Diffstat (limited to 'rotate-keys.in')
-rw-r--r--rotate-keys.in43
1 files changed, 20 insertions, 23 deletions
diff --git a/rotate-keys.in b/rotate-keys.in
index 6116d9d..8b8cfe7 100644
--- a/rotate-keys.in
+++ b/rotate-keys.in
@@ -1,6 +1,6 @@
#!/bin/bash
-key_dir='#ETCDIR#/simple-pki/keys'
+key_dir='#ETCDIR#/simple-pki/cb'
if [ -r '#ETCDIR#/simple-pki/cb.conf' ]; then
. '#ETCDIR#/simple-pki/cb.conf'
@@ -64,10 +64,11 @@ if [ "$(whoami)" != "${certificate_user}" ]; then
systemctl try-restart nginx
fi
- su "${certificate_user}" -s /bin/bash -c "${me}"
+ chown -R "${certificate_user}" "${key_dir}"
+ exec su "${certificate_user}" -s /bin/bash -c "${me}"
fi
-
- exit
+ >&2 printf 'only root can su %s\n' "${certificate_user}"
+ exit 1
fi
if [ -n "$(trap)" ]; then
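Review bot: `chown -R "${certificate_user}" "${key_dir}"` on the new line hands every file under the key directory to the service user but leaves file modes untouched, so a private key that is already group- or world-readable stays that way; an ownership change is not a permission fix, and if `${key_dir}` is itself a symlink the whole target tree gets re-owned. Put `--` before the path, `chown -R "${certificate_user}" -- "${key_dir}"`, and consider tightening the directory in the same step, e.g. `chmod go-rwx -- "${key_dir}"`, if nothing but the service user (and root) needs to list it. The `if` around the root/`su` branch starts before the hunk, so whether the `chown` runs only as root is inferred from the `su` that follows it.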
@@ -84,28 +85,23 @@ printf '%s\n' "${hosts}" \
&& [ -f "${key_dir}/${host}.crt.new" ]; then
continue
fi
- if [ -n "${other_hosts}" ]; then
- extensions="-addext subjectAltName=$(
- printf ',DNS:%s' \
- "${host}" \
- ${other_hosts} \
- | sed 's/^,//'
- )"
- else
- extensions=''
- fi
- openssl req -newkey rsa:4096 \
+
+ SAN=$(
+ printf ',DNS:%s' \
+ "${host}" \
+ ${other_hosts} \
+ | sed 's/^,//'
+ ) \
+ CN="${host}" \
+ openssl req -new \
+ -config '#ETCDIR#/simple-pki/server-ssl.conf' \
-keyout "${key_dir}/${host}.key.new" \
-out "${tmp_dir}/${host}.csr" \
- -nodes -subj "${subject_prefix}"'/CN='"${host}" -sha256 \
- ${extensions}
- printf 'https://%s/.csr/%s/%s.csr %s/CN=%s %s\n' \
+
+ printf 'https://%s/.csr/%s/%s.csr\n' \
"${host}" \
"${tmp_dir##*/}" \
"${host}" \
- "${subject_prefix}" \
- "${host}" \
- "${extensions}" \
>> "${tmp_dir}/commands"
done
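Review bot: the rewritten `openssl req` call drops `-nodes`, `-sha256` and `-newkey rsa:4096`, so key encryption, digest and key parameters now depend entirely on `#ETCDIR#/simple-pki/server-ssl.conf`, which is not part of this diff; unless that file sets `encrypt_key = no`, `openssl req -new` prompts for a pass phrase for `${key_dir}/${host}.key.new`, which hangs an unattended rotation or fails without a tty. Keeping the flag explicit, `openssl req -new -nodes \`, makes the script's intent independent of the config file. The same contract exists for `CN` and `SAN`, which the config must read as `$ENV::CN` and `$ENV::SAN`; a comment above the call such as `# server-ssl.conf takes CN and SAN from the environment ($ENV::CN, $ENV::SAN)` would document it. The enclosing loop over `${hosts}` starts before the hunk.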
@@ -116,9 +112,8 @@ fi
cd "${tmp_dir}"
-cut -d' ' -f1 \
-< 'commands' \
| ssh -T "${ca_host}" \
+< 'commands' \
| tar -xzf -
for host_key_file in ${host_key_files}; do
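Review bot: the pipeline's exit status is `tar`'s, and a failed `ssh` (host-key mismatch, refused key, CA host unreachable) is not checked anywhere in the hunk, so the script goes on to the copy loop even when nothing was fetched; hunk 1 shows `#!/bin/bash` followed directly by `key_dir=`, so no `set -e`/`set -o pipefail` appears to be in force. Consider `set -o pipefail` around this step or checking `"${PIPESTATUS[0]}"` immediately after the pipeline and aborting before the copy loop. The stage that precedes `| ssh -T "${ca_host}"` is not visible in the hunk.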
@@ -127,4 +122,6 @@ for host_key_file in ${host_key_files}; do
fi
cat "${tmp_dir}/${host_key_file}.crt" \
> "${key_dir}/${host_key_file}.crt.new"
+ cat "${tmp_dir}/${host_key_file}.chain" \
+ > "${key_dir}/${host_key_file}.chain.new"
done
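Review bot: `cat "${tmp_dir}/${host_key_file}.chain" > "${key_dir}/${host_key_file}.chain.new"` creates an empty `.chain.new` whenever the CA did not deliver a `.chain` file, because the shell opens the redirection target before `cat` runs and nothing stops the loop on the error; the `fi` just above the hunk suggests the `.crt` copy is guarded by an existence check that the chain is not. Guard it the same way, `if [ -f "${tmp_dir}/${host_key_file}.chain" ]; then … fi`, or use `cp -- "${tmp_dir}/${host_key_file}.chain" "${key_dir}/${host_key_file}.chain.new"`, which fails without leaving an empty file behind. The `for host_key_file` loop starts before the hunk.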