author | Erich Eckner <git@eckner.net> | 2019-12-09 10:17:13 +0100 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2019-12-09 10:17:13 +0100 |
commit | b6b7550ccbe694bfd81bfdb216d688c291930351 (patch) | |
tree | f6b9147b30689826c712bc6c294a9cdda476a2ea | |
parent | 7764d70477823876fdebb9dcd7586d26beeee80c (diff) | |
download | simple-pki-b6b7550ccbe694bfd81bfdb216d688c291930351.tar.xz |
sign-request.in: use the old ca for some time (the new ca may need some time to circulate to clients)
-rw-r--r-- | etc/ca.conf | 3 | ||||
-rwxr-xr-x | sign-request.in | 9 |
2 files changed, 11 insertions, 1 deletions
diff --git a/etc/ca.conf b/etc/ca.conf
index aa8b4ba..2dccb42 100644
--- a/etc/ca.conf
+++ b/etc/ca.conf
@@ -3,6 +3,9 @@
 # how long do we keep the old signature of the root-ca (days)
 ca_keep_duration=60
 
+# how long do we wait before using the new root-ca (days)
+ca_min_duration=10
+
 # which system user owns the ca
 ca_user='erich'
 
diff --git a/sign-request.in b/sign-request.in
index 52b481e..0185cf4 100755
--- a/sign-request.in
+++ b/sign-request.in
@@ -14,6 +14,13 @@ remove_leading_spaces() {
 '
 }
 
+if [ -f '#ETCDIR#/simple-pki/ca/root-ca.old.crt' ] \
+&& [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -ge "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then
+  export CA=signing-ca.old
+else
+  export CA=signing-ca
+fi
+
 tmp_dir=$(mktemp -d)
 trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT
 
@@ -95,7 +102,7 @@ while read -r csr; do
     rm "${csr_local}"
     continue
   fi
-  if ! CA=signing-ca openssl ca -batch -name signing_ca \
+  if ! openssl ca -batch -name signing_ca \
     -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
     -in "${csr_local}" \
     -out "${csr_local%.csr}.crt" \
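Review bot: The 10-day grace window in the new `if` is keyed off the mtime (`stat -c%Y`) of `root-ca.old.crt`, but mtime survives a `mv`; if the rotation step renames the previous root into that path, the timestamp is the old root's last write time rather than the rotation time, and the script would fall through to `signing-ca` immediately, defeating the purpose of the commit. Using ctime, which rename does refresh, or recording the rotation time explicitly is more robust: `&& [ "$(stat -c%Z '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -ge "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then`. The expression also relies on `ca_min_duration` being sourced from `etc/ca.conf` before this point, which is not visible in the hunk; if it is unset, bash arithmetic treats it as 0 and the window silently becomes zero-length, so a guard such as `: "${ca_min_duration:?ca_min_duration not set}"` above the `if` would fail loudly instead. Note also that `CA` is now exported once for the whole run rather than set per `openssl ca` invocation, so any other openssl call in this script that presumably reads `$ENV::CA` now inherits the choice. Finally, certificates issued during the window chain to the old root, so `ca_keep_duration` must cover the window plus the lifetime of certificates issued in it, or clients that drop the old root will stop verifying them; a comment next to `ca_min_duration` stating that constraint would make it explicit.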