even this a little cleaner later.### 12-Jan-96 tjh    Added more things ... including CA -signcert which#                  converts a certificate to a request and then signs it.# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG#		   environment variable so this can be driven from#		   a script.# 25-Jul-96 eay    Cleaned up filenames some more.# 11-Jun-96 eay    Fixed a few filename missmatches.# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.# 18-Apr-96 tjh    Original hacking## Tim Hudson# tjh@cryptsoft.com## 27-Apr-98 snh    Translation into perl, fix existing CA bug.### Steve Henson# shenson@bigfoot.com# default openssl.cnf file has setup as per the following# demoCA ... where everything is storedmy $openssl;if(defined $ENV{OPENSSL}) {	$openssl = $ENV{OPENSSL};} else {	$openssl = "openssl";	$ENV{OPENSSL} = $openssl;}$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};$DAYS="-days 365";$REQ="$openssl req $SSLEAY_CONFIG";$CA="$openssl ca $SSLEAY_CONFIG";$VERIFY="$openssl verify";$X509="$openssl x509";$PKCS12="$openssl pkcs12";$CATOP="./demoCA";$CAKEY="cakey.pem";$CACERT="cacert.
pem";$DIRMODE = 0777;$RET = 0;foreach (@ARGV) {	if ( /^(-\?|-h|-help)$/ ) {	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";	    exit 0;	} elsif (/^-newcert$/) {	    # create a certificate	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");	    $RET=$?;	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"	} elsif (/^-newreq$/) {	    # create a certificate request	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");	    $RET=$?;	    print "Request is in newreq.pem, private key is in newkey.pem\n";	} elsif (/^-newreq-nodes$/) {	    # create a certificate request	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");	    $RET=$?;	    print "Request is in newreq.pem, private key is in newkey.pem\n";	} elsif (/^-newca$/) {		# if explicitly asked for or it doesn't exist then setup the		# directory structure that Eric likes to manage things 	    $NEW="1";	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {		# create the directory hierarchy		mkdir $CATOP, $DIRMODE;		mkdir "${CATOP}/certs", $DIRMODE;		mkdir "${CATOP}/crl", $DIRMODE ;		mkdir "${CATOP}/newcerts", $DIRMODE;		mkdir "${CATOP}/private", $DIRMODE;		open OUT, ">${CATOP}/index.txt";		close OUT;	    }	    if ( ! -f "${CATOP}/private/$CAKEY" ) {		print "CA certificate filename (or enter to create)\n";		$FILE = <STDIN>;		chop $FILE;		# ask user for existing CA certificate		if ($FILE) {		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");		    $RET=$?;		} else {		    print "Making CA certificate ...\n";		    system ("$REQ -new -x509 -keyout " .			"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");		    $RET=$?;		}	    }	    if (! -f "${CATOP}/serial" ) {		system ("$X509 -in ${CATOP}/$CACERT -noout "			. "-next_serial -out ${CATOP}/serial");	    }	} elsif (/^-pkcs12$/) {	    my $cname = $ARGV[1];	    $cname = "My Certificate" unless defined $cname;	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .			"-export -name \"$cname\"");	    $RET=$?;	    print "PKCS #12 file is in newcert.p12\n";	    exit $RET;	} elsif (/^-xsign$/) {	    system ("$CA -policy policy_anything -infiles newreq.pem");	    $RET=$?;	} elsif (/^(-sign|-signreq)$/) {	    system ("$CA -policy policy_anything -out newcert.pem " .							"-infiles newreq.pem");	    $RET=$?;	    print "Signed certificate is in newcert.pem\n";	} elsif (/^(-signCA)$/) {	    system ("$CA -policy policy_anything -out newcert.pem " .					"-extensions v3_ca -infiles newreq.pem");	    $RET=$?;	    print "Signed CA certificate is in newcert.pem\n";	} elsif (/^-signcert$/) {	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .								"-out tmp.pem");	    system ("$CA -policy policy_anything -out newcert.pem " .							"-infiles tmp.pem");	    $RET = $?;	    print "Signed certificate is in newcert.pem\n";	} elsif (/^-verify$/) {	    if (shift) {		foreach $j (@ARGV) {		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");		    $RET=$? if ($? != 0);		}		exit $RET;	    } else {		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");		    $RET=$?;	    	    exit 0;	    }	} else {	    print STDERR "Unknown arg $_\n";	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";	    exit 1;	}}exit $RET;sub cp_pem {my ($infile, $outfile, $bound) = @_;open IN, $infile;open OUT, ">$outfile";my $flag = 0;while (<IN>) {	$flag = 1 if (/^-----BEGIN.*$bound/) ;	print OUT $_ if ($flag);	if (/^-----END.*$bound/) {		close IN;		close OUT;		return;	}}}

Here's hoping this will be useful to someone.