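#! /usr/bin/tclsh
### -*-tcl-*-
###
### Generate a new root key
###
### (c) 2022 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software: you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or (at
### your option) any later version.
###
### This program is distributed in the hope that it will be useful, but
### WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
### General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program.  If not, write to the Free Software
### Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
### USA.

###----- Overview -----------------------------------------------------------
###
### Rotate the CA root key in place.  The steps, in order: move the current
### key and certificate aside under a numbered name so they are never
### overwritten; generate a fresh key; run `issue-cert' for every request
### whose state is `active'; refresh OpenSSL's CA database and CRL; and
### finally call the user hook.  Helpers such as `sync-profiles',
### `generate-root-key', `issue-cert', `now' and `update-hook', and the
### `CERTROOT' variable, come from `lib/func.tcl'.
###
### Every step after the rename works on the new key, so if something fails
### part-way through, the previous material is still intact as
### `private/ca-N.key' and `ca-N.cert' rather than lost.

## Find the common utilities.
source [file join [file dirname $argv0] "../lib/func.tcl"]

## Open the database.  `nil' is what SQL NULL reads back as in query results.
sqlite3 db "$CERTROOT/state/ca.db"
db nullvalue nil
cd "$CERTROOT"

## Refresh the database's idea of request profiles.
sync-profiles

## Rename the old CA key so we don't lose it.
##
## Choose the first index N for which neither `private/ca-N.key' nor
## `ca-N.cert' already exists.  Both must be checked: `file rename' without
## `-force' refuses to clobber an existing target, and the key is moved
## before the certificate, so a stray `ca-N.cert' would otherwise leave the
## key renamed and the certificate still in place.  If there is no current
## `private/ca.key' at all the rename raises an error, which is deliberate:
## this script assumes an existing root to rotate.
set i 0
while {[file exists private/ca-$i.key] || [file exists ca-$i.cert]} {
  incr i
}
file rename private/ca.key private/ca-$i.key
file rename ca.cert ca-$i.cert

## Make a new key.
generate-root-key

## Generate new certificates for all of the live requests.
##
## Collect the ids first, then issue, so that `issue-cert' does not run
## while the SELECT is still being stepped.  A single timestamp is taken up
## front so every certificate in this batch shares the same issue time.
set now [now]
foreach id [db eval { SELECT id FROM request WHERE st = 'active' }] {
  issue-cert $id $now
}

## Update OpenSSL's database of things.
##
## `2>@1' merges openssl's stderr into the captured stdout; a non-zero exit
## still raises a Tcl error, with that output in the message.
exec openssl ca -config "etc/openssl.conf" -updatedb 2>@1

## Generate a CRL.
exec openssl ca -config "etc/openssl.conf" -gencrl | \
    openssl crl -text -out "crl" 2>@1

## Call the user hook.
update-hook

###----- That's all, folks --------------------------------------------------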