From 3c5f739b6d6d86ecb86cf88834b95a8929771c8f Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Thu, 29 Aug 2019 11:13:36 +0200
Subject: ca stuff done

---
 sign-ca.in | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100755 sign-ca.in
(limited to 'sign-ca.in')
diff --git a/sign-ca.in b/sign-ca.in
new file mode 100755
index 0000000..ff0e0c5
--- /dev/null
+++ b/sign-ca.in
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# generate new ca certificate, roll over the old one(s)
+
+set -e
+
+key_dir='#ETCDIR#/simple-pki/keys'
+
+if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
+ . '#ETCDIR#/simple-pki/ca.conf'
+fi
+
+if [ -f "${key_dir}/${ca_name}.key.new" ] \
+&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
+ if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ || [ ! -f "${key_dir}/${ca_name}.key" ] \
+ || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
+ mv "${key_dir}/${host_key_file}.key"{.new,}
+ mv "${key_dir}/${host_key_file}.crt"{.new,}
+ fi
+fi
+
+if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
+|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
+ openssl req -x509 -new \
+ -newkey rsa:4096 -sha256 \
+ -keyout "${key_dir}/${ca_name}.key.new" \
+ -out "${key_dir}/${ca_name}.crt.new" \
+ -days 365 -nodes \
+ -subj "${ca_subject}"'/CN=Certification Authority' \
+ -addext 'subjectKeyIdentifier = hash' \
+ -addext 'authorityKeyIdentifier = keyid:always, issuer' \
+ -addext 'basicConstraints = critical, CA:true' \
+ -addext 'keyUsage = keyCertSign, cRLSign'
+done
+
+rsync --ignore-missing-args \
+ "${key_dir}/${ca_name}.crt"{.new,} \
+ "${remote_host}:${remote_dir}/"
+
+(
+ cd "${key_dir}"
+ printf '%s %s\n' "$(
+ date -u --iso-8601=seconds -d@$(stat -c%Y "${ca_name}.key") \
+ | cut -d+ -f1
+ )" "$(
+ sha512sum "${ca_name}.key" \
+ | sed 's/\s\+/ /'
+ )"
+) \
+| ssh "${remote_host}" '
+ cd "'"${remote_dir}"'"
+ while read -r time sum file; do
+ rm -f ????-??-??T??\:??\:??".${file}"
+ mv "${file}" "${time}.${file}"
+ sed -i '"'"'
+ / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
+ '"'"' sha512sums
+ printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
+ >> sha512sums
+ done
+'
-- cgit v1.2.3-54-g00ecf
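Review bot: The `if` that generates a fresh CA (the `openssl req` block) is closed with `done` instead of `fi`, so bash rejects the whole file with a syntax error before a single command runs; that line must become `fi`. The rollover branch above it has a second defect: its two `mv` lines act on `${host_key_file}.key`/`.crt` while every test around them inspects `${ca_name}.key.new`/`.crt.new` — this looks copied from a host-key script, and if `host_key_file` is not defined in ca.conf the first `mv` fails and `set -e` aborts — the lines should read `mv "${key_dir}/${ca_name}.key"{.new,}` and `mv "${key_dir}/${ca_name}.crt"{.new,}`. Since `ca_name` and `ca_subject` are only set when ca.conf is readable, a missing config silently makes the script operate on `${key_dir}/.key.new`-style paths, so `: "${ca_name:?ca.conf missing or ca_name unset}"` right after that `fi` would fail fast instead. A comment on the `openssl` call would also help the next maintainer: `# CA key is written unencrypted (-nodes) and never leaves key_dir (rsync pushes only the .crt); key_dir permissions are its only protection`.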