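#!/bin/bash
#
# simple-pki CSR signer.
#
# Reads one CSR URL per line from stdin, fetches each CSR, parses and
# self-signature-checks it, requires its subject to be the configured prefix
# plus exactly one CN, requires every SAN to be a DNS/IP entry, and then
# proves control of every name (CN and SANs) by re-fetching the identical CSR
# from each of them over HTTPS. CSRs that pass are signed with the current CA
# key and the resulting .crt files are written to stdout as one gzipped tar.
#
# '#ETCDIR#' is a packaging placeholder. ca.conf is sourced from there and is
# presumably what sets ca_name (key file base name) and ca_subject_prefix
# (subject RDNs that must precede the CN, written as "C=XX/O=Foo" with no
# spaces) — both are required below.
#
# Everything that reaches stdout must be the tar stream, so every diagnostic
# and every subprocess that might chat on stdout is redirected to stderr.

key_dir='#ETCDIR#/simple-pki/keys'

if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
  # shellcheck disable=SC1091 -- installed next to the script, not in the tree
  . '#ETCDIR#/simple-pki/ca.conf'
fi

# Presumably so relative paths from ca.conf resolve against the script's own
# directory. dirname also copes with a bare "$0" (no slash), which the former
# "${0%/*}" did not — it would have tried to cd into the script file itself.
cd "$(dirname -- "$0")" || exit 1

# Fail fast instead of producing "/keys/.key" paths and an unmatchable subject
# pattern when the config is missing or incomplete.
: "${ca_name:?ca_name must be set in ca.conf}"
: "${ca_subject_prefix:?ca_subject_prefix must be set in ca.conf}"

#######################################
# Keep only the lines indented by at least $1 spaces and strip exactly that
# many; shallower lines are dropped. Used to descend one level of the
# indented tree that "openssl req -text" prints.
# Arguments: $1 - number of leading spaces to strip (an integer literal from
#                 this script; never user input, it is spliced into the sed
#                 program)
# Outputs:   filtered, de-indented lines on stdout
#######################################
remove_leading_spaces() {
  sed '
    s/^ \{'"$1"'\}//
    t
    d
  '
}

old_key="${key_dir}/${ca_name}.key"
new_key="${key_dir}/${ca_name}.key.new"
if [ ! -f "${old_key}" ] && [ ! -f "${new_key}" ]; then
  printf 'no CA key found: neither %s nor %s exists\n' "${old_key}" "${new_key}" >&2
  exit 1
fi

tmp_dir=$(mktemp -d) || exit 1
trap 'rm -rf --one-file-system -- "${tmp_dir}"' EXIT

# Shared curl settings. Input lines and CSR contents are untrusted: cap the
# time and size of every fetch so one stalled or bloated host cannot hang the
# batch, and restrict to http(s) so a "file://" line cannot read local files.
# Redirects are deliberately NOT followed (no -L): the control check must be
# answered by the named host itself.
curl_opts=(-Ss --max-time 30 --max-filesize 1048576 --proto '=http,https')

while read -r csr; do
  # Only plain http(s) URLs with a non-empty path are usable: the path is
  # re-requested from every name the CSR claims, and the basename becomes a
  # file name under ${tmp_dir}.
  case "${csr}" in
    http://*/?* | https://*/?*) ;;
    *)
      printf 'skipping malformed CSR URL: %s\n' "${csr}" >&2
      continue
      ;;
  esac

  csr_name="${csr##*/}"
  csr_path="${csr#*//*/}"
  # The basename is chosen by whoever published the URL. Limit it to a
  # conservative character set and forbid a leading '-' or '.', so it can
  # never be parsed as an option by openssl or by the final "tar … *" (whose
  # arguments are exactly these names) and cannot hide as a dotfile.
  case "${csr_name}" in
    '' | -* | .* | *[!A-Za-z0-9._%-]*)
      printf 'skipping CSR with unsafe file name: %s\n' "${csr}" >&2
      continue
      ;;
  esac
  csr_local="${tmp_dir}/${csr_name}"

  if ! curl "${curl_opts[@]}" -o "${csr_local}" -- "${csr}"; then
    rm -f -- "${csr_local}"
    continue
  fi

  # Parse and self-signature-check the CSR; anything openssl rejects is
  # dropped. Only this text dump is inspected from here on.
  if ! content=$(openssl req -text -noout -verify -in "${csr_local}" 2>/dev/null); then
    rm -f -- "${csr_local}"
    continue
  fi

  # Narrow the dump to the children of "Data:" (Version, Subject, Requested
  # Extensions, …), de-indented so they sit at column 0 and their own
  # children at column 4.
  content=$(
    printf '%s\n' "${content}" \
    | sed -n '
      /^Certificate Request:$/,/^\S/p
    ' \
    | remove_leading_spaces 4 \
    | sed -n '
      /^Data:$/,/^\S/p
    ' \
    | remove_leading_spaces 4
  )

  # Subject as "RDN=value/RDN=value" with all spaces removed (the dump prints
  # "C = US, O = Foo, CN = bar"). It must be exactly the configured prefix,
  # then one CN, then nothing. The former pattern additionally demanded a
  # trailing '/' after the CN, which this pipeline never produces, so the
  # trailing separator is now optional rather than required.
  subject=$(
    printf '%s\n' "${content}" \
    | sed '
      s/^Subject: //
      t
      d
    ' \
    | tr -d ' ' \
    | tr ',' '/'
  )
  subject="${subject%/}"
  cn="${subject#"${ca_subject_prefix}"/CN=}"
  if [ "${cn}" = "${subject}" ] || [ -z "${cn}" ] || [ "${cn}" != "${cn%%/*}" ]; then
    # Every reject path drops the fetched file so only issued certificates
    # reach the tarball (rejected .csr files used to be left behind and
    # archived along with the certificates).
    rm -f -- "${csr_local}"
    continue
  fi

  # "Requested Extensions:" -> "X509v3 Subject Alternative Name:" -> its
  # value line(s), split at ", " so each general name is on its own line.
  sans=$(
    printf '%s\n' "${content}" \
    | sed -n '
      /^Requested Extensions:$/,/^\S/ p
    ' \
    | remove_leading_spaces 4 \
    | sed -n '
      /^X\S\+ Subject Alternative Name:\s*$/,/^\S/ p
    ' \
    | remove_leading_spaces 4 \
    | sed '
      s/, /\n/g
    '
  )
  # Every general name must be a DNS or IP entry; anything else (email, URI,
  # or no SAN extension at all — ${sans} is then one empty line) is refused.
  # NOTE(review): "openssl req -text" prints IP entries as "IP Address:…",
  # which this pattern does not match, so in practice only DNS names pass;
  # confirm whether IP SANs are meant to be issuable.
  if printf '%s\n' "${sans}" | grep -vq '^\(DNS\|IP\):'; then
    rm -f -- "${csr_local}"
    continue
  fi
  sans=$(
    printf '%s\n' "${sans}" \
    | sed '
      s/^\(DNS\|IP\)://
    '
  )

  # Control check: every name that will appear in the certificate (CN first,
  # then each SAN) must serve the byte-identical CSR at the path it was
  # fetched from. --insecure is deliberate — the host cannot hold a trusted
  # certificate yet, so the proof rests on DNS/routing of the request, as with
  # an HTTP-01 style challenge. Because the name is spliced into a URL, refuse
  # anything outside a plain hostname/IPv4 character set: '@', ':', '/', '?'
  # or '#' would redirect the check to a different host or path while the
  # odd string still ended up in the certificate.
  all_ok=1
  while IFS= read -r san; do
    case "${san}" in
      '' | *[!A-Za-z0-9.-]*)
        all_ok=0
        break
        ;;
    esac
    # diff -q reports mismatches on stdout; silence it so it cannot leak into
    # the tar stream.
    if ! curl "${curl_opts[@]}" --insecure -- "https://${san}/${csr_path}" \
        | diff -q - "${csr_local}" >/dev/null; then
      all_ok=0
      break
    fi
  done < <(printf '%s\n' "${cn}" "${sans}")
  if [ "${all_ok}" -ne 1 ]; then
    rm -f -- "${csr_local}"
    continue
  fi

  # Key rotation. ${ca_name}.key is the current key and ${ca_name}.key.new its
  # successor; with only one present that one is used (the former code called
  # stat on a missing .key.new and died in the arithmetic). With both, the
  # successor takes over once
  #     2*now + mtime(key) > 3*mtime(key.new)
  # i.e. once more time has elapsed since the new key was written than half
  # the gap between the two keys' timestamps. This reproduces the original
  # comparison, whose "$((…))" around the right-hand side had been lost and
  # left a syntax error — confirm it matches the intended rollover schedule.
  if [ ! -f "${old_key}" ]; then
    key_to_use="${new_key}"
  elif [ ! -f "${new_key}" ]; then
    key_to_use="${old_key}"
  else
    now=$(date +%s)
    old_mtime=$(stat -c %Y -- "${old_key}")
    new_mtime=$(stat -c %Y -- "${new_key}")
    if [ $((2 * now + old_mtime)) -gt $((3 * new_mtime)) ]; then
      key_to_use="${new_key}"
    else
      key_to_use="${old_key}"
    fi
  fi

  # NOTE(review): "openssl req -x509 -in CSR -key KEY" differs between OpenSSL
  # releases in whether the output is self-signed or CA-signed, which public
  # key it carries, and whether the CSR's extensions (the SANs validated
  # above) are copied (3.x needs -copy_extensions copy). Confirm the issued
  # certificate really contains the requested SANs and the requester's public
  # key and chains to the CA key; "openssl x509 -req -CA … -CAkey …" may be
  # what is intended. basicConstraints is pinned so a leaf can never act as
  # an issuer.
  crt_local="${csr_local%.csr}.crt"
  if ! openssl req -x509 -key "${key_to_use}" -in "${csr_local}" \
      -out "${crt_local}" \
      -addext 'basicConstraints = critical, CA:false' >&2; then
    printf 'signing failed for %s\n' "${csr}" >&2
    rm -f -- "${crt_local}"
  fi
  rm -f -- "${csr_local}"
done

# Emit every signed certificate as one gzipped tar on stdout; member names are
# the bare file names as before. A run that signed nothing yields an empty
# archive instead of a tar error about a literal "*". "--" keeps any member
# name from being read as a tar option (names are already restricted above).
cd "${tmp_dir}" || exit 1
shopt -s nullglob
set -- *
if [ "$#" -eq 0 ]; then
  tar -czf - -T /dev/null
else
  tar -czf - -- "$@"
fi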