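#! /bin/sh
##
## Reinitialise the CA rooted one directory above this script.  Any
## existing CA (ca.cert, certs, crls, index, private, state) is moved
## aside under archive/<serial>, then an empty CA tree and a fresh
## self-signed CA key and certificate are created.
##
## Expects, relative to the CA root: openssl.conf and etc/issuer (one
## subject component per line).  Must run with enough privilege to
## chown to root:ca.

set -eu
## Quoted so a script path containing whitespace still resolves.
certroot=$(cd "${0%/*}/.." && pwd)
cd "$certroot"
umask 022

## Archive any existing CA.  archive/state/serial holds the number of
## the next free archive slot; it is created on the first archive.
if [ -f ca.cert ]; then
  mkdir -p archive
  if [ -f archive/state/serial ]; then
    next=$(cat archive/state/serial)
  else
    mkdir -p archive/state
    next=1
  fi
  ## A corrupt serial would otherwise be used as a directory name;
  ## fail loudly instead of archiving into a bogus path.
  case "$next" in
    ''|*[!0-9]*)
      printf '%s: bad archive serial "%s" in archive/state/serial\n' \
        "$0" "$next" >&2
      exit 1
      ;;
  esac
  mkdir archive/"$next"
  mv ca.cert certs crls index private state archive/"$next"/
  ## Write-then-rename so an interrupted run cannot leave a
  ## half-written serial behind.
  expr "$next" + 1 >archive/state/serial.new
  mv archive/state/serial.new archive/state/serial
fi

## Clear out the old CA completely.  crls is included so a stale tree
## left by an interrupted run cannot make the mkdir below fail.
rm -rf certs crls index private tmp state
rm -f ca.cert distorted.crl

## Build a new one.  private/ is not world-accessible; the remaining
## directories are group-writable and handed to group ca.
mkdir -m750 private
mkdir -m775 certs crls index index/byhash index/byserial state tmp
chown root:ca certs crls index index/byhash index/byserial private state tmp
touch state/db
echo 01 >state/serial
echo 01 >state/crlnumber

## Set the CA subject name.  Each line of etc/issuer becomes one
## "/component": the sed prefixes every line with "/", accumulates the
## lines in the hold space and joins them into a single line at EOF.
subject=$(sed -n 's:^:/:;1h;2,$H;${x;s/\n//g;p;}' <etc/issuer)

## Build the new CA key and certificate.  umask 027 makes
## private/ca.key mode 0640, so after the chown it is readable by
## root and group ca only; the certificate itself is public (0644).
umask 027
openssl req -new -config openssl.conf -x509 -days 3650 \
  -out ca.cert -keyout private/ca.key \
  -subj "$subject"
chown root:ca private/ca.key
chmod 644 ca.cert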