blob: 9d1bb439fa9a4583a9b94d5da2d327443a4db527 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
#!/bin/bash
# generate new ca certificates, roll over the old one(s)
set -e
if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
. '#ETCDIR#/simple-pki/ca.conf'
fi
if [ -n "${ca_user}" ] \
&& [ "$(whoami)" != "${ca_user}" ]; then
chown -R "${ca_user}" '#ETCDIR#/simple-pki/ca'
exec su "${ca_user}" -c "$0"
fi
if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \
|| [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_keep_duration))" ]; then
mv \
'#ETCDIR#/simple-pki/ca/root-ca.crt' \
'#ETCDIR#/simple-pki/ca/root-ca.crt.old'
rm -rf --one-file-system \
'#ETCDIR#/simple-pki/ca/root-ca.old'
mv \
'#ETCDIR#/simple-pki/ca/root-ca' \
'#ETCDIR#/simple-pki/ca/root-ca.old'
install -d -m0755 '#ETCDIR#/simple-pki/ca/root-ca/db'
install -d -m0700 '#ETCDIR#/simple-pki/ca/root-ca/private'
touch \
'#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db' \
'#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.db.attr'
echo '01' \
|tee '#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crt.srl' \
>'#ETCDIR#/simple-pki/ca/root-ca/db/root-ca.crl.srl'
else
>&2 echo 'nothing to do: "old" root certificate is too new'
exit
fi
fi
if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
mv \
'#ETCDIR#/simple-pki/ca/signing-ca.crt' \
'#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
rm -rf --one-file-system \
'#ETCDIR#/simple-pki/ca/signing-ca.old'
mv \
'#ETCDIR#/simple-pki/ca/signing-ca' \
'#ETCDIR#/simple-pki/ca/signing-ca.old'
install -d -m0755 '#ETCDIR#/simple-pki/ca/signing-ca/db'
install -d -m0700 '#ETCDIR#/simple-pki/ca/signing-ca/private'
touch \
'#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db' \
'#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.db.attr'
echo '01' \
|tee '#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crt.srl' \
>'#ETCDIR#/simple-pki/ca/signing-ca/db/signing-ca.crl.srl'
fi
CA=root-ca openssl req -new \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
-keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'
CA=root-ca openssl ca -batch -name root_ca -selfsign \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
-out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
-extensions root_ca_ext
CA=signing-ca openssl req -new \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
-keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'
CA=root-ca openssl ca -batch -name root_ca \
-config '#ETCDIR#/simple-pki/ca-ssl.conf' \
-in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
-out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
-extensions signing_ca_ext
rm \
'#ETCDIR#/simple-pki/ca/root-ca.csr' \
'#ETCDIR#/simple-pki/ca/signing-ca.csr'
rsync --ignore-missing-args \
'#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \
"${remote_host}:${remote_dir}/"
(
cd '#ETCDIR#/simple-pki/ca/'
find . -maxdepth 1 \
-type f \( \
-name root-ca.crt -o \
-name root-ca.crt.old \
\) \
-printf '%TY-%Tm-%TdT%TT ' \
-exec sha512sum {} \; \
| sed '
s/\.[0-9]\+ / /
s@\s\s\+\(\S\+/\)\?@ @
'
) \
| ssh "${remote_host}" '
cd "'"${remote_dir}"'"
while read -r time sum file; do
rm -f ????-??-??T??\:??\:??".${file}"
mv "${file}" "${time}.${file}"
sed -i '"'"'
/ [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
'"'"' sha512sums
printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" \
>> sha512sums
done
'
|
