From b6b7550ccbe694bfd81bfdb216d688c291930351 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Mon, 9 Dec 2019 10:17:13 +0100
Subject: sign-request.in: use the old ca for some time (the new ca may need some time to circulate to clients)

---
 etc/ca.conf | 3 +++
 sign-request.in | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/etc/ca.conf b/etc/ca.conf
index aa8b4ba..2dccb42 100644
--- a/etc/ca.conf
+++ b/etc/ca.conf
@@ -3,6 +3,9 @@
 # how long do we keep the old signature of the root-ca (days)
 ca_keep_duration=60
 
+# how long do we wait before using the new root-ca (days)
+ca_min_duration=10
+
 # which system user owns the ca
 ca_user='erich'
 
diff --git a/sign-request.in b/sign-request.in
index 52b481e..0185cf4 100755
--- a/sign-request.in
+++ b/sign-request.in
@@ -14,6 +14,13 @@ remove_leading_spaces() {
 '
 }
 
+if [ -f '#ETCDIR#/simple-pki/ca/root-ca.old.crt' ] \
+&& [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -ge "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then
+  export CA=signing-ca.old
+else
+  export CA=signing-ca
+fi
+
 tmp_dir=$(mktemp -d)
 trap 'rm -rf --one-file-system "${tmp_dir}"' EXIT
 
@@ -95,7 +102,7 @@ while read -r csr; do
     rm "${csr_local}"
     continue
   fi
-  if ! CA=signing-ca openssl ca -batch -name signing_ca \
+  if ! openssl ca -batch -name signing_ca \
     -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
     -in "${csr_local}" \
     -out "${csr_local%.csr}.crt" \
-- 
cgit v1.2.3-70-g09d2
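Review bot: The new comment on `ca_min_duration` describes it as a wait "before using the new root-ca", but the only consumer visible in this commit is the signing-CA selection in sign-request.in, which keeps issuing with `signing-ca.old` while root-ca.old.crt is younger than this many days; an operator reading ca.conf alone would not learn that. The comment should name what the value actually gates and what clock it is measured against, e.g. `# how long to keep signing requests with the old signing-ca after a root-ca rotation (days, measured from the mtime of ca/root-ca.old.crt)`. It is also worth stating whether this value is expected to stay below `ca_keep_duration`, since once root-ca.old.crt is removed the selection falls back to the new CA regardless of this setting.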
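Review bot: `ca_min_duration` is used bare inside `$((...))` with no check that it was loaded; if etc/ca.conf is not sourced before line 14 (the sourcing is not in this hunk) or the key is absent, bash arithmetic treats the unset name as 0 and the script silently selects `signing-ca`, which defeats the grace period this commit introduces — a `: "${ca_min_duration:?...}"` guard makes that a hard failure instead. The window also hinges on the mtime of root-ca.old.crt being the rotation time; if the rotation step moves rather than copies the old certificate (not visible here), the mtime is the original file's and `signing-ca.old` is never chosen, so this assumption deserves a comment next to the check. Nothing records which CA was selected, so an operator reviewing issued certificates cannot tell from the script's output why a request was signed by the old CA; since the exported `CA` is consumed only by the `openssl ca` call in the later hunk at line 102, a single stderr line here is enough. A guarded, logged version of the selection:
```shell
# Keep signing with the previous signing-ca for ca_min_duration days after a
# root-ca rotation, measured from the mtime of root-ca.old.crt (assumes the
# rotation step gives that file a fresh mtime — copy, not move).
old_root='#ETCDIR#/simple-pki/ca/root-ca.old.crt'
: "${ca_min_duration:?ca_min_duration must be set (see etc/ca.conf)}"
CA=signing-ca
if [ -f "${old_root}" ] \
  && old_mtime=$(stat -c%Y -- "${old_root}") \
  && [ "${old_mtime}" -ge "$(( $(date +%s) - 60*60*24*ca_min_duration ))" ]; then
  CA=signing-ca.old
fi
export CA
printf 'sign-request: signing with %s\n' "${CA}" >&2
# … unchanged: tmp_dir / trap setup …
```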