This file is indexed.

/usr/sbin/lprng_certs is in lprng 3.8.B-2.1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
#!/bin/sh
# Set up LPRng Certificate Authority
# Set up LPRng Server Certificate
# Set up LPRng Client Certificates
#
#  Requires: OpenSSL  (http://www.openssl.org)
#  Based on openssl-0.9.6c, but probably works with an
#
#  This script was stolen^H^H^H^H^H^H derived from the CA.sh script in the
#  ssleay/openssl distribution, and the cca.sh and sign.sh scripts in the
#  mod_ssl 2.8.8 distribution.
#  As noted:
##  CCA -- Trivial Client CA management for testing purposes
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved. 
#
# The LPRng SSL authentication uses the same general setup as does Apache
# and other systems:
#
#  $sysconfdir default: /etc/lpd/
#       - a directory where you have the SSL stuff
#   SSL_CA_FILE "/etc/lpd/ssl.ca/ca.crt"
#       ${sysconfdir}/lpd/ssl.ca/ca.crt
#       - CA file, i.e. - one file with lots of certs,
#         but we are going to assume that this is our signing cert
#   SSL_CA_KEY "/etc/lpd/ssl.ca/${CA_KEY}"
#       ${sysconfdir}/lpd/ssl.ca/${CA_KEY}
#       - private key for CA file, used to sign certs
#   SSL_SERVER_CERT "/etc/lpd/ssl.server/server.cert"
#       ${sysconfdir}/lpd/ssl.cert/server.cert
#       - server cert file
#   SSL_SERVER_PASSWORD_FILE "/etc/lpd/ssl.server/server.pwd"
#       ${sysconfdir}/lpd/ssl.cert/server.pwd
#       - server private key password in this file
#
#
#  Use:
#    lprng_cert init                 - sets up directory structure
#    lprng_cert newca                - creates CA certs
#    lprng_cert gen                  - generates certificates
#    lprng_cert verify path_to_cert  - verifies certificates
#    lprng_cert defaults             - sets/examines defaults
#    lprng_cert encrypt path_to_key  - encrypts/decrypts key file
#    lprng_cert index                - make certificate index files
#
# we force the location of the CERTS to be whereever we want
# no redeeming social value to this stuff;

#   some optional terminal sequences
case $TERM in
    xterm|xterm*|vt220|vt220*)
        T_MD=`echo dummy | awk '{ printf("%c%c%c%c", 27, 91, 49, 109); }'`
        T_ME=`echo dummy | awk '{ printf("%c%c%c", 27, 91, 109); }'`
        ;;
    vt100|vt100*)
        T_MD=`echo dummy | awk '{ printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }'`
        T_ME=`echo dummy | awk '{ printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }'`
        ;;
    default)
        T_MD=''
        T_ME=''
        ;;
esac

# announce what you are doing
cat <<EOF
${T_MD}lprng_certs -- LPRng SSL Certificate Management${T_ME}
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

EOF

#----------------- FUNCTIONS -----------------------

# general purpose failure function
usage() {
	cat >&2 <<EOF
${T_MD}usage: $0 [--TMPDIR=dir] [--TEMP=dir] option${T_ME}
${T_MD}  init             - make directory structure${T_ME}
${T_MD}  newca            - make new root CA and default values for certs${T_ME}
${T_MD}  defaults         - set new default values for certs${T_ME}
${T_MD}  encrypt keyfile  - set or change password on private key file${T_ME}
${T_MD}  gen              - generate user, server, or signing cert${T_ME}
${T_MD}  verify [cert]    - verify cert file${T_ME}
${T_MD}  index [dir]      - make certificate index files in directory dir${T_ME}
${T_MD}  --TEMP=dir       - specify directory for test operations${T_ME}
${T_MD}  --TMPDIR=dir     - specify directory for intermediate files${T_ME}

EOF
	rm -f ${CFG}
    exit 1
}

# ask - prompt with name and default:
#  ask "1. ..." "XY" var
ask() {
	eval v="\$$2"
	echo -n "$n. $1 [default '$v'] "
	read VAR
	if [ "$VAR" = "" ] ; then
		VAR="$v";
	fi
	eval $2=\"$VAR\"
	export $2
	names="$names $2"
	n=`expr $n + 1`
}

#
# set and/or get the new values for defaults
#

defaults() {
	finished=0
	while [ "$finished" = "0" ] ; do
		names=
		n=1
		export n
		ask "Country Name             (2 letter code, C)    " C_val
		ask "State or Province Name   (full name, ST)       " ST_val
		ask "Locality Name            (eg, city, L)         " L_val
		ask "Organization Name        (eg, company, O)      " O_val
		ask "Organizational Unit Name for CA     (eg, section, OU)"  OU_ca_val
		ask "Organizational Unit Name for Signer (eg, section, OU)"  OU_signer_val
		ask "Organizational Unit Name for Server (eg, section, OU)"  OU_server_val
		ask "Organizational Unit Name for User   (eg, section, OU)"  OU_user_val
		ask "Common Name for CA       (eg, CA name, CN)     "  CN_ca_val
		ask "Common Name for Signer   (eg, signer name, CN) "  CN_signer_val
		ask "Common Name for Server   (eg, server name, CN) "  CN_server_val
		ask "Common Name for User     (eg, user name, CN)   "  CN_user_val
		ask "Email Address            (eg, name@FQDN, Email)"  Email_val
		ask "CA Certificate Validity in days                "  Validity_ca_val
		ask "Signer Certificate Validity in days            "  Validity_signer_val
		ask "Server Certificate Validity in days            "  Validity_server_val
		ask "User Certificate Validity in days              "  Validity_user_val
		ask "Signer Certificate Path  (blank indicates CA signs)"  Signer_cert_path
		ask "Signer Private Key File (blank indicates key in cert file)"  Signer_key_path
		ask "Created Certificates Directory (blank indicates default $CA_USER_CERTS)   "  Cert_dir
		ask "Revoked Certificates File (blank indicates default $CA_CRL_FILE)   "  Revoke_file
		for i in $names ; do
			eval v="\$$i"
			echo $i $v
		done
		echo -n "save default values? [Yes/no/again (Yes default)] "
		read VAR
		case "$VAR" in
			[yY]* | "" )
				cp /dev/null ${CA_DEFAULTS}
				for i in $names ; do
					eval v="\$$i"
					echo $i=\"$v\" >>${CA_DEFAULTS}
				done
				finished=1;
				break;
				;;
			[nN]* )
				finished=1;
				break;
				;;
			*) ;;
		esac
	done
}

#
# encrypt the certificate key
#
encrypt() {
	cat <<EOF
______________________________________________________________________

${T_MD}${STEP}Enrypting RSA private key $1 with a pass phrase for security${T_ME}

The contents of the certificate key file (the generated private key)
should be echo kept secret, especially so if it is used to sign
Certificates or for User authentication.
  SSL experts strongly recommend you to encrypt the key file with
a Triple-DES cipher and a Pass Phrase.  When using LPRng, you provide
the password via a file specified by the LPR_SSL_PASSWORD
environent variable, or in the ${HOME}/.lpr/client.pwd file.
The LPD server uses the ssl_server_password_file option to specify
the location of a file containing the password.

EOF
	
	if [ "$1" = "" -o ! -f $1 ] ; then
		echo "The file '$1' does not exist! Cannot encrypt it";
		exit 1;
	fi
	while [ 1 ]; do
		echo -n "Encrypt the private key now? [Y/n]: "
		read VAR
		case "$VAR" in
			[yY] | "" ) VAR=YES; break;;
			[nN] ) VAR=NO; break;;
		esac
	done
	if [ "$VAR" = YES ]; then
		while [ 1 ] ; do
		(umask 077; ${OPENSSL} rsa -des3 -in ${1} -out ${1}.enc)
			if [ $? -ne 0 ] ; then
				echo "Failed to encrypt RSA private key" 1>&2
				echo "You may need to renter the password" 1>&2
		else
				break;
			fi
		done
		(umask 077; cp ${1}.enc ${1}; rm -f ${1}.enc )
		echo "Fine, you're using an encrypted private key to sign CERTS."
		ENCRYPTED=YES
	else
		echo "Warning, you're using an unencrypted private key for signing CERTS."
		echo "Make sure that the key is VERY well protected"
	fi
}

# help for signing
shelp() {
	cat <<EOF
You can select the type of Certificate based on the Netscape Model:
USER: can only send jobs to server
SERVER: can accept jobs and forward them.  Needs to act as both
  client and server
SIGNING AUTHORITY: creates a certificate to be used for signing
  other certificates.  Note: you can select certificate to be used
  for signing.
EOF
}

# set values of various files based on defaults
#

set_values () {
	CA_RND=${CA_DIR}/ca.rnd
	CA_SER=${CA_DIR}/ca.ser
	CA_CSR=${CA_DIR}/ca.csr
	CA_DEFAULTS=${CA_DIR}/ca.defaults
	if [ "$Cert_dir" != "" ] ; then
		CA_USER_CERTS=$Cert_dir
	fi
	if [ "$Revoke_file" != "" ] ; then
		CA_CRL_FILE=$Revoke_file
	fi
}

index_certs() {
	( cd $1;
	#set -x
	echo "Indexing " `pwd`
	rm -f *.[0-9]*
	for file in *.crt; do
		if [ ".`grep SKIPME $file`" != . ]; then
			echo dummy | awk '{ printf("%-15s ... Skipped\n", file); }' "file=$file";
		else
			n=0;
			while [ 1 ]; do
				hash="`${OPENSSL} x509 -noout -hash <$file`";
				if [ -r "$hash.$n" ]; then
					n=`expr $n + 1`;
				else
					echo dummy | awk '{ printf("%-15s ... %s\n", file, hash); }' "file=$file" "hash=$hash.$n";
					ln -s $file $hash.$n;
					break;
				fi;
			done;
		fi;
	done
	)
}

make_cfg() {
    cat >${CFG} <<EOT
[ req ]
default_bits                    = 1024
distinguished_name              = req_DN
RANDFILE                        = ${CA_RND}
[ req_DN ]
countryName                     = "1. Country Name            (2 letter code, C) "
countryName_default             = ${C_val}
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = "2. State or Province Name     (full name, ST) "
stateOrProvinceName_default     = ${ST_val}
localityName                    = "3. Locality Name                (eg, city, L) "
localityName_default            = ${L_val}
0.organizationName              = "4. Organization Name         (eg, company, 0) "
0.organizationName_default      = ${O_val}
organizationalUnitName          = "5. Organizational Unit Name (eg, section, OU) "
organizationalUnitName_default  = ${OU_val}
commonName                      = "6. Common Name           (eg, $TYPE name, CN) "
commonName_max                  = 64
commonName_default              = ${CN_val}
emailAddress                    = "7. Email Address       (eg, name@FQDN, Email) "
emailAddress_max                = 40
emailAddress_default            = ${Email_val}
EOT
}

init_ca_dirs() {
    # if directories do not exist then setup the directory
	for i in ${CA_DIR} ${CA_USER_CERTS} ;  do
		d=$i;
		if [ "$d" != "" -a ! -d "${d}" ] ; then
			# create the directory hierarchy
			echo "creating $d"
			mkdir -p "${d}" 
			if [ ! -d "${d}" ] ; then
				echo "cannot create directory $d";
				exit 1
			fi
		fi
	done
}

#--------------------- START OF MAIN BODY -----------------

if [ "$#" = 0 ] ; then usage; fi

# set default values

case "$1" in
	--TMPDIR=* )
		TMPDIR=`expr "X$1" : "X--TMP=\(.*\)"`
		shift
		;;
	*)
		TMPDIR=`mktemp -d -t lprng.XXXXXX` || {
			echo "$0: Cannot create temporary directory!" >&2
			echo "Perhaps your ${TMPDIR:-/tmp} is not writable or you are missing mktemp." >&2
			echo "try giving --TMPDIR=/place/only-you-can-read-or-write as first argument." >&2
			exit 1;
		}
		;;
esac


CFG=$TMPDIR/$$.sslcfg

OPENSSL=/usr/bin/openssl
CA_KEY=/etc/lprng/ssl.ca/ca.key
CA_CERT=/etc/lprng/ssl.ca/ca.crt
CA_USER_CERTS=/etc/lprng/ssl.certs
CA_CRL_FILE=/etc/lprng/ssl.crl/ssl.crl
SSL_SERVER_CERT=/etc/lprng/ssl.server/server.crt

C_val="XY"
ST_val="Snake Desert"
L_val="Snake Town"
O_val="Snake Oil, Ltd"
OU_ca_val="CA"
OU_signer_val="Signer"
OU_server_val="Server"
OU_user_val="User"
CN_ca_val="Snake Oil CA"
CN_server_val="PrintServer Name"
CN_signer_val="Signer Name"
CN_user_val="John Q. User"
Validity_ca_val=365
Validity_signer_val=365
Validity_user_val=365
Validity_server_val=365
Email_val="name@snakeoil.dom"

case "$1" in
	--TEMP=* )
		s=`expr "X$1" : "X--TEMP=\(.*\)"`
		CA_DIR="$s/ssl.ca"
		CA_CERT="$s/ssl.ca/ca.crt"
		CA_KEY="$s/ssl.ca/ca.key"
		CA_USER_CERTS="$s/ssl.certs"
		CA_CRL_FILE="$s/certs.crl"
		DIRS=""
		shift
		;;
esac

if [ "$CA_DIR" = "" ] ; then
	CA_DIR=`dirname ${CA_CERT}`
fi
CA_DEFAULTS=${CA_DIR}/ca.defaults

# if you have a defaults file, then read it
if [ -f "${CA_DEFAULTS}" ] ; then
. ${CA_DEFAULTS}
fi
set_values

#   find some random files
#   (do not use /dev/random here, because this device 
#   doesn't work as expected on all platforms)
randfiles=''
for file in /var/log/messages /var/adm/messages \
            /kernel /vmunix /vmlinuz \
            /etc/hosts /etc/resolv.conf; do
    if [ -f $file ]; then
        if [ ".$randfiles" = . ]; then
            randfiles="$file"
        else
            randfiles="${randfiles}:$file"
        fi
    fi
done

case $1 in
init )
    # if directories do not exist then setup the directory
	init_ca_dirs
	;;

newca)
    # if directories do not exist then setup the directory
	init_ca_dirs
	if [ -f ${CA_CERT} ] ; then
		while [ 1 ] ; do
			echo -n "WARNING: ${CA_CERT} already exists! Do you want to overwrite it? [N/y]"
			read VAR
			case "$VAR" in
			[Yy]* ) break ;;
			* ) exit 1
			esac
		done
	fi
    echo "${T_MD}INITIALIZATION - SET DEFAULTS in ${CA_DEFAULTS} ${T_ME}"
    echo ""
	if [ -f ${CA_DEFAULTS} ] ; then touch ${CA_DEFAULTS} ; fi
	defaults
	set_values
    echo "${T_MD}Generating custom Certificate Authority (CA)${T_ME}"
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}STEP 1: Generating RSA private key for CA (1024 bit)${T_ME}"
    cp /dev/null ${CA_RND}
    echo '02' >${CA_SER}
    if [ ".$randfiles" != . ]; then
        ${OPENSSL} genrsa -rand $randfiles -out ${CA_KEY} 1024
    else
        ${OPENSSL} genrsa -out ${CA_KEY} 1024
    fi
    if [ $? -ne 0 ]; then
        echo "$0: Error: Failed to generate RSA private key" 1>&2
		rm -f ${CFG}
        exit 1
    fi
	TYPE="ca"
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA${T_ME}"
	eval CN_val=\"\$CN_${TYPE}_val\"
	eval OU_val=\"\$OU_${TYPE}_val\"
	eval Validity_val=\"\$Validity_${TYPE}_val\"
	make_cfg
	#cat ${CFG}
    ${OPENSSL} req -config ${CFG} -new -key ${CA_KEY} -out ${CA_CSR}
    if [ $? -ne 0 ]; then
        echo "Error: Failed to generate certificate signing request" 1>&2
		rm -f ${CFG}
        exit 1
    fi
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}STEP 3: Generating X.509 certificate for CA signed by itself${T_ME}"
    cat >${CFG} <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
basicConstraints = CA:true,pathlen:0
nsComment        = "lprng_cert generated custom CA certificate"
# nsCertType       = sslCA,emailCA,objsign,email ---  we will leave this out, see openssl/doc/openssl.txt
nsCertType=     sslCA,emailCA,objsign,email
EOT
    ${OPENSSL} x509 -extfile ${CFG} -req -days ${Validity_ca_val} -signkey ${CA_KEY} -in ${CA_CSR} -out ${CA_CERT}
    if [ $? -ne 0 ]; then
        echo "Error: Failed to generate self-signed CA certificate" 1>&2
		rm -f ${CFG}
        exit 1
    fi
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}RESULT:${T_ME}"
    ${OPENSSL} verify ${CA_CERT}
    if [ $? -ne 0 ]; then
        echo "Error: Failed to verify resulting X.509 certificate" 1>&2
		rm -f ${CFG}
        exit 1
    fi
	STEP="STEP 4. " encrypt ${CA_KEY}
    echo "______________________________________________________________________"
    echo ""

	if [ "$ENCRYPTED" = YES ] ; then
		echo "${T_MD}STEP 5: Combine CERT and KEY file${T_ME}"
		echo "Generate single CERT and KEY file? [N/y] ";
		read VAR
		case "$VAR" in
			[yY]* )
				(umask 077;
				cat ${CA_KEY} ${CA_CERT} \
					> ${CA_CERT}.combined
				mv ${CA_CERT}.combined ${CA_CERT}
				rm ${CA_KEY}
				)
				CA_KEY="${CA_CERT}"
				;;
		esac
	fi
	index_certs ${CA_DIR}

	echo ""
	echo "Use the following commands to examine the CERT and KEY files:" 
    echo "   openssl x509 -text -in ${CA_CERT}"
    echo "   openssl rsa -text -in ${CA_KEY}"
	;;

defaults )
	echo "______________________________________________________________________"
	echo ""
	echo "${T_MD}${STEP}Setting Default Values${T_ME}"
	defaults;
	;;

encrypt )
	shift
	if [ "$1" = "" ] ; then usage; fi;
	if [ ! -f "$1" ] ; then useage; fi;
	sed -n -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' $1 >"$TMPDIR"/$$.key
	sed -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/d' $1 >"$TMPDIR"/$$.crt
	STEP="" encrypt "$TMPDIR"/$$.key
	status=$?
	echo STATUS $status
	if [ $status = 0 ] ; then
		mv $1 $1.orig
		cat "$TMPDIR"/$$.crt "$TMPDIR"/$$.key >$1
	fi
    ;;

gen )
    echo "${T_MD}CERTIFICATE GENERATION${T_ME}"
	COMBINE="Y/n"

	while [ 1 ] ; do
		echo -n "What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H] "
		read VAR
		case "$VAR" in
			[uU] ) TYPE=user; nsCertType="client,email";
					if [ "$Signer_cert_path" != "" ] ; then
						CA_CERT=$Signer_cert_path;
						CA_KEY=$Signer_key_path;
					fi
					break;;
			[sS] ) TYPE=server; nsCertType="client,server,email";
					if [ "$Signer_cert_path" != "" ] ; then
						CA_CERT=$Signer_cert_path;
						CA_KEY=$Signer_key_path;
					fi
					break;;
			[Aa] ) TYPE=signer; nsCertType="objsign";
					CA_USER_CERTS=$CA_DIR;
					CA_SER=$CA_DIR/ca.ser
					COMBINE="N/y"
					break;;
			*) shelp; ;;
		esac
	done

	while [ 1 ] ; do
		echo -n "Create in '$CA_USER_CERTS' [return for yes, or specify directory] "
		read VAR
		case "$VAR" in
			"" ) break ;;
			*) 	CA_USER_CERTS=$VAR;
				CA_SER=$VAR/ca.ser
			;;
		esac
	done
	
	if [ ! -d ${CA_USER_CERTS} ] ; then
		mkdir -p ${CA_USER_CERTS}
	fi
	if [ ! -f $CA_SER ] ; then
		echo 1 > $CA_SER;
	fi

	user="$TYPE-`cat ${CA_SER}`"
	while [ 1 ] ; do
		echo -n "CERT name '$user'? [return for yes, or specify name] "
		read VAR
		case "$VAR" in
			"" ) break ;;
			*) 	user="$VAR"
			;;
		esac
	done

	echo "Creating $user in $CA_USER_CERTS" 

	CERT=$CA_CERT;
	KEY=$CA_KEY;
	while [ 1 ] ; do
		if [ ! -f "$CERT" ] ; then
			d=`dirname $CERT`;
			if [ "$d" = "." -o "$d" = "" ] ; then d="${CA_DIR}/"; fi
			if [ -f $d$CERT ] ; then CERT=$d$CERT; fi
			if [ -f $d${CERT}.crt ] ; then CERT=$d${CERT}.crt; fi
		fi
		echo -n "Sign with Certificate '$CERT' [return for yes, ? for list, or specify cert file] "
		read VAR
		case "$VAR" in
			"" )
				if [ ! -f "$CERT" ] ; then
					echo "cert file '$CERT' does not exist" 
					continue
				fi
				break;
				;;
			"?" )
				d=`dirname $CERT`;
				echo "Possible CERTS in directory '$d' are:"
				ls $d/*.crt 2>/dev/null
				;;
			*)
			if [ ! -f "$VAR" ] ; then
				if [ -f "$VAR.crt" ] ; then
					VAR="$VAR.crt"
				fi
				d=`dirname $CERT`;
				v=
				for i in `ls $d/*.crt 2>/dev/null | grep $VAR` ; do
					echo "Match Found $i"
					if [ "$v" = "" ] ; then v="$i" ; else v="$v $i"; fi
				done
				if [ "$v" = "" ] ; then
					echo "Possible CERTS in directory '$d' are:"
					ls $d/*.crt 2>/dev/null
				elif [ -f "$v" ] ; then
					VAR=$v
				else
					continue
				fi
			fi
			CERT="$VAR"; KEY="$VAR"
			;;
		esac
	done

	if [ "`grep 'PRIVATE KEY' $CERT`" != "" ] ; then
		echo Private key in $CERT
		KEY=$CERT
	else
		while [ 1 ] ; do
			echo -n "Private key file '$KEY' [return for yes, or specify path to key file] "
			read VAR
			case "$VAR" in
				"" )
					if [ ! -f "$KEY" ] ; then
						echo "file '$KEY' does not exist" 
						continue
					fi
					break;
					;;
				*)
				if [ ! -f "$VAR" ] ; then
					echo "file '$VAR' does not exist" 
					d=`dirname $CERT`;
					if [ -f $d/$VAR ] ; then
						VAR=$d/$VAR;
						echo "Trying $VAR"
					else
						continue
					fi
				fi
				KEY="$VAR"
				;;
			esac
		done
	fi

    echo ""
    echo "${T_MD}Generating ${TYPE} Certificate [$user] ${T_ME}"
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}STEP 1: Generating RSA private key for ${TYPE} (1024 bit)${T_ME}"
    if [ ".$randfiles" != . ]; then
        ${OPENSSL} genrsa -rand $randfiles -out ${CA_USER_CERTS}/$user.key 1024
    else
        ${OPENSSL} genrsa -out ${CA_USER_CERTS}/$user.key 1024
    fi
    if [ $? -ne 0 ]; then
        echo "Error: Failed to generate RSA private key" 1>&2
		rm -f ${CFG}
        exit 1
    fi
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}STEP 2: Generating X.509 certificate signing request for ${TYPE}${T_ME}"
	eval CN_val=\"\$CN_${TYPE}_val\"
	eval OU_val=\"\$OU_${TYPE}_val\"
	eval Validity_val=\"\$Validity_${TYPE}_val\"
	make_cfg
    ${OPENSSL} req -config ${CFG} -new -key ${CA_USER_CERTS}/$user.key -out ${CA_USER_CERTS}/$user.csr
    if [ $? -ne 0 ]; then
        echo "Error: Failed to generate certificate signing request" 1>&2
		rm -f ${CFG}
        exit 1
    fi
	while [ 1 ] ; do
		echo -n "User Certificate Validity in days  [default $Validity_val] "
		read VAR
		case "$VAR" in
			"" ) VAR=$Validity_val;;
		esac
		v=`echo ${VAR} | sed -e 's/[0-9]//g'`
		if [ "$v" != "" -o "$VAR" = "" ] ; then
			echo "Must be integer value"
		else
			Validity_val=$VAR;
			break;
		fi
	done
    rm -f ${CFG}
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}STEP 3: Generating X.509 certificate signed by ${CERT}${T_ME}"
    cat >${CFG} <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
basicConstraints = CA:false,pathlen:0
nsComment        = "lprng_cert generated $TYPE certificate"
# You can really go to town here, but remeber, the server certs
#  must be used for both client AND server operation, so it gets
#  a bit tricky specifying the type of cert
# for end users
# nsCertType       = client,email ---  we will leave this out, see openssl/doc/openssl.txt
# for servers
# nsCertType       = server,client,email ---  we will leave this out, see openssl/doc/openssl.txt
nsCertType= ${nsCertType}
EOT
	while [ 1 ] ; do
		${OPENSSL} x509 -extfile ${CFG} -days ${Validity_val} \
		-CAserial ${CA_SER} -CA ${CERT} -CAkey ${KEY} \
		-in ${CA_USER_CERTS}/$user.csr -req -out ${CA_USER_CERTS}/$user.crt
		if [ $? -ne 0 ] ; then
			echo "Error: Failed to generate X.509 certificate" 1>&2
			echo "try again? [Y/n] "
			read VAR
			case "$VAR" in
				[Yy]* | "" ) ;;
				* )
					rm -f ${CFG}
					exit 1
				;;
			esac
		else
			break;
		fi
	done
#    caname="`${OPENSSL} x509 -noout -text -in ${CERT} |\
#             grep Subject: | sed -e 's;.*CN=;;' -e 's;/Em.*;;'`"
#    username="`${OPENSSL} x509 -noout -text -in ${CA_USER_CERTS}/$user.crt |\
#               grep Subject: | sed -e 's;.*CN=;;' -e 's;/Em.*;;'`"
#    echo "Assembling PKCS#12 package"
#    ${OPENSSL} pkcs12 -export -in ${CA_USER_CERTS}/$user.crt \
#		-inkey ${CA_USER_CERTS}/$user.key -certfile ${CERT} \
#		 -name "$username" -caname "$caname" -out ${CA_USER_CERTS}/$user.p12
    echo "______________________________________________________________________"
    echo ""
    echo "${T_MD}RESULT:${T_ME}"
    ${OPENSSL} verify -CApath ${CA_DIR} -CAfile ${CERT} ${CA_USER_CERTS}/$user.crt
    if [ $? -ne 0 ]; then
        echo ": Failed to verify resulting X.509 certificate" 1>&2
		rm -f ${CFG}
        exit 1
    fi

	STEP="STEP 4. " encrypt  ${CA_USER_CERTS}/$user.key
    echo "______________________________________________________________________"
    echo ""

	ofile=key 
	if [ "$ENCRYPTED" = YES ] ; then
		echo "${T_MD}STEP 5: Combine CERT and KEY file${T_ME}"
		echo "Generate single CERT and KEY file? [$COMBINE] ";
		read VAR
		case "$VAR" in
			[yY]* | "" )
				if [ "$VAR" = "" -a "$COMBINE" = "N/y" ] ; then
					break;
				fi
				(umask 077;
				cat ${CA_USER_CERTS}/$user.key ${CA_USER_CERTS}/$user.crt \
					> ${CA_USER_CERTS}/$user.crt.combined
				mv ${CA_USER_CERTS}/$user.crt.combined \
					${CA_USER_CERTS}/$user.crt
				rm ${CA_USER_CERTS}/$user.key
				)
				ofile=crt
				;;
		esac
	fi

	if [ "${TYPE}" = "signer" ] ; then
		index_certs ${CA_USER_CERTS}
	fi

	echo ""
	echo "Use the following commands to examine the CERT and KEY files:" 
    echo "   openssl x509 -text -in ${CA_USER_CERTS}/$user.crt"
    echo "   openssl rsa -text -in ${CA_USER_CERTS}/$user.$ofile"

	;;

verify )
	shift
	if [ $# = 0 ] ; then
		v=`ls ${CA_USER_CERTS}/*.crt 2>/dev/null`
	else
		for i in $* ; do
			if [ -f $i ] ; then
				v="$v $i"
			elif [ -d $i ] ; then
				for j in $i/*.crt ; do
					v="$v $j"
				done
			fi
		done
	fi
	for i in $v ; do
		if [ -f $i ] ; then
			v=$i;
		elif [ -f $CA_USER_CERTS/$i ] ; then
			v=$CA_USER_CERTS/$i;
		elif [ -f $CA_USER_CERTS/$i.crt ] ; then
			v=$CA_USER_CERTS/$i.crt;
		elif [ -f $CA_DIR/$i ] ; then
			v=$CA_DIR/$i;
		elif [ -f $CA_DIR/$i.crt ] ; then
			v=$CA_DIR/$i.crt;
		else
			echo "cannot find $i in $CA_USER_CERTS or $CA_DIR";
			continue
		fi
		echo "cert: $v"
		${OPENSSL} x509 -in $v -subject -issuer -noout
	    ${OPENSSL} verify -CApath ${CA_DIR} $v
	done
	;;

index )
	shift
	if [ "$1" != "" ] ; then CA_DIR="$1" ; fi
	index_certs ${CA_DIR}
	;;


*)
    echo "Unknown request '$*'";
	usage;
	rm -f ${CFG}
    exit 1
    ;;
esac
rm -f ${CFG}
exit $RET