new sign-ca and/or root-ca means, we need to exchange the directory with the issued certificates, too - this means, we should handle creation of those in sign-ca, not in the Makefile

1 files changed, 26 insertions, 0 deletions

diff --git a/sign-ca.in b/sign-ca.in
index 25d1a98..f000dc3 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -20,6 +20,19 @@ if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
     mv \
       '#ETCDIR#/simple-pki/ca/root-ca.crt' \
       '#ETCDIR#/simple-pki/ca/root-ca.crt.old'
+    rm -rf --one-file-system \
+      '#ETCDIR#/simple-pki/ca/root-ca.old'
+    mv \
+      '#ETCDIR#/simple-pki/ca/root-ca' \
+      '#ETCDIR#/simple-pki/ca/root-ca.old'
+    install -d -m0755 '#ETCDIR#/simple-pki/ca/root-ca/db'
+    install -d -m0700 '#ETCDIR#/simple-pki/ca/root-ca/private'
+    touch \
+      '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db' \
+      '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db.attr'
+    echo '01' \
+      |tee '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crt.srl' \
+      >'#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crl.srl'
   else
     >&2 echo 'nothing to do: "old" root certificate is too new'
     exit
@@ -30,6 +43,19 @@ if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
   mv \
     '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
     '#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
+  rm -rf --one-file-system \
+    '#ETCDIR#/simple-pki/ca/signing-ca.old'
+  mv \
+    '#ETCDIR#/simple-pki/ca/signing-ca' \
+    '#ETCDIR#/simple-pki/ca/signing-ca.old'
+  install -d -m0755 '#ETCDIR#/simple-pki/ca/signing-ca/db'
+  install -d -m0700 '#ETCDIR#/simple-pki/ca/signing-ca/private'
+  touch \
+    '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db' \
+    '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db.attr'
+  echo '01' \
+    |tee '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crt.srl' \
+    >'#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crl.srl'
 fi
 
 CA=root-ca openssl req -new \