~mdw / ca / blame
| Commit | Line | Data |
|---|---|---|
| b294f6b5 MW |
1 | #! /bin/sh |
| 2 | ||
| 3 | set -e | |
| 4 | certroot=$(cd ${0%/*}/..; pwd) | |
| 5 | cd "$certroot" | |
| ab54a4bc | 6 | . lib/func.sh |
| b294f6b5 MW |
7 | umask 022 |
| 8 | ||
| 9 | ## Archive any existing CA. | |
| 10 | if [ -f ca.cert ]; then | |
| 11 | mkdir -p archive | |
| 12 | if [ -f archive/state/serial ]; then | |
| 13 | next=$(cat archive/state/serial) | |
| 14 | else | |
| 15 | mkdir -p archive/state | |
| 16 | next=1 | |
| 17 | fi | |
| 18 | mkdir archive/"$next" | |
| 19 | mv ca.cert certs crls index private state archive/"$next"/ | |
| 20 | expr "$next" + 1 >archive/state/serial.new | |
| 21 | mv archive/state/serial.new archive/state/serial | |
| 22 | fi | |
| 23 | ||
| 24 | ## Clear out the old CA completely. | |
| 25 | rm -rf certs index private tmp state | |
| 26 | rm -f ca.cert distorted.crl | |
| 27 | ||
| 28 | ## Build a new one. | |
| 29 | mkdir -m750 private | |
| 30 | mkdir -m775 certs crls index index/byhash index/byserial state tmp | |
| ab54a4bc | 31 | chown $ca_owner:$ca_group certs crls index index/byhash index/byserial private state tmp |
| b294f6b5 MW |
32 | touch state/db |
| 33 | echo 01 >state/serial | |
| 34 | echo 01 >state/crlnumber | |
| 35 | ||
| 36 | ## Set the CA subject name. It won't fit on one line, and there's no | |
| 37 | ## good way of continuing it. Have fun parsing the sed. | |
| 0208298d | 38 | subject=$(sed -n 's:^:/:;1h;2,$H;${x;s/\n//g;p;}' <etc/issuer) |
| b294f6b5 MW |
39 | |
| 40 | ## Build the new CA key and certificate. | |
| 41 | umask 027 | |
| 42 | openssl req -new -config openssl.conf -x509 -days 3650 \ | |
| 43 | -out ca.cert -keyout private/ca.key \ | |
| 44 | -subj "$subject" | |
| ab54a4bc | 45 | chown $ca_owner:$ca_group private/ca.key |
| b294f6b5 | 46 | chmod 644 ca.cert |