Diffstat (limited to 'sign-ca.in')
-rwxr-xr-xsign-ca.in96
1 files changed, 56 insertions, 40 deletions
diff --git a/sign-ca.in b/sign-ca.in
index 8d2f4b2..beab6da 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -1,11 +1,9 @@
#!/bin/bash
-# generate new ca certificate, roll over the old one(s)
+# generate new ca certificates, roll over the old one(s)
set -e
-key_dir='#ETCDIR#/simple-pki/keys'
-
if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
. '#ETCDIR#/simple-pki/ca.conf'
fi
@@ -15,54 +13,72 @@ if [ -n "${ca_user}" ] \
exec su "${ca_user}" -c "$0"
fi
-if [ -f "${key_dir}/${ca_name}.key.new" ] \
-&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
- if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
- || [ ! -f "${key_dir}/${ca_name}.key" ] \
- || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
- || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
- mv "${key_dir}/${ca_name}.key"{.new,}
- mv "${key_dir}/${ca_name}.crt"{.new,}
+for ca in root signing; do
+ mkdir -p '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private' '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db' '#ETCDIR#/simple-pki/crl' '#ETCDIR#/simple-pki/certs'
+ chmod 700 '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/private'
+ if [ ! -f '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db' ]; then
+ cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db'
+ cp /dev/null '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.db.attr'
+ echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crt.srl'
+ echo 01 > '#ETCDIR#/simple-pki/ca/'"${ca}"'-ca/db/'"${ca}"'-ca.crl.srl'
fi
-fi
+done
-if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
-|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
- openssl req -new \
- -newkey rsa:4096 -sha256 \
- -keyout "${key_dir}/${ca_name}.key.new" \
- -out "${key_dir}/${ca_name}.csr.new" \
- -nodes \
- -subj "${ca_subject_prefix}"'/CN=Certification Authority' \
- -addext 'subjectKeyIdentifier = hash' \
- -addext 'basicConstraints = critical, CA:true' \
- -addext 'keyUsage = keyCertSign, cRLSign'
- if [ -f "${key_dir}/${ca_name}.key" ]; then
- previous_key="${key_dir}/${ca_name}.key"
+if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
+ if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \
+ || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then
+ mv \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt' \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt.old'
else
- previous_key="${key_dir}/${ca_name}.key.new"
+ >&2 echo 'nothing to do: "old" root certificate is too new'
+ exit
fi
- openssl req -x509 \
- -sha256 \
- -in "${key_dir}/${ca_name}.csr.new" \
- -key "${previous_key}" \
- -out "${key_dir}/${ca_name}.crt.new" \
- -days 365 -nodes \
- -addext 'subjectKeyIdentifier = hash' \
- -addext 'authorityKeyIdentifier = keyid:always, issuer' \
- -addext 'basicConstraints = critical, CA:true' \
- -addext 'keyUsage = keyCertSign, cRLSign'
- rm "${key_dir}/${ca_name}.csr.new"
fi
+if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
+ mv \
+ '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
+ '#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
+fi
+
+CA=root-ca openssl req -new \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'
+
+CA=root-ca openssl ca -batch -name root_ca -selfsign \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
+ -extensions root_ca_ext
+
+CA=signing-ca openssl req -new \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
+ -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'
+
+CA=root-ca openssl ca -batch -name root_ca \
+ -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
+ -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
+ -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
+ -extensions signing_ca_ext
+
+rm \
+ '#ETCDIR#/simple-pki/ca/root-ca.csr' \
+ '#ETCDIR#/simple-pki/ca/signing-ca.csr'
+
rsync --ignore-missing-args \
- "${key_dir}/${ca_name}.crt"{.new,} \
+ '#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \
"${remote_host}:${remote_dir}/"
(
- cd "${key_dir}"
+ cd '#ETCDIR#/simple-pki/ca/'
find . -maxdepth 1 \
- -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \
+ -type f \( \
+ -name root-ca.crt -o \
+ -name root-ca.crt.old \
+ \) \
-printf '%TY-%Tm-%TdT%TT ' \
-exec sha512sum {} \; \
| sed '