#! /usr/bin/tclsh8.5
### -*-tcl-*-
###
### Run periodic maintenance on the certificate database
###
### (c) 2011 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

## Find the common utilities.
source [file join [file dirname $argv0] "../lib/func.tcl"]

## Open the database
sqlite3 db "$CERTROOT/state/ca.db"
db nullvalue nil
cd "$CERTROOT"

## Refresh the database's idea of request profiles.
sync-profiles

## Reissue certificates for requests which need it.
set now [now]
set now_db [time-db $now]
foreach id [db eval {
  SELECT id FROM request
  WHERE st = 'active' AND t_reissue <= $now_db;
}] {
  issue-cert $id $now
}

## Mark certificates as having expired.
expire-certs $now

## Archive certificates and requests which are very old.
archive-certificates

## Update OpenSSL's database of things.
exec openssl ca -config "etc/openssl.conf" -updatedb 2>@1

## Generate a CRL.
exec openssl ca -config "etc/openssl.conf" -gencrl | \
    openssl crl -text -out "crl" 2>@1

## Call the user hook.
update-hook

###----- That's all, folks --------------------------------------------------