~mdw / ca / blame
| Commit | Line | Data |
|---|---|---|
| b294f6b5 MW |
1 | #! /bin/sh |
| 2 | ||
| 3 | set -e | |
| 4 | certroot=$(cd ${0%/*}/..; pwd) | |
| 5 | cd "$certroot" | |
| 6 | umask 022 | |
| 7 | ||
| 8 | ## Archive any existing CA. | |
| 9 | if [ -f ca.cert ]; then | |
| 10 | mkdir -p archive | |
| 11 | if [ -f archive/state/serial ]; then | |
| 12 | next=$(cat archive/state/serial) | |
| 13 | else | |
| 14 | mkdir -p archive/state | |
| 15 | next=1 | |
| 16 | fi | |
| 17 | mkdir archive/"$next" | |
| 18 | mv ca.cert certs crls index private state archive/"$next"/ | |
| 19 | expr "$next" + 1 >archive/state/serial.new | |
| 20 | mv archive/state/serial.new archive/state/serial | |
| 21 | fi | |
| 22 | ||
| 23 | ## Clear out the old CA completely. | |
| 24 | rm -rf certs index private tmp state | |
| 25 | rm -f ca.cert distorted.crl | |
| 26 | ||
| 27 | ## Build a new one. | |
| 28 | mkdir -m750 private | |
| 29 | mkdir -m775 certs crls index index/byhash index/byserial state tmp | |
| 30 | chown root:ca certs crls index index/byhash index/byserial private state tmp | |
| 31 | touch state/db | |
| 32 | echo 01 >state/serial | |
| 33 | echo 01 >state/crlnumber | |
| 34 | ||
| 35 | ## Set the CA subject name. It won't fit on one line, and there's no | |
| 36 | ## good way of continuing it. Have fun parsing the sed. | |
| 37 | subject=$(sed -n 's:^:/:;1h;2,$H;${x;s/\n//g;p;}' <<EOF | |
| 38 | C=GB | |
| 39 | ST=Cambridgeshire | |
| 40 | O=distorted.org.uk | |
| 41 | OU=Certificate Authority | |
| 42 | CN=distorted.org.uk top-level CA | |
| 43 | emailAddress=ca@distorted.org.uk | |
| 44 | EOF | |
| 45 | ) | |
| 46 | ||
| 47 | ## Build the new CA key and certificate. | |
| 48 | umask 027 | |
| 49 | openssl req -new -config openssl.conf -x509 -days 3650 \ | |
| 50 | -out ca.cert -keyout private/ca.key \ | |
| 51 | -subj "$subject" | |
| 52 | chown root:ca private/ca.key | |
| 53 | chmod 644 ca.cert |