Diffstat (limited to 'sign-ca.in')
-rwxr-xr-x | sign-ca.in | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/sign-ca.in b/sign-ca.in
new file mode 100755
index 0000000..ff0e0c5
--- /dev/null
+++ b/sign-ca.in
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# generate new ca certificate, roll over the old one(s)
+
+set -e
+
+key_dir='#ETCDIR#/simple-pki/keys'
+
+if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
+ . '#ETCDIR#/simple-pki/ca.conf'
+fi
+
+if [ -f "${key_dir}/${ca_name}.key.new" ] \
+&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
+ if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ || [ ! -f "${key_dir}/${ca_name}.key" ] \
+ || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
+ mv "${key_dir}/${host_key_file}.key"{.new,}
+ mv "${key_dir}/${host_key_file}.crt"{.new,}
+ fi
+fi
+
+if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
+|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
+ openssl req -x509 -new \
+ -newkey rsa:4096 -sha256 \
+ -keyout "${key_dir}/${ca_name}.key.new" \
+ -out "${key_dir}/${ca_name}.crt.new" \
+ -days 365 -nodes \
+ -subj "${ca_subject}"'/CN=Certification Authority' \
+ -addext 'subjectKeyIdentifier = hash' \
+ -addext 'authorityKeyIdentifier = keyid:always, issuer' \
+ -addext 'basicConstraints = critical, CA:true' \
+ -addext 'keyUsage = keyCertSign, cRLSign'
+done
+
+rsync --ignore-missing-args \
+ "${key_dir}/${ca_name}.crt"{.new,} \
+ "${remote_host}:${remote_dir}/"
+
+(
+ cd "${key_dir}"
+ printf '%s %s\n' "$(
+ date -u --iso-8601=seconds -d@$(stat -c%Y "${ca_name}.key") \
+ | cut -d+ -f1
+ )" "$(
+ sha512sum "${ca_name}.key" \
+ | sed 's/\s\+/ /'
+ )"
+) \
+| ssh "${remote_host}" '
+ cd "'"${remote_dir}"'"
+ while read -r time sum file; do
+ rm -f ????-??-??T??\:??\:??".${file}"
+ mv "${file}" "${time}.${file}"
+ sed -i '"'"'
+ / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
+ '"'"' sha512sums
+ printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
+ >> sha512sums
+ done
+'
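Review bot: The second `if` block (the one running `openssl req`) is closed with `done` instead of `fi`, so bash rejects the entire script with a syntax error before any command runs; that line should be `fi`. The rollover branch tests `${ca_name}.key.new`/`.crt.new` but then moves `${key_dir}/${host_key_file}.key{.new,}` and `.crt{.new,}` — `host_key_file` is never set in this file, so under `set -e` the `mv` aborts the script (or renames the wrong files if ca.conf happens to define it); those two lines should read `mv "${key_dir}/${ca_name}.key"{.new,}` and `mv "${key_dir}/${ca_name}.crt"{.new,}`. The remote side also looks inconsistent: only `${ca_name}.crt{.new,}` is rsynced, yet the `ssh` loop is fed the mtime and sha512sum of `${ca_name}.key` and tries to `mv` that filename on `${remote_host}`, where it presumably does not exist — confirm whether the checksum/rename was meant to apply to the certificate, and note that as written it also ships a hash of the CA private key off-host. Because every path is built from `ca_name` sourced from an optional ca.conf, an early `: "${ca_name:?ca.conf must set ca_name}"` would turn a missing or incomplete config into a clear failure instead of silently operating on `${key_dir}/.key.new`.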