- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
- -signkey "$arg1-privkey.pem" -req -text 2>&3
-elif test "$command" = ls; then
- check_type "$arg2"
-
- cd "$pkidir/${type}ca/incoming"
- for file in $(glob "$arg1*-req.pem"); do
- fingerprint $file
- done
-elif test "$command" = flush; then
- check_type "$arg1"
-
- rm -f "$pkidir/${type}ca/incoming/"*
-elif test "$command" = reject; then
- one_or_two_args
- check_type "$arg2"
- resolve_prefix "$arg1"
-
- rm -f "$req"
-elif test "$command" = approve; then
- one_or_two_args
- check_type "$arg2"
- resolve_prefix "$arg1"
-
- make_tmpdir
- cp "$req" "$TMP/$req"
- verify_fingerprint "$TMP/$req"
- sign_request "$TMP/$req"
- rm -f "$req" "$TMP/$req"
-elif test "$command" = prompt; then
- zero_or_one_args
- check_type "$arg1"
-
- make_tmpdir
- cd "$pkidir/${type}ca/incoming"
- for req in $(glob "*-req.pem"); do
- cp "$req" "$TMP/$req"
-
- cert=$(echo "$pkidir/${type}ca/certs/$req" |
- sed 's/-req.pem/-cert.pem/')
- if test -f $cert; then
- echo "Request $req already approved--dropping duplicate request"
- rm -f "$req" "$TMP/$req"
- continue
- fi
+ # Create both the private key and certificate with restricted permissions.
+ (umask 077 && \
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+ -signkey "$arg1-privkey.pem" -req -days 3650 -text) 2>&3 || exit $?