Better names for the root and intermediate CAs.

bin/certified

@@ -67,7 +67,7 @@ then . "$DB/defaults.sh"
 fi
 [ "$CN" ] || usage 1
 : ${NAME:="$(echo "$CN" | tr "[:upper:]" "[:lower:]" | tr " " "-")"}
-: ${ISSUER:="ca"}
+: ${ISSUER:="intermediate-ca"}
 : ${ISSUER_NAME:="$(echo "$ISSUER" | tr "[:upper:]" "[:lower:]" | tr " " "-")"}
 
 mkdir -p "$DB"

bin/certified-ca

@@ -62,17 +62,17 @@ cd "$DB"
 
 if [ "$REVOKE" ]
 then
-    certified-revoke --ca-password="$ROOT_PASSWORD" --db="." --issuer="root-ca" --issuer-name="root-ca" --name="ca" CN="ca"
-    git rm -q "certs/ca.crt" "ca.csr" "private/ca.key"
+    certified-revoke --ca-password="$ROOT_PASSWORD" --db="." --issuer="root-ca" --issuer-name="root-ca" --name="intermediate-ca" CN="intermediate-ca"
+    git rm -q "certs/intermediate-ca.crt" "intermediate-ca.csr" "private/intermediate-ca.key"
     git add "."
     git commit -m"$MESSAGE" -q
     exit
 fi
 
-if [ -f "certs/ca.crt" ]
+if [ -f "certs/intermediate-ca.crt" ]
 then die "CA already exists in $DB"
 fi
-if [ -f "private/ca.key" ]
+if [ -f "private/intermediate-ca.key" ]
 then die "CA already partially exists in $DB"
 fi
 if [ -f "private/root-ca.key" -o -f "certs/root-ca.crt" ]
@@ -119,7 +119,7 @@ EOF
     if_echo "$L" "L = $L"
     if_echo "$O" "O = $O"
     cat <<EOF
-CN = $CN
+CN = $CN Root
 
 [req]
 default_bits = $BITS
@@ -134,7 +134,7 @@ EOF
 keyUsage = critical, cRLSign, keyCertSign, nonRepudiation
 subjectKeyIdentifier = hash
 EOF
-} >"ca.cnf"
+} >"intermediate-ca.cnf"
 
 if [ ! -f "certs/root-ca.crt" ]
 then
@@ -147,17 +147,17 @@ then
         log "generating RSA private key"
         openssl genrsa -des3 -out "private/root-ca.key" -passout "$PASSOUT" "$BITS"
         log "signing the CA certificate"
-        openssl req -config "ca.cnf" -days "$DAYS" -extensions "x509_extensions" -key "private/root-ca.key" -new -out "certs/root-ca.crt" -passin "$PASSIN" -x509
+        openssl req -config "intermediate-ca.cnf" -days "$DAYS" -extensions "x509_extensions" -key "private/root-ca.key" -new -out "certs/root-ca.crt" -passin "$PASSIN" -x509
     else
         log "generating RSA private key; please choose and confirm a root CA password"
         openssl genrsa -des3 -out "private/root-ca.key" "$BITS"
         log "signing the CA certificate; please enter the root CA password"
-        openssl req -config "ca.cnf" -days "$DAYS" -extensions "x509_extensions" -key "private/root-ca.key" -new -out "certs/root-ca.crt" -x509
+        openssl req -config "intermediate-ca.cnf" -days "$DAYS" -extensions "x509_extensions" -key "private/root-ca.key" -new -out "certs/root-ca.crt" -x509
     fi
 fi
 
-certified-csr --bits="$BITS" --ca --crl-url="$ROOT_CRL_URL" --days="$DAYS" --db="." $ENCRYPT --issuer="$CN" --issuer-name="root-ca" --name="ca" --ocsp-url="$OCSP_URL" --password="$INTERMEDIATE_PASSWORD" C="$C" CN="$CN" L="$L" O="$O" ST="$ST"
-certified-crt --ca-password="$ROOT_PASSWORD" --days="$DAYS" --db="." --name="ca" CN="$CN"
+certified-csr --bits="$BITS" --ca --crl-url="$ROOT_CRL_URL" --days="$DAYS" --db="." $ENCRYPT --issuer="$CN Root" --issuer-name="root-ca" --name="intermediate-ca" --ocsp-url="$OCSP_URL" --password="$INTERMEDIATE_PASSWORD" C="$C" CN="$CN Intermediate" L="$L" O="$O" ST="$ST"
+certified-crt --ca-password="$ROOT_PASSWORD" --days="$DAYS" --db="." --name="intermediate-ca" CN="$CN Intermediate"
 
 git init -q
 echo "private/root-ca.key" >".gitignore"
@@ -169,3 +169,4 @@ log "install this certificate on your laptops and servers"
 cat "certs/root-ca.crt"
 echo >&2
 log "store $PWD/private/root-ca.key in a very safe place and remove it from here"
+

bin/certified-crt

@@ -69,7 +69,7 @@ then
     else PASSIN="pass:$CA_PASSWORD"
     fi
     openssl ca -batch -config "$NAME.cnf" -extensions "x509_extensions" -in "$NAME.csr" -notext -out "certs/$NAME.crt" -passin "$PASSIN"
-elif grep -q "certificate = certs/ca.crt" "$NAME.cnf"
+elif grep -q "certificate = certs/intermediate-ca.crt" "$NAME.cnf"
 then
     log "signing the certificate"
     openssl ca -batch -config "$NAME.cnf" -extensions "x509_extensions" -in "$NAME.csr" -notext -out "certs/$NAME.crt"

bin/certified-csr

@@ -75,7 +75,7 @@ fi
 if is_dns "$CN"
 then SAN_DNS="$CN $SAN_DNS"
 fi
-: ${ISSUER:="ca"}
+: ${ISSUER:="intermediate-ca"}
 : ${ISSUER_NAME:="$(echo "$ISSUER" | tr "[:upper:]" "[:lower:]" | tr " " "-")"}
 
 mkdir -p "$DB/.$ISSUER_NAME" "$DB/private"

bin/certified-revoke

@@ -39,7 +39,7 @@ then . "$DB/defaults.sh"
 fi
 [ "$CN" ] || usage 1
 : ${NAME:="$(echo "$CN" | tr "[:upper:]" "[:lower:]" | tr " " "-")"}
-: ${ISSUER:="ca"}
+: ${ISSUER:="intermediate-ca"}
 : ${ISSUER_NAME:="$(echo "$ISSUER" | tr "[:upper:]" "[:lower:]" | tr " " "-")"}
 : ${REASON:="unspecified"}
 
@@ -76,7 +76,7 @@ fi
 
 echo >&2
 case "$ISSUER_NAME" in
-    "ca") log "install this certificate revocation list at ${CRL_URL:-"your CRL distribution URL"}";;
+    "intermediate-ca") log "install this certificate revocation list at ${CRL_URL:-"your CRL distribution URL"}";;
     "root-ca") log "install this certificate revocation list at ${ROOT_CRL_URL:-"your CRL distribution URL"}";;
     *) log "install this certificate revocation list at your CRL distribution URL";;
 esac

bin/certified-yaml

@@ -25,7 +25,7 @@ do
     NAME="$(basename "$PATHNAME" ".crt")"
     echo "$NAME.crt: |"
     sed "s/^/  /" "$PATHNAME"
-    if [ "$NAME" != "root-ca" -a "$NAME" != "ca" ]
+    if [ "$NAME" != "root-ca" -a "$NAME" != "intermediate-ca" ]
     then
         echo "$NAME.key: |"
         cat "$DB/private/$NAME.key" | sed "s/^/  /"