blob: 372309cd27f759d4ec4b0af98f80bb4dbabf184c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
#!/bin/bash
# generate new ca certificates, roll over the old one(s)
set -e
if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
. '#ETCDIR#/simple-pki/ca.conf'
fi
if [ -n "${ca_user}" ] \
&& [ "$(whoami)" != "${ca_user}" ]; then
chown -R "${ca_user}" '#ETCDIR#/simple-pki/ca'
exec su "${ca_user}" -c "$0"
fi
move_old_ca() {
mv \
'#ETCDIR#/simple-pki/ca/'"$1"'.crt' \
'#ETCDIR#/simple-pki/ca/'"$1"'.old.crt'
rm -rf --one-file-system \
'#ETCDIR#/simple-pki/ca/'"$1"'.old'
mv \
'#ETCDIR#/simple-pki/ca/'"$1" \
'#ETCDIR#/simple-pki/ca/'"$1"'.old'
find '#ETCDIR#/simple-pki/ca/'"$1"'.old' \
-type f \
-name "$1"'.*' \
| sed 's@^\(.*/'"$1"'\)\(\..*\)$@\0 \1.old\2@' \
| while read -r from to; do
mv "${from}" "${to}"
done
}
level_ground_for_new_ca() {
install -d -m0755 '#ETCDIR#/'"$1"'/ca/'"$1"'/db'
install -d -m0700 '#ETCDIR#/'"$1"'/ca/'"$1"'/private'
touch \
'#ETCDIR#/'"$1"'/ca/'"$1"'/db/'"$1"'.db' \
'#ETCDIR#/'"$1"'/ca/'"$1"'/db/'"$1"'.db.attr'
echo '01' \
|tee '#ETCDIR#/'"$1"'/ca/'"$1"'/db/'"$1"'.crt.srl' \
>'#ETCDIR#/'"$1"'/ca/'"$1"'/db/'"$1"'.crl.srl'
}
if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.old.crt' ] \
|| [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.old.crt')" -lt "$(($(date +%s)-60*60*24*ca_keep_duration))" ]; then
move_old_ca 'root-ca'
else
>&2 echo 'nothing to do: "old" root certificate is too new'
exit
fi
fi
level_ground_for_new_ca 'root-ca'
if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
move_old_ca 'signing-ca'
fi
level_ground_for_new_ca 'signing-ca'
CA=root-ca openssl req -new \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
-keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'
CA=root-ca openssl ca -batch -name root_ca -selfsign \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
-out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
-extensions root_ca_ext
CA=signing-ca openssl req -new \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
-keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'
CA=root-ca openssl ca -batch -name root_ca \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
-out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
-extensions signing_ca_ext
rm \
'#ETCDIR#/simple-pki/ca/root-ca.csr' \
'#ETCDIR#/simple-pki/ca/signing-ca.csr'
rsync --ignore-missing-args \
'#ETCDIR#/simple-pki/ca/root-ca'{,.old}'.crt' \
"${remote_host}:${remote_dir}/"
(
cd '#ETCDIR#/simple-pki/ca/'
find . -maxdepth 1 \
-type f \( \
-name root-ca.crt -o \
-name root-ca.old.crt \
\) \
-printf '%TY-%Tm-%TdT%TT ' \
-exec sha512sum {} \; \
| sed '
s/\.[0-9]\+ / /
s@\s\s\+\(\S\+/\)\?@ @
'
) \
| ssh "${remote_host}" '
cd "'"${remote_dir}"'"
while read -r time sum file; do
rm -f ????-??-??T??\:??\:??".${file}"
mv "${file}" "${time}.${file}"
sed -i '"'"'
/ [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
'"'"' sha512sums
printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
>> sha512sums
done
'
|