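#! /bin/sh
##
## Create a fresh CA in the directory above this script, archiving any CA
## that already lives there first.
##
## lib/func.sh (sourced below) is expected to define $ca_owner and
## $ca_group; they receive ownership of the CA working directories and of
## the private key.  Run with enough privilege to chown to them.

set -e

## Locate the CA root relative to this script.  Quoting keeps paths with
## whitespace working; `&&' stops `pwd' reporting the caller's directory
## when the cd fails.
certroot=$(cd "${0%/*}/.." && pwd)
cd "$certroot"
. lib/func.sh
umask 022

## Fail loudly if func.sh didn't supply the identities.  With both empty,
## `chown :' is accepted as a no-op by GNU chown and the key would silently
## stay owned by whoever ran this script.
: "${ca_owner:?ca_owner not set by lib/func.sh}"
: "${ca_group:?ca_group not set by lib/func.sh}"

## Archive any existing CA.  Each archive gets a numbered directory;
## archive/state/serial holds the next number to use.
if [ -f ca.cert ]; then
  mkdir -p archive
  if [ -f archive/state/serial ]; then
    next=$(cat archive/state/serial)
  else
    mkdir -p archive/state
    next=1
  fi
  ## The counter is interpolated into a path below, so insist on a plain
  ## decimal before trusting it (a damaged serial file must not turn into
  ## an `mv' somewhere unexpected).
  case $next in
    ''|*[!0-9]*)
      echo "$0: archive/state/serial is not a number: '$next'" >&2
      exit 1
      ;;
  esac
  ## No -p here on purpose: an archive directory that already exists means
  ## the counter is wrong, and failing beats overwriting old CA material.
  mkdir archive/"$next"
  mv ca.cert certs crls index private state archive/"$next"/
  ## Write-then-rename so an interrupted run can't leave a truncated
  ## counter behind.
  echo $((next + 1)) >archive/state/serial.new
  mv archive/state/serial.new archive/state/serial
fi

## Clear out the old CA completely.  `crls' is included so that a stale CRL
## directory from an interrupted run can't make the (-p-less) mkdir below
## fail before anything is rebuilt.
rm -rf certs crls index private tmp state
rm -f ca.cert distorted.crl

## Build a new one.  Only `private' is closed to the group; the rest is
## group-writable so the CA user can replace the index/serial files in
## place.  state/db, state/serial and state/crlnumber are created here by
## the invoking user and are not chowned -- presumably the group-writable
## directory is what lets the CA user swap them out later; verify against
## the signing script.
mkdir -m750 private
mkdir -m775 certs crls index index/byhash index/byserial state tmp
chown "$ca_owner:$ca_group" certs crls index index/byhash index/byserial private state tmp
touch state/db
echo 01 >state/serial
echo 01 >state/crlnumber

## Set the CA subject name.  etc/issuer holds one subject component per
## line (e.g. `O=Example'); the sed prefixes each line with `/' and joins
## them into the single `/O=.../CN=...' form `openssl -subj' wants:
##   s:^:/:            prefix every line with a slash
##   1h;2,$H           accumulate all lines in the hold space
##   ${x;s/\n//g;p;}   at end of input, fetch them, drop newlines, print
## Note a literal `/' inside a component is not escaped by this.
subject=$(sed -n 's:^:/:;1h;2,$H;${x;s/\n//g;p;}' <etc/issuer)

## Build the new CA key and certificate.  umask 027 makes the key 0640, so
## every member of $ca_group can read it as well as $ca_owner; keep that
## group limited to people who are allowed to use the CA key.  No -nodes is
## passed, so whether the key is passphrase-protected is decided by
## openssl.conf.
umask 027
openssl req -new -config openssl.conf -x509 -days 3650 \
  -out ca.cert -keyout private/ca.key \
  -subj "$subject"
chown "$ca_owner:$ca_group" private/ca.key
chmod 644 ca.cert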