authorErich Eckner <git@eckner.net>2019-08-29 11:13:36 +0200
committerErich Eckner <git@eckner.net>2019-08-29 11:13:36 +0200
commit3c5f739b6d6d86ecb86cf88834b95a8929771c8f (patch)
treebfbc74404da56bd568e46281f67756db5abb8aac /sign-ca.in
parentef01a84a94041987cb952bb1313d33e338818fc4 (diff)
downloadsimple-pki-3c5f739b6d6d86ecb86cf88834b95a8929771c8f.tar.xz
ca stuff done
Diffstat (limited to 'sign-ca.in')
-rwxr-xr-xsign-ca.in63
1 files changed, 63 insertions, 0 deletions
diff --git a/sign-ca.in b/sign-ca.in
new file mode 100755
index 0000000..ff0e0c5
--- /dev/null
+++ b/sign-ca.in
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# generate new ca certificate, roll over the old one(s)
+
+set -e
+
+key_dir='#ETCDIR#/simple-pki/keys'
+
+if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
+ . '#ETCDIR#/simple-pki/ca.conf'
+fi
+
+if [ -f "${key_dir}/${ca_name}.key.new" ] \
+&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
+ if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ || [ ! -f "${key_dir}/${ca_name}.key" ] \
+ || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
+ mv "${key_dir}/${host_key_file}.key"{.new,}
+ mv "${key_dir}/${host_key_file}.crt"{.new,}
+ fi
+fi
+
+if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
+|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
+ openssl req -x509 -new \
+ -newkey rsa:4096 -sha256 \
+ -keyout "${key_dir}/${ca_name}.key.new" \
+ -out "${key_dir}/${ca_name}.crt.new" \
+ -days 365 -nodes \
+ -subj "${ca_subject}"'/CN=Certification Authority' \
+ -addext 'subjectKeyIdentifier = hash' \
+ -addext 'authorityKeyIdentifier = keyid:always, issuer' \
+ -addext 'basicConstraints = critical, CA:true' \
+ -addext 'keyUsage = keyCertSign, cRLSign'
+done
+
+rsync --ignore-missing-args \
+ "${key_dir}/${ca_name}.crt"{.new,} \
+ "${remote_host}:${remote_dir}/"
+
+(
+ cd "${key_dir}"
+ printf '%s %s\n' "$(
+ date -u --iso-8601=seconds -d@$(stat -c%Y "${ca_name}.key") \
+ | cut -d+ -f1
+ )" "$(
+ sha512sum "${ca_name}.key" \
+ | sed 's/\s\+/ /'
+ )"
+) \
+| ssh "${remote_host}" '
+ cd "'"${remote_dir}"'"
+ while read -r time sum file; do
+ rm -f ????-??-??T??\:??\:??".${file}"
+ mv "${file}" "${time}.${file}"
+ sed -i '"'"'
+ / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
+ '"'"' sha512sums
+ printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
+ >> sha512sums
+ done
+'
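Review bot: The `if` opened at the `if [ ! -f "${key_dir}/${ca_name}.key.new" ]` line is closed with `done` instead of `fi`, so bash rejects the whole script with a syntax error before anything runs; the closing line should be `fi`. In the rollover branch above it, the condition tests `${ca_name}.key.new`/`.crt.new` but the two `mv` lines operate on `${host_key_file}` — presumably a copy-paste from a host-signing script — which under `set -e` aborts on the missing file or, if `host_key_file` happens to be set, rotates the wrong key pair; they should read `mv "${key_dir}/${ca_name}.key"{.new,}` and `mv "${key_dir}/${ca_name}.crt"{.new,}`. The sha512sum line hashes `${ca_name}.key`, yet rsync only ships the `.crt` files, so the remote `mv "${file}"` will fail on the absent `ca.key`; hashing and archiving the `.crt` looks like the intent, and publishing a digest of the CA private key to a remote host serves no purpose. Since `-nodes` writes the CA private key unencrypted, it would also be worth setting a restrictive `umask 077` before the `openssl req` call and noting in the header comment that `key_dir` must not be world-readable.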