summaryrefslogtreecommitdiff
path: root/sign-ca.in
blob: 25d1a98a5b1ee3af195e0ad6135f3af10d9e45a1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/bin/bash

# generate new ca certificates, roll over the old one(s)

set -e

if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
  . '#ETCDIR#/simple-pki/ca.conf'
fi

if [ -n "${ca_user}" ] \
&& [ "$(whoami)" != "${ca_user}" ]; then
  chown -R "${ca_user}" '#ETCDIR#/simple-pki/ca'
  exec su "${ca_user}" -c "$0"
fi

if [ -f '#ETCDIR#/simple-pki/ca/root-ca.crt' ]; then
  if [ ! -f '#ETCDIR#/simple-pki/ca/root-ca.crt.old' ] \
  || [ "$(stat -c%Y '#ETCDIR#/simple-pki/ca/root-ca.crt.old')" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ]; then
    mv \
      '#ETCDIR#/simple-pki/ca/root-ca.crt' \
      '#ETCDIR#/simple-pki/ca/root-ca.crt.old'
  else
    >&2 echo 'nothing to do: "old" root certificate is too new'
    exit
  fi
fi

if [ -f '#ETCDIR#/simple-pki/ca/signing-ca.crt' ]; then
  mv \
    '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
    '#ETCDIR#/simple-pki/ca/signing-ca.crt.old'
fi

CA=root-ca openssl req -new \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -out '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  -keyout '#ETCDIR#/simple-pki/ca/root-ca/private/root-ca.key'

CA=root-ca openssl ca -batch -name root_ca -selfsign \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -in '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  -out '#ETCDIR#/simple-pki/ca/root-ca.crt' \
  -extensions root_ca_ext

CA=signing-ca openssl req -new \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -out '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
  -keyout '#ETCDIR#/simple-pki/ca/signing-ca/private/signing-ca.key'

CA=root-ca openssl ca -batch -name root_ca \
  -config '#ETCDIR#/simple-pki/ca-ssl.conf' \
  -in '#ETCDIR#/simple-pki/ca/signing-ca.csr' \
  -out '#ETCDIR#/simple-pki/ca/signing-ca.crt' \
  -extensions signing_ca_ext

rm \
  '#ETCDIR#/simple-pki/ca/root-ca.csr' \
  '#ETCDIR#/simple-pki/ca/signing-ca.csr'

rsync --ignore-missing-args \
  '#ETCDIR#/simple-pki/ca/root-ca.crt'{,.old} \
  "${remote_host}:${remote_dir}/"

(
  cd '#ETCDIR#/simple-pki/ca/'
  find . -maxdepth 1 \
    -type f \( \
      -name root-ca.crt -o \
      -name root-ca.crt.old \
    \) \
    -printf '%TY-%Tm-%TdT%TT ' \
    -exec sha512sum {} \; \
  | sed '
    s/\.[0-9]\+ / /
    s@\s\s\+\(\S\+/\)\?@ @
  '
) \
| ssh "${remote_host}" '
  cd "'"${remote_dir}"'"
  while read -r time sum file; do
    rm -f ????-??-??T??\:??\:??".${file}"
    mv "${file}" "${time}.${file}"
    sed -i '"'"'
      / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
    '"'"' sha512sums
    printf '"'"'%s  %s\n'"'"' "${sum}" "${time}.${file}" \
    >> sha512sums
  done
'