5. Create the /usr/bin/sign.sh program file

The openssl ca commands has some strange requirements and the default OpenSSL config doesn't allow one easily to use openssl ca directly. Therefore, well create this sign.sh program to replace it. Create the sign.sh program file, touch /usr/bin/sign.sh and add to this file:

         #!/bin/sh
         ##
         ##  sign.sh -- Sign a SSL Certificate Request (CSR)
         ##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. 
         ##

         #   argument line handling
         CSR=$1
         if [ $# -ne 1 ]; then
         echo "Usage: sign.sign <whatever>.csr"; exit 1
         fi
         if [ ! -f $CSR ]; then
         echo "CSR not found: $CSR"; exit 1
         fi
         case $CSR in
         *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
         * ) CERT="$CSR.crt" ;;
         esac

         #   make sure environment exists
         if [ ! -d ca.db.certs ]; then
         mkdir ca.db.certs
         fi
         if [ ! -f ca.db.serial ]; then
         echo '01' >ca.db.serial
         fi
         if [ ! -f ca.db.index ]; then
         cp /dev/null ca.db.index
         fi

         #   create an own SSLeay config
         cat >ca.config <<EOT
         [ ca ]
         default_ca	= CA_own
         [ CA_own ]
         dir	= /etc/ssl
         certs	= /etc/ssl/certs
         new_certs_dir	= /etc/ssl/ca.db.certs
         database	= /etc/ssl/ca.db.index
         serial	= /etc/ssl/ca.db.serial
         RANDFILE	= /etc/ssl/ca.db.rand
         certificate	= /etc/ssl/certs/ca.crt
         private_key	= /etc/ssl/private/ca.key
         default_days	= 365
         default_crl_days	= 30
         default_md	= md5
         preserve	= no
         policy	= policy_anything
         [ policy_anything ]
         countryName	= optional
         stateOrProvinceName	= optional
         localityName	= optional
         organizationName	= optional
         organizationalUnitName	= optional
         commonName	= supplied
         emailAddress	= optional
         EOT

         #  sign the certificate
         echo "CA signing: $CSR -> $CERT:"
         openssl ca -config ca.config -out $CERT -infiles $CSR
         echo "CA verifying: $CERT <-> CA cert"
         openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT

         #  cleanup after SSLeay 
         rm -f ca.config
         rm -f ca.db.serial.old
         rm -f ca.db.index.old

         #  die gracefully
         exit 0
         

Now, make this program executable, and change its default permissions:

         [root@deep] /# chmod 755 /usr/bin/sign.sh
         

Tip

You can also find this program sign.sh in the mod_ssl distribution under the mod_ssl-version/pkg.contrib/ subdirectory, or on our floppy.tgz archive file. Also note that the section [ CA_own ] must be changed to refect your own environment and don't forget to change the openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT line too.