author | Erich Eckner <git@eckner.net> | 2019-12-09 10:11:59 +0100 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2019-12-09 10:11:59 +0100 |
commit | 7764d70477823876fdebb9dcd7586d26beeee80c (patch) | |
tree | 668e73a155319cbf7e40ef4bf7526dc4622f89ae | |
parent | 056402c1aa1f5bc3296755283cc8bcdf76815643 (diff) | |
download | simple-pki-7764d70477823876fdebb9dcd7586d26beeee80c.tar.xz |
sign-ca.in: old root-ca and old signing-ca should get the .old suffix after "ca" so that they remain operable
-rwxr-xr-x | sign-ca.in | 71 |
1 files changed, 37 insertions, 34 deletions
@@ -14,50 +14,53 @@ if [ -n "${ca_user}" ] \
 exec su "${ca_user}" -c "$0"
 fi
+move_old_ca() {
+ mv \
+ '#ETCDIR#/simple-pki/ca/'"$1"'.crt' \
+ '#ETCDIR#/simple-pki/ca/'"$1"'.old.crt'
+ rm -rf --one-file-system \
+ '#ETCDIR#/simple-pki/ca/'"$1"'.old'
+ mv \
+ '#ETCDIR#/simple-pki/ca/'"$1" \
+ '#ETCDIR#/simple-pki/ca/'"$1"'.old'
+ find '#ETCDIR#/simple-pki/ca/'"$1"'.old' \
+ -type f \
+ -name "$1"'.*' \
+ | sed 's@^\(.*/'"$1"'\)\(\..*\)$@\0 \1.old\2@' \
+ | while read -r from to; do
+ mv "${from}" "${to}"
+ done
+}
+
+level_ground_for_new_ca() {
+ install -d -m0755 '#ETCDIR#/simple-pki/ca/'"$1"'/db'
+ install -d -m0700 '#ETCDIR#/simple-pki/ca/'"$1"'/private'
+ touch \
+ '#ETCDIR#/simple-pki/ca/'"$1"'/db/'"$1"'.db' \
+ '#ETCDIR#/simple-pki/ca/'"$1"'/db/'"$1"'.db.attr'
+ echo '01' \
+ |tee '#ETCDIR#/simple-pki/ca/'"$1"'/db/'"$1"'.crt.srl' \
+ >'#ETCDIR#/simple-pki/ca/'"$1"'/db/'"$1"'.crl.srl'
+}
+
 if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
- if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \
- || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_keep_duration))" ]; then
- mv \
- '#ETCDIR#/simple-pki/ca/root-ca.crt' \
- '#ETCDIR#/simple-pki/ca/root-ca.crt.old'
- rm -rf --one-file-system \
- '#ETCDIR#/simple-pki/ca/root-ca.old'
- mv \
- '#ETCDIR#/simple-pki/ca/root-ca' \
- '#ETCDIR#/simple-pki/ca/root-ca.old'
- install -d -m0755 '#ETCDIR#/simple-pki/ca/root-ca/db'
- install -d -m0700 '#ETCDIR#/simple-pki/ca/root-ca/private'
- touch \
- '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db' \
- '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db.attr'
- echo '01' \
- |tee '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crt.srl' \
- >'#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crl.srl'
+ if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.old.crt' ] \
+ || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -lt "$(($(date +%s)-60*60*24*ca_keep_duration))" ]; then
+ move_old_ca 'root-ca'
 else
 >&2 echo 'nothing to do: "old" root certificate is too new'
 exit
 fi
 fi
+level_ground_for_new_ca 'root-ca'
+
 if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
- mv \
- '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
- '#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
- rm -rf --one-file-system \
- '#ETCDIR#/simple-pki/ca/signing-ca.old'
- mv \
- '#ETCDIR#/simple-pki/ca/signing-ca' \
- '#ETCDIR#/simple-pki/ca/signing-ca.old'
- install -d -m0755 '#ETCDIR#/simple-pki/ca/signing-ca/db'
- install -d -m0700 '#ETCDIR#/simple-pki/ca/signing-ca/private'
- touch \
- '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db' \
- '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db.attr'
- echo '01' \
- |tee '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crt.srl' \
- >'#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crl.srl'
+ move_old_ca 'signing-ca'
 fi
+level_ground_for_new_ca 'signing-ca'
+
 CA=root-ca openssl req -new \
 -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
 -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \ |