From 3c5f739b6d6d86ecb86cf88834b95a8929771c8f Mon Sep 17 00:00:00 2001
From: Erich Eckner <git@eckner.net>
Date: Thu, 29 Aug 2019 11:13:36 +0200
Subject: ca stuff done

---
 sign-ca.in | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100755 sign-ca.in

(limited to 'sign-ca.in')

diff --git a/sign-ca.in b/sign-ca.in
new file mode 100755
index 0000000..ff0e0c5
--- /dev/null
+++ b/sign-ca.in
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# generate new ca certificate, roll over the old one(s)
+
+set -e
+
+key_dir='#ETCDIR#/simple-pki/keys'
+
+if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
+  . '#ETCDIR#/simple-pki/ca.conf'
+fi
+
+if [ -f "${key_dir}/${ca_name}.key.new" ] \
+&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
+  if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+  || [ ! -f "${key_dir}/${ca_name}.key" ] \
+  || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+  || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
+    mv "${key_dir}/${host_key_file}.key"{.new,}
+    mv "${key_dir}/${host_key_file}.crt"{.new,}
+  fi
+fi
+
+if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
+|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
+  openssl req -x509 -new \
+    -newkey rsa:4096 -sha256 \
+    -keyout "${key_dir}/${ca_name}.key.new" \
+    -out "${key_dir}/${ca_name}.crt.new" \
+    -days 365 -nodes \
+    -subj "${ca_subject}"'/CN=Certification Authority' \
+    -addext 'subjectKeyIdentifier = hash' \
+    -addext 'authorityKeyIdentifier = keyid:always, issuer' \
+    -addext 'basicConstraints       = critical, CA:true' \
+    -addext 'keyUsage               = keyCertSign, cRLSign'
+done
+
+rsync --ignore-missing-args \
+  "${key_dir}/${ca_name}.crt"{.new,} \
+  "${remote_host}:${remote_dir}/"
+
+(
+  cd "${key_dir}"
+  printf '%s %s\n' "$(
+    date -u --iso-8601=seconds -d@$(stat -c%Y "${ca_name}.key") \
+    | cut -d+ -f1
+  )" "$(
+    sha512sum "${ca_name}.key" \
+    | sed 's/\s\+/ /'
+  )"
+) \
+| ssh "${remote_host}" '
+  cd "'"${remote_dir}"'"
+  while read -r time sum file; do
+    rm -f ????-??-??T??\:??\:??".${file}"
+    mv "${file}" "${time}.${file}"
+    sed -i '"'"'
+      / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
+    '"'"' sha512sums
+    printf '"'"'%s  %s\n'"'"' "${sum}" "${time}.${file}" \
+    >> sha512sums
+  done
+'
-- 
cgit v1.2.3-54-g00ecf