authorErich Eckner <git@eckner.net>2019-12-06 15:24:07 +0100
committerErich Eckner <git@eckner.net>2019-12-06 15:24:07 +0100
commitfbd103c8e680cc73a79e316bebddeda11c33611a (patch)
tree523b1ed3f18a1891a4c81474e66c9e5e6e3eaa9d
parent96cbb5c8c99c586ed6b1a2105da4c5e21aa5ec1f (diff)
downloadsimple-pki-fbd103c8e680cc73a79e316bebddeda11c33611a.tar.xz
A new sign-ca and/or root-ca means we need to exchange the directory with the issued certificates, too - this means we should handle creation of those in sign-ca, not in the Makefile
-rw-r--r--Makefile12
-rwxr-xr-xsign-ca.in26
2 files changed, 28 insertions, 10 deletions
diff --git a/Makefile b/Makefile
index b5c0668..74d64e7 100644
--- a/Makefile
+++ b/Makefile
@@ -46,16 +46,8 @@ install-ca:
install -D -m0755 -t $(DESTDIR)$(BINDIR) sign-ca sign-request
install -D -m0644 -t $(DESTDIR)$(ETCDIR)/simple-pki etc/ca.conf etc/ca-ssl.conf
install -D -m0644 -t $(DESTDIR)$(LIBDIR)/systemd/system sign-ca.service sign-ca.timer
- install -d -m0755 $(DESTDIR)$(ETCDIR)/simple-pki/ca/root-ca/db $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/db $(DESTDIR)$(ETCDIR)/simple-pki/crl $(DESTDIR)$(ETCDIR)/simple-pki/certs
- install -d -m0700 $(DESTDIR)$(ETCDIR)/simple-pki/ca/root-ca/private $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/private
- install -D -m0644 /dev/null $(DESTDIR)$(ETCDIR)/simple-pki/ca/root-ca/db/root-ca.db
- install -D -m0644 /dev/null $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/db/signing-ca.db
- install -D -m0644 /dev/null $(DESTDIR)$(ETCDIR)/simple-pki/ca/root-ca/db/root-ca.db.attr
- install -D -m0644 /dev/null $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/db/signing-ca.db.attr
- echo 01 | install -D -m0644 /dev/stdin $(DESTDIR)$(ETCDIR)/simple-pki/ca/root-ca/db/root-ca.crt.srl
- echo 01 | install -D -m0644 /dev/stdin $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/db/signing-ca.crt.srl
- echo 01 | install -D -m0644 /dev/stdin $(DESTDIR)$(ETCDIR)/simple-pki/ca/root-ca/db/root-ca.crl.srl
- echo 01 | install -D -m0644 /dev/stdin $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/db/signing-ca.crl.srl
+ install -d -m0755 $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/db $(DESTDIR)$(ETCDIR)/simple-pki/crl $(DESTDIR)$(ETCDIR)/simple-pki/certs
+ install -d -m0700 $(DESTDIR)$(ETCDIR)/simple-pki/ca/signing-ca/private
install-cb:
install -D -m0755 -t $(DESTDIR)$(BINDIR) rotate-keys
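Review bot: After this change `install-ca` still creates `signing-ca/db` and `signing-ca/private` but no longer seeds `signing-ca.db`, `signing-ca.db.attr` or the `.srl` files, and it creates nothing at all for `root-ca`. The sign-ca hunks on this page recreate those only inside the branches guarded by `if [ -f …crt ]`, so on a fresh install with no existing certificate the database and serial files may never be created, unless a part of sign-ca not shown here handles first-run setup. Either drop the two remaining `install -d` lines for `signing-ca` so sign-ca owns the whole layout, or document the split with a comment above them such as `# db contents and serial files under ca/* are created by sign-ca`. The `install-ca` recipe starts above this hunk.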
diff --git a/sign-ca.in b/sign-ca.in
index 25d1a98..f000dc3 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -20,6 +20,19 @@ if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
mv \
'#ETCDIR#/simple-pki/ca/root-ca.crt' \
'#ETCDIR#/simple-pki/ca/root-ca.crt.old'
+ rm -rf --one-file-system \
+ '#ETCDIR#/simple-pki/ca/root-ca.old'
+ mv \
+ '#ETCDIR#/simple-pki/ca/root-ca' \
+ '#ETCDIR#/simple-pki/ca/root-ca.old'
+ install -d -m0755 '#ETCDIR#/simple-pki/ca/root-ca/db'
+ install -d -m0700 '#ETCDIR#/simple-pki/ca/root-ca/private'
+ touch \
+ '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db' \
+ '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db.attr'
+ echo '01' \
+ |tee '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crt.srl' \
+ >'#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crl.srl'
else
>&2 echo 'nothing to do: "old" root certificate is too new'
exit
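Review bot: The added rotation steps are not checked individually, so if `mv '#ETCDIR#/simple-pki/ca/root-ca' '#ETCDIR#/simple-pki/ca/root-ca.old'` fails, the following `install -d`, `touch` and `echo '01' | tee …` still run against the directory that is in place and overwrite `root-ca.crt.srl` and `root-ca.crl.srl` next to an existing `root-ca.db`. Unless the script already runs under `set -e` (its header is outside this hunk), append `|| exit 1` to the `rm` and `mv` or chain the block with `&&`. The new files also take their modes from the caller's umask where the Makefile used `install -m0644`; setting `umask 022` before the block keeps that explicit. `root-ca.old/private` keeps the previous CA key on disk until the next rotation, which deserves a comment saying this retention is intended. The signing-ca hunk (`@@ -30,6 +43,19 @@`) repeats the same sequence and the same points apply there.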
@@ -30,6 +43,19 @@ if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
mv \
'#ETCDIR#/simple-pki/ca/signing-ca.crt' \
'#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
+ rm -rf --one-file-system \
+ '#ETCDIR#/simple-pki/ca/signing-ca.old'
+ mv \
+ '#ETCDIR#/simple-pki/ca/signing-ca' \
+ '#ETCDIR#/simple-pki/ca/signing-ca.old'
+ install -d -m0755 '#ETCDIR#/simple-pki/ca/signing-ca/db'
+ install -d -m0700 '#ETCDIR#/simple-pki/ca/signing-ca/private'
+ touch \
+ '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db' \
+ '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db.attr'
+ echo '01' \
+ |tee '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crt.srl' \
+ >'#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crl.srl'
fi
CA=root-ca openssl req -new \