authorErich Eckner <git@eckner.net>2019-08-29 13:33:02 +0200
committerErich Eckner <git@eckner.net>2019-08-29 13:33:02 +0200
commit0f6b01ed8265ddd01687ff8b50de52be8fcf97c0 (patch)
tree3a83dc2695a8a850f1371240f43ae2a4cab3641b
parente33c85c0f64dd1c0eb1612c10d2c2fbc66c98bae (diff)
sign-ca: cross sign ca with old one
-rwxr-xr-xsign-ca.in19
1 files changed, 17 insertions, 2 deletions
diff --git a/sign-ca.in b/sign-ca.in
index cae09f2..9752464 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -28,16 +28,31 @@ fi
if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
- openssl req -x509 -new \
+ openssl req -new \
-newkey rsa:4096 -sha256 \
-keyout "${key_dir}/${ca_name}.key.new" \
+ -out "${key_dir}/${ca_name}.csr.new" \
+ -nodes \
+ -subj "${ca_subject_prefix}"'/CN=Certification Authority' \
+ -addext 'subjectKeyIdentifier = hash' \
+ -addext 'basicConstraints = critical, CA:true' \
+ -addext 'keyUsage = keyCertSign, cRLSign'
+ if [ -f "${key_dir}/${ca_name}.key" ]; then
+ previous_key="${key_dir}/${ca_name}.key"
+ else
+ previous_key="${key_dir}/${ca_name}.key.new"
+ fi
+ openssl req -x509 \
+ -sha256 \
+ -in "${key_dir}/${ca_name}.csr.new" \
+ -key "${previous_key}" \
-out "${key_dir}/${ca_name}.crt.new" \
-days 365 -nodes \
- -subj "${ca_subject}"'/CN=Certification Authority' \
-addext 'subjectKeyIdentifier = hash' \
-addext 'authorityKeyIdentifier = keyid:always, issuer' \
-addext 'basicConstraints = critical, CA:true' \
-addext 'keyUsage = keyCertSign, cRLSign'
+ rm "${key_dir}/${ca_name}.csr.new"
fi
rsync --ignore-missing-args \