-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | etc/.gitignore | 2 | ||||
-rw-r--r-- | etc/ca-ssl.conf.in (renamed from etc/ca.conf.in) | 0 | ||||
-rw-r--r-- | etc/ca.conf (renamed from ca.conf) | 6 | ||||
-rw-r--r-- | etc/server-ssl.conf (renamed from etc/server.conf) | 0 | ||||
-rwxr-xr-x | sign-ca.in | 96 |
6 files changed, 61 insertions, 49 deletions
@@ -27,13 +27,13 @@ MANDIR = /usr/share/man VERSION = 0.0 -all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request etc/ca.conf +all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request etc/ca-ssl.conf %: %.in sed " \ s/#VERSION#/$(VERSION)/; \ - s@#BINDIR#@$(BINDIR)@; \ - s@#ETCDIR#@$(ETCDIR)@; \ + s@#BINDIR#@$(BINDIR)@g; \ + s@#ETCDIR#@$(ETCDIR)@g; \ s@#HELPTEXT#\(\s\+\)#@ --help \1display this help and exit\n --version\1display version and exit@; \ " $< > $@ [ "$@" = "sign-ca" ] && chmod +x "$@" || true
diff --git a/etc/.gitignore b/etc/.gitignore
index ebd5f03..a7a2421 100644
--- a/etc/.gitignore
+++ b/etc/.gitignore
@@ -1 +1 @@
-ca.conf
+ca-ssl.conf
diff --git a/etc/ca.conf.in b/etc/ca-ssl.conf.in
index 78d211f..78d211f 100644
--- a/etc/ca.conf.in
+++ b/etc/ca-ssl.conf.in
@@ -1,10 +1,6 @@ #!/bin/bash -# details of the ca -ca_name='eckner-ca' -ca_subject_prefix='/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net' - -# generate new ca key/cert afther this many days +# how long do we keep the old signature of the root-ca (days) ca_min_duration=60 # which system user owns the ca
diff --git a/etc/server.conf b/etc/server-ssl.conf
index 337a7a4..337a7a4 100644
--- a/etc/server.conf
+++ b/etc/server-ssl.conf
@@ -1,11 +1,9 @@ #!/bin/bash -# generate new ca certificate, roll over the old one(s) +# generate new ca certificates, roll over the old one(s) set -e -key_dir='#ETCDIR#/simple-pki/keys' - if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then . '#ETCDIR#/simple-pki/ca.conf' fi 
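Review bot: The `g` flag added to the `#BINDIR#` and `#ETCDIR#` substitutions is not added to `s/#VERSION#/$(VERSION)/;` on the line above, so a template line carrying two `#VERSION#` markers would still keep the second one; for consistency write `s/#VERSION#/$(VERSION)/g; \`. Separately, `$(BINDIR)` and `$(ETCDIR)` are spliced into the sed replacement unescaped, so a configured path containing `@` (the delimiter), `&` or `\` would corrupt the generated script silently rather than fail the build; a comment next to the `sed " \` line stating that limitation, or an escaping step for the two variables, would make it visible. The `%: %.in` recipe is complete within the hunk.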
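Review bot: The new comment above `ca_min_duration=60` describes the value as how long the old root "signature" is kept, but the guard in sign-ca.in compares the modification time of `root-ca.crt.old` against `ca_min_duration` days and refuses to rotate while that file is younger, so the variable is really the minimum age the previous root certificate must reach before the root CA is replaced again. Suggest `# minimum age (days) of the previous root certificate before the root CA may be rotated again`. The diffstat attributes these six lines to etc/ca.conf (renamed from ca.conf), although the rendered page shows them under the etc/ca-ssl.conf.in rename header, so the file being edited appears to be the shell config rather than the OpenSSL config template.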
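Review bot: `. '#ETCDIR#/simple-pki/ca.conf'` executes the config as shell code, and at this point the script still runs as whoever invoked it (the `exec su "${ca_user}"` switch comes later, outside this hunk), so the file's ownership and mode decide who can inject commands into the CA rotation run; a check before sourcing, e.g. `[ "$(stat -c%U '#ETCDIR#/simple-pki/ca.conf')" = root ] || exit 1`, or at least a comment stating that the file must be root-owned and not group/world-writable, would make that requirement explicit. Also, when the file is missing the `-r` test silently skips it and `ca_min_duration` stays unset; the arithmetic in the following hunk then evaluates it as 0, so the "old root certificate is too new" guard can never fire and every run rotates the root CA. `: "${ca_min_duration:?ca.conf must set ca_min_duration}"` after the `fi` would fail loudly instead of degrading silently.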
@@ -15,54 +13,72 @@ if [ -n "${ca_user}" ] \ exec su "${ca_user}" -c "$0" fi -if [ -f "${key_dir}/${ca_name}.key.new" ] \ -&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then - if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \ - || [ ! -f "${key_dir}/${ca_name}.key" ] \ - || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \ - || [ ! -f "${key_dir}/${ca_name}.crt" ]; then - mv "${key_dir}/${ca_name}.key"{.new,} - mv "${key_dir}/${ca_name}.crt"{.new,} +for ca in root signing; do + mkdir -p '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db' '#ETCDIR#/simple-pki/crl' '#ETCDIR#/simple-pki/certs' + chmod 700 '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' + if [ ! -f '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' ]; then + cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' + cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db.attr' + echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crt.srl' + echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crl.srl' fi -fi +done -if [ ! -f "${key_dir}/${ca_name}.key.new" ] \ -|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then - openssl req -new \ - -newkey rsa:4096 -sha256 \ - -keyout "${key_dir}/${ca_name}.key.new" \ - -out "${key_dir}/${ca_name}.csr.new" \ - -nodes \ - -subj "${ca_subject_prefix}"'/CN=Certification Authority' \ - -addext 'subjectKeyIdentifier = hash' \ - -addext 'basicConstraints = critical, CA:true' \ - -addext 'keyUsage = keyCertSign, cRLSign' - if [ -f "${key_dir}/${ca_name}.key" ]; then - previous_key="${key_dir}/${ca_name}.key" +if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then + if [ ! 
-f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \ + || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then + mv \ + '#ETCDIR#/simple-pki/ca/root-ca.crt' \ + '#ETCDIR#/simple-pki/ca/root-ca.crt.old' else - previous_key="${key_dir}/${ca_name}.key.new" + >&2 echo 'nothing to do: "old" root certificate is too new' + exit fi - openssl req -x509 \ - -sha256 \ - -in "${key_dir}/${ca_name}.csr.new" \ - -key "${previous_key}" \ - -out "${key_dir}/${ca_name}.crt.new" \ - -days 365 -nodes \ - -addext 'subjectKeyIdentifier = hash' \ - -addext 'authorityKeyIdentifier = keyid:always, issuer' \ - -addext 'basicConstraints = critical, CA:true' \ - -addext 'keyUsage = keyCertSign, cRLSign' - rm "${key_dir}/${ca_name}.csr.new" fi +if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then + mv \ + '#ETCDIR#/simple-pki/ca/signing-ca.crt' \ + '#ETCDIR#/simple-pki/ca/signing-ca.crt.old' +fi + +CA=root-ca openssl req -new \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key' + +CA=root-ca openssl ca -batch -name root_ca -selfsign \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \ + -extensions root_ca_ext + +CA=signing-ca openssl req -new \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \ + -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key' + +CA=root-ca openssl ca -batch -name root_ca \ + -config '#ETCDIR#/simple-pki/ca-ssl.conf' \ + -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \ + -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \ + -extensions signing_ca_ext + +rm \ + '#ETCDIR#/simple-pki/ca/root-ca.csr' \ + '#ETCDIR#/simple-pki/ca/signing-ca.csr' + rsync --ignore-missing-args \ - "${key_dir}/${ca_name}.crt"{.new,} \ + '#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \ 
"${remote_host}:${remote_dir}/" ( - cd "${key_dir}" + cd '#ETCDIR#/simple-pki/ca/' find . -maxdepth 1 \ - -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \ + -type f \( \ + -name root-ca.crt -o \ + -name root-ca.crt.old \ + \) \ -printf '%TY-%Tm-%TdT%TT ' \ -exec sha512sum {} \; \ | sed ' |