-rwxr-xr-x | sign-ca.in | 19 |
1 files changed, 17 insertions, 2 deletions
@@ -28,16 +28,31 @@ fi
 if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
 || [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
- openssl req -x509 -new \
+ openssl req -new \
 -newkey rsa:4096 -sha256 \
 -keyout "${key_dir}/${ca_name}.key.new" \
+ -out "${key_dir}/${ca_name}.csr.new" \
+ -nodes \
+ -subj "${ca_subject_prefix}"'/CN=Certification Authority' \
+ -addext 'subjectKeyIdentifier = hash' \
+ -addext 'basicConstraints = critical, CA:true' \
+ -addext 'keyUsage = keyCertSign, cRLSign'
+ if [ -f "${key_dir}/${ca_name}.key" ]; then
+ previous_key="${key_dir}/${ca_name}.key"
+ else
+ previous_key="${key_dir}/${ca_name}.key.new"
+ fi
+ openssl req -x509 \
+ -sha256 \
+ -in "${key_dir}/${ca_name}.csr.new" \
+ -key "${previous_key}" \
 -out "${key_dir}/${ca_name}.crt.new" \
 -days 365 -nodes \
- -subj "${ca_subject}"'/CN=Certification Authority' \
 -addext 'subjectKeyIdentifier = hash' \
 -addext 'authorityKeyIdentifier = keyid:always, issuer' \
 -addext 'basicConstraints = critical, CA:true' \
 -addext 'keyUsage = keyCertSign, cRLSign'
+ rm "${key_dir}/${ca_name}.csr.new"
 fi
 rsync --ignore-missing-args \ |