diff options
author | Erich Eckner <git@eckner.net> | 2019-09-02 11:47:33 +0200 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2019-09-02 12:03:10 +0200 |
commit | ff7a3622bc6b8002a2ca6c8c26668f4e1daa70df (patch) | |
tree | ab4993267e075f24c0d3717bb05b28772fbb1728 /sign-ca.in | |
parent | 4b146b607885a0a0543c68ee553f7a6c64e1fe30 (diff) | |
download | simple-pki-ff7a3622bc6b8002a2ca6c8c26668f4e1daa70df.tar.xz |
sign-ca functional
Diffstat (limited to 'sign-ca.in')
-rwxr-xr-x | sign-ca.in | 96 |
1 files changed, 56 insertions, 40 deletions
@@ -1,11 +1,9 @@ #!/bin/bash -# generate new ca certificate, roll over the old one(s) +# generate new ca certificates, roll over the old one(s) set -e -key_dir='#ETCDIR#/simple-pki/keys' - if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then . '#ETCDIR#/simple-pki/ca.conf' fi @@ -15,54 +13,72 @@ if [ -n "${ca_user}" ] \ exec su "${ca_user}" -c "$0" fi -if [ -f "${key_dir}/${ca_name}.key.new" ] \ -&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then - if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \ - || [ ! -f "${key_dir}/${ca_name}.key" ] \ - || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \ - || [ ! -f "${key_dir}/${ca_name}.crt" ]; then - mv "${key_dir}/${ca_name}.key"{.new,} - mv "${key_dir}/${ca_name}.crt"{.new,} +for ca in root signing; do + mkdir -p '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db' '#ETCDIR#/simple-pki/crl' '#ETCDIR#/simple-pki/certs' + chmod 700 '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' + if [ ! -f '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' ]; then + cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' + cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db.attr' + echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crt.srl' + echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crl.srl' fi -fi +done -if [ ! -f "${key_dir}/${ca_name}.key.new" ] \ -|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then - openssl req -new \ - -newkey rsa:4096 -sha256 \ - -keyout "${key_dir}/${ca_name}.key.new" \ - -out "${key_dir}/${ca_name}.csr.new" \ - -nodes \ - -subj "${ca_subject_prefix}"'/CN=Certification Authority' \ - -addext 'subjectKeyIdentifier = hash' \ - -addext 'basicConstraints = critical, CA:true' \ - -addext 'keyUsage = keyCertSign, cRLSign' - if [ -f "${key_dir}/${ca_name}.key" ]; then - previous_key="${key_dir}/${ca_name}.key" +if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then + if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \ + || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then + mv \ + '#ETCDIR#/simple-pki/ca/root-ca.crt' \ + '#ETCDIR#/simple-pki/ca/root-ca.crt.old' else - previous_key="${key_dir}/${ca_name}.key.new" + >&2 echo 'nothing to do: "old" root certificate is too new' + exit fi - openssl req -x509 \ - -sha256 \ - -in "${key_dir}/${ca_name}.csr.new" \ - -key "${previous_key}" \ - -out "${key_dir}/${ca_name}.crt.new" \ - -days 365 -nodes \ - -addext 'subjectKeyIdentifier = hash' \ - -addext 'authorityKeyIdentifier = keyid:always, issuer' \ - -addext 'basicConstraints = critical, CA:true' \ - -addext 'keyUsage = keyCertSign, cRLSign' - rm "${key_dir}/${ca_name}.csr.new" fi +if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then + mv \ + '#ETCDIR#/simple-pki/ca/signing-ca.crt' \ + '#ETCDIR#/simple-pki/ca/signing-ca.crt.old' +fi + +CA=root-ca openssl req -new \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key' + +CA=root-ca openssl ca -batch -name root_ca -selfsign \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \ + -extensions root_ca_ext + +CA=signing-ca openssl req -new \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \ + -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key' + +CA=root-ca openssl ca -batch -name root_ca \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \ + -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \ + -extensions signing_ca_ext + +rm \ + '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + '#ETCDIR#/simple-pki/ca/signing-ca.csr' + rsync --ignore-missing-args \ - "${key_dir}/${ca_name}.crt"{.new,} \ + '#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \ "${remote_host}:${remote_dir}/" ( - cd "${key_dir}" + cd '#ETCDIR#/simple-pki/ca/' find . -maxdepth 1 \ - -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \ + -type f \( \ + -name root-ca.crt -o \ + -name root-ca.crt.old \ + \) \ -printf '%TY-%Tm-%TdT%TT ' \ -exec sha512sum {} \; \ | sed ' |