summaryrefslogtreecommitdiff
path: root/sign-ca.in
blob: 7a66437963cce75e5e4510a706568db619454a23 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/bash

# generate new ca certificates, roll over the old one(s)

set -e

if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
  . '#ETCDIR#/simple-pki/ca.conf'
fi

if [ -n "${ca_user}" ] \
&& [ "$(whoami)" != "${ca_user}" ]; then
  chown -R "${ca_user}" '#ETCDIR#/simple-pki/ca'
  exec su "${ca_user}" -c "$0"
fi

move_old_ca() {
  mv \
    '#ETCDIR#/simple-pki/ca/'"$1"'.crt' \
    '#ETCDIR#/simple-pki/ca/'"$1"'.old.crt'
  rm -rf --one-file-system \
    '#ETCDIR#/simple-pki/ca/'"$1"'.old'
  mv \
    '#ETCDIR#/simple-pki/ca/'"$1" \
    '#ETCDIR#/simple-pki/ca/'"$1"'.old'
  find '#ETCDIR#/simple-pki/ca/'"$1"'.old' \
    -type f \
    -name "$1"'.*' \
  | sed 's@^\(.*/'"$1"'\)\(\..*\)$@\0 \1.old\2@' \
  | while read -r from to; do
    mv "${from}" "${to}"
  done
}

level_ground_for_new_ca() {
  install -d -m0755 '#ETCDIR#/simple-pki/ca/'"$1"'/db'
  install -d -m0700 '#ETCDIR#/simple-pki/ca/'"$1"'/private'
  touch \
    '#ETCDIR#/simple-pki/ca/'"$1"'/db/'"$1"'.db' \
    '#ETCDIR#/simple-pki/ca/'"$1"'/db/'"$1"'.db.attr'
  for srl in 'crl' 'crt'; do
    old='#ETCDIR#/simple-pki/ca/'"$1"'.old/db/'"$1"'.old.'"${srl}"'.srl'
    new='#ETCDIR#/simple-pki/ca/'"$1"'/db/'"$1"'.'"${srl}"'.srl'
    if [ -f "${old}" ]; then
      cp "${old}" "${new}"
    else
      echo '01' \
      >"${new}"
    fi
  done
}

if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
  if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.old.crt' ] \
  || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -lt "$(($(date +%s)-60*60*24*ca_keep_duration))" ]; then
    move_old_ca 'root-ca'
  else
    >&2 echo 'nothing to do: "old" root certificate is too new'
    exit
  fi
fi

level_ground_for_new_ca 'root-ca'

if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
  move_old_ca 'signing-ca'
fi

level_ground_for_new_ca 'signing-ca'

CA=root-ca CA_TYPE='Root' openssl req -new \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'

CA=root-ca CA_TYPE='Root' openssl ca -batch -name root_ca -selfsign \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
  -extensions root_ca_ext

CA=signing-ca CA_TYPE='Intermediate' openssl req -new \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
  -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'

CA=root-ca CA_TYPE='Root' openssl ca -batch -name root_ca \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
  -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
  -extensions signing_ca_ext

rm \
  '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  '#ETCDIR#/simple-pki/ca/signing-ca.csr'

rsync --ignore-missing-args \
  '#ETCDIR#/simple-pki/ca/root-ca'{,.old}'.crt' \
  "${remote_host}:${remote_dir}/"

(
  cd '#ETCDIR#/simple-pki/ca/'
  find . -maxdepth 1 \
    -type f \( \
      -name root-ca.crt -o \
      -name root-ca.old.crt \
    \) \
    -printf '%TY-%Tm-%TdT%TT ' \
    -exec sha512sum {} \; \
  | sed '
    s/\.[0-9]\+ / /
    s@\s\s\+\(\S\+/\)\?@ @
  '
) \
| ssh "${remote_host}" '
  cd "'"${remote_dir}"'"
  while read -r time sum file; do
    rm -f ????-??-??T??\:??\:??".${file}"
    mv "${file}" "${time}.${file}"
    sed -i '"'"'
      / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
    '"'"' sha512sums
    printf '"'"'%s  %s\n'"'"' "${sum}" "${time}.${file}" \
    >> sha512sums
  done
'