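#! /bin/sh
##
## Rebuild the CA from scratch.
##
## Any CA that currently exists is moved aside under archive/<n>/, the
## working directories are wiped and recreated with the ownership and
## modes the CA needs, and a fresh self-signed CA key and certificate are
## generated from etc/issuer and openssl.conf.  The script locates the CA
## tree relative to its own path (parent of the directory holding it).

set -e

## Resolve the CA root.  Use `&&` rather than `;` so that a failed cd
## fails the substitution instead of returning the *current* directory
## and letting the `rm -rf` further down run against the wrong tree.
certroot=$(cd "${0%/*}/.." && pwd)
cd "$certroot"
. lib/func.sh

## lib/func.sh is expected to define the CA owner and group.  `chown :`
## with both sides empty is accepted by chown and changes nothing, so a
## missing value would silently leave the key and directories owned by
## whoever ran this script -- fail loudly instead.
: "${ca_owner:?ca_owner not set (expected from lib/func.sh)}"
: "${ca_group:?ca_group not set (expected from lib/func.sh)}"

umask 022

## Archive any existing CA.
## archive/state/serial holds the next free archive number.  The old CA's
## files are moved rather than copied, so the archived private/ keeps its
## restrictive mode and the key is never duplicated on disk.
if [ -f ca.cert ]; then
  mkdir -p archive
  if [ -f archive/state/serial ]; then
    next=$(cat archive/state/serial)
    ## The value becomes a path component and an arithmetic operand;
    ## refuse anything that is not a plain decimal number.
    case $next in
      ''|*[!0-9]*)
        echo "$0: bad archive serial '$next' in archive/state/serial" >&2
        exit 1
        ;;
    esac
  else
    mkdir -p archive/state
    next=1
  fi
  mkdir "archive/$next"
  mv ca.cert certs crls index private state "archive/$next"/
  ## Write-then-rename so an interrupted run can't leave serial empty.
  echo $((next + 1)) >archive/state/serial.new
  mv archive/state/serial.new archive/state/serial
fi

## Clear out the old CA completely.
## crls/ is included here: a previous run that died after the mkdir
## below but before openssl produced ca.cert skips the archive step and
## leaves crls/ behind, and the (non -p) mkdir below would then abort the
## rebuild on it.
rm -rf certs crls index private tmp state
rm -f ca.cert distorted.crl

## Build a new one.
## private/ is 0750 (key material).  The remaining directories are
## group-writable so members of $ca_group can operate the CA.
mkdir -m750 private
mkdir -m775 certs crls index index/byhash index/byserial state tmp
chown "$ca_owner:$ca_group" certs crls index index/byhash index/byserial private state tmp
touch state/db
echo 01 >state/serial
echo 01 >state/crlnumber
## NOTE(review): the three state files above are created under umask 022
## and owned by the invoking user; only their directory is chowned.
## Presumably acceptable because the group-writable directory lets the CA
## replace them by rename -- confirm against how the signing scripts
## update state/.

## Set the CA subject name.  It won't fit on one line, and there's no
## good way of continuing it.  The sed prefixes every line of etc/issuer
## with "/" and joins the lines into one string, i.e. the file is
## presumably one RDN per line and the result is the "/X=.../Y=..." form
## that -subj expects.  Values containing "/" are not escaped.
subject=$(sed -n 's:^:/:;1h;2,$H;${x;s/\n//g;p;}' <etc/issuer)

## Build the new CA key and certificate.
## With umask 027 the key file comes out group-readable, so every member
## of $ca_group can sign with it -- presumably the intended trust
## boundary, but worth keeping in mind when populating that group.  The
## certificate is public and is made world-readable explicitly.
umask 027
openssl req -new -config openssl.conf -x509 -days 3650 \
  -out ca.cert -keyout private/ca.key \
  -subj "$subject"
chown "$ca_owner:$ca_group" private/ca.key
chmod 644 ca.cert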