Commit | Line | Data |
---|---|---|
69ab55f7 MW |
1 | #! /usr/bin/tclsh8.5 |
2 | ### -*-tcl-*- | |
3 | ### | |
4 | ### Run periodic maintenance on the certificate database | |
5 | ### | |
6 | ### (c) 2011 Mark Wooding | |
7 | ### | |
8 | ||
9 | ###----- Licensing notice --------------------------------------------------- | |
10 | ### | |
11 | ### This program is free software; you can redistribute it and/or modify | |
12 | ### it under the terms of the GNU General Public License as published by | |
13 | ### the Free Software Foundation; either version 2 of the License, or | |
14 | ### (at your option) any later version. | |
15 | ### | |
16 | ### This program is distributed in the hope that it will be useful, | |
17 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 | ### GNU General Public License for more details. | |
20 | ### | |
21 | ### You should have received a copy of the GNU General Public License | |
22 | ### along with this program; if not, write to the Free Software Foundation, | |
23 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
24 | ||
## Load the shared helper library, which lives in `../lib' relative to the
## directory holding this script.  The path is derived from `argv0', so it
## follows however the script was invoked.
source [file join [file dirname $argv0] .. lib func.tcl]

## Attach to the CA's SQLite state database as the command `db', have SQL
## NULLs reported as the string `nil', and make the CA root the working
## directory: the relative paths used later (`etc/openssl.conf', `crl') are
## resolved against it.  NOTE(review): `CERTROOT' is not set in this file;
## presumably `func.tcl' establishes it -- confirm.
sqlite3 db "$CERTROOT/state/ca.db"
db nullvalue nil
cd $CERTROOT
32 | ||
2d23bbb8 MW |
## Bring the database's record of request profiles up to date before any
## requests are processed.
sync-profiles
35 | ||
69ab55f7 MW |
## Reissue certificates for every active request whose reissue time has
## arrived.  The SQL is brace-quoted, so Tcl does not substitute `$now_db'
## into the text; SQLite sees it as a named parameter and binds the
## variable's value.  The ids are collected into a list before any
## certificate is issued, so `issue-cert' never runs while the query is
## still being stepped.
## NOTE(review): an error from `issue-cert' aborts the script here, so the
## expiry and CRL steps further down are skipped for that run -- confirm
## that this fail-fast behaviour is intended.
set now [now]
set now_db [time-db $now]
set due [db eval {
    SELECT id FROM request
    WHERE st = 'active' AND t_reissue <= $now_db;
}]
foreach id $due {
    issue-cert $id $now
}
45 | ||
## Flag certificates whose validity has run out as expired, using the same
## timestamp as the reissue pass.
expire-certs $now

## Archive certificates and requests which have become very old.
archive-certificates

## Have OpenSSL bring its own database up to date.  Standard error is folded
## into the result (`2>@1') so that diagnostic chatter alone does not make
## `exec' raise an error; a nonzero exit status still does.
exec openssl ca -config etc/openssl.conf -updatedb 2>@1
54 | ||
55 | ## Generate a CRL. | |
7d993891 MW |
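## Build the CRL in a scratch file and rename it over `crl' only once the
## whole pipeline has succeeded.  Writing straight to `crl' would let a
## concurrent reader, or an interrupted run (full disk, killed process),
## leave relying parties with a partially written revocation list; with the
## rename, the previous complete CRL stays in place until the new one is
## ready.  `exec' raises an error if either `openssl' process exits nonzero,
## in which case the rename is never reached.  Both files are in the current
## directory, so the rename does not cross filesystems.
exec openssl ca -config "etc/openssl.conf" -gencrl | \
    openssl crl -text -out "crl.new" 2>@1
file rename -force "crl.new" "crl"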
69ab55f7 | 58 | |
1fc4577e MW |
## Finally, run the user's hook so that local actions can follow the update.
## NOTE(review): `update-hook' is not defined in this file; what it runs is
## presumably decided by `func.tcl' or local configuration -- confirm.
update-hook
61 | ||
69ab55f7 | 62 | ###----- That's all, folks -------------------------------------------------- |