authorErich Eckner <git@eckner.net>2019-09-02 11:47:33 +0200
committerErich Eckner <git@eckner.net>2019-09-02 12:03:10 +0200
commitff7a3622bc6b8002a2ca6c8c26668f4e1daa70df (patch)
treeab4993267e075f24c0d3717bb05b28772fbb1728
parent4b146b607885a0a0543c68ee553f7a6c64e1fe30 (diff)
downloadsimple-pki-ff7a3622bc6b8002a2ca6c8c26668f4e1daa70df.tar.xz
sign-ca functional
-rw-r--r--Makefile6
-rw-r--r--etc/.gitignore2
-rw-r--r--etc/ca-ssl.conf.in (renamed from etc/ca.conf.in)0
-rw-r--r--etc/ca.conf (renamed from ca.conf)6
-rw-r--r--etc/server-ssl.conf (renamed from etc/server.conf)0
-rwxr-xr-xsign-ca.in96
6 files changed, 61 insertions, 49 deletions
diff --git a/Makefile b/Makefile
index 873c9c1..7e7a49f 100644
--- a/Makefile
+++ b/Makefile
@@ -27,13 +27,13 @@ MANDIR = /usr/share/man
VERSION = 0.0
-all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request etc/ca.conf
+all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request etc/ca-ssl.conf
%: %.in
sed " \
s/#VERSION#/$(VERSION)/; \
- s@#BINDIR#@$(BINDIR)@; \
- s@#ETCDIR#@$(ETCDIR)@; \
+ s@#BINDIR#@$(BINDIR)@g; \
+ s@#ETCDIR#@$(ETCDIR)@g; \
s@#HELPTEXT#\(\s\+\)#@ --help \1display this help and exit\n --version\1display version and exit@; \
" $< > $@
[ "$@" = "sign-ca" ] && chmod +x "$@" || true
diff --git a/etc/.gitignore b/etc/.gitignore
index ebd5f03..a7a2421 100644
--- a/etc/.gitignore
+++ b/etc/.gitignore
@@ -1 +1 @@
-ca.conf
+ca-ssl.conf
diff --git a/etc/ca.conf.in b/etc/ca-ssl.conf.in
index 78d211f..78d211f 100644
--- a/etc/ca.conf.in
+++ b/etc/ca-ssl.conf.in
diff --git a/ca.conf b/etc/ca.conf
index 2f85b40..b4e8ca3 100644
--- a/ca.conf
+++ b/etc/ca.conf
@@ -1,10 +1,6 @@
#!/bin/bash
-# details of the ca
-ca_name='eckner-ca'
-ca_subject_prefix='/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net'
-
-# generate new ca key/cert afther this many days
+# how long do we keep the old signature of the root-ca (days)
ca_min_duration=60
# which system user owns the ca
diff --git a/etc/server.conf b/etc/server-ssl.conf
index 337a7a4..337a7a4 100644
--- a/etc/server.conf
+++ b/etc/server-ssl.conf
diff --git a/sign-ca.in b/sign-ca.in
index 8d2f4b2..beab6da 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -1,11 +1,9 @@
#!/bin/bash
-# generate new ca certificate, roll over the old one(s)
+# generate new ca certificates, roll over the old one(s)
set -e
-key_dir='#ETCDIR#/simple-pki/keys'
-
if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
. '#ETCDIR#/simple-pki/ca.conf'
fi
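Review bot: The config is only sourced when `#ETCDIR#/simple-pki/ca.conf` is readable, but with the `key_dir` default removed the script now has no fallback for anything it reads from there, and `set -e` without `-u` lets an unset `ca_min_duration` evaluate to 0 inside the `$(( ... ))` age check later in the file, so a missing or unreadable ca.conf would make the root certificate eligible for rollover on every run instead of failing. I would add `: "${ca_min_duration:?ca_min_duration must be set in ca.conf}"` (and likewise for `ca_user`) directly after the `fi`, or switch to `set -eu`. Note also that ca.conf is executed as shell code here, before the `exec su "${ca_user}"` privilege drop in the next hunk, so it runs as whichever user invokes the script; a comment like `# ca.conf is sourced as shell — keep it root-owned and not writable by ${ca_user}` would make that expectation explicit.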
@@ -15,54 +13,72 @@ if [ -n "${ca_user}" ] \
exec su "${ca_user}" -c "$0"
fi
-if [ -f "${key_dir}/${ca_name}.key.new" ] \
-&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
- if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
- || [ ! -f "${key_dir}/${ca_name}.key" ] \
- || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
- || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
- mv "${key_dir}/${ca_name}.key"{.new,}
- mv "${key_dir}/${ca_name}.crt"{.new,}
+for ca in root signing; do
+ mkdir -p '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db' '#ETCDIR#/simple-pki/crl' '#ETCDIR#/simple-pki/certs'
+ chmod 700 '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private'
+ if [ ! -f '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' ]; then
+ cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db'
+ cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db.attr'
+ echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crt.srl'
+ echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crl.srl'
fi
-fi
+done
-if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
-|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
- openssl req -new \
- -newkey rsa:4096 -sha256 \
- -keyout "${key_dir}/${ca_name}.key.new" \
- -out "${key_dir}/${ca_name}.csr.new" \
- -nodes \
- -subj "${ca_subject_prefix}"'/CN=Certification Authority' \
- -addext 'subjectKeyIdentifier = hash' \
- -addext 'basicConstraints = critical, CA:true' \
- -addext 'keyUsage = keyCertSign, cRLSign'
- if [ -f "${key_dir}/${ca_name}.key" ]; then
- previous_key="${key_dir}/${ca_name}.key"
+if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
+ if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \
+ || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then
+ mv \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt' \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt.old'
else
- previous_key="${key_dir}/${ca_name}.key.new"
+ >&2 echo 'nothing to do: "old" root certificate is too new'
+ exit
fi
- openssl req -x509 \
- -sha256 \
- -in "${key_dir}/${ca_name}.csr.new" \
- -key "${previous_key}" \
- -out "${key_dir}/${ca_name}.crt.new" \
- -days 365 -nodes \
- -addext 'subjectKeyIdentifier = hash' \
- -addext 'authorityKeyIdentifier = keyid:always, issuer' \
- -addext 'basicConstraints = critical, CA:true' \
- -addext 'keyUsage = keyCertSign, cRLSign'
- rm "${key_dir}/${ca_name}.csr.new"
fi
+if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
+ mv \
+ '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
+ '#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
+fi
+
+CA=root-ca openssl req -new \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'
+
+CA=root-ca openssl ca -batch -name root_ca -selfsign \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
+ -extensions root_ca_ext
+
+CA=signing-ca openssl req -new \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
+ -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'
+
+CA=root-ca openssl ca -batch -name root_ca \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
+ -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
+ -extensions signing_ca_ext
+
+rm \
+ '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ '#ETCDIR#/simple-pki/ca/signing-ca.csr'
+
rsync --ignore-missing-args \
- "${key_dir}/${ca_name}.crt"{.new,} \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \
"${remote_host}:${remote_dir}/"
(
- cd "${key_dir}"
+ cd '#ETCDIR#/simple-pki/ca/'
find . -maxdepth 1 \
- -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \
+ -type f \( \
+ -name root-ca.crt -o \
+ -name root-ca.crt.old \
+ \) \
-printf '%TY-%Tm-%TdT%TT ' \
-exec sha512sum {} \; \
| sed '