[ca] / bin / cycle-root-key

#! /usr/bin/tclsh
### -*-tcl-*-
###
### Generate a new root key
###
### (c) 2022 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software: you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or (at
### your option) any later version.
###
### This program is distributed in the hope that it will be useful, but
### WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
### General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program.  If not, write to the Free Software
### Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
### USA.

## Find the common utilities.
source [file join [file dirname $argv0] "../lib/func.tcl"]

## Open the database
sqlite3 db "$CERTROOT/state/ca.db"
db nullvalue nil
cd "$CERTROOT"

## Refresh the database's idea of request profiles.
sync-profiles

## Rename the old CA key so we don't lose it.
set i 0
while {[file exists private/ca-$i.key]} { set i [expr {$i + 1}] }
file rename private/ca.key private/ca-$i.key
file rename ca.cert ca-$i.cert

## Make a new key.
generate-root-key

## Generate new certificates for all of the live requests.
set now [now]
foreach id [db eval { SELECT id FROM request WHERE st = 'active' }] {
  issue-cert $id $now
}

## Update OpenSSL's database of things.
exec openssl ca -config "etc/openssl.conf" -updatedb 2>@1

## Generate a CRL.
exec openssl ca -config "etc/openssl.conf" -gencrl | \
    openssl crl -text -out "crl" 2>@1

## Call the user hook.
update-hook

###----- That's all, folks --------------------------------------------------
Commit	Line	Data
a717f5d7 MW	1	#! /usr/bin/tclsh
	2	### --tcl--
	3	###
	4	### Generate a new root key
	5	###
	6	### (c) 2022 Mark Wooding
	7	###
	8
	9	###----- Licensing notice ---------------------------------------------------
	10	###
	11	### This program is free software: you can redistribute it and/or modify
	12	### it under the terms of the GNU General Public License as published by
	13	### the Free Software Foundation; either version 2 of the License, or (at
	14	### your option) any later version.
	15	###
	16	### This program is distributed in the hope that it will be useful, but
	17	### WITHOUT ANY WARRANTY; without even the implied warranty of
	18	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	19	### General Public License for more details.
	20	###
	21	### You should have received a copy of the GNU General Public License
	22	### along with this program. If not, write to the Free Software
	23	### Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
	24	### USA.
	25
	26	## Find the common utilities.
	27	source [file join [file dirname $argv0] "../lib/func.tcl"]
	28
	29	## Open the database
	30	sqlite3 db "$CERTROOT/state/ca.db"
	31	db nullvalue nil
	32	cd "$CERTROOT"
	33
	34	## Refresh the database's idea of request profiles.
	35	sync-profiles
	36
	37	## Rename the old CA key so we don't lose it.
	38	set i 0
	39	while {[file exists private/ca-$i.key]} { set i [expr {$i + 1}] }
	40	file rename private/ca.key private/ca-$i.key
	41	file rename ca.cert ca-$i.cert
	42
	43	## Make a new key.
	44	generate-root-key
	45
	46	## Generate new certificates for all of the live requests.
	47	set now [now]
	48	foreach id [db eval { SELECT id FROM request WHERE st = 'active' }] {
	49	issue-cert $id $now
	50	}
	51
	52	## Update OpenSSL's database of things.
	53	exec openssl ca -config "etc/openssl.conf" -updatedb 2>@1
	54
	55	## Generate a CRL.
	56	exec openssl ca -config "etc/openssl.conf" -gencrl \| \
	57	openssl crl -text -out "crl" 2>@1
	58
	59	## Call the user hook.
	60	update-hook
	61
	62	###----- That's all, folks --------------------------------------------------